AWS Certified Advanced Networking Specialty (ANS-C01) — Questions 601-675

1705 questions total · 23 pages · All types, answers revealed

Page 9 of 23
601
MCQ (medium)

A company has a VPC with a CIDR of 10.0.0.0/16. They have two Availability Zones, each with a public subnet (10.0.1.0/24 and 10.0.2.0/24) and a private subnet (10.0.3.0/24 and 10.0.4.0/24). They have an internet-facing ALB in the public subnets and EC2 instances in the private subnets. The EC2 instances need to download updates from the internet. They deploy a NAT Gateway in each public subnet and add routes in the private subnet route tables pointing to the respective NAT Gateway in the same AZ. However, the EC2 instances in AZ2 cannot access the internet, while those in AZ1 can. What is the most likely cause?

A.The security group of the EC2 instances in AZ2 is blocking outbound traffic.
B.The NAT Gateway in AZ2 does not have an Elastic IP address assigned.
C.The private subnet in AZ2 is routing traffic to the NAT Gateway in AZ1, which is in a different Availability Zone and incurs cross-AZ charges but should still work.
D.The route table for the private subnet in AZ2 is missing a route to the NAT Gateway.
Answer: B

A public NAT Gateway sends traffic to the internet from its Elastic IP; a NAT Gateway without one (the private connectivity type) cannot reach the internet at all.

Why this answer

The instances in both AZs follow the same design; the only per-AZ component is the NAT Gateway, so the difference must lie in how the AZ2 NAT Gateway was built. If it was created with the private connectivity type it has no Elastic IP and can only reach other VPCs or on-premises networks, never the internet. Option C is wrong because routing to the NAT Gateway in AZ1 would cross AZs and add data-transfer charges, but the traffic would still reach the internet. Option D is wrong because the scenario states that each private subnet's route table already points at the NAT Gateway in its own AZ.

Option A is unlikely because nothing in the scenario suggests the AZ2 instances carry a different security group; the difference between the AZs is in the NAT Gateway.

Practitioner check: confirm that the AZ2 NAT Gateway reports connectivity type public, state available and an Elastic IP allocation (`aws ec2 describe-nat-gateways --nat-gateway-ids <id>`), that the public subnet hosting it has a 0.0.0.0/0 route to the Internet Gateway, and that the network ACLs on that subnet allow the ephemeral return ports.

602
MCQ (medium)

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises data centers. The network team notices that traffic between two VPCs is taking an unexpected path through the on-premises network instead of staying within the Transit Gateway. What is the most likely cause?

A.The Transit Gateway route table is not associated with the VPC attachments.
B.The VPC subnet route tables are not pointing to the Transit Gateway as the target.
C.The on-premises network is advertising more specific routes via BGP that override the Transit Gateway routes.
D.VPC peering connections are being used alongside Transit Gateway, creating conflicting routes.
Answer: C

A more specific prefix learned from on-premises over BGP wins longest-prefix match in the Transit Gateway route table, so VPC-to-VPC traffic is sent toward the on-premises attachment.

Why this answer

Option C is correct because routes propagated from a Site-to-Site VPN or Direct Connect gateway attachment share the Transit Gateway route table with the VPC routes, and selection is by longest prefix match. If on-premises advertises, say, 10.2.1.0/24 while the VPC attachment only contributes 10.2.0.0/16, traffic for 10.2.1.x leaves through the on-premises attachment. Option A is wrong because an attachment with no route table association cannot forward traffic at all; that would break connectivity rather than reroute it. Option B is wrong because if the subnet route tables did not point at the Transit Gateway, the traffic would never reach it in the first place.

Option D is wrong because VPC peering routes live in the VPC route tables, not in the Transit Gateway; a peering route for the other VPC's CIDR would send the traffic directly over the peering connection, bypassing the Transit Gateway, not through on-premises.

Practitioner fix: filter the on-premises advertisement at the customer router, or pin the affected prefix with a static Transit Gateway route to the VPC attachment, since for an identical prefix a static route beats a propagated one.

603
MCQ (medium)

A company is designing a hybrid network architecture that connects an on-premises data center to AWS via AWS Direct Connect. The on-premises network uses BGP to advertise routes to AWS. The company wants to ensure that the on-premises network can reach all VPCs in the AWS account using a single Direct Connect virtual interface. Which solution should the architect use?

A.Create a Direct Connect gateway and associate all VPCs directly.
B.Create a transit gateway and a Direct Connect gateway. Attach the VPCs to the transit gateway and associate the transit gateway with the Direct Connect gateway.
C.Create VPC peering connections between all VPCs and the on-premises network.
D.Create a virtual private gateway and attach all VPCs to it.
Answer: B

A transit gateway associated with a Direct Connect gateway lets many VPCs share one transit virtual interface.

Why this answer

Option B is correct because a transit gateway is the hub for VPC-to-VPC and hybrid connectivity, and a Direct Connect gateway associated with it (over a transit virtual interface) lets a single Direct Connect connection reach every attached VPC. The BGP session runs on the transit virtual interface; the Direct Connect gateway hands traffic to the transit gateway, which routes it to the attached VPCs. The design scales to many VPCs without more virtual interfaces or a mesh of peering connections, and the transit gateway route tables control which VPCs on-premises may reach.

Exam trap

Candidates often assume a Direct Connect gateway connects to VPCs directly. It does not: it associates with virtual private gateways (one VPC each, a small per-gateway quota, no transitive routing between them) or with a transit gateway. Multi-VPC connectivity at scale, and any VPC-to-VPC traffic through the same hub, needs the transit gateway.

How to eliminate wrong answers

Option A is wrong because a Direct Connect gateway cannot be associated with a VPC; it associates with a virtual private gateway per VPC (subject to a quota and to non-overlapping CIDRs) or with a transit gateway, so "associate all VPCs directly" is not a valid configuration. Option C is wrong because VPC peering connects VPCs to each other, not to an on-premises network, and it is not transitive, so it cannot carry on-premises traffic arriving over a single virtual interface. Option D is wrong because a virtual private gateway attaches to exactly one VPC, so a single private virtual interface terminating on it reaches only that VPC.

604
Multi-Select (easy)

A company is designing a VPC architecture for a web application that must be highly available across multiple Availability Zones. Which TWO components should be deployed in at least two Availability Zones to meet this requirement?

Select 2 answers
A.Transit Gateway
B.Internet Gateway
C.NAT Gateway
D.Application Load Balancer (with subnets in multiple AZs)
E.VPN connection
Answers: C, D

NAT Gateways live in one AZ each; the ALB must be given subnets in at least two AZs.

Why this answer

Options C and D are correct. A NAT Gateway is created in a single subnet and therefore a single AZ; deploying one per AZ (with each AZ's private route table pointing at its own) keeps outbound connectivity if an AZ fails. An Application Load Balancer is a regional service, but it only places nodes in the AZs whose subnets you enable, so it must be configured with subnets in at least two AZs.

Option B is wrong because an Internet Gateway is a horizontally scaled, redundant VPC-level resource with no AZ placement. Option E is wrong because a Site-to-Site VPN connection already provides two tunnels terminating on redundant AWS endpoints; it is not deployed per AZ. Option A is wrong because a Transit Gateway is a regional, AWS-managed service (its VPC attachment should, however, be given a subnet in every AZ the VPC uses).

605
MCQ (medium)

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that no security group allows inbound SSH (port 22) from 0.0.0.0/0. Which policy type should be used?

A.Network ACL
B.IAM policy
C.Service Control Policy (SCP)
D.AWS Config rule
Answer: C

An SCP is the preventive, organization-wide guardrail on what member accounts are allowed to do.

Why this answer

Option C is correct because a Service Control Policy applies to every principal in the accounts it is attached to, so it is the only option that is both preventive and organization-wide. Option B is wrong because an IAM policy is scoped to the users and roles of one account and can be changed by that account's administrators. Option D is wrong because AWS Config rules are detective: they report a non-compliant security group after it exists (and can trigger remediation), but they do not stop the API call.

Option A is wrong because a network ACL filters packets in one subnet; it does not govern what security groups may be created across accounts.

Practitioner caveat: an SCP can deny ec2:AuthorizeSecurityGroupIngress outright or by resource tag, but IAM offers no condition key for the CIDR or port inside that call, so it cannot single out "port 22 from 0.0.0.0/0" while allowing other rules. In real estates the precise control is the AWS Config managed rule restricted-ssh (INCOMING_SSH_DISABLED) with an automatic remediation that removes the offending rule, alongside an SCP that limits who may edit security groups at all.
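As an added example (not part of this question bank), the check below walks security-group definitions in the shape returned by describe-security-groups and reports every group that lets the whole internet reach port 22, including the cases a naive grep misses: an all-traffic (protocol -1) rule and a port range that happens to cover 22. The three groups are constructed for illustration; identifiers such as sg-0bastion are made up. The same parser exposes security-group references as sources, the pattern questions 614 and 618 rely on.

```python
"""Detective check for security groups that expose SSH to the world (added example)."""
from ipaddress import ip_network

# Constructed sample in the shape of the SecurityGroups list from DescribeSecurityGroups.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0bastion",
        "GroupName": "bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0admin",
        "GroupName": "admin-all-ports",
        "IpPermissions": [
            # Protocol -1 means "all traffic": every port, including 22, and the IPv6 range is ::/0.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0web",
        "GroupName": "web-tier",
        "IpPermissions": [
            # Port range covering 22, but only from a corporate prefix: not a world-open finding.
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            # Security-group reference as source (the ALB-to-web-tier pattern).
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0alb"}]},
        ],
    },
]


def _covers_port(perm, port):
    """True if this permission entry applies to TCP `port`; all-traffic rules carry no ports."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def ingress_sources(group, port):
    """Return (cidrs, security_group_ids) that may reach `port` on members of `group`."""
    cidrs, sgs = set(), set()
    for perm in group.get("IpPermissions", []):
        if not _covers_port(perm, port):
            continue
        cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
        cidrs.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
        sgs.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return cidrs, sgs


def world_open_ssh(groups, port=22):
    """Group IDs whose rules let any IPv4 or IPv6 address (a /0 prefix) reach `port`."""
    findings = []
    for g in groups:
        cidrs, _ = ingress_sources(g, port)
        if any(ip_network(c).prefixlen == 0 for c in cidrs):
            findings.append(g["GroupId"])
    return sorted(findings)


if __name__ == "__main__":
    for gid in world_open_ssh(SAMPLE_GROUPS):
        print(f"{gid}: SSH reachable from the internet")
    print("web tier port 80 sources:", ingress_sources(SAMPLE_GROUPS[2], 80))
```

Feed the function the `SecurityGroups` list from `aws ec2 describe-security-groups` (all Regions, all accounts) to get the same result on live data; the UserIdGroupPairs branch is what a rule "from the ALB's security group" looks like on the wire.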

606
Multi-Select (hard)

Which TWO actions can be taken to reduce the attack surface of a VPC's public subnets? (Choose 2.)

Select 2 answers
A.Allow all inbound traffic from the internet to the public subnets
B.Place web servers in private subnets and use a load balancer in a public subnet
C.Use a single subnet for all application tiers
D.Use security groups to restrict inbound traffic to only necessary ports and IPs
E.Disable ICMP traffic on the network ACL
Answers: B, D

Fewer internet-reachable resources and tighter ingress rules.

Why this answer

Option B is correct because placing web servers in private subnets behind a load balancer in a public subnet leaves the web servers without public IP addresses; the load balancer is the single ingress point, and the web tier's security group can admit only the load balancer's security group. Fewer resources are reachable from the internet, which is what "attack surface" means here. Option D is correct because even the resources that must be public should accept only the ports they serve (443, and 80 only to redirect) from the sources that need them; a rule such as 0.0.0.0/0 on all ports is the classic finding.

Exam trap

AWS often tests the misconception that disabling ICMP or using network ACLs alone is sufficient to reduce attack surface, when in fact the primary reduction comes from architectural changes like moving instances to private subnets and using a load balancer, combined with security group restrictions.

607
MCQ (hard)

A company is designing a network security architecture for a multi-account AWS environment using AWS Transit Gateway. They need to ensure that all traffic between VPCs must be inspected by a centralized security appliance (e.g., firewall) in a shared services VPC. Which routing design meets this requirement?

A.Attach all VPCs to a single route table and enable VPC peering for inspection VPC.
B.Use a centralized NAT gateway in the inspection VPC and configure all spokes to route traffic through it.
C.Attach the inspection VPC and all spoke VPCs to the same Transit Gateway route table, and add a static route for the spoke VPC CIDRs pointing to the inspection VPC attachment, with blackhole routes for the same CIDRs.
D.Create separate route tables for each VPC attachment and propagate routes from all VPCs.
Answer: C

Spoke route tables send inter-VPC traffic to the inspection VPC attachment first; blackhole routes stop spokes reaching prefixes directly.

Why this answer

Option C is correct because Transit Gateway route tables, not the spokes' own route tables, decide where inter-VPC traffic goes. In the standard design the spoke attachments are associated with a route table whose only useful route (0.0.0.0/0, or a summary of the spoke ranges) targets the inspection VPC attachment, with blackhole routes for any prefixes that must never be reachable directly; the inspection VPC attachment is associated with a second route table holding the propagated spoke routes so that traffic leaving the firewall reaches its destination. Appliance mode is enabled on the inspection VPC attachment so that both directions of a flow are delivered to the same AZ, and therefore to the same stateful appliance. Option A is wrong because VPC peering is not transitive and cannot force spoke-to-spoke traffic through a third VPC. Option B is wrong because a NAT gateway translates addresses and inspects nothing, and spokes behind a Transit Gateway cannot route to a NAT gateway in another VPC.

Option D is wrong because giving every attachment its own route table with all routes propagated puts a direct route to every other spoke in each table, so nothing is inspected.

608
MCQ (medium)

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from an S3 bucket in the same region. The company wants to minimize data transfer costs and avoid traversing the internet. Which solution should the company implement?

A.Create a VPC Interface Endpoint for S3 and attach it to the private subnet.
B.Configure an S3 bucket policy to allow access from the VPC and use an Internet Gateway.
C.Create a VPC Gateway Endpoint for S3 and attach it to the private subnet's route table.
D.Create a NAT Gateway in the public subnet and route traffic to the S3 bucket through it.
Answer: C

A gateway endpoint for S3 has no hourly or data-processing charge and keeps the traffic on the AWS network.

Why this answer

Option C is correct because a gateway endpoint is added as a prefix-list route in the private subnet's route table, so requests to S3 in the same Region go straight to the service without an Internet Gateway or NAT Gateway, and the endpoint itself costs nothing. Option D is wrong because a NAT Gateway is billed per hour and per GB processed and sends the traffic out through the public S3 endpoint. Option A is wrong because an interface endpoint for S3 works but is billed per hour per AZ and per GB; it is the choice only when access from on-premises or through the endpoint's private DNS is needed.

Option B is wrong because a bucket policy grants or denies access; it provides no network path, and the Internet Gateway path is exactly what the company wants to avoid. Once the gateway endpoint exists, a bucket policy condition on aws:sourceVpce can make the endpoint the only accepted path.

609
MCQ (medium)

A company is deploying a web application in a VPC with public and private subnets. The web servers in public subnets must be protected from direct internet access, but they need to receive traffic from an Application Load Balancer (ALB). Which architecture should be used?

A.Internet-facing ALB in public subnets with web servers also in public subnets
B.Internal Network Load Balancer in private subnets with web servers
C.Internet-facing ALB in public subnets, and internal ALB in private subnets pointing to web servers
D.Amazon CloudFront with origin pointing to web servers in public subnets
Answer: C

This allows traffic to flow through the internet-facing ALB to the internal ALB, keeping web servers private.

Why this answer

Option C is correct because it uses an internet-facing ALB in public subnets to receive traffic from the internet, then forwards it to an internal ALB in private subnets, which distributes traffic to web servers in private subnets. This ensures the web servers are not directly accessible from the internet, meeting the security requirement while still allowing traffic from the ALB. The internal ALB uses private IP addresses, keeping the web servers isolated from direct internet access.

Exam trap

The trap here is that candidates often assume an internet-facing ALB alone can protect servers in public subnets, but the key requirement is that servers must not be directly accessible from the internet, which necessitates placing them in private subnets and using an internal ALB for internal routing.

How to eliminate wrong answers

Option A is wrong because placing web servers in public subnets with an internet-facing ALB still allows direct internet access to the servers if security groups are misconfigured, and the requirement explicitly states servers must be protected from direct internet access. Option B is wrong because an internal Network Load Balancer cannot receive traffic from the internet; it only routes traffic within the VPC, so it cannot serve as the entry point for external users. Option D is wrong because Amazon CloudFront with an origin pointing to web servers in public subnets still exposes the servers directly to the internet (via the origin), and CloudFront does not inherently protect the servers from direct access unless additional measures like VPC origins or WAF are used, which are not specified.

610
MCQ (medium)

A company has a VPC with multiple subnets. They want to centrally control outbound traffic to the internet and log all traffic. Which AWS service should they use?

A.NAT Gateway
B.Network ACL
C.VPC Flow Logs
D.VPC Traffic Mirroring
Answer: D

Traffic Mirroring copies packets from ENIs to a monitoring target; it observes traffic, it does not block it.

Why this answer

The answer is D because, among the options, only VPC Traffic Mirroring delivers the full traffic (payload included) from selected network interfaces to a central monitoring appliance, where it can be analysed and logged in one place. Option A (NAT Gateway) provides outbound internet access but does not log traffic; flow logs on it record metadata only. Option C (VPC Flow Logs) records IP-level metadata but cannot control anything.

Option B (Network ACL) controls traffic at the subnet level but does not log it.

Practitioner note: Traffic Mirroring itself enforces nothing. If the requirement is to both control and log egress centrally, the service built for that is AWS Network Firewall (or a firewall appliance behind a Gateway Load Balancer) in a central egress VPC, which is not among the options here.

611
MCQ (medium)

A company wants to monitor network traffic in their VPC for troubleshooting and security analysis. They need to capture IP traffic information, including source/destination IPs, ports, and protocol, but not the packet payload. Which AWS service should be used?

A.Amazon CloudWatch Logs.
B.AWS Network Firewall.
C.VPC Flow Logs.
D.AWS Traffic Mirroring.
Answer: C

VPC Flow Logs capture metadata without payload.

Why this answer

VPC Flow Logs record metadata about IP traffic to and from network interfaces, including source/destination IPs, ports, protocol, packet and byte counts and the accept/reject action, but never the payload. That meets the requirement for troubleshooting and security analysis without the storage cost or privacy concerns of full packet capture.

Exam trap

The trap is confusing VPC Flow Logs (metadata only) with Traffic Mirroring (full packet capture). The question explicitly excludes payload capture, which rules the latter out.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Logs is a destination for log data (flow logs can be delivered to it), not a service that captures traffic from the VPC. Option B is wrong because AWS Network Firewall filters traffic according to rules; its flow and alert logs must be configured explicitly and cover only traffic that passes through the firewall endpoints, so it is not the general way to record metadata for every interface in the VPC. Option D is wrong because Traffic Mirroring copies entire packets, payload included, to a monitoring target, which exceeds the requirement.
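To make the metadata concrete: the parser below, an added example that is not part of the question bank, reads default-format version 2 flow log records (the five lines are constructed) and answers two questions a responder asks first: which accepted SSH connections came from outside RFC 1918 space, and which sources are hammering port 22 and being rejected. NODATA records, which carry no addresses, are skipped.

```python
"""Parse VPC Flow Log records (default format, version 2) and extract two signals (added example)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Documented field order of the default flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# RFC 1918 only: ipaddress.is_private would also treat documentation ranges
# such as 203.0.113.0/24 as private, which would hide the first sample record.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (account ID, ENI and addresses are made up).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.7 10.0.3.15 51522 22 6 6 360 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.9 10.0.3.15 40211 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.9 10.0.3.15 40212 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 10.0.1.20 10.0.3.15 33412 80 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Yield one dict per usable record; malformed and NODATA/SKIPDATA lines are dropped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for k in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[k] = int(rec[k])
        yield rec


def is_internal(addr):
    """True for RFC 1918 addresses, i.e. sources that belong to the VPC or on-premises."""
    ip = ip_address(addr)
    return any(ip in n for n in RFC1918)


def accepted_from_internet(records, port=22):
    """(src, dst) pairs where a non-RFC1918 source reached TCP `port` and the flow was ACCEPTed."""
    return sorted({(r["srcaddr"], r["dstaddr"]) for r in records
                   if r["dstport"] == port and r["protocol"] == 6
                   and r["action"] == "ACCEPT" and not is_internal(r["srcaddr"])})


def rejected_sources(records, port=22):
    """Count REJECTed attempts on `port` per source: the trail a scanner or brute-forcer leaves."""
    return Counter(r["srcaddr"] for r in records
                   if r["dstport"] == port and r["action"] == "REJECT")


if __name__ == "__main__":
    recs = list(parse_flow_log(SAMPLE_LOG))
    print("accepted SSH from the internet:", accepted_from_internet(recs))
    print("rejected SSH attempts by source:", rejected_sources(recs).most_common())
```

On real data, point `parse_flow_log` at the lines pulled from the CloudWatch log group or the S3 objects the flow log delivers to; an ACCEPT on port 22 from a public address is a security-group finding to chase, not just a log line.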

612
Multi-Select (medium)

Which TWO statements are correct regarding the use of AWS Network Firewall? (Choose 2)

Select 2 answers
A.It supports stateful inspection using Suricata-compatible rules
B.It can be used with AWS Transit Gateway for centralized inspection
C.It can be used to inspect traffic between on-premises and AWS without a VPC
D.It provides automatic SSL/TLS decryption
E.It is a managed service that can be deployed outside of a VPC
Answers: A, B

Network Firewall's stateful engine is Suricata-compatible, and it is normally deployed in a central inspection VPC behind Transit Gateway.

Why this answer

Option A is correct because stateful rule groups accept Suricata-compatible rule syntax. Option B is correct because the usual design is a central inspection VPC with firewall endpoints in each AZ, with Transit Gateway route tables steering spoke traffic through it. Option E is wrong because the firewall endpoints are deployed into subnets of a VPC; the service cannot sit outside one.

Option C is wrong because on-premises traffic is inspected only when it is routed into a VPC (via Transit Gateway or a virtual private gateway) that hosts firewall endpoints. Option D is wrong because decryption is not automatic: it requires an explicit TLS inspection configuration with a certificate from ACM, and only the traffic matched by that configuration is decrypted.

613
MCQ (medium)

A company is designing a VPC with public and private subnets in two Availability Zones. The private subnets host EC2 instances that need to download patches from the internet. The company wants to minimize costs while ensuring high availability. Which solution meets these requirements?

A.Create a NAT gateway in one public subnet and use a second NAT gateway in a different AZ as a backup, but only route traffic to the primary.
B.Create a NAT gateway in one public subnet and configure route tables for private subnets to use it.
C.Launch a NAT instance in one public subnet and configure route tables for private subnets to use it.
D.Create a NAT gateway in a public subnet in each Availability Zone and configure route tables for private subnets to use the NAT gateway in the same AZ.
Answer: D

One NAT gateway per AZ, each private subnet routed to its own AZ's gateway: no cross-AZ dependency and no idle resource.

Why this answer

Option D is correct because a NAT gateway is an AZ-level resource; one per AZ with AZ-local routing means an AZ failure takes down only that AZ's egress, and no cross-AZ data-transfer charges are incurred. Option A is wrong because a standby NAT gateway that no route table points at provides no failover: route tables do not switch over on their own, so the "backup" only adds cost. Option B is wrong because a single NAT gateway is a single point of failure for every private subnet.

Option C is wrong because a NAT instance is a single EC2 instance that you must patch, size and monitor, with no built-in redundancy.
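The AZ-affinity and Elastic IP conditions in questions 601 and 613 can be verified mechanically. The audit below, an added example not from the question bank, takes subnets, route tables and NAT gateways in the shape returned by the describe-* API calls (the data here is constructed; identifiers such as nat-1b are made up) and reports, per private subnet, a missing default route, a NAT gateway in a different AZ, one that is not available, or one created with the private connectivity type and therefore without an Elastic IP.

```python
"""Audit private-subnet egress: one healthy, public NAT gateway in the subnet's own AZ (added example)."""

# Constructed data mirroring describe-subnets / describe-nat-gateways / describe-route-tables.
SUBNET_AZ = {  # SubnetId -> AvailabilityZone
    "subnet-pub-1a": "us-east-1a", "subnet-pub-1b": "us-east-1b",
    "subnet-priv-1a": "us-east-1a", "subnet-priv-1b": "us-east-1b",
    "subnet-priv-1c": "us-east-1c",
}

NAT_GATEWAYS = {
    "nat-1a": {"SubnetId": "subnet-pub-1a", "State": "available", "ConnectivityType": "public",
               "NatGatewayAddresses": [{"AllocationId": "eipalloc-1a", "PublicIp": "198.51.100.10"}]},
    # Created with the private connectivity type: no Elastic IP, hence no internet path.
    "nat-1b": {"SubnetId": "subnet-pub-1b", "State": "available", "ConnectivityType": "private",
               "NatGatewayAddresses": [{"PrivateIp": "10.0.2.40"}]},
}

ROUTE_TABLES = [
    {"RouteTableId": "rtb-priv-1a", "Associations": [{"SubnetId": "subnet-priv-1a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1a"}]},
    {"RouteTableId": "rtb-priv-1b", "Associations": [{"SubnetId": "subnet-priv-1b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1b"}]},
    # Third private subnet routes cross-AZ to nat-1a: works, but costs money and fails with AZ a.
    {"RouteTableId": "rtb-priv-1c", "Associations": [{"SubnetId": "subnet-priv-1c"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1a"}]},
]


def default_nat(route_table):
    """NAT gateway ID targeted by the 0.0.0.0/0 route, or None if there is no such NAT route."""
    for r in route_table["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return r.get("NatGatewayId")
    return None


def audit_private_egress(route_tables, subnet_az, nat_gateways):
    """Return {subnet_id: [finding, ...]}; an empty list means the subnet's egress is healthy."""
    report = {}
    for rtb in route_tables:
        for assoc in rtb.get("Associations", []):
            subnet = assoc.get("SubnetId")
            if subnet is None:  # the main-table association carries no subnet
                continue
            findings = []
            nat_id = default_nat(rtb)
            if nat_id is None:
                findings.append("no 0.0.0.0/0 route to a NAT gateway")
            elif nat_id not in nat_gateways:
                findings.append(f"{nat_id} not found")
            else:
                nat = nat_gateways[nat_id]
                if nat["State"] != "available":
                    findings.append(f"{nat_id} state is {nat['State']}")
                has_eip = any("AllocationId" in a for a in nat["NatGatewayAddresses"])
                if nat["ConnectivityType"] != "public" or not has_eip:
                    findings.append(f"{nat_id} has no Elastic IP (connectivity type {nat['ConnectivityType']})")
                if subnet_az[nat["SubnetId"]] != subnet_az[subnet]:
                    findings.append(f"{nat_id} is in {subnet_az[nat['SubnetId']]}, subnet is in {subnet_az[subnet]}")
            report[subnet] = findings
    return report


if __name__ == "__main__":
    for subnet, findings in audit_private_egress(ROUTE_TABLES, SUBNET_AZ, NAT_GATEWAYS).items():
        print(subnet, "OK" if not findings else "; ".join(findings))
```

Run it against the output of `describe-route-tables`, `describe-subnets` and `describe-nat-gateways` for a VPC; the AZ mismatch finding is the cross-AZ dependency that question 613 is about, and the missing Elastic IP finding is the explanation the page gives for question 601.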

614
MCQ (medium)

A company has a VPC with an application load balancer (ALB) in public subnets and web servers in private subnets. The web servers must be accessible only from the ALB. What is the most secure and efficient configuration?

A.Configure the web server security group to allow inbound HTTP from 0.0.0.0/0.
B.Configure the web server security group to allow inbound HTTP from the ALB's security group.
C.Configure the web server security group to allow inbound HTTP from the ALB's private IP addresses.
D.Configure the web server security group to allow inbound HTTP from the VPC CIDR.
Answer: B

Only members of the ALB's security group can reach the web tier.

Why this answer

Option B is correct because a security group rule can name another security group as its source; the rule then matches traffic from whichever ENIs belong to that group, here the ALB nodes, whose addresses change as the ALB scales. Option A is wrong because it admits port 80 from anywhere, which defeats the point of the private subnets. Option C is wrong because ALB node addresses are not static; the rule would break when the ALB scales or fails over.

Option D is wrong because the VPC CIDR includes every instance in the VPC, not just the ALB.

615
Multi-Select (hard)

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. They have a VPC with a subnet that hosts a web application. They need to ensure that traffic from the on-premises network to the web application does not traverse the internet. Which TWO components are required? (Select TWO.)

Select 2 answers
A.Internet Gateway attached to the VPC
B.Direct Connect Gateway associated with the Transit Gateway
C.Direct Connect private virtual interface attached to a Direct Connect Gateway
D.Site-to-Site VPN connection to the Transit Gateway
E.CloudFront distribution in front of the web application
Answers: B, C

The Direct Connect gateway is what joins the Direct Connect virtual interface to the Transit Gateway.

Why this answer

To reach a VPC behind a Transit Gateway from on-premises without touching the internet, the Direct Connect virtual interface must terminate on a Direct Connect gateway, and that Direct Connect gateway must be associated with the Transit Gateway; the on-premises prefixes then propagate into the Transit Gateway route table. Option D (Site-to-Site VPN) is encrypted but still crosses the internet. Option A (Internet Gateway) is the internet path itself. Option E (CloudFront) is a CDN that would front the application from the public internet.

Caveat: a Direct Connect gateway associated with a Transit Gateway is reached over a transit virtual interface; a private virtual interface associates the Direct Connect gateway with virtual private gateways instead. The exam treats option C as "the Direct Connect path"; in practice, plan for a transit VIF.

616
MCQ (easy)

A company has a VPC with public and private subnets. They launch an Amazon RDS for MySQL DB instance in a private subnet. The DB instance needs to be accessible from an on-premises application that connects via an AWS Site-to-Site VPN. What is the MOST secure way to allow the on-premises application to connect to the DB instance?

A.Assign a public IP address to the DB instance and restrict access using a security group.
B.Place the DB instance in a private subnet and use a NAT gateway to allow inbound traffic.
C.Place the DB instance in a public subnet and configure a network ACL to allow traffic from the on-premises CIDR.
D.Place the DB instance in a private subnet and configure a security group to allow inbound traffic from the on-premises CIDR.
Answer: D

A private subnet plus a security group scoped to the on-premises CIDR gives stateful, granular control with no internet exposure.

Why this answer

Option D is correct. Keep the RDS instance in a private subnet and allow the database port only from the on-premises CIDR (or, better, only from the specific application hosts). The connection arrives over the VPN, so nothing needs to be exposed to the internet; leave the instance's publicly accessible setting off.

Option A is incorrect because a publicly reachable database is an unnecessary exposure. Option C is incorrect because a network ACL is stateless and coarser than a security group, and moving the instance into a public subnet adds exposure for no benefit. Option B is incorrect because a NAT gateway only serves connections initiated from inside the subnet; it cannot admit inbound connections.

617
Multi-Select (easy)

A network engineer needs to monitor network performance between an on-premises data center and AWS via Direct Connect. Which TWO metrics should the engineer monitor in Amazon CloudWatch?

Select 2 answers
A.VirtualInterfaceBgpState
B.ConnectionBandwidthUtilization
C.Jitter
D.PacketLoss
E.Latency
Answers: A, B

Session state and bandwidth utilization are what Direct Connect publishes; delay and loss are not.

Why this answer

The correct answers are A and B: the AWS/DX CloudWatch namespace publishes connection and virtual-interface state together with ingress/egress bits-per-second and packets-per-second counters, which is what the BGP-state and bandwidth-utilization options stand for (check the exact metric names in the namespace when creating alarms; the option labels here are simplified). Option E is wrong because latency is not a Direct Connect metric. Option D is wrong because packet loss is not published either, beyond the connection's error counters.

Option C is wrong because jitter is not a Direct Connect metric. Measure latency, jitter and loss end-to-end yourself, for example with scheduled probes from on-premises to an instance behind the connection.

618
MCQ (easy)

A company wants to restrict access to an EC2 instance such that only traffic from a specific security group (sg-12345678) can reach it. The instance is in a VPC with default network ACLs. What should the security group rule for the instance be?

A.Inbound rule with source set to the CIDR block of the VPC
B.Inbound rule with source set to sg-12345678
C.Inbound rule with source set to the VPC's CIDR block
D.Inbound rule with source set to a prefix list that includes the security group
Answer: B

A security group rule can name another security group as its source.

Why this answer

Option B is correct. A rule whose source is sg-12345678 matches traffic from any ENI that carries that group, regardless of its IP address. Options A and C are wrong (they describe the same thing) because a CIDR admits every address in the range, not only the members of the security group.

Option D is wrong because a managed prefix list is a list of CIDR blocks; it cannot contain a security group, so it cannot express "only members of sg-12345678". Because the default network ACL allows all traffic, no ACL change is needed.

619
Multi-Select (medium)

A company is deploying a new application across multiple Availability Zones in a VPC. The application needs to be highly available and must handle traffic from both internal users and external customers. Which TWO options should the network team implement to meet these requirements? (Choose two.)

Select 2 answers
A.Attach an Internet Gateway to the VPC.
B.Use a Network Load Balancer to distribute traffic across AZs.
C.Provision a NAT Gateway in each AZ for outbound connectivity from private subnets.
D.Create a single NAT Gateway in one AZ for outbound traffic.
E.Deploy an Application Load Balancer in each public subnet across multiple AZs.
Answers: C, E

A NAT Gateway per AZ keeps private-subnet egress alive if an AZ fails; an ALB with subnets in several AZs keeps ingress alive.

Why this answer

Option E is correct because an Application Load Balancer with enabled subnets in several AZs places nodes in each of them and routes to healthy targets across AZs. Option C is correct because NAT Gateways are AZ-scoped; one per AZ, each used by its own AZ's private subnets, lets instances reach the internet without a cross-AZ dependency. Option D is wrong because a single NAT Gateway in one AZ is a single point of failure.

Option B is wrong not because a Network Load Balancer cannot span AZs (it can) but because the question describes a web application, for which the ALB's layer-7 features fit, and nothing in it calls for a TCP/UDP load balancer. Option A is wrong because an Internet Gateway is already required for any internet-facing VPC and is a single redundant, horizontally scaled resource; attaching it does nothing for per-AZ availability.

620
MCQ (medium)

A security engineer needs to allow an EC2 instance in a private subnet to access an S3 bucket without traversing the internet. Which solution meets this requirement?

A.Attach an Internet Gateway to the VPC.
B.Use AWS Direct Connect to connect to S3.
C.Create a VPC Gateway Endpoint for S3.
D.Deploy a NAT gateway in a public subnet and update the route table.
Answer: C

A gateway endpoint for S3 keeps the traffic on the AWS network.

Why this answer

Option C is correct because a gateway endpoint adds a route for the S3 prefix list to the private subnet's route table, so S3 requests never take the internet path. Option D is wrong because a NAT gateway sends the traffic out through the Internet Gateway to the public S3 endpoint. Option A is wrong because an Internet Gateway gives the instance a public path, the opposite of the requirement (and does nothing for an instance without a public IP).

Option B is wrong because Direct Connect links on-premises networks to AWS; it is not a path from an instance inside a VPC to S3.

621
MCQ (hard)

A company is designing a VPC with public and private subnets. The private subnets need to access Amazon S3 and Amazon DynamoDB. The company wants to minimize data transfer costs and avoid using a NAT gateway. What is the MOST cost-effective solution?

A.Set up an HTTP proxy in the private subnets and configure the applications to use it
B.Use a NAT instance instead of a NAT gateway
C.Create VPC endpoints for S3 and DynamoDB in the private subnets and update route tables
D.Create a NAT gateway in a public subnet and route private subnet traffic to it
Answer: C

Gateway endpoints for S3 and DynamoDB have no charge and remove the need for a NAT gateway.

Why this answer

Option C is correct because S3 and DynamoDB are the two services with gateway endpoints, which are free and are added as prefix-list routes to the private subnets' route tables (a gateway endpoint attaches to route tables, not to subnets or ENIs). Option D is wrong because a NAT gateway incurs hourly and per-GB data-processing charges. Option A is wrong because an HTTP proxy is extra infrastructure to run and patch, and still needs an egress path of its own.

Option B is wrong because a NAT instance still costs EC2 hours and bandwidth and adds operational burden.

622
MCQ (easy)

A networking engineer is troubleshooting connectivity issues between two VPCs that are peered using a VPC peering connection. The VPCs are in different AWS accounts. The engineer has verified that the route tables are correct and the security groups allow traffic. However, ICMP ping fails from an instance in VPC A to an instance in VPC B. What is a likely cause?

A.The route tables in both VPCs do not have the route propagation enabled.
B.The VPC CIDR blocks overlap.
C.There is a VPN connection attached to both VPCs that creates a transitive routing issue.
D.The security group in VPC A does not allow inbound ICMP from VPC B.
E.The network ACLs are not configured correctly for return traffic.
Answer: C

VPC peering is not transitive; another path (here a VPN to the same remote network on both sides) that overlaps the peered CIDRs can pull traffic away from the peering connection.

Why this answer

Option C is correct because VPC peering carries only traffic between the two peered VPCs, via static routes in each VPC. If both VPCs also have a VPN to the same on-premises network and that network advertises prefixes covering the peer VPC's CIDR, the propagated routes compete with (and, depending on prefix length, can beat) the peering routes, so the packets are sent down the tunnel and never reach the peer over the peering connection. That breaks ping even when the peering routes and security groups look correct.

Exam trap

AWS often tests that VPC peering does not support transitive routing, and candidates may overlook how a VPN attached to both VPCs can introduce a competing path for the peer's CIDR.

How to eliminate wrong answers

Option A is wrong because route propagation is a virtual private gateway feature (VPN or Direct Connect); VPC peering uses static routes, so propagation is not required. Option B is wrong because overlapping CIDRs prevent the peering connection from becoming active in the first place; here the connection exists and the route tables have been verified. Option D is wrong because it names the wrong direction: for a ping from A to B, the security group in VPC B must allow inbound ICMP from A (the reply is allowed by the stateful security group), and the scenario states that security groups already allow the traffic.

Option E is wrong for the exam because the question steers toward the transitive-routing concept, but it is the first thing to check in practice: network ACLs are stateless, so the subnet in B must allow the inbound echo request and the outbound echo reply, and the subnet in A the reverse. VPC Reachability Analyzer will show which route table, security group or network ACL drops the path.

623
MCQ (hard)

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network uses BGP to advertise a specific prefix (10.0.0.0/16) to AWS. The VPC CIDR is 10.0.0.0/16. The company wants to ensure that traffic from the VPC to on-premises uses the Direct Connect connection. However, traffic is going over the internet instead. What is the most likely cause?

A.The on-premises BGP ASN is prepended, causing the route to be less preferred.
B.The on-premises prefix is less specific than the VPC CIDR, so the VPC route takes precedence.
C.The VPC CIDR overlaps with the on-premises prefix, and the local route in the VPC route table takes precedence.
D.The BGP route is not being propagated into the VPC route table.
Answer: C

When the advertised prefix is the VPC's own CIDR, the local route absorbs the traffic and the Direct Connect route is never used.

Why this answer

Option C is correct because every VPC route table carries a local route for the VPC CIDR, and a route propagated from the virtual private gateway that overlaps the local route is never preferred, even when it is more specific. With 10.0.0.0/16 advertised against a 10.0.0.0/16 VPC, every on-premises destination looks like a local address, so packets never take the Direct Connect path. The fix is to re-address one side or to advertise non-overlapping prefixes; no amount of BGP tuning helps. Option B is wrong because the prefixes are identical, and longest-prefix match does not override the local route anyway.

Option A is wrong because AS-path prepending only influences preference among BGP-learned paths; it cannot beat the local route. Option D would also stop the traffic using Direct Connect, but it does not explain a failure when the on-premises prefix equals the VPC CIDR: even a propagated route would lose to the local route, so the overlap is the root cause.
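Questions 602 and 623 both come down to route evaluation order. The model below is an added example, not from the question bank; it encodes the documented rules (VPC route table: a propagated route that overlaps the local route loses even when more specific, otherwise longest prefix, then static over propagated; Transit Gateway route table: longest prefix, then static over propagated, then attachment type) and replays both scenarios with constructed route entries. Attachment names such as attach-vpc-b are made up.

```python
"""Model of route selection in a VPC route table and a Transit Gateway route table (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Documented tie-break among propagated Transit Gateway routes for the same prefix.
PROPAGATION_RANK = {"vpc": 0, "dxgw": 1, "connect": 2, "vpn": 3}


@dataclass(frozen=True)
class Route:
    prefix: str
    target: str       # "local", "vgw-1", "attach-vpc-b", "blackhole", ...
    origin: str       # "local", "static" or "propagated"
    source: str = ""  # attachment type for propagated Transit Gateway routes


def _matching(routes, dst):
    ip = ip_address(dst)
    return [r for r in routes if ip in ip_network(r.prefix)]


def select_vpc_route(routes, dst):
    """VPC route table: local beats overlapping propagated routes; then longest prefix; then static."""
    cands = _matching(routes, dst)
    if any(r.origin == "local" for r in cands):
        # Question 623: routes propagated from the VGW that overlap the VPC CIDR never win.
        cands = [r for r in cands if r.origin != "propagated"]
    if not cands:
        return None
    return max(cands, key=lambda r: (ip_network(r.prefix).prefixlen, r.origin == "static"))


def select_tgw_route(routes, dst):
    """Transit Gateway route table: longest prefix; then static over propagated; then source rank."""
    cands = _matching(routes, dst)
    if not cands:
        return None
    return max(cands, key=lambda r: (ip_network(r.prefix).prefixlen,
                                     r.origin == "static",
                                     -PROPAGATION_RANK.get(r.source, len(PROPAGATION_RANK))))


# Question 602: VPC B contributes 10.2.0.0/16; on-premises leaks 10.2.1.0/24 over the VPN.
TGW_TABLE = [
    Route("10.1.0.0/16", "attach-vpc-a", "propagated", "vpc"),
    Route("10.2.0.0/16", "attach-vpc-b", "propagated", "vpc"),
    Route("10.2.1.0/24", "attach-vpn-onprem", "propagated", "vpn"),
    Route("192.168.0.0/16", "attach-vpn-onprem", "propagated", "vpn"),
]
# Remedy: a static route for the leaked prefix pins it to the VPC attachment.
TGW_TABLE_FIXED = TGW_TABLE + [Route("10.2.1.0/24", "attach-vpc-b", "static")]

# Question 623: VPC CIDR and the on-premises advertisement are both 10.0.0.0/16.
VPC_TABLE = [
    Route("10.0.0.0/16", "local", "local"),
    Route("10.0.0.0/16", "vgw-1", "propagated"),
    Route("10.0.5.0/24", "vgw-1", "propagated"),   # even this more specific route loses
    Route("172.16.0.0/12", "vgw-1", "propagated"),  # non-overlapping prefixes work as expected
]

if __name__ == "__main__":
    print("602 before fix:", select_tgw_route(TGW_TABLE, "10.2.1.50").target)
    print("602 after fix: ", select_tgw_route(TGW_TABLE_FIXED, "10.2.1.50").target)
    print("623 to 10.0.5.10:", select_vpc_route(VPC_TABLE, "10.0.5.10").target)
```

The TGW scenario shows why the question-602 detour happens (the /24 wins on prefix length) and why a static route for the same prefix cures it; the VPC scenario shows that for question 623 even a more specific on-premises prefix inside the VPC CIDR is absorbed by the local route, so only re-addressing fixes the overlap.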

624
MCQ (medium)

A company is running a stateful firewall appliance in an EC2 instance in a VPC. The appliance inspects traffic between subnets. The company needs to ensure that traffic from the web tier subnet to the application tier subnet passes through the firewall, but the firewall itself must not affect other traffic. Which configuration should the company implement?

A.Place the firewall in the same subnet as the web tier and use security groups to redirect traffic.
B.Place the firewall in a separate subnet and use network ACLs to force traffic through it.
C.Use a Gateway Load Balancer to deploy the firewall appliance in a separate subnet, and configure route tables to send inter-subnet traffic to the Gateway Load Balancer endpoint.
D.Use a transit gateway with appliance mode and attach all subnets to it, then configure routing to send traffic through the firewall.
Answer: C

A Gateway Load Balancer endpoint can be the target of subnet-level routes more specific than the local route, so only the chosen inter-subnet traffic is steered through the appliance.

Why this answer

Option C is correct because a Gateway Load Balancer fronts the appliance in its own subnet, and VPC route tables can carry routes more specific than the local route (the middlebox routing feature) whose target is the Gateway Load Balancer endpoint: the web-tier subnet's route table gets a route for the application-tier subnet CIDR pointing at the endpoint, and the application-tier table gets the reverse. Traffic between other subnets still follows the local route and is untouched. Option A is wrong because a security group filters; it cannot redirect traffic. Option B is wrong because a network ACL is a stateless filter at the subnet edge; it cannot force packets through an appliance.

Option D is wrong because a transit gateway attaches whole VPCs, not subnets, so it cannot steer traffic between two subnets of the same VPC; appliance mode only matters for flows between attachments.

625
MCQmedium

A company is designing a multi-region architecture with an Application Load Balancer (ALB) in each region. They need to route traffic to the closest healthy endpoint. Which AWS service should be used for global load balancing?

A.Use a single Application Load Balancer in one region with cross-region VPC peering.
B.Use AWS Global Accelerator with an endpoint group in each region.
C.Use Route 53 latency-based routing with health checks.
D.Use a Network Load Balancer in each region and Route 53 weighted routing.
AnswerB

Global Accelerator provides anycast IP and routes to the closest healthy endpoint.

Why this answer

Option B is correct because AWS Global Accelerator advertises static anycast IP addresses from AWS edge locations and forwards each connection over the AWS backbone to the closest healthy endpoint group, with health checks and failover built in. Option A is wrong because an ALB is regional, and VPC peering does not make it global. Option D is wrong because an NLB is also regional, and weighted routing distributes by percentage rather than proximity.

Option C is wrong only in the sense the question intends: Route 53 latency-based routing with health checks is a valid DNS-based design, but resolver caching and TTLs delay failover and clients get no fixed IP; Global Accelerator routes at the network layer and reacts to health changes without waiting for DNS caches to expire.

626
MCQmedium

A company uses AWS Transit Gateway to connect multiple VPCs. The network team notices that traffic between two VPCs is taking a suboptimal path through a third VPC. What is the most likely cause?

A.Security groups are blocking the direct path, forcing traffic through a third VPC.
B.BGP is not configured between the VPCs, so traffic defaults through a transit VPC.
C.ECMP routing is enabled, causing traffic to be load-balanced across multiple paths.
D.Incorrect route table associations and propagations in the Transit Gateway.
AnswerD

Route tables determine which attachments can reach each other.

Why this answer

Option D is correct because Transit Gateway route tables, and the association and propagation of each attachment to them, control the path of inter-VPC traffic. If the route table associated with VPC A's attachment carries a route for VPC B's CIDR that points at the third VPC's attachment (a stale static route or a leftover default route, for example), traffic is forwarded there instead of directly to VPC B. Option C is wrong because ECMP load-balances across equal-cost paths to the same destination; it does not send traffic through an intermediate VPC.

Option A is wrong because security groups filter traffic at the instance level and have no effect on routing. Option B is wrong because BGP is not used between VPC attachments on a Transit Gateway; VPC routes are propagated from the attachment's CIDRs, and BGP applies only to VPN, Direct Connect gateway and Connect attachments.

627
MCQmedium

A company applies the above S3 bucket policy. An administrator reports that an application using the AWS SDK is unable to upload objects to the bucket from an EC2 instance in the same account. The EC2 instance has an IAM role with s3:PutObject permission. What is the most likely cause?

A.The bucket policy grants access to the root user only, not the IAM role.
B.The application is not using server-side encryption.
C.The bucket policy does not grant access to the bucket itself, only to objects.
D.The application is using HTTP instead of HTTPS.
AnswerD

The condition requires secure transport; HTTP requests are denied.

Why this answer

Option D is correct because the policy's condition on aws:SecureTransport denies any request that arrives over plain HTTP. AWS SDKs, including the one on the EC2 instance, use HTTPS by default, so this only happens when the client has been configured with an http:// endpoint or has SSL disabled, which is exactly the misconfiguration the condition is meant to catch. Option A is wrong because within the same account the IAM role's own s3:PutObject permission is enough to allow the upload; a bucket policy statement naming the account root does not revoke it, only an explicit Deny can. Option C is wrong because the resource list covers both the bucket ARN and the object ARNs (bucket/*).

Option B is wrong because the condition does not require encryption at rest; it only requires secure transport. A policy that wanted to enforce SSE would use a separate condition on s3:x-amz-server-side-encryption.
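The check below is an added example for this question, not AWS code and not part of the original question set: it audits a bucket policy document for the aws:SecureTransport deny pattern and shows the two ways the pattern is commonly written so that it does nothing. The policy documents, bucket name and account ID are constructed for the example; fetching a live policy with boto3's get_bucket_policy() is left out so the script runs offline.

```python
"""Audit an S3 bucket policy for the aws:SecureTransport deny pattern.

Added example; policy documents below are constructed, not taken from any
real bucket.
"""
import json
from typing import Any


def _as_list(value: Any) -> list:
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} both mean every caller."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def enforces_tls(policy_doc: str, bucket: str) -> bool:
    """True if the policy explicitly denies every S3 action on the bucket and
    its objects for any principal whenever aws:SecureTransport is false."""
    bucket_arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(json.loads(policy_doc).get("Statement", [])):
        # An Allow conditioned on SecureTransport=true does NOT enforce TLS: the
        # caller's identity-based permissions still allow the plaintext request.
        if stmt.get("Effect") != "Deny":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"s3:*", "*"}:
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        # Resource must cover the bucket itself (ListBucket) and the objects (Put/Get).
        if bucket_arns <= set(_as_list(stmt.get("Resource", []))):
            return True
    return False


# Constructed sample policies for a hypothetical bucket "example-bucket".
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Mistake 1: an Allow with SecureTransport=true adds nothing; HTTP requests are
# still permitted by the caller's own IAM permissions.
ALLOW_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
})

# Mistake 2: the Deny covers objects only, so a plaintext ListBucket still works.
OBJECTS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

if __name__ == "__main__":
    for name, doc in [("good", GOOD_POLICY), ("allow-only", ALLOW_ONLY_POLICY),
                      ("objects-only", OBJECTS_ONLY_POLICY)]:
        print(f"{name}: enforces TLS = {enforces_tls(doc, 'example-bucket')}")
```

On the client side, boto3 only sends plaintext when a client is created with use_ssl=False or an endpoint_url beginning with http://; against the good policy such an upload fails with a 403 AccessDenied, which is the symptom described in the question.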

628
Multi-Selecthard

Which THREE actions can AWS Config perform to help with network security compliance? (Choose 3)

Select 3 answers
A.Evaluate whether security groups allow unrestricted SSH access
B.Automatically block non-compliant traffic
C.Track changes to Network ACLs and security groups
D.Send alerts when a security group rule is modified
E.Prevent creation of VPCs that do not have a specific tag
AnswersA, C, D

Config rules can check for specific security group rules.

Why this answer

Option A is correct because Config evaluates resources against rules, including the managed rule restricted-ssh, which flags security groups that allow TCP 22 from 0.0.0.0/0. Option C is correct because Config records every configuration change to security groups and network ACLs and keeps the history. Option D is correct because Config can publish configuration change and compliance notifications to an SNS topic, or raise EventBridge events, from which alerts are sent.

Option B is wrong because Config is not in the data path and cannot block traffic; it can trigger remediation through Systems Manager Automation documents or Lambda, but that changes the configuration after the fact rather than stopping packets. Option E is wrong because Config evaluates resources after they exist; it does not prevent creation. Blocking untagged VPCs is a job for service control policies or IAM condition keys.

629
MCQeasy

Which AWS service can be used to centrally manage and enforce security group rules across multiple accounts in AWS Organizations?

A.AWS Identity and Access Management (IAM)
B.AWS Firewall Manager
C.AWS Config
D.AWS Shield Advanced
AnswerB

Centrally manages security groups.

Why this answer

Option B is correct because AWS Firewall Manager deploys common security group policies across the accounts of an AWS Organization, audits existing groups against them and re-applies them when they drift. It requires AWS Organizations and AWS Config to be enabled in the member accounts. Option C is wrong because AWS Config evaluates and reports on security groups but does not enforce them. Option D is wrong because AWS Shield Advanced is for DDoS protection.

Option A is wrong because IAM governs who may call APIs, not the contents of security group rules.

630
MCQmedium

A company is using AWS CloudTrail to log API calls. They want to ensure that log files are encrypted at rest and that any tampering with logs is detectable. Which combination of services should they use?

A.S3 server-side encryption and CloudTrail log file validation
B.AWS KMS and CloudWatch Logs
C.S3 bucket policies and versioning
D.IAM roles and S3 bucket policies
AnswerA

Encryption protects at rest; validation detects tampering.

Why this answer

Option A is correct because S3 server-side encryption (SSE-S3 or SSE-KMS) encrypts the delivered log files at rest, and CloudTrail log file validation delivers hourly digest files containing a SHA-256 hash of every log file and an RSA signature, so aws cloudtrail validate-logs can detect any modified, deleted or missing file. Option B is wrong because KMS with CloudWatch Logs encrypts but gives no integrity proof. Option C is wrong because versioning preserves old copies but does not prove which copy is genuine, and bucket policies do not encrypt.

Option D is wrong because IAM roles and bucket policies control access; they neither encrypt the files nor detect tampering.

631
Multi-Selectmedium

A company is designing a network security architecture for a multi-tier application. They want to ensure that the web tier can communicate with the application tier only on specific ports, and the application tier can communicate with the database tier only on specific ports. Which TWO configurations should be implemented?

Select 2 answers
A.Use a transit gateway with network ACLs to filter traffic between tiers.
B.Use VPC peering to connect the tiers and apply security groups on the peering connection.
C.Use network ACLs to provide a secondary layer of stateless filtering at the subnet level.
D.Use a single security group for all tiers and define rules based on CIDR blocks.
E.Use security groups for each tier and allow traffic only from the source security group on the required ports.
AnswersC, E

Network ACLs can be used to further restrict traffic between subnets.

Why this answer

Options C and E are correct. A security group per tier that allows inbound traffic only from the previous tier's security group ID on the required port (for example TCP 8080 from the web tier's group into the application tier, TCP 3306 from the application tier's group into the database tier) enforces the rule regardless of IP addresses. Network ACLs on the tier subnets add a second, stateless layer; because they are stateless they must also allow the ephemeral return ports (1024-65535) in the opposite direction.

Option D is wrong because a single security group shared by all tiers cannot distinguish one tier from another, and rules based on CIDR blocks break as soon as instances move between subnets. Option B is wrong because VPC peering connects separate VPCs, and security groups are attached to network interfaces, not to peering connections. Option A is wrong because a transit gateway connects VPCs and on-premises networks; it does not filter traffic between subnets of one VPC, and network ACLs are a subnet feature, not a transit gateway feature.

632
MCQhard

A company is designing a global application that will use Amazon CloudFront to serve content from an Application Load Balancer (ALB) in us-east-1. They want to restrict access to the ALB so that it only accepts traffic from CloudFront. Additionally, they want to ensure that if someone bypasses CloudFront and directly accesses the ALB, the request is denied. Which solution should they implement?

A.Use CloudFront Origin Access Control (OAC) to restrict access to the ALB.
B.Configure the ALB security group to allow inbound traffic only from the CloudFront IP address ranges published in the AWS IP address ranges JSON file.
C.Use AWS WAF on the ALB with a rule that allows traffic only from CloudFront IP ranges.
D.Configure CloudFront to add a custom HTTP header (e.g., X-Origin-Verify) to requests forwarded to the ALB. Configure the ALB to only forward requests that contain that specific header to the target group.
AnswerD

This ensures that only requests from CloudFront with the correct header are accepted, preventing direct access.

Why this answer

Option D is correct because CloudFront adds a custom origin header (for example X-Origin-Verify) carrying a secret value to every request it forwards, and the ALB listener has a rule that forwards to the target group only when that header matches, with the listener's default action returning a fixed 403. Any request that did not pass through the distribution lacks the header and is rejected, which restricts access without relying on static IP lists. The header value must be a high-entropy secret, stored in Secrets Manager and rotated (accepting the old and new value during rotation), because anyone who learns it can bypass the check.

Exam trap

AWS often tests the misconception that CloudFront Origin Access Control (OAC) or IP-based restrictions (security groups or WAF) are sufficient for ALB origins. OAC does not support ALB origins, and an IP allowlist only proves that a request came from CloudFront's origin-facing servers, not from your distribution: anyone can create their own CloudFront distribution pointing at your ALB's DNS name and reach it from the same address ranges. The custom secret header is what ties a request to your distribution.

How to eliminate wrong answers

Option A is wrong because CloudFront Origin Access Control (OAC) supports Amazon S3 (and a few other AWS-hosted origins such as Lambda function URLs), not Application Load Balancers; it signs origin requests with AWS Signature Version 4, which an ALB does not validate. Option B is wrong because the CloudFront ranges in the JSON file change, so a security group copied from it needs constant updates, and even an accurate list does not prevent bypass: a third party's distribution reaches the ALB from the same addresses. In practice the AWS-managed prefix list for CloudFront origin-facing servers can be referenced in the ALB security group to keep that list current, but that is defence in depth alongside the header, not a substitute for it. Option C is wrong because a WAF IP-set rule on the ALB has the same limitations as Option B and adds cost without establishing that the request came through your distribution.
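The model below is an added example of the header check, not AWS code: route_request() reproduces what the ALB listener should do (a rule with an http-header condition forwards to the target group, the default action returns a fixed 403), and listener_rule_conditions() builds the condition document in the shape aws elbv2 create-rule --conditions expects. The header name and the two secret values are assumptions; in production the secret comes from Secrets Manager, and two values are accepted at once only during rotation.

```python
"""Origin-verify header check for an ALB behind CloudFront (added example)."""
import hmac
import json

HEADER_NAME = "x-origin-verify"   # the custom origin header CloudFront adds (assumed name)


def route_request(headers: dict, accepted_secrets: list) -> str:
    """Return 'forward' if the request carries a current secret, else 'fixed-response-403'.

    Header names are matched case-insensitively; values use a constant-time
    compare so a direct caller cannot time their way towards the secret.
    """
    presented = next((v for k, v in headers.items() if k.lower() == HEADER_NAME), None)
    if presented is None:
        return "fixed-response-403"
    for secret in accepted_secrets:
        if hmac.compare_digest(presented.encode(), secret.encode()):
            return "forward"
    return "fixed-response-403"


def listener_rule_conditions(accepted_secrets: list) -> str:
    """JSON for the listener rule condition (aws elbv2 create-rule --conditions)."""
    return json.dumps([{
        "Field": "http-header",
        "HttpHeaderConfig": {"HttpHeaderName": HEADER_NAME, "Values": list(accepted_secrets)},
    }])


# Constructed secrets: the current value and the previous one kept during rotation.
CURRENT_SECRET = "7f3a9c1e5b2d4806a1c3e5f79b0d2468"
PREVIOUS_SECRET = "0c2e4a6b8d1f3579b2d4f6a8c0e1b3d5"
ACCEPTED = [CURRENT_SECRET, PREVIOUS_SECRET]

if __name__ == "__main__":
    via_cloudfront = {"Host": "app.example.com", "X-Origin-Verify": CURRENT_SECRET}
    direct_to_alb = {"Host": "app.example.com"}
    print(route_request(via_cloudfront, ACCEPTED), route_request(direct_to_alb, ACCEPTED))
    print(listener_rule_conditions(ACCEPTED))
```

Two practical notes: ALB header condition values treat * and ? as wildcards, so generate the secret from hex or base64url characters only; and the same header must be configured on the CloudFront origin (origin custom headers) or every request will hit the 403 default action.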

633
MCQhard

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Site-to-Site VPN. The security team wants to inspect all traffic between VPCs using a centralized inspection VPC with third-party firewall appliances. Which architecture ensures that traffic from VPC A to VPC B is routed through the inspection VPC?

A.Attach all VPCs to a Transit Gateway. Create separate route tables: one for inspection VPC attachments and one for others. In VPC A's route table, route to VPC B via the inspection VPC attachment.
B.Create a VPC peering connection between VPC A and VPC B, and attach firewall appliances in both VPCs.
C.Use AWS PrivateLink to create VPC endpoints in VPC A and VPC B, and route traffic through the firewall VPC.
D.Deploy AWS Network Firewall in each VPC and configure VPC route tables to send traffic to the firewall endpoint.
AnswerA

This design uses Transit Gateway route tables to force traffic through the inspection VPC.

Why this answer

Option A is correct because it uses separate Transit Gateway route tables to isolate the inspection VPC and other VPCs. By configuring the route table for VPC A to point to VPC B's CIDR via the inspection VPC attachment, all inter-VPC traffic is forced through the centralized firewall appliances. This leverages Transit Gateway's ability to route traffic between attachments based on route table associations and propagations, ensuring traffic flows through the inspection VPC without requiring VPC peering or additional per-VPC firewalls.

Exam trap

The trap here is assuming that simply attaching all VPCs to a Transit Gateway automatically routes traffic through a centralized inspection VPC, when in fact you must explicitly configure separate route tables and static routes to force traffic through the inspection VPC, otherwise Transit Gateway uses its default route table for direct attachment-to-attachment routing.

How to eliminate wrong answers

Option B is wrong because VPC peering creates a direct, one-to-one network connection between VPC A and VPC B, bypassing the inspection VPC entirely, so traffic cannot be centrally inspected. Option C is wrong because AWS PrivateLink is designed for private access to services via VPC endpoints, not for routing general inter-VPC traffic through a firewall; it does not support transitive routing between VPCs. Option D is wrong because deploying AWS Network Firewall in each VPC inspects traffic locally within each VPC but does not force traffic from VPC A to VPC B through a centralized inspection VPC; it lacks the transitive routing capability needed for centralized inspection.

634
Multi-Selectmedium

A network engineer is troubleshooting intermittent connectivity issues between an on-premises data center and a VPC over a Direct Connect connection. The engineer reviews the CloudWatch metrics for the virtual interface and sees an increase in 'ConnectionReset' and 'PacketDropRate'. Which TWO actions should the engineer take to resolve the issue? (Choose TWO.)

Select 2 answers
A.Add additional BGP peers to the Direct Connect connection
B.Increase the MTU on the virtual interface to 1500
C.Check the BGP session status and metrics on the virtual interface
D.Increase the bandwidth of the VPN connection as a backup
E.Check the physical layer metrics such as light levels and signal strength
AnswersC, E

BGP issues can cause connection resets.

Why this answer

Options C and E are correct. C: the BGP session status together with the virtual interface metrics (VirtualInterfaceBpsEgress/Ingress, VirtualInterfacePpsEgress/Ingress) shows whether the session is flapping; each flap withdraws and re-advertises routes and resets established connections. E: the connection-level physical metrics (ConnectionState, ConnectionLightLevelTx, ConnectionLightLevelRx, ConnectionErrorCount) reveal a degraded optic or fibre, which presents as intermittent drops.

B is wrong because the default MTU on a private VIF is already 1500; the only alternative is 9001 (jumbo frames), and raising MTU without end-to-end support causes more drops, not fewer. A is wrong because adding BGP peers does not address resets on the existing session. D is wrong because the bandwidth of a backup VPN has no bearing on the Direct Connect path.

635
MCQeasy

A company is deploying a web application across multiple Availability Zones in a VPC. The application tier consists of EC2 instances behind an Application Load Balancer (ALB). The security team requires that all traffic between the ALB and the EC2 instances be encrypted. Which solution meets this requirement?

A.Use an internal ALB with a TCP listener and a security group that allows only HTTPS.
B.Use an HTTP listener on the ALB and enable encryption on the security group.
C.Use an HTTPS listener on the ALB with a target group that uses HTTPS.
D.Use a TCP listener on the ALB with a target group that uses TCP.
AnswerC

HTTPS provides end-to-end encryption.

Why this answer

Option C is correct because an HTTPS listener on the ALB terminates the client's TLS session, and a target group with the HTTPS protocol makes the ALB open a new TLS session to each instance, so the hop between the ALB and the instances is encrypted. Note that the ALB does not validate the target's certificate, so targets may use a self-signed certificate; this gives confidentiality on the link but not authentication of the target. Option A is wrong because an ALB has no TCP listener (that is a Network Load Balancer feature), and whether the ALB is internal or internet-facing does not change what the listener encrypts. Option B is wrong because an HTTP listener forwards plaintext, and security groups have no encryption setting.

Option D is wrong for the same reason as Option A: TCP listeners and TCP target groups belong to the NLB, and even there TCP passthrough only carries whatever encryption the client and target negotiate themselves.

636
Multi-Selecteasy

Which TWO are valid methods to encrypt data at rest in Amazon S3? (Choose TWO.)

Select 2 answers
A.SSE-C
B.Client-Side Encryption
C.SSL/TLS
D.SSE-S3
E.SSE-KMS
AnswersD, E

Server-side encryption with S3-managed keys.

Why this answer

Options D and E are the expected answers: SSE-S3 (S3-managed keys, the default for new objects since January 2023) and SSE-KMS (keys in AWS KMS, with CloudTrail records of key use) are the two server-side options whose keys AWS manages for you. Option C is wrong because SSL/TLS protects data in transit, not at rest.

Options A and B are also genuine ways to encrypt data at rest in S3 (SSE-C uses a key the client supplies with each request; client-side encryption encrypts before upload), so the question is really asking for the two AWS-managed server-side options. Treat an item like this as pick-the-most-common rather than as a statement that SSE-C or client-side encryption is invalid.

637
MCQhard

A company has a hybrid network with multiple VPCs connected via AWS Transit Gateway and an on-premises network via Direct Connect. The network team is planning to migrate a legacy application from on-premises to a new VPC. The application requires low-latency access to an RDS database running in an existing VPC. The team wants to minimize changes to the existing routing. What should the team do to meet these requirements?

A.Attach the new VPC to the existing transit gateway and ensure the transit gateway route tables permit traffic between the new VPC and the RDS VPC.
B.Set up a VPN connection from the new VPC to the on-premises network, and route traffic through on-premises to the RDS VPC.
C.Create a VPC peering connection between the new VPC and the RDS VPC.
D.Migrate the RDS database to the new VPC to keep the application and database in the same VPC.
AnswerA

Correct: Leveraging existing transit gateway minimizes routing changes.

Why this answer

Option A is correct because attaching the new VPC to the existing transit gateway gives it connectivity to the RDS VPC over the path the other VPCs already use, without touching their routing; the new attachment only needs its association and propagation in the transit gateway route table and a route in the new VPC's subnet route tables. Option C is wrong because VPC peering adds a second path alongside the transit gateway and requires route table updates in both VPCs. Option B is wrong because routing through on-premises adds VPN latency and two extra hops.

Option D is wrong because moving the RDS instance changes the database endpoint and causes downtime, the opposite of minimal change.

638
MCQmedium

A network engineer is troubleshooting connectivity issues from an on-premises network to an AWS VPC over a Direct Connect private VIF. The VPC has a virtual private gateway attached. The on-premises router can ping the private IP of an EC2 instance in the VPC, but application traffic (TCP port 443) fails. What is the most likely cause?

A.The network ACL in the VPC is blocking outbound traffic.
B.The security group for the EC2 instance does not allow inbound HTTPS traffic.
C.The BGP session is in the 'Idle' state.
D.The route table associated with the virtual private gateway does not have a route to the on-premises network.
AnswerB

Security groups are stateful, so outbound return traffic is allowed automatically. The inbound rule for HTTPS must be present.

Why this answer

Since the on-premises router can ping the EC2 instance's private IP, Layer 3 connectivity is working, which rules out routing and BGP issues. The failure of TCP port 443 specifically points to a firewall or access control blocking the application traffic. A security group acts as a virtual firewall at the instance level, and by default it denies all inbound traffic unless explicitly allowed.

Therefore, the most likely cause is that the security group for the EC2 instance does not have an inbound rule permitting HTTPS (TCP 443) traffic.

Exam trap

The trap here is that candidates assume ping success implies full application-layer connectivity, but security groups can selectively block specific protocols or ports while allowing ICMP, leading to a false sense of network health.

How to eliminate wrong answers

Option A is wrong because a network ACL is stateless and operates at the subnet level; if outbound traffic were blocked, the ping reply (ICMP) would also fail, but ping succeeds, so this is not the issue. Option C is wrong because if the BGP session were in the 'Idle' state, the virtual private gateway would not have learned the on-premises routes, making Layer 3 connectivity impossible and ping would fail. Option D is wrong because if the route table associated with the virtual private gateway lacked a route to the on-premises network, return traffic from the VPC would not be forwarded, and ping replies would not reach the on-premises router, yet ping succeeds.

639
MCQhard

A company has a global application deployed across multiple AWS Regions. The application uses Amazon Route 53 latency-based routing. The network team wants to monitor the health of the application endpoints. They configure Route 53 health checks with fast interval (10 seconds) for each endpoint. After a few days, they notice an increase in costs. Which change will reduce costs while maintaining adequate health monitoring?

A.Disable health checks and rely on Route 53 latency measurements.
B.Change the health check interval to standard (30 seconds).
C.Use CloudWatch alarms instead of Route 53 health checks.
D.Remove health checks for endpoints that are in the same Region.
AnswerB

Standard interval reduces frequency and cost, still adequate for latency-based routing.

Why this answer

Health checks are billed per health check per month, with an additional charge for optional features such as the fast (10 second) interval, string matching and HTTPS, so the increase comes from the fast interval. Returning to the standard 30 second interval removes that charge while still failing an endpoint over within about 90 seconds (three consecutive failures by default), which is adequate for latency-based routing.

Disabling health checks (Option A) or removing them (Option D) would let Route 53 keep returning unhealthy endpoints. Using CloudWatch alarms as the health check source (Option C) is possible with metric-based health checks but still costs per health check and reacts more slowly than a direct endpoint probe.

640
MCQmedium

A company is designing a multi-region architecture using AWS Transit Gateway inter-region peering. They need to ensure that traffic between VPCs in different regions can traverse the TGW peering attachment without being inspected by a central security appliance. Which configuration should be used?

A.Create TGW peering attachments and configure the route tables to point to each other's TGW attachment.
B.Route all inter-region traffic through a centralized inspection VPC in one region.
C.Set up a VPN connection between the two TGWs for encrypted traffic.
D.Use VPC peering between the VPCs instead of TGW peering.
AnswerA

This allows direct traffic flow between TGWs, bypassing inspection.

Why this answer

Option A is correct. A Transit Gateway peering attachment links the two TGWs directly; once each TGW route table has a static route for the remote region's CIDRs pointing at the peering attachment, VPC-to-VPC traffic crosses the AWS backbone between the TGWs without passing through the inspection VPC. Peering attachments do not propagate routes, so the entries must be static on both sides. Option B is wrong because it forces traffic through the inspection VPC, which the requirement excludes.

Option C is wrong because inter-region TGW peering traffic is already encrypted by AWS, so a VPN between the TGWs is unnecessary. Option D is wrong because VPC peering bypasses the TGWs entirely and does not use the peering attachment the question asks about.

641
Multi-Selecthard

Which TWO scenarios are best suited for using AWS Transit Gateway over VPC peering? (Select TWO.)

Select 2 answers
A.Connecting VPCs in different AWS accounts
B.Connecting a single VPC to an on-premises network
C.Connecting hundreds of VPCs across multiple accounts
D.Connecting VPCs to on-premises via Direct Connect
E.Connecting two VPCs in the same account and region
AnswersC, D

Transit Gateway simplifies hub-and-spoke topology.

Why this answer

Options C and D are correct. Transit Gateway scales to hundreds of attachments with one hub route domain instead of a full mesh of peering connections, and a Direct Connect gateway can be associated with a transit gateway so a single connection reaches every attached VPC. Option A is wrong because VPC peering already supports cross-account connections; the account boundary alone does not call for a transit gateway.

Option B is wrong because a single VPC reaches on-premises through a virtual private gateway. Option E is wrong because two VPCs in the same account and region are the textbook case for VPC peering, which has no hourly hub charge and no extra hop.

642
MCQhard

A company has a global application deployed across multiple AWS Regions. They use an Amazon Route 53 latency-based routing policy to direct users to the closest region. Recently, users in Asia are experiencing high latency even though traffic is being directed to the nearest region. The network team reviews the latency measurements and notices that the Route 53 latency values are based on the region where the resources are hosted, but the actual application performance is poor. What is the most likely cause?

A.The Route 53 health checks are failing, causing traffic to be routed to a different region.
B.The company has not enabled DNSSEC, causing additional DNS resolution time.
C.The application in the Asian region is overloaded, causing increased response times.
D.The Route 53 latency routing policy is not using anycast, causing suboptimal routing.
AnswerC

Latency routing only optimizes network path; application slowdown still causes high latency.

Why this answer

Option C is correct. Route 53 latency-based routing measures network latency between the user's resolver and AWS regions; it does not measure the application's response time. If the application in the Asian region is overloaded, the DNS choice is still correct and users still experience high latency.

Option A is incorrect because failing health checks would move traffic to a different region, which the question says is not happening. Option D is incorrect because Route 53 does not forward application traffic at all; anycast applies to its name servers, not to the application path. Option B is incorrect because DNSSEC validation adds negligible time and has nothing to do with application response time.

643
MCQmedium

A network engineer is troubleshooting connectivity between a VPC (10.0.0.0/16) and a peered VPC (10.1.0.0/16). The route table shown is associated with subnet-aaa. An EC2 instance in subnet-aaa cannot reach an instance in the peered VPC. What is the issue?

A.The route to the peered VPC's CIDR is missing
B.The route table does not have a route to an Internet Gateway
C.The route table is not associated with the correct subnet
D.The VPC peering connection is not in the 'active' state
AnswerD

If the peering connection is pending or rejected, traffic will not flow even though the route exists.

Why this answer

Option D is correct because a VPC peering connection must be in the 'active' state for traffic to flow between the VPCs. If the peering connection is in any other state (e.g., 'pending-acceptance', 'expired', 'failed', or 'deleted'), the route to the peered VPC's CIDR will be considered a black hole, and the EC2 instance in subnet-aaa will be unable to reach the instance in the peered VPC. The route table shown includes a route for 10.1.0.0/16 pointing to the peering connection, but the connection's state must be verified as 'active' for the route to be effective.

Exam trap

AWS often tests the misconception that simply adding a route to the peered VPC's CIDR in the route table is sufficient for connectivity, but the trap here is that the VPC peering connection must be in the 'active' state; otherwise, the route is a black hole and traffic will not flow.

How to eliminate wrong answers

Option A is wrong because the route table shown includes a route for 10.1.0.0/16 with the peering connection as the target, so the route to the peered VPC's CIDR is present, not missing. Option B is wrong because an Internet Gateway route is irrelevant for VPC peering traffic; the EC2 instance is trying to reach a private IP in the peered VPC, not the internet, and the route table does not need an IGW route for this communication. Option C is wrong because the question states the route table is associated with subnet-aaa, and the EC2 instance is in subnet-aaa, so the association is correct; the issue lies elsewhere.

644
MCQhard

A company is deploying a global application with users in North America and Europe. They have set up an Application Load Balancer (ALB) in us-east-1 and another in eu-west-1. They want to route users to the nearest ALB using AWS Global Accelerator. What is the correct configuration to achieve this?

A.Use Amazon CloudFront with origins pointing to each ALB
B.Place each ALB behind a Network Load Balancer and use Global Accelerator
C.Create a Global Accelerator accelerator with endpoint groups in each region, each pointing to the respective ALB
D.Create a Route 53 latency record set with aliases to each ALB
AnswerC

Correct; Global Accelerator uses Anycast to route to the nearest healthy ALB.

Why this answer

Option C is correct because Global Accelerator advertises static anycast IP addresses and uses health checks to route each connection to the nearest healthy endpoint; one endpoint group per region, each containing that region's ALB, is the supported configuration. Option D is wrong because Route 53 latency-based routing relies on DNS, which resolvers cache, so failover is delayed by the TTL and clients get no fixed IP. Option A is wrong because CloudFront is a CDN: it can front an ALB as an origin, but it does not choose an origin by the viewer's region on its own, so it is not the global load balancer the question asks for.

Option B is wrong because an NLB is not needed; Global Accelerator can target ALBs directly.

645
Multi-Selecthard

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The company wants to centralize internet egress for all VPCs through a single VPC that has a NAT Gateway and an internet gateway. Which TWO configurations are required to achieve this?

Select 2 answers
A.In the egress VPC, add a route for 0.0.0.0/0 to the Transit Gateway.
B.Create a VPN connection between each VPC and the Transit Gateway.
C.In the egress VPC, add a route for 0.0.0.0/0 to the internet gateway in the route table of the subnet containing the NAT Gateway.
D.In each non-egress VPC, add a route for 0.0.0.0/0 to the Transit Gateway.
E.In each non-egress VPC, delete the local route.
AnswersC, D

This allows the NAT Gateway to reach the internet via the internet gateway.

Why this answer

To centralize internet egress, the NAT Gateway must be in the egress VPC. The other VPCs route 0.0.0.0/0 to the Transit Gateway, and the Transit Gateway route table those VPCs are associated with needs a 0.0.0.0/0 route to the egress VPC attachment. Inside the egress VPC the attachment subnet's route table sends 0.0.0.0/0 to the NAT Gateway, and the NAT Gateway's subnet route table sends 0.0.0.0/0 to the internet gateway with the spoke CIDRs routed back to the Transit Gateway so return traffic can find its way home.

Option C is correct because the NAT Gateway's subnet needs the default route to the internet gateway. Option D is correct because the spoke VPCs need a default route to the Transit Gateway. Option A is incorrect because a 0.0.0.0/0 route to the Transit Gateway in the egress VPC would send internet-bound traffic back into the Transit Gateway, where it loops or is blackholed; the egress VPC only routes the spoke CIDRs to the Transit Gateway.

Option B is incorrect because VPCs attach to a Transit Gateway directly; a VPN is not needed. Option E is incorrect because the local route cannot be deleted.
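The walk below is an added example for this design, not AWS code. TABLES models each route table involved as (destination, target) pairs evaluated with longest-prefix match, the way the VPC and the Transit Gateway evaluate them, and trace() follows a packet hop by hop; broken_tables() then shows what Option A's route does. Names and CIDRs are assumptions: spoke VPC 10.1.0.0/16, egress VPC 10.0.0.0/16 with a Transit Gateway attachment subnet and a public subnet holding the NAT Gateway, and the egress-side TGW table written as static entries where a real deployment would use propagation.

```python
"""Route-table walk for centralized egress through a Transit Gateway (added example)."""
import copy
import ipaddress

TABLES = {
    # Spoke VPC private subnet: everything non-local goes to the TGW.
    "spoke-private": [("10.1.0.0/16", "local"), ("0.0.0.0/0", "tgw-spokes")],
    # TGW route table associated with spoke attachments: default to the egress VPC attachment.
    "tgw-spokes": [("10.1.0.0/16", "subnet:spoke-private"),
                   ("0.0.0.0/0", "subnet:egress-tgw-subnet")],
    # Egress VPC, subnet holding the TGW attachment ENI: default to the NAT Gateway.
    "egress-tgw-subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat:egress-public")],
    # Egress VPC public subnet (NAT Gateway lives here): default to the IGW, spokes back via TGW.
    "egress-public": [("10.0.0.0/16", "local"), ("10.1.0.0/16", "tgw-egress"),
                      ("0.0.0.0/0", "igw")],
    # TGW route table associated with the egress attachment: only the spoke CIDRs.
    "tgw-egress": [("10.1.0.0/16", "subnet:spoke-private")],
}

TERMINAL = {"local", "igw", None}


def lookup(tables: dict, table: str, dst: str):
    """Longest-prefix match; None means no route (the packet is dropped)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, target in tables[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(tables: dict, start_table: str, dst: str, max_hops: int = 8) -> list:
    """Follow dst through the route tables, recording 'table -> target' per hop.

    'subnet:X' (the TGW hands the packet to a VPC; X is the attachment
    subnet's table) and 'nat:X' (the packet now leaves the NAT Gateway's ENI,
    whose subnet uses table X) continue the walk in table X; any other target
    names a TGW route table; 'local' and 'igw' end the walk; None is a blackhole.
    """
    path, table = [], start_table
    for _ in range(max_hops):
        target = lookup(tables, table, dst)
        path.append(f"{table} -> {target}")
        if target in TERMINAL:
            return path
        kind, _, name = target.partition(":")
        table = name if kind in ("subnet", "nat") else target
    path.append("loop")
    return path


def broken_tables() -> dict:
    """Option A's mistake: a default route in the egress VPC pointing back at the TGW."""
    tables = copy.deepcopy(TABLES)
    tables["egress-tgw-subnet"] = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "tgw-egress")]
    return tables


if __name__ == "__main__":
    print("spoke -> internet:", trace(TABLES, "spoke-private", "198.51.100.10"))
    print("return from NAT:", trace(TABLES, "egress-public", "10.1.0.10"))
    print("with option A:", trace(broken_tables(), "spoke-private", "198.51.100.10"))
```

The return trace is the part people forget: the NAT Gateway's subnet must have a route for each spoke CIDR back to the Transit Gateway, otherwise replies to 10.1.0.10 match only the default route and leave through the internet gateway.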

646
MCQeasy

A network engineer is setting up a site-to-site VPN connection between an on-premises network and AWS. After configuring the customer gateway, virtual private gateway, and VPN tunnel, the tunnel status shows 'DOWN'. Which step should the engineer take FIRST to troubleshoot?

A.Verify that route propagation is enabled on the VPC route table
B.Enable detailed CloudWatch metrics on the VPN connection
C.Test connectivity by pinging an EC2 instance in the VPC
D.Check the on-premises VPN device configuration for mismatched parameters
AnswerD

A configuration mismatch on the customer gateway device is the most common cause.

Why this answer

Option D is correct because a tunnel that never comes up almost always means the IKE/IPsec parameters on the customer gateway device do not match what AWS expects: IKE version, pre-shared key, Phase 1 and Phase 2 encryption and integrity algorithms, DH group, lifetimes, and the tunnel inside and outside addresses. The configuration file downloadable from the console is the reference to compare against. Note also that by default AWS does not initiate the IKE negotiation, so the on-premises device must start it unless the tunnel's startup action is set to Start. Option B is incorrect because CloudWatch metrics such as TunnelState report that the tunnel is down; they do not explain why. Option C is incorrect because a ping cannot succeed until the tunnel is up.

Option A is incorrect because route propagation only matters once the tunnel and its BGP session are established; it is the next thing to check, not the first.

647
Multi-Selectmedium

A company is designing a VPC with multiple subnets for a three-tier application. They need to ensure that the database tier (private subnet) can be accessed only by the application tier (private subnet) and that no other resources in the VPC can access the database. Which TWO security mechanisms should be used together to achieve this? (Choose TWO.)

Select 2 answers
A.Route tables
B.VPC Flow Logs
C.Security groups
D.Network ACLs
E.IAM policies attached to the database instances
AnswersC, D

Correct; security groups act as virtual firewalls at the instance level.

Why this answer

Option C (security groups) and Option D (network ACLs) are correct. A security group on the database instances that allows inbound traffic only from the application tier's security group on the database port gives stateful, instance-level filtering that follows the application instances wherever they run; a network ACL on the database subnet that allows inbound only from the application subnet's CIDR on that port, plus the ephemeral return ports outbound, adds a stateless subnet-level layer.

Option B is incorrect because VPC Flow Logs record traffic; they do not control it. Option E is incorrect because IAM policies govern AWS API calls, not network packets. Option A is incorrect because route tables decide where traffic is sent; within one VPC the local route reaches every subnet and cannot be used to deny access.

648
Multi-Selecteasy

Which TWO of the following are best practices for securing a VPC?

Select 2 answers
A.Enable VPC Flow Logs on all subnets to block malicious traffic.
B.Use multiple Availability Zones for redundancy.
C.Place database instances in public subnets for easier management.
D.Restrict inbound SSH access to specific IP ranges.
E.Use the default VPC security group for all instances.
AnswersB, D

Improves availability and fault tolerance.

Why this answer

Option B is correct: spreading resources across Availability Zones improves resilience, and availability is part of security. Option D is correct: limiting inbound SSH to known administrative IP ranges (or replacing SSH with Systems Manager Session Manager) reduces the attack surface. Option C is wrong: databases belong in private subnets with no route from the internet.

Option E is wrong: the default security group allows all inbound traffic from instances in the same group and all outbound traffic, so putting every instance in it flattens the tiers. Option A is wrong: flow logs record traffic for monitoring and forensics; they do not block anything.

649
MCQeasy

A network engineer is designing a VPC with public and private subnets. The private subnets must have outbound internet access but not be directly reachable from the internet. Which AWS service should be used?

A.NAT Gateway
B.Elastic IP Address (EIP)
C.Internet Gateway (IGW)
D.Virtual Private Gateway (VGW)
AnswerA

NAT Gateway provides outbound internet without inbound.

Why this answer

Option A is correct because a NAT Gateway, placed in a public subnet and referenced by the private subnets' 0.0.0.0/0 route, lets private instances initiate outbound connections while inbound connections from the internet have no path to them. Option C is wrong because an Internet Gateway gives bidirectional access; instances with a public IP in a subnet routed to it are reachable from outside. Option D is wrong because a Virtual Private Gateway is the VPC side of a VPN or Direct Connect connection, not an internet path.

Option B is wrong because an Elastic IP is an address attached to a NAT Gateway, an instance or a similar resource; on its own it provides no routing.

650
MCQ · hard

A company is running a two-tier application with a web tier and a database tier. The web tier must be accessible from the internet, but the database tier should only be accessible from the web tier. Which architecture should they use?

A. Web tier in public subnet, database tier in private subnet with a security group allowing only web tier.
B. Both tiers in public subnets with security groups restricting database access.
C. Both tiers in private subnets with a NAT Gateway for internet access.
D. Web tier in private subnet, database tier in public subnet with a security group.
Answer: A

This architecture provides internet access to the web tier and isolates the database.

Why this answer

The correct answer is A because placing the web tier in a public subnet with an Internet Gateway and the database tier in a private subnet with a security group that allows traffic only from the web tier provides the required security. Option B (both in public) exposes the database. Option C (both in private) prevents internet access.

Option D (database in public) is insecure.

651
Multi-Select · hard

A company has a VPC with a public subnet and a private subnet. The private subnet hosts Amazon RDS instances. The security team wants to ensure that the RDS instances are not accessible from the internet. Which TWO actions should be taken?

Select 2 answers
A. Disable the 'Publicly accessible' option for the RDS instances.
B. Create a network ACL that denies all inbound traffic from 0.0.0.0/0.
C. Remove the route to an internet gateway from the private subnet's route table.
D. Ensure that the RDS instances are launched in a private subnet without a public IP address.
E. Configure the security group for the RDS instances to deny all inbound traffic.
Answers: C, D

Without a route to an internet gateway, traffic cannot reach the internet.

Why this answer

Options C and D are correct because removing the internet gateway route and not assigning public IPs prevent internet access. Option E is wrong because restricting security group inbound rules is important, but alone it may not prevent internet access if there is a public IP. Option B is wrong because network ACLs are stateless and can be used, but they are not as precise as security groups for this purpose.

Option A is wrong because RDS can have public accessibility disabled, but that is not a VPC-level action.

652
MCQ · easy

A security engineer is designing a VPC with public and private subnets. The company requires that all outbound traffic from private subnets to the internet must go through a single IP address for logging and compliance. Which service should be used?

A. Transit Gateway
B. Internet Gateway
C. NAT Gateway
D. VPC Endpoint
Answer: C

A NAT Gateway provides outbound-only internet access with a single IP.

Why this answer

Option C is correct because a NAT Gateway provides outbound internet access from private subnets with a single Elastic IP. Option B is wrong because an Internet Gateway allows inbound and outbound traffic from public subnets. Option D is wrong because a VPC Endpoint is for accessing AWS services privately.

Option A is wrong because a Transit Gateway is for connecting multiple VPCs and on-premises networks.

653
MCQ · hard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access the internet for software updates. The instance is associated with an Elastic IP address. The route table for the private subnet has a default route (0.0.0.0/0) pointing to a NAT gateway. The NAT gateway is in the public subnet and has an Elastic IP. Despite this, the instance cannot reach the internet. The security groups and NACLs are properly configured. What is the likely cause?

A. The NAT gateway's Elastic IP is not associated with the NAT gateway
B. The NAT gateway is not in a public subnet
C. The private subnet's network ACL is blocking outbound traffic
D. The EC2 instance does not have a route to the internet
Answer: A

If the NAT gateway lacks an Elastic IP, it cannot communicate with the internet.

Why this answer

If an instance has a public IP (Elastic IP) and is in a private subnet, the route to the internet must go through a NAT gateway or Internet Gateway. The private subnet's route table points to NAT, which is correct. However, the NAT gateway itself must have a route to the internet via an Internet Gateway.

Option A is correct. Options B, C, and D are common misconfigurations but not the most likely given the setup.

654
MCQ · easy

An IAM policy is attached to a user. What is the effect when the user attempts to launch an EC2 instance of type m5.large?

A. The action is allowed because the policy allows t2.micro instances.
B. The action is allowed because there is no explicit allow for RunInstances.
C. The action is denied because the condition is not met.
D. The action is denied because the instance type does not equal t2.micro.
Answer: D

The Deny statement with the condition StringNotEquals blocks all instance types except t2.micro.

Why this answer

Option D is correct because the IAM policy explicitly allows the `ec2:RunInstances` action only when the condition `ec2:InstanceType` equals `t2.micro`. Since the user is attempting to launch an `m5.large` instance, the condition is not satisfied, and the default implicit deny applies, resulting in the action being denied.

Exam trap

AWS often tests the concept that a conditional allow does not become a deny when the condition fails—instead, the default implicit deny applies, which candidates may misinterpret as an explicit denial based on the condition.

How to eliminate wrong answers

Option A is wrong because the policy does not allow all instance types; it only allows `t2.micro`, so launching `m5.large` is not permitted. Option B is wrong because there is an explicit allow for `RunInstances` in the policy, but it is conditional; the absence of an explicit allow for the specific instance type means the default deny applies. Option C is wrong because the condition is not met (the instance type is not `t2.micro`), which causes the allow to not apply, but the denial is due to the implicit deny, not because the condition itself is evaluated as a denial.

655
MCQ · hard

A company is deploying a multi-region application and needs to route users to the nearest healthy endpoint. They are using Amazon Route 53 with latency-based routing and health checks. Users in Asia are sometimes routed to the US region even when the Asia endpoint is healthy. What is the most likely cause?

A. The Asia region endpoint's Route 53 geolocation routing policy is misconfigured
B. The health check for the Asia region endpoint is failing or misconfigured
C. The TTL value for the DNS records is set too high
D. The DNS resolver used by users in Asia does not support latency-based routing
Answer: B

If the health check fails, Route 53 excludes the unhealthy endpoint and routes to the next best latency.

Why this answer

Option B is correct because latency-based routing uses the latency between the user and the endpoint; if the health check is misconfigured, the Asia endpoint might be considered unhealthy, causing Route 53 to route to the next best region. Option A is wrong because geolocation routing is different from latency-based. Option C is wrong because TTL affects caching but not routing decisions.

Option D is wrong because DNS resolution does not change routing behavior.

656
Multi-Select · medium

A company is designing a network for a three-tier web application that must be highly available across multiple Availability Zones. The application uses an Application Load Balancer (ALB) for the web tier, EC2 instances for the application tier, and an Amazon RDS Multi-AZ database for the database tier. Which TWO design choices improve availability and fault tolerance?

Select 2 answers
A. Launch all EC2 instances in a single Availability Zone to reduce network latency.
B. Configure Amazon RDS Multi-AZ with a standby instance in a different Availability Zone.
C. Use a single NAT gateway in one Availability Zone for all outbound traffic.
D. Deploy the ALB across at least two Availability Zones.
E. Use VPC Gateway Endpoints for S3 to avoid NAT gateway costs.
Answers: B, D

Provides automatic failover.

Why this answer

Option B is correct because Amazon RDS Multi-AZ automatically provisions and maintains a synchronous standby replica in a different Availability Zone, providing automatic failover in the event of an AZ failure or database instance failure. This ensures the database tier remains available without manual intervention, directly improving fault tolerance for the three-tier application.

Exam trap

AWS often tests the misconception that a single NAT gateway is sufficient for high availability, but the trap here is that a single NAT gateway is a single point of failure unless paired with a second NAT gateway in another AZ and route tables that direct traffic to the healthy gateway.

657
MCQ · medium

A network engineer is designing a hybrid network with AWS Direct Connect and a VPN backup. The company has multiple VPCs connected to an AWS Transit Gateway. The on-premises network advertises the same prefixes over both Direct Connect (via private VIF) and VPN (via BGP). The engineer wants to ensure that traffic from the VPCs to on-premises prefers the Direct Connect path. What should the engineer do?

A. Set a higher local preference on the Transit Gateway for Direct Connect routes
B. Decrease the AS path length on the Direct Connect BGP advertisements
C. Configure AS path prepending on the VPN BGP advertisements from on-premises
D. Set a higher MED on the Direct Connect BGP advertisements
Answer: C

Longer AS path makes the VPN route less preferred.

Why this answer

Option C is correct because AS path prepending makes the VPN path appear longer (less preferred) in BGP route selection. Option D is incorrect because MED is only compared between routes from the same AS. Option A is incorrect because local preference is used within a single AS, not across ASes.

Option B is incorrect because decreasing the AS path length would make the path more preferred.

658
Multi-Select · medium

Which THREE of the following are valid methods to connect a VPC to an on-premises network?

Select 3 answers
A. AWS Direct Connect
B. VPC Peering
C. Site-to-Site VPN
D. AWS Transit Gateway
E. VPC Endpoint
Answers: A, C, D

Direct Connect provides a dedicated private connection.

Why this answer

The correct answers are A, C, and D. Direct Connect, Site-to-Site VPN, and Transit Gateway are valid connection methods. Option B (VPC Peering) connects VPCs, not on-premises networks.

Option E (VPC Endpoint) connects to AWS services.

659
MCQ · medium

A network engineer is setting up a VPC peering connection between two VPCs (VPC-A and VPC-B) in different AWS accounts. The VPCs are in the same region. After accepting the peering request, instances in VPC-A cannot communicate with instances in VPC-B. What should the engineer check first?

A. The security groups in both VPCs allow traffic from the peer VPC CIDR.
B. The network ACLs in both VPCs allow traffic from the peer VPC CIDR.
C. The route tables in both VPCs have routes to the peer VPC CIDR.
D. The VPC peering connection status is 'active'.
Answer: C

Without routes, traffic cannot traverse the peering connection.

Why this answer

Option C is correct because route tables must be updated with routes to the peer VPC CIDR. Without these routes, traffic is not directed to the peering connection. Option A is incorrect because security groups can be configured to allow cross-account traffic, but they are not the first check.

Option D is incorrect because the peering connection is already accepted. Option B is incorrect because NACLs are not the primary issue; routes are.

660
MCQ · hard

A company has a hybrid network with an AWS Transit Gateway connecting multiple VPCs and an on-premises data center via AWS Direct Connect. The security team requires that all traffic between VPCs must be inspected by a centralized firewall appliance deployed in a security VPC. They have configured a Transit Gateway with a route table that has blackhole routes for all VPC CIDRs except the security VPC, and the security VPC appliance performs inspection and returns traffic to the Transit Gateway. Recently, they added a new VPC for a critical application. After configuration, some traffic from the new VPC to other VPCs is being dropped. The network engineer verifies that the Transit Gateway route table includes a blackhole route for the new VPC's CIDR and that the security VPC's firewall rules allow the traffic. What is the most likely cause of the dropped traffic?

A. The security VPC's network ACLs are blocking return traffic from the firewall appliance back to the Transit Gateway.
B. The new VPC's route table does not have a default route pointing to the Transit Gateway attachment.
C. The Transit Gateway route table propagates the new VPC's CIDR, overriding the static blackhole route.
D. The Transit Gateway route table does not have a static route pointing to the security VPC attachment for the new VPC's CIDR.
Answer: D

The Transit Gateway route table must have a route for the new VPC's CIDR pointing to the security VPC attachment so that traffic from the new VPC is forwarded to the firewall for inspection. Without this route, traffic is blackholed.

661
Multi-Select · hard

A company has a VPC with CIDR 10.0.0.0/16. They have two subnets: subnet A (10.0.1.0/24) and subnet B (10.0.2.0/24). An EC2 instance in subnet A needs to communicate with an RDS database in subnet B. Both subnets have network ACLs that allow all inbound and outbound traffic. However, the instance cannot connect to the database. Which TWO configuration changes could solve this issue? (Choose TWO.)

Select 2 answers
A. Attach an Internet Gateway to the VPC.
B. Ensure that the route tables associated with both subnets have a local route for the VPC CIDR.
C. Create a VPC peering connection between the subnets.
D. Modify the security group for the RDS database to allow inbound traffic from the EC2 instance's security group on port 3306.
E. Add a NAT Gateway in a public subnet and route traffic through it.
Answers: B, D

Local route is needed for intra-VPC communication.

Why this answer

Option B is correct because the local route for the VPC CIDR (10.0.0.0/16) is automatically added to the main route table, but if custom route tables are associated with subnets A and B, they must explicitly include this local route to enable routing between subnets within the same VPC. Without it, traffic from the EC2 instance in subnet A cannot reach the RDS database in subnet B, even if network ACLs allow all traffic.

Exam trap

AWS often tests the misconception that network ACLs alone control all traffic flow, but candidates forget that security groups must also allow inbound traffic, and that route tables must have a local route for intra-VPC communication.

662
MCQ · easy

A company is deploying a public-facing web application on EC2 instances behind an Application Load Balancer. The ALB is configured to terminate HTTPS using a certificate from AWS Certificate Manager. What additional step is required to ensure the ALB can validate the certificate?

A. Attach the certificate to an Amazon CloudFront distribution.
B. Ensure the certificate is in the same AWS region as the ALB.
C. Create a DNS record to validate domain ownership.
D. Import the certificate into AWS Certificate Manager Private Certificate Authority.
Answer: B

ACM certificates are region-specific.

Why this answer

Option B is correct because ACM certificates must be in the same region as the ALB. Option C is wrong because DNS validation is not required for the ALB. Option D is wrong because a private CA is not needed.

Option A is wrong because CloudFront is a different service.

663
MCQ · hard

A network engineer is troubleshooting a VPN connection between an on-premises network (172.16.0.0/16) and an AWS VPC (10.0.0.0/16). The VPN status is 'available' but traffic is not passing. The engineer runs the command shown in the exhibit. What is the most likely cause of the issue?

A. The VPN tunnels are not in 'UP' state.
B. The VPC route table does not have a route for 172.16.0.0/16 pointing to the virtual private gateway.
C. The tunnel inside CIDRs overlap with the VPC CIDR.
D. The BGP session is not established.
Answer: B

Without this route, VPC traffic to on-premises is dropped.

Why this answer

The VPN status is 'available', which indicates that the VPN tunnels are established and the BGP sessions (if configured) are up. However, traffic still fails because the VPC route table lacks a route for the on-premises CIDR (172.16.0.0/16) pointing to the virtual private gateway (VGW). Without this route, the VPC does not know to send traffic destined for the on-premises network through the VPN connection, even though the tunnels themselves are operational.

Exam trap

The trap here is that candidates see 'available' status and assume all components are working, but they overlook the critical requirement of a route in the VPC route table pointing to the virtual private gateway for the on-premises CIDR.

How to eliminate wrong answers

Option A is wrong because the VPN status 'available' means the tunnels are in 'UP' state; if they were not, the status would be 'down' or 'degraded'. Option C is wrong because tunnel inside CIDRs (typically link-local addresses like 169.254.x.x) are used for BGP peering and do not overlap with the VPC CIDR (10.0.0.0/16); overlapping inside CIDRs would cause a different error, such as a BGP session failure, not a traffic-forwarding failure with 'available' status. Option D is wrong because the VPN status 'available' indicates that the BGP session is established; if BGP were not established, the status would show 'down' or 'negotiation'.

664
Multi-Select · medium

Which TWO of the following are valid methods to secure data at rest in Amazon S3? (Choose two.)

Select 2 answers
A. Use SSE-S3 (Server-Side Encryption with S3 managed keys).
B. Use SSL/TLS to encrypt data during transfer.
C. Use client-side encryption before uploading objects.
D. Use a VPC endpoint to restrict access to the bucket.
E. Configure a network ACL to block unauthorized access.
Answers: A, C

SSE-S3 encrypts data at rest.

Why this answer

Options A and C are correct. Server-side encryption with S3 managed keys (SSE-S3) is a valid method. Client-side encryption, where the customer encrypts data before uploading, is also valid.

Option B is incorrect because SSL/TLS encrypts data in transit, not at rest. Option E is incorrect because network ACLs do not encrypt data. Option D is incorrect because VPC endpoints do not encrypt data.

665
MCQ · easy

A company needs to connect its on-premises data center to a VPC in AWS using a dedicated, private, and high-bandwidth connection. Which AWS service should be used?

A. AWS Client VPN
B. VPC Peering
C. AWS Site-to-Site VPN
D. AWS Direct Connect
Answer: D

Dedicated private connection.

Why this answer

AWS Direct Connect is the correct choice because it provides a dedicated, private, high-bandwidth network connection from an on-premises data center directly to AWS, bypassing the public internet. This meets the requirements for a private, low-latency, and consistent network path, unlike VPN-based solutions that traverse the internet.

Exam trap

The trap here is that candidates often confuse AWS Site-to-Site VPN with a dedicated connection, overlooking that it still relies on the public internet and lacks the private, consistent bandwidth guarantees of Direct Connect.

How to eliminate wrong answers

Option A is wrong because AWS Client VPN is a managed remote access VPN service for individual clients (e.g., laptops) to connect to AWS or on-premises networks, not a dedicated high-bandwidth connection between a data center and a VPC. Option B is wrong because VPC Peering connects two VPCs within AWS, not an on-premises data center to a VPC, and it does not provide a dedicated physical connection. Option C is wrong because AWS Site-to-Site VPN creates an encrypted tunnel over the public internet, which does not offer the dedicated, private, or consistent high-bandwidth characteristics required; it is subject to internet variability and latency.

666
MCQ · hard

An IAM policy attached to a user allows creating and deleting VPCs and subnets only in us-east-1. The user attempts to create a VPC in eu-west-1. What will happen?

A. The API call will be denied with an authorization error.
B. The VPC will be created but the user will receive a warning.
C. The user can create the VPC because the condition is not applicable to VPC creation.
D. The VPC will be created successfully because the policy allows ec2:CreateVpc.
Answer: A

The condition fails, so IAM denies the action.

Why this answer

Option A is correct. The condition restricts actions to us-east-1 only, so the API call in eu-west-1 will be denied. Option D is wrong because the policy allows ec2:CreateVpc only under the region condition.

Option C is wrong because the condition is evaluated for VPC creation. Option B is wrong because no override exists.

667
MCQ · hard

A network engineer is monitoring a hybrid network with a VPN connection to AWS. The engineer notices periodic packet loss and high latency during peak hours. The VPN tunnel uses static routing. The on-premises bandwidth is 100 Mbps, and the VPN connection is limited to 1.25 Gbps. What is the most likely cause?

A. The VPC route table has a blackhole route for the on-premises CIDR.
B. The on-premises internet connection is saturated.
C. The VPN tunnel is using the incorrect encryption algorithm.
D. The VPN tunnel is exceeding its maximum bandwidth limit.
Answer: B

The 100 Mbps link is likely overwhelmed during peak hours, causing packet loss and high latency.

Why this answer

The VPN connection's bandwidth (1.25 Gbps) is sufficient, but if the on-premises link is only 100 Mbps, any traffic exceeding that will cause congestion and packet loss. The VPN tunnel itself is not the bottleneck.

668
MCQ · hard

A company has multiple VPCs connected via AWS Transit Gateway. Each VPC has its own route table in the transit gateway. The company wants to restrict traffic between certain VPCs. For example, VPC A should be able to send traffic to VPC B but not to VPC C. VPC B should be able to send traffic to VPC C. Which configuration should the company use?

A. Use network ACLs on the transit gateway attachments to filter traffic.
B. Use security groups on the VPC attachments to allow or deny traffic.
C. Create separate transit gateway route tables for each VPC and add only the desired routes for other VPCs.
D. Create a single transit gateway route table and associate all VPC attachments with it.
Answer: C

Enables selective communication.

Why this answer

Option C is correct because each VPC has its own route table, and you can add routes for specific VPC attachments. By not adding a route for VPC C in VPC A's route table, traffic is blocked. Option D is wrong because a single shared route table would allow all VPCs to communicate.

Option A is wrong because network ACLs are not applied at transit gateway attachments. Option B is wrong because security groups are not used for inter-VPC routing decisions.

669
MCQ · easy

A network administrator is setting up VPC Flow Logs to monitor traffic to an Amazon RDS instance. The logs are sent to Amazon S3. After enabling Flow Logs, the administrator notices that no logs are being delivered. What is the most likely cause?

A. The VPC Flow Logs are not enabled for the correct VPC
B. The IAM role for Flow Logs does not have permissions to write to S3
C. The RDS instance is in a private subnet
D. The S3 bucket is in a different region
Answer: B

Flow Logs need an IAM role with s3:PutObject permission on the bucket.

Why this answer

Flow Logs require a service-linked role or an IAM role with permissions to publish to S3. If the role is missing or incorrect, logs will not be delivered.

670
MCQ · medium

A company is designing a network for a multi-tier application. The web tier must be accessible from the internet, the application tier must be accessible only from the web tier, and the database tier must be accessible only from the application tier. Which architecture meets these requirements?

A. Place each tier in a separate subnet and use network ACLs to allow traffic between tiers
B. Place each tier in a separate subnet and use security groups to allow traffic between tiers
C. Place all tiers in the same subnet and use security groups to control traffic
D. Place all tiers in a public subnet and use a NAT gateway for the application and database tiers
Answer: B

This provides isolation and granular control using security groups.

Why this answer

Placing each tier in separate subnets and using security groups to control inbound traffic between tiers is the standard approach. Using network ACLs is less granular and not stateful. VPC endpoints are for AWS services, not for tier-to-tier communication.

A single subnet with NAT would not isolate tiers.

671
MCQ · hard

A security engineer is troubleshooting connectivity issues. An EC2 instance cannot access the internet. The instance is in a private subnet with a route table that has a default route (0.0.0.0/0) pointing to a NAT gateway. The NAT gateway is in a public subnet with an Elastic IP. The security group allows all outbound traffic. What is the most likely cause?

A. The network ACL in the public subnet is blocking inbound traffic to the NAT gateway
B. The NAT gateway does not have a security group allowing outbound traffic
C. The internet gateway is not attached to the VPC
D. The route table in the private subnet has no route to the NAT gateway
Answer: A

The public subnet's network ACL must allow inbound return traffic to the NAT gateway.

Why this answer

Option A is correct because the network ACL in the public subnet must allow inbound traffic from the internet to the NAT gateway's Elastic IP. Option D is wrong because the route table in the private subnet is correct. Option B is wrong because NAT gateways do not have security groups; security groups apply to instances.

Option C is wrong because the internet gateway is required and is assumed to be attached.

672
MCQ · medium

A company has a VPC with public and private subnets. They have a web application running on EC2 instances in an Auto Scaling group in the public subnets. The application needs to read and write data to an S3 bucket. They want to ensure that traffic to S3 does not traverse the internet. The security team also requires that all traffic to S3 be logged. The current setup uses a NAT Gateway for outbound internet access. However, the NAT Gateway is a single point of failure and costs are high. They want to replace it with a more cost-effective and highly available solution that meets the logging requirement. What should they do?

A. Set up a VPN connection to an on-premises data center and route S3 traffic through the VPN, enabling VPC Flow Logs.
B. Create a Gateway VPC Endpoint for S3, enable VPC Flow Logs, and remove the NAT Gateway after verifying no other outbound internet traffic is needed.
C. Create an Interface VPC Endpoint for S3 in each Availability Zone, enable VPC Flow Logs, and remove the NAT Gateway.
D. Create a Gateway VPC Endpoint for S3, enable VPC Flow Logs, and keep the NAT Gateway for other outbound traffic.
Answer: B

Gateway Endpoint is free and highly available; VPC Flow Logs provide logging; removing the NAT Gateway reduces cost and SPOF.

Why this answer

Option B is correct. A Gateway VPC Endpoint for S3 is free, highly available by design, and does not require a NAT Gateway. VPC Flow Logs can capture traffic to the endpoint for logging.

Option C is wrong because an Interface Endpoint incurs costs. Option D is wrong because keeping the NAT Gateway leaves the single point of failure and its cost in place. Option A is wrong because a VPN does not provide direct S3 access and adds complexity.

673
MCQ · hard

A company is deploying a VPC with a public and private subnet in each of three Availability Zones. They need to provide internet access to instances in the private subnets while ensuring that all outbound traffic is logged and that traffic to a particular on-premises CIDR (10.0.0.0/8) is routed via an AWS Direct Connect Virtual Private Gateway. The company has a VPN connection as a backup. Which design should they use?

A. Create a centralized egress VPC with NAT Gateways in each AZ. Peer the application VPCs to the egress VPC. Configure route tables in the application VPCs to send 0.0.0.0/0 to the egress VPC and 10.0.0.0/8 to the Direct Connect Virtual Private Gateway.
B. Place a NAT Gateway in each AZ in the application VPC. Configure route tables to send 0.0.0.0/0 to the NAT Gateway. Use a VPN connection for on-premises traffic.
C. Use a Transit Gateway to connect all VPCs and on-premises. Attach a NAT Gateway in one AZ to the Transit Gateway. Configure route tables to send 0.0.0.0/0 to the NAT Gateway and 10.0.0.0/8 to the Direct Connect Virtual Private Gateway.
D. Create a NAT instance in each private subnet and configure each instance's route table to send 0.0.0.0/0 to the NAT instance. For on-premises traffic, use a VPC peering connection to an on-premises network.
Answer: A

This design centralizes egress traffic, uses managed NAT Gateways, and allows logging. Route tables direct on-premises traffic through DX.

Why this answer

Option A is correct because it uses a centralized egress VPC with NAT Gateways in each AZ to provide internet access to private subnets while logging all outbound traffic. By peering the application VPCs to the egress VPC, the route tables can direct 0.0.0.0/0 traffic to the egress VPC for NAT, and 10.0.0.0/8 traffic to the Direct Connect Virtual Private Gateway, ensuring on-premises traffic uses the dedicated connection with VPN backup. This design meets all requirements: internet access, logging, and specific routing for on-premises CIDR.

Exam trap

The trap here is that candidates often assume NAT Gateways must be placed in the same VPC as the private subnets, overlooking the centralized egress VPC pattern that enables logging and centralized control, and they may incorrectly think a Transit Gateway can directly attach a NAT Gateway.

How to eliminate wrong answers

Option B is wrong because it places NAT Gateways in the application VPC, which does not provide centralized logging of all outbound traffic, and it uses a VPN connection for on-premises traffic instead of routing 10.0.0.0/8 via Direct Connect as required. Option C is wrong because attaching a NAT Gateway to a Transit Gateway is not a supported configuration; NAT Gateways cannot be attached to Transit Gateways, and this design would not log all outbound traffic. Option D is wrong because it uses NAT instances instead of NAT Gateways, which are less reliable and do not provide the same level of logging, and it uses VPC peering for on-premises traffic, which is not a valid connection method for on-premises networks (Direct Connect or VPN are required).

674
MCQ · easy

A company has a VPC with a public subnet and a private subnet. The public subnet contains a web server (EC2 instance) that must be accessible from the internet. The private subnet contains a database server (EC2 instance) that should only be accessible from the web server. The web server's security group allows HTTP (80) and HTTPS (443) from 0.0.0.0/0. The database server's security group allows MySQL (3306) from the web server's security group. However, the web server cannot connect to the database server. The network engineer has verified that the web server can reach the internet and that the database server's security group is correctly configured. What is the most likely cause of the connectivity problem?

A. The route table for the private subnet does not have a route to the public subnet.
B. The web server's security group does not allow outbound traffic to the database server.
C. The network ACL associated with the private subnet is blocking inbound MySQL traffic from the web server.
D. The database server does not have a route to the internet gateway.
Answer: C

Correct: A custom NACL can block traffic even if security groups allow it.

Why this answer

Option C is correct because the default network ACL in a VPC allows all inbound and outbound traffic, but if a custom NACL is associated with the private subnet, it may block traffic if not properly configured. Option A is wrong because the route table does not affect traffic within the same VPC. Option B is wrong because security groups are stateful, so outbound traffic is automatically allowed. Option D is wrong because an internet gateway is not needed for VPC-internal traffic.

675
MCQmedium

A security engineer is troubleshooting connectivity between an EC2 instance in a private subnet and an S3 bucket. The instance has a VPC gateway endpoint for S3, and the route table has a route to the endpoint. The security group for the instance allows all outbound traffic. However, the instance cannot access the S3 bucket. What is the most likely cause?

A. The security group outbound rule does not allow traffic to the S3 prefix list.
B. The VPC endpoint is not associated with the route table.
C. The route table does not have a route to a NAT gateway.
D. The S3 bucket policy does not allow access from the VPC endpoint.
Answer: A

Gateway endpoints are accessed via a prefix list; the security group must allow egress to that prefix list.

Why this answer

Option A is correct because VPC gateway endpoints use prefix lists, and the security group outbound rule must allow traffic to the S3 prefix list ID. Option B is wrong because the instance is in a private subnet; internet traffic would go through NAT, but S3 access should use the gateway endpoint. Option C is wrong because S3 buckets are accessed via the endpoint, not via the internet.

Option D is wrong because the route is present, but the security group may still block the traffic.
