CCNA Network Design Questions

75 of 504 questions · Page 2/7 · Network Design · Answers revealed

76
MCQ · hard

A company is designing a global application that will serve users across North America and Europe. The application consists of a static website hosted on Amazon S3, a REST API hosted on Amazon API Gateway, and a backend application running on EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The company wants to minimize latency for users by serving content from the closest AWS region. They also want to ensure high availability and automatic failover if a region becomes unavailable. The company is considering using Amazon Route 53 with a latency-based routing policy. However, they are concerned about DNS caching and propagation delays during failover. Which additional service should they use to improve the failover experience and provide a single endpoint for users?

A. Use a Network Load Balancer in each region and configure Route 53 with failover routing
B. Use Amazon CloudFront with multiple origins pointing to the S3 bucket and the ALB in each region
C. Use Lambda@Edge to dynamically route traffic based on the user's location
D. Use AWS Global Accelerator to provide a static IP address and route traffic to the ALB in the closest healthy region
Answer: D

Global Accelerator provides static IPs and fast failover using network layer routing.

Why this answer

AWS Global Accelerator uses the AWS global network to route traffic to the closest healthy endpoint via the Anycast static IP addresses, bypassing DNS caching and propagation delays. It provides a single fixed endpoint for users and integrates with the ALB in each region, automatically failing over to the next healthy region within seconds when health checks fail.

Exam trap

AWS often tests the misconception that CloudFront or DNS-based routing alone can solve latency and failover requirements for dynamic APIs, but Global Accelerator is the only service that provides static IPs and fast regional failover without DNS caching delays.

How to eliminate wrong answers

Option A is wrong because a Network Load Balancer does not provide a single global endpoint or improve DNS caching issues; Route 53 failover routing still relies on DNS TTLs, which can cause propagation delays during failover. Option B is wrong because CloudFront with multiple origins does not provide a single static IP endpoint for the REST API and backend; it is designed for content delivery, not for low-latency TCP/UDP traffic to dynamic APIs, and it still depends on DNS resolution for origin selection. Option C is wrong because Lambda@Edge is used for customizing CloudFront content and does not provide a static IP address or direct traffic to ALBs; it cannot replace the need for a global anycast network to minimize latency and ensure fast failover.

77
MCQ · medium

A company is designing a multi-Region active-active application using Application Load Balancers (ALBs) in us-east-1 and eu-west-1, with Route 53 latency-based routing. Users report that after a failover, existing connections fail. What should the company implement to ensure seamless failover?

A. Use a Global Accelerator instead of Route 53
B. Enable client IP affinity on the ALBs
C. Use Amazon Route 53 geolocation routing instead of latency
D. Enable sticky sessions (session affinity) on the ALBs with a cookie duration
Answer: D

Sticky sessions ensure users are routed to the same ALB based on a cookie, maintaining session state.

Why this answer

Sticky sessions are required to maintain user sessions during failover. Route 53 latency routing alone does not preserve sessions. Option D is correct because ALB sticky sessions with a cookie duration keep users pinned to the same ALB.

Option A is wrong because Global Accelerator does not provide session stickiness. Option B is wrong because client IP affinity is not supported across Regions. Cross-Region VPC peering would likewise not affect session persistence.

78
MCQ · hard

A financial services company has a multi-account AWS environment using AWS Organizations. They have a central security account with AWS Network Firewall and a central inspection VPC. All other VPCs are connected to the inspection VPC via AWS Transit Gateway. The company wants to enforce that all traffic between VPCs (east-west) and traffic to the internet (north-south) passes through the Network Firewall. They have configured the Transit Gateway route tables appropriately. However, they notice that traffic from an application VPC to another application VPC is not being inspected. The network engineer has verified that the application VPCs have a default route to the Transit Gateway, and the Transit Gateway route table has a route for the inspection VPC. What is the most likely reason that east-west traffic is bypassing the Network Firewall?

A. The Transit Gateway route tables allow direct communication between application VPCs
B. The inspection VPC does not have a subnet for east-west traffic
C. Network Firewall cannot inspect traffic between VPCs at high throughput
D. Network Firewall is not stateful and cannot handle return traffic
Answer: A

If routes exist for direct VPC-to-VPC traffic, it will bypass inspection.

Why this answer

Option A is correct. For east-west traffic to be inspected, the Transit Gateway must route traffic from the source VPC to the inspection VPC, and only then on to the destination VPC. This requires the Transit Gateway route tables to be configured so that traffic between VPCs is forced through the inspection VPC.

If the application VPCs have a direct route to each other via the Transit Gateway (e.g., a static route, or both attachments sharing a route table with propagated routes), traffic will not go through the inspection VPC. The most common cause is that the Transit Gateway route table association allows direct VPC-to-VPC routing. Option C is wrong because Network Firewall can inspect traffic at scale.

Option D is wrong because Network Firewall is stateful and can handle return traffic. Option B is wrong because the inspection VPC can have multiple subnets for different traffic types.

79
MCQ · medium

A company has a VPC with a CIDR of 10.0.0.0/16. They want to create a subnet that can host at least 2000 EC2 instances. Which subnet size should they choose?

A. /21
B. /22
C. /24
D. /20
Answer: A

Provides 2048 IPs, enough for 2000 instances.

Why this answer

A /21 subnet provides 2,048 total IP addresses (2^(32-21)). AWS reserves 5 addresses in every subnet (the network address, the VPC router, the DNS resolver, one address held for future use, and the broadcast address), so the usable count is the total minus 5: 2,048 - 5 = 2,043, which exceeds the requirement of 2,000 EC2 instances. A /21 is the smallest subnet that meets the 2,000-instance requirement.

Exam trap

AWS often tests the misconception that you only need to consider total IP addresses (e.g., /22 gives 1,024, which seems close to 2,000) without accounting for AWS's 5 reserved addresses, or that a larger subnet like /20 is automatically better, ignoring the principle of choosing the smallest subnet that meets the requirement.

How to eliminate wrong answers

Option B (/22) is wrong because it provides only 1,024 total IP addresses, yielding 1,019 usable after AWS reserves 5, which is insufficient for 2,000 instances. Option C (/24) is wrong because it provides only 256 total IP addresses, yielding 251 usable, far below the requirement. Option D (/20) is wrong because although it provides 4,096 total IP addresses (4,091 usable) and would technically work, it is larger than necessary; the question asks which subnet size they should choose, implying the most efficient size that meets the requirement, and /21 is the smallest that satisfies it.
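The sizing rule in this question generalizes: for any host count, the smallest AWS subnet is the longest prefix whose block size minus the five reserved addresses still covers the requirement. The script below is an added example, not part of the original question bank; it uses the page's reserved-address count of 5 and the standard library's `ipaddress` module, and the `10.0.0.0` base address is only an assumed placeholder for computing block sizes.

```python
import ipaddress

# AWS reserves five addresses in every VPC subnet: the network address, the
# VPC router (+1), the DNS resolver (+2), one held for future use (+3) and
# the broadcast address (last). The count of 5 is taken from the page.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(prefix: int) -> int:
    """Usable IPv4 addresses in an AWS VPC subnet of the given prefix length."""
    if not 16 <= prefix <= 28:
        raise ValueError("AWS VPC subnets must be between /16 and /28")
    # The base address is an assumed placeholder; only the block size matters.
    net = ipaddress.ip_network(f"10.0.0.0/{prefix}")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def smallest_prefix_for(hosts: int) -> int:
    """Longest prefix (smallest subnet) whose usable count still covers `hosts`."""
    for prefix in range(28, 15, -1):  # walk from /28 up to /16
        if usable_hosts(prefix) >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts do not fit in a single /16 VPC subnet")


def evaluate_options(hosts: int, prefixes: list[int]) -> dict[int, tuple[int, bool]]:
    """Map each candidate prefix to (usable addresses, meets requirement)."""
    return {p: (usable_hosts(p), usable_hosts(p) >= hosts) for p in prefixes}


if __name__ == "__main__":
    # The four answer choices from the question, checked against 2,000 hosts.
    for prefix, (usable, ok) in evaluate_options(2000, [21, 22, 24, 20]).items():
        print(f"/{prefix}: {usable} usable -> {'meets' if ok else 'fails'} requirement")
    print("smallest prefix for 2000 hosts:", smallest_prefix_for(2000))
```

Running it reports /22 and /24 as failing, /21 and /20 as meeting the requirement, and /21 as the smallest prefix; the off-by-five boundary matters at sizes such as 1,019 versus 1,020 hosts, where the reserved addresses push the answer from /22 to /21.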

80
MCQ · hard

A company is expanding its on-premises network to AWS using Direct Connect and VPN backup. They have two Direct Connect connections from different providers to two different Direct Connect locations in the same region. They have configured a private virtual interface (VIF) on each connection to a virtual private gateway (VGW) attached to a VPC. They have also configured a VPN connection as a backup. The company uses BGP to advertise the on-premises prefixes to AWS. They want to ensure that traffic is load-balanced across both Direct Connect connections under normal conditions and that the VPN is used only if both Direct Connect connections fail. They also want to minimize the cost of data transfer. Which BGP configuration should they use?

A. Configure a single BGP session over both Direct Connect connections using the same virtual interface
B. Advertise the same prefixes over both Direct Connect connections with equal local preference, and prepend AS path on the VPN routes to make them less preferred
C. Set a higher MED on one of the Direct Connect connections to make it the primary, and use the VPN as secondary
D. Advertise different on-premises prefixes over each Direct Connect connection and use the VPN for all traffic
Answer: B

Equal local preference allows load balancing; AS path prepending makes VPN less preferred.

Why this answer

Option B is correct. By using BGP with equal local preference for both Direct Connect paths and AS_PATH prepending on the VPN routes, the VPN will be less preferred. To achieve active/active load balancing across Direct Connect connections, the company should advertise the same prefixes with equal MED or local preference.

Option D is wrong because advertising different prefixes would not load-balance traffic. Option A is wrong because a single BGP session over one Direct Connect connection creates a single point of failure. Option C is wrong because increasing the MED on one Direct Connect connection makes it less preferred, not equal.

81
MCQ · easy

A company is designing a disaster recovery solution that requires replicating data from an on-premises database to an Amazon RDS instance in a different AWS region. The data transfer must be encrypted in transit and should not traverse the public internet. Which approach meets these requirements?

A. Use an AWS Direct Connect connection with public VIF
B. Establish an AWS Site-to-Site VPN over an AWS Direct Connect connection
C. Establish an AWS Site-to-Site VPN over the internet
D. Use VPC Peering between the on-premises network and the RDS VPC
Answer: B

Correct; this provides encryption and uses a private connection.

Why this answer

Option B is correct because an AWS Site-to-Site VPN over an AWS Direct Connect connection provides encrypted IPsec tunnels for data in transit while keeping traffic entirely within the private network, avoiding the public internet. The Direct Connect private VIF establishes a dedicated private link to AWS, and the VPN overlay adds encryption, meeting both requirements for an on-premises to RDS cross-region replication scenario.

Exam trap

The trap here is that candidates often assume a Direct Connect public VIF (Option A) provides encryption because it is a private circuit, but it does not encrypt the payload; only a VPN overlay or dedicated encrypted transport (e.g., MACsec) satisfies the encryption requirement.

How to eliminate wrong answers

Option A is wrong because a public VIF on Direct Connect provides access to public AWS services (e.g., S3, DynamoDB) but does not inherently encrypt traffic; data would traverse the Direct Connect link without IPsec encryption, failing the encryption-in-transit requirement. Option C is wrong because an AWS Site-to-Site VPN over the internet uses the public internet as the transport medium, which violates the requirement that data should not traverse the public internet. Option D is wrong because VPC Peering is used to connect VPCs within AWS and cannot extend to an on-premises network; it does not support on-premises connectivity and does not provide encryption by default.

82
Multi-Select · medium

A company wants to connect its on-premises network to AWS using AWS Direct Connect. The company has two data centers, each with a redundant connection to an AWS Direct Connect location. The company wants to ensure high availability and failover capability. Which THREE steps should be taken?

Select 3 answers
A. Configure a VPN connection as a backup in case Direct Connect fails.
B. Order at least two Direct Connect connections from different providers or locations.
C. Configure BGP sessions over each Direct Connect connection.
D. Use a Direct Connect gateway to connect to multiple VPCs.
E. Provision multiple virtual interfaces on a single Direct Connect connection.
Answers: B, C, D

Multiple connections ensure redundancy if one fails.

Why this answer

Option B is correct: order two or more Direct Connect connections for redundancy. Option C is correct: use Border Gateway Protocol (BGP) to exchange routes between on-premises and AWS. Option D is correct: use a Direct Connect gateway to connect to multiple VPCs.

Option A is incorrect because a VPN is not required when Direct Connect is used, though it can serve as a backup. Option E is incorrect because multiple virtual interfaces can be established over a single connection, but that does not provide connection-level redundancy.

83
Multi-Select · hard

A company has a Direct Connect connection with a private VIF to a VPC. They want to add a second Direct Connect connection for redundancy. Both connections will terminate at the same Direct Connect gateway. Which TWO steps are required to enable BGP multipath (ECMP) across the two connections?

Select 2 answers
A. Ensure the same customer-side ASN is used on both virtual interfaces.
B. Use a different autonomous system number (ASN) on each virtual interface.
C. Advertise different BGP prefixes on each virtual interface.
D. Advertise the same BGP prefixes (routes) on both virtual interfaces.
E. Attach each virtual interface to a different VPC.
Answers: A, D

Same ASN is required for ECMP.

Why this answer

To enable BGP multipath (ECMP) across two Direct Connect connections terminating on the same Direct Connect gateway, you must use the same customer-side ASN on both virtual interfaces. This allows the Direct Connect gateway to treat both paths as equal-cost routes. Additionally, you must advertise the same BGP prefixes on both virtual interfaces so that the gateway sees identical routes from both paths and can load-balance traffic across them.

Exam trap

AWS often tests the misconception that using different ASNs or different prefixes is required for redundancy, but the key to ECMP is identical ASN and identical prefixes to enable equal-cost multipath routing.

84
MCQ · hard

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16 and needs to connect to an on-premises network via AWS Direct Connect. The on-premises network uses 10.0.0.0/16. Which solution allows connectivity without IP overlap?

A. Establish a VPC peering connection between the VPC and on-premises network.
B. Use AWS Direct Connect with a private VIF and static routes to route traffic.
C. Create a new VPC with a non-overlapping CIDR, connect both VPCs via Transit Gateway, and use NAT on the Transit Gateway attachment to the on-premises network.
D. Deploy a NAT instance in the VPC to translate on-premises IPs.
Answer: C

Transit Gateway with NAT attachment allows IP translation to resolve overlap.

Why this answer

Option C is correct because creating a new VPC with a non-overlapping CIDR (e.g., 172.16.0.0/16) and using Transit Gateway with network address translation (NAT) on the attachment resolves the overlap. Option A is wrong because overlapping CIDRs cannot be directly peered or connected via VPN. Option B is wrong because Direct Connect does not change IP addresses.

Option D is wrong because a single NAT instance cannot handle all traffic for overlapping CIDRs.

85
MCQ · hard

A company runs a critical application on EC2 instances in a VPC with a single private subnet (10.0.1.0/24) in us-east-1a. The instances need to download security updates from the internet. The company currently uses a NAT Gateway in a public subnet (10.0.0.0/24) in us-east-1a. Recently, an Availability Zone failure caused us-east-1a to become unavailable, and the application could not reach the internet. The company wants to redesign the network to be highly available across multiple AZs for internet access. The application must continue to use private IP addresses for outbound traffic. The company has a limited budget and wants to minimize costs while meeting high availability. Which solution should the company implement?

A. Deploy one NAT Gateway in a new public subnet in us-east-1b and update the private subnet route table to use it.
B. Remove the NAT Gateway and attach an internet gateway to the VPC. Add a route in the private subnet route table pointing 0.0.0.0/0 to the internet gateway.
C. Deploy a NAT Gateway in each of two AZs (us-east-1a and us-east-1b) in public subnets. Create private subnets in both AZs with separate route tables pointing to the local NAT Gateway.
D. Replace the NAT Gateway with a NAT instance in a public subnet in us-east-1a and configure a secondary ENI in us-east-1b for failover.
Answer: C

Multi-AZ NAT Gateways provide high availability with automatic failover.

Why this answer

Option C is correct because it ensures high availability for outbound internet traffic by deploying a NAT Gateway in each of two Availability Zones (us-east-1a and us-east-1b) with separate private subnets and route tables. This design eliminates the single point of failure; if one AZ fails, the other NAT Gateway continues to route traffic. The application retains private IP addresses for outbound traffic, and the cost is minimized by using only two NAT Gateways (one per AZ) rather than a more expensive multi-AZ architecture like a transit gateway or VPN.

Exam trap

The trap here is that candidates often think a single NAT Gateway in a different AZ (Option A) provides high availability, but they miss that a NAT Gateway is AZ-scoped and cannot fail over to another AZ automatically, so a single NAT Gateway remains a single point of failure.

How to eliminate wrong answers

Option A is wrong because deploying a single NAT Gateway in us-east-1b still creates a single point of failure; if us-east-1b fails, internet access is lost. Option B is wrong because attaching an internet gateway directly to a private subnet would assign public IP addresses to the instances, violating the requirement to use private IP addresses for outbound traffic; internet gateways only work with public subnets and public IPs. Option D is wrong because using a NAT instance with a secondary ENI in another AZ for failover is more complex, less reliable (manual or scripted failover), and typically more expensive than managed NAT Gateways; NAT instances also require ongoing patching and management, contradicting the limited budget and high availability goals.

86
MCQ · hard

The EC2 instance has a private IP 10.0.1.5. The first two hops are 10.0.1.1 (the subnet's default gateway) and 10.0.0.1. Based on the traceroute, what is the most likely configuration of the VPC?

A. The subnet is a public subnet with a route to an Internet Gateway
B. The subnet is a private subnet with no route to an Internet Gateway, and the default route points to a NAT instance or is missing
C. The subnet is a private subnet with a route to a NAT Gateway
D. The subnet is connected to a VPN
Answer: B

Traffic stops at VPC router, indicating no internet path.

Why this answer

The traceroute shows the first hop as 10.0.1.1 (the subnet's default gateway) and the second hop as 10.0.0.1 (the VPC router's IP for the main route table). The absence of a third hop to a public IP or NAT device indicates that the instance's traffic is not being forwarded beyond the VPC router. This is consistent with a private subnet that has no route to an Internet Gateway and either has no default route or a default route pointing to a NAT instance that is not responding or is missing, causing the traceroute to stop at the VPC router.

Exam trap

The trap here is that candidates often assume a private subnet must have a NAT Gateway or NAT instance for outbound traffic, but the traceroute's lack of a third hop indicates that either no NAT device exists or the default route is missing entirely, not that a NAT device is present but unresponsive.

How to eliminate wrong answers

Option A is wrong because if the subnet were public with a route to an Internet Gateway, the traceroute would show a third hop to the Internet Gateway's public IP or beyond, not stop at 10.0.0.1. Option C is wrong because a private subnet with a route to a NAT Gateway would show a third hop to the NAT Gateway's private IP (e.g., 10.0.0.100) before reaching the Internet, not stop at the VPC router. Option D is wrong because a VPN connection would route traffic through a Virtual Private Gateway, which would appear as a hop with a private IP in the VPC's CIDR range (e.g., 10.0.0.2) and then to the on-premises network, not stop at 10.0.0.1.

87
MCQ · medium

A company is designing a multi-region active-active application using Application Load Balancers (ALBs) behind AWS Global Accelerator. The application uses Aurora MySQL global database. Which design should be used to minimize cross-region latency for writes?

A. Use Route 53 latency-based routing with a single ALB in the primary region.
B. Use Amazon CloudFront with origins in both regions and cache invalidation for writes.
C. Use Global Accelerator with a single ALB endpoint in one region and failover to the second region.
D. Deploy an ALB in each region with a Global Accelerator endpoint group containing both ALBs.
Answer: D

Global Accelerator with two endpoints provides active-active, anycast routing to the nearest region.

Why this answer

Option D is correct because deploying an ALB in each region and adding both to a Global Accelerator endpoint group enables active-active traffic distribution with optimal path routing via the AWS global network. Global Accelerator uses Anycast IPs to direct user traffic to the nearest healthy endpoint, minimizing latency. For writes to an Aurora MySQL global database, the primary region handles all write operations, but Global Accelerator ensures that write requests are routed to the primary region's ALB with the lowest possible latency from the client's location, while read traffic can be served locally from the secondary region's ALB.

Exam trap

The trap here is that candidates often assume Global Accelerator only supports active-passive failover, but it actually supports active-active configurations with multiple endpoints in an endpoint group, which is essential for minimizing cross-region latency in a multi-region setup.

How to eliminate wrong answers

Option A is wrong because Route 53 latency-based routing does not provide static Anycast IPs and can introduce DNS caching delays, making it unsuitable for minimizing cross-region write latency in an active-active design. Option B is wrong because CloudFront is a content delivery network optimized for static and dynamic content caching, not for handling database write operations; cache invalidation does not reduce write latency to an Aurora global database. Option C is wrong because using a single ALB endpoint with failover to a second region creates an active-passive architecture, not active-active, and fails to minimize latency for writes as traffic is not distributed to the nearest region.

88
MCQ · medium

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises data centers. They want to centralize internet traffic through a single VPC that has an internet gateway. Which Transit Gateway feature should they enable?

A. Transit Gateway route tables
B. VPN attachments
C. Multicast support
D. IPsec acceleration
Answer: A

Route tables allow you to centralize internet traffic through a specific VPC.

Why this answer

To centralize internet traffic through a single VPC with an internet gateway, you need to control the routing of traffic from other VPCs and on-premises networks. Transit Gateway route tables allow you to isolate or share routes between attachments, enabling you to create a default route (0.0.0.0/0) pointing to the centralized VPC's attachment. This ensures all outbound internet traffic from other VPCs is forwarded to the egress VPC, which then uses its internet gateway.

Exam trap

The trap here is that candidates often confuse Transit Gateway route tables with VPC route tables, thinking that simply attaching an internet gateway to a VPC will automatically route traffic from other VPCs through it, without realizing that explicit route table entries in the Transit Gateway are required to direct traffic to the egress VPC.

How to eliminate wrong answers

Option B is wrong because VPN attachments are used to connect on-premises networks over IPsec tunnels, not to centralize internet traffic through a specific VPC. Option C is wrong because multicast support enables group communication using UDP multicast traffic, which is unrelated to routing internet-bound traffic to a single egress point. Option D is wrong because IPsec acceleration is a feature to offload IPsec encryption processing, not a routing or forwarding mechanism for internet traffic centralization.

89
MCQ · easy

A company is designing a multi-Region application using Amazon Route 53 latency-based routing. The application must be highly available and failover automatically if an AWS Region becomes unavailable. What should the company do to meet these requirements?

A. Configure latency-based routing with health checks and enable DNS failover.
B. Configure active-passive failover with latency-based routing and associate health checks with each record.
C. Configure geolocation routing policies and associate health checks.
D. Configure weighted routing policies with equal weights for all regions.
Answer: B

Correct: Active-passive failover with health checks and latency routing provides automatic regional failover.

Why this answer

Option B is correct because it combines latency-based routing with health checks and active-passive failover, which allows Route 53 to route traffic to the region with the lowest latency under normal conditions and automatically fail over to the passive region if the active region's health check fails. This meets the high availability and automatic failover requirements by leveraging Route 53's DNS failover mechanism, which updates DNS responses based on health check status.

Exam trap

The trap here is that candidates often assume that simply enabling health checks with latency-based routing (Option A) is sufficient for automatic failover, but without explicitly configuring an active-passive failover policy, Route 53 does not have a defined secondary target to fail over to when all endpoints in a latency-based set become unhealthy.

How to eliminate wrong answers

Option A is wrong because while it mentions latency-based routing with health checks and DNS failover, it does not specify active-passive failover, which is necessary to ensure a clear failover target when a region becomes unavailable; without an active-passive setup, latency-based routing alone may still send traffic to unhealthy endpoints if all regions are considered active. Option C is wrong because geolocation routing policies route traffic based on the geographic location of the user, not latency or availability, and do not provide automatic failover between regions based on health checks. Option D is wrong because weighted routing policies distribute traffic based on weights and do not inherently support failover; without health checks and active-passive configuration, traffic would continue to be sent to an unavailable region.

90
Multi-Select · medium

A company is designing a network for a VPC with a CIDR of 10.0.0.0/16. The VPC has three private subnets in three different Availability Zones. The company needs to provide internet access to instances in the private subnets for software updates. The architecture must be highly available and cost-effective. Which TWO actions should the network engineer take?

Select 2 answers
A. Configure each private subnet's route table to route 0.0.0.0/0 to the NAT Gateway in the same Availability Zone.
B. Use a NAT instance in an Auto Scaling group.
C. Deploy a NAT Gateway in each Availability Zone.
D. Use a single route table for all private subnets and route to one NAT Gateway.
E. Deploy a single NAT Gateway in one Availability Zone.
Answers: A, C

This ensures traffic uses the NAT Gateway in the same AZ.

Why this answer

To achieve high availability, deploy a NAT Gateway in each AZ. Each private subnet's route table should point to the NAT Gateway in its own AZ. Option C is correct because multiple NAT Gateways provide fault tolerance.

Option A is correct because routing to the NAT Gateway in the same AZ ensures traffic stays within the AZ. Option E is incorrect because a single NAT Gateway is a single point of failure. Option B is incorrect because NAT instances are not fully managed and are less reliable.

Option D is incorrect because a single route table would force all traffic through one NAT Gateway.

91
MCQ · hard

A company has multiple VPCs connected via AWS Transit Gateway. They need to inspect all inter-VPC traffic using a centralized firewall appliance. What is the most efficient way to achieve this?

A. Attach the firewall appliance to the Transit Gateway and configure Transit Gateway route tables to send traffic to the appliance
B. Enable VPC Flow Logs and analyze traffic patterns
C. Create VPC Gateway Endpoints for each VPC and route traffic through them
D. Use a Network Load Balancer to distribute traffic to the firewall appliance
Answer: A

This centralizes inspection by routing inter-VPC traffic through the firewall appliance.

Why this answer

Option A is correct because Transit Gateway supports route tables and attachments; you can attach the firewall appliance to a Transit Gateway and create a blackhole route or use the appliance as a route target. Option C is wrong because VPC endpoints are for accessing AWS services. Option D is wrong because a Network Load Balancer does not inspect traffic.

Option B is wrong because VPC Flow Logs only log traffic metadata.

92
MCQ · medium

A company has multiple VPCs across different AWS Regions and wants to enable communication between them using AWS's global network backbone. Which solution meets these requirements with minimal operational overhead?

A. Use AWS Transit Gateway with inter-Region peering.
B. Set up AWS Direct Connect connections to each VPC.
C. Create VPC peering connections between each pair of VPCs.
D. Use AWS Site-to-Site VPN between VPCs.
Answer: A

Simplifies connectivity across Regions.

Why this answer

AWS Transit Gateway with inter-Region peering is correct because it allows you to connect multiple VPCs across different AWS Regions using AWS's global network backbone, providing a hub-and-spoke architecture that scales easily. This solution minimizes operational overhead by centralizing routing and eliminating the need to manage individual connections between each VPC, as Transit Gateway automatically handles route propagation and traffic distribution across peered transit gateways.

Exam trap

AWS often tests the misconception that VPC peering is the simplest solution for multi-VPC connectivity, but the trap here is that VPC peering lacks transitive routing and requires a full mesh for more than two VPCs, making it operationally heavy for multi-region setups, whereas Transit Gateway with inter-Region peering provides a scalable, centrally managed alternative.

How to eliminate wrong answers

Option B is wrong because AWS Direct Connect is a dedicated physical connection from on-premises to AWS, not designed for inter-VPC or inter-Region VPC communication, and would require additional virtual interfaces and complex routing to connect multiple VPCs across regions, increasing operational overhead. Option C is wrong because VPC peering does not support transitive routing, meaning you would need to create a full mesh of peering connections between every pair of VPCs, which becomes unmanageable as the number of VPCs grows and does not leverage AWS's global backbone for inter-Region traffic efficiently. Option D is wrong because AWS Site-to-Site VPN is typically used for connecting on-premises networks to AWS VPCs over the public internet, not for inter-VPC communication within AWS, and it introduces latency and complexity compared to using Transit Gateway peering over the AWS global network.

93
MCQeasy

A solutions architect needs to design a highly available web application that uses an Application Load Balancer (ALB) and spans multiple Availability Zones (AZs) in a single region. The application must be able to handle a sudden increase in traffic without manual intervention. Which feature should the architect enable on the ALB to meet this requirement?

A.Enable connection draining
B.Enable sticky sessions
C.Enable cross-zone load balancing
D.Enable deletion protection
AnswerC

Cross-zone load balancing distributes traffic evenly across instances in all AZs, allowing the ALB to handle spikes by using all healthy instances effectively.

Why this answer

Cross-zone load balancing lets each load balancer node distribute requests across registered targets in every enabled Availability Zone rather than only to targets in its own zone, so an uneven split of client traffic between zones still lands evenly on all healthy targets. On an Application Load Balancer it is enabled by default at the load balancer level (and can be adjusted per target group), so in practice the check is that it has not been turned off. It does not add capacity: pair it with an Auto Scaling policy if the spike exceeds what the registered targets can serve.

Exam trap

The trap is confusing cross-zone load balancing with Auto Scaling. Cross-zone load balancing is an ALB feature that spreads existing traffic across all registered targets in all zones; Auto Scaling changes the number of targets. The question asks for an ALB feature that absorbs a sudden increase without manual intervention, and cross-zone load balancing is the one that immediately makes all available capacity in every zone usable.

How to eliminate wrong answers

Option A is wrong because connection draining (also known as deregistration delay) is used to complete in-flight requests before an instance is deregistered, not to handle sudden traffic increases. Option B is wrong because sticky sessions (session affinity) bind a user's session to a specific target, which can cause uneven load distribution and does not help with handling traffic spikes. Option D is wrong because deletion protection prevents accidental deletion of the ALB, but has no effect on traffic handling or scalability.

94
MCQhard

A company runs a critical application on Amazon EC2 instances in a VPC. The application receives data from an on-premises data center over an AWS Direct Connect connection. The company wants to add redundant connectivity using a VPN connection over the internet. They need to ensure that traffic from on-premises to AWS uses the Direct Connect connection when it is healthy, and only fails over to the VPN if Direct Connect fails. Which configuration achieves this?

A.Advertise a more specific prefix over Direct Connect and a less specific prefix over VPN, and set a higher MED value on the VPN routes.
B.Advertise the same prefix over both connections but prepend AS_PATH multiple times on the Direct Connect routes.
C.Set a higher BGP weight on the VPN routes.
D.Set a lower BGP local preference on the Direct Connect routes.
AnswerA

BGP prefers more specific prefixes. Higher MED on VPN makes Direct Connect routes preferred when both are available.

Why this answer

Option A is correct. Advertising a more specific prefix (e.g., 10.0.1.0/24) over Direct Connect and a less specific one (e.g., 10.0.0.0/23) over the VPN makes BGP's longest-prefix match pick Direct Connect for every destination the /24 covers, regardless of any other attribute; when the Direct Connect session drops and the /24 is withdrawn, the /23 learned over the VPN is all that remains, so traffic fails over without intervention. Setting a higher MED on the VPN routes covers the case where both paths advertise the same prefix, because a lower MED is preferred. Check that the specific prefixes advertised over Direct Connect cover every destination that must stay on the dedicated link; anything covered only by the summary will use the VPN even while Direct Connect is healthy.

Option B is incorrect because prepending AS_PATH on the Direct Connect routes lengthens their AS_PATH, making them less preferred and pushing traffic onto the VPN. Option C is incorrect because a higher weight (a Cisco-local attribute) makes a route more preferred, so weighting the VPN routes would prefer the VPN. Option D is incorrect because a lower local preference makes a route less preferred, so lowering it on the Direct Connect routes would again prefer the VPN.
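To make the path-selection logic concrete, here is an added example (not part of the original question bank) that models how an on-premises router would choose between the Direct Connect and VPN paths for each answer choice. The prefixes, AS numbers and attribute values are constructed for illustration, and the comparison order is the Cisco-style one (weight, local preference, AS_PATH length, MED) applied only after longest-prefix match.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Hypothetical AS number standing in for the AWS side of both BGP sessions.
AWS_ASN = 64512


@dataclass(frozen=True)
class Route:
    """One BGP path as seen by the on-premises router."""
    prefix: str
    via: str                                  # "dx" (Direct Connect) or "vpn"
    as_path: Tuple[int, ...] = (AWS_ASN,)
    weight: int = 0                           # Cisco-local attribute, highest wins
    local_pref: int = 100                     # highest wins
    med: int = 0                              # lowest wins


def best_path(routes: Sequence[Route], dest: str) -> Optional[Route]:
    """Pick the path the router installs for `dest`.

    Longest prefix match happens first and is not a BGP attribute at all;
    only routes for the same prefix are compared on weight, local preference,
    AS_PATH length and MED (origin and router-ID tie-breaks are omitted).
    """
    ip = ipaddress.ip_address(dest)
    matching = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not matching:
        return None
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in matching)
    same_prefix = [r for r in matching
                   if ipaddress.ip_network(r.prefix).prefixlen == longest]
    return min(same_prefix,
               key=lambda r: (-r.weight, -r.local_pref, len(r.as_path), r.med))


def chosen_path(routes: Sequence[Route], dest: str) -> Optional[str]:
    route = best_path(routes, dest)
    return route.via if route else None


def option_a(dx_up: bool = True) -> list:
    """/24 over Direct Connect, covering /23 over the VPN with a higher MED."""
    routes = [Route("10.0.0.0/23", "vpn", med=100)]
    if dx_up:
        routes.append(Route("10.0.1.0/24", "dx", med=0))
    return routes


def evaluate_options() -> dict:
    """Which link each answer choice actually selects for a host in 10.0.1.0/24."""
    dest = "10.0.1.50"
    prepended = (AWS_ASN, AWS_ASN, AWS_ASN)
    return {
        "A_dx_up": chosen_path(option_a(True), dest),
        "A_dx_down": chosen_path(option_a(False), dest),
        # A host outside the specific /24 is covered only by the VPN summary.
        "A_uncovered_host": chosen_path(option_a(True), "10.0.0.50"),
        "B": chosen_path([Route("10.0.0.0/16", "dx", as_path=prepended),
                          Route("10.0.0.0/16", "vpn")], dest),
        "C": chosen_path([Route("10.0.0.0/16", "dx"),
                          Route("10.0.0.0/16", "vpn", weight=200)], dest),
        "D": chosen_path([Route("10.0.0.0/16", "dx", local_pref=50),
                          Route("10.0.0.0/16", "vpn")], dest),
    }


if __name__ == "__main__":
    for name, via in evaluate_options().items():
        print(f"{name:>16}: {via}")
```

Running it shows option A keeping traffic on Direct Connect while the session is up and moving it to the VPN once the /24 is withdrawn, while options B, C and D all land on the VPN even with Direct Connect healthy. The A_uncovered_host case is the audit point: a host covered only by the /23 summary uses the VPN at all times, so every prefix that must stay on the dedicated link needs a more-specific advertisement over it.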

95
MCQhard

A network engineer is designing a VPC with public and private subnets. The private subnets must have outbound internet access for software updates but must not be directly reachable from the internet. The company wants to minimize cost and operational overhead. Which solution meets these requirements?

A.Deploy a NAT Gateway in a public subnet and add a route in the private subnet route table pointing 0.0.0.0/0 to the NAT Gateway.
B.Use an egress-only internet gateway and route 0.0.0.0/0 to it from the private subnets.
C.Create a VPC peering connection to a VPC with internet access and route 0.0.0.0/0 through the peering connection.
D.Attach an internet gateway to the VPC and add a route in the private subnet route table pointing 0.0.0.0/0 to the internet gateway.
AnswerA

NAT Gateway allows outbound traffic from private subnets while blocking unsolicited inbound traffic.

Why this answer

A NAT Gateway, deployed in a public subnet with an associated Elastic IP, enables instances in private subnets to initiate outbound IPv4 connections to the internet (e.g., for software updates) while preventing unsolicited inbound connections from the internet. Adding a default route (0.0.0.0/0) in the private subnet route table pointing to the NAT Gateway satisfies the requirement for outbound-only internet access with minimal cost and operational overhead, as NAT Gateway is a managed service that scales automatically.

Exam trap

AWS often tests the misconception that an egress-only internet gateway can be used for IPv4 outbound traffic, or that VPC peering can be used to route internet-bound traffic through another VPC, when in fact both are invalid for this scenario.

How to eliminate wrong answers

Option B is wrong because an egress-only internet gateway is designed for IPv6 traffic only; it cannot provide outbound internet access for IPv4 traffic, which is required for software updates. Option C is wrong because VPC peering does not support transitive routing; routing 0.0.0.0/0 through a peering connection to another VPC would not provide internet access unless that VPC has its own internet gateway and proper routing, and it violates AWS peering rules (cannot route to internet via peering). Option D is wrong because adding a route to an internet gateway in a private subnet route table would make instances directly reachable from the internet (if they have public IPs) or would not work at all for instances without public IPs; an internet gateway requires a public IP on the instance for outbound traffic, and it does not provide the required inbound restriction.

96
MCQhard

A company is designing a multi-account AWS environment using AWS Organizations. The company wants to centralize outbound internet traffic from all VPCs in all accounts through a single VPC in a shared services account. The shared services account has a VPC with a NAT gateway and an internet gateway. Which architecture meets this requirement?

A.Create VPC gateway endpoints for all AWS services in each VPC.
B.Set up a VPN connection from each VPC to the shared services VPC and use the latter's internet gateway.
C.Attach all VPCs to a transit gateway and route traffic through a shared services VPC that has NAT gateway and internet gateway.
D.Peer each VPC to the shared services VPC and configure a default route pointing to the shared services VPC's NAT gateway.
AnswerC

Transit gateway enables transitive routing and centralized internet.

Why this answer

Option C is correct because a transit gateway provides transitive routing: each spoke VPC's private subnets route 0.0.0.0/0 to the transit gateway, the transit gateway route table sends 0.0.0.0/0 to the shared services VPC attachment, and inside that VPC the attachment subnets route 0.0.0.0/0 to the NAT gateway, which in turn reaches the internet gateway. The shared services VPC route tables also need routes for the spoke CIDRs pointing back to the transit gateway, or return traffic is dropped. Option D is incorrect because VPC peering is not transitive and a peering connection cannot carry traffic to a NAT gateway or internet gateway in the peer VPC. Option B is incorrect because VPN connections between VPCs add tunnels, bandwidth limits and operational overhead for no benefit when a transit gateway attachment does the job natively. Option A is incorrect because VPC gateway endpoints reach only Amazon S3 and DynamoDB, not the general internet.
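As an added example that is not part of the original question, the following Python walks a packet hop by hop through the route tables of the centralized egress design in option C, including the return path that is easy to forget. The CIDRs, table names and targets are constructed for this illustration and model VPC and transit gateway route tables as longest-prefix-match dictionaries.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed addressing: spokes 10.1.0.0/16 and 10.2.0.0/16, shared services
# (egress) VPC 10.0.0.0/16, all covered by a 10.0.0.0/8 summary.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RouteTable = Dict[str, str]   # destination CIDR -> target


def lookup(table: RouteTable, dest: str) -> Optional[str]:
    """Longest-prefix match, which is how VPC and transit gateway route tables choose."""
    ip = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(cidr), target)
               for cidr, target in table.items()
               if ip in ipaddress.ip_network(cidr)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_tables(return_route: bool = True) -> Dict[str, RouteTable]:
    """Route tables for the centralized egress design.

    return_route=False reproduces a common mistake: forgetting the summary
    route back to the transit gateway inside the egress VPC.
    """
    egress_public = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw"}
    egress_attach = {"10.0.0.0/16": "local", "0.0.0.0/0": "nat"}
    if return_route:
        egress_public["10.0.0.0/8"] = "tgw"
        egress_attach["10.0.0.0/8"] = "tgw"
    return {
        # Spoke private subnet: everything non-local goes to the transit gateway.
        "spoke-a": {"10.1.0.0/16": "local", "0.0.0.0/0": "tgw"},
        # Transit gateway route table used by the spoke attachments.
        "tgw": {"10.1.0.0/16": "attach:spoke-a",
                "10.2.0.0/16": "attach:spoke-b",
                "0.0.0.0/0": "attach:egress"},
        # Egress VPC: the subnet holding the attachment ENIs, and the public NAT subnet.
        "egress-attach": egress_attach,
        "egress-public": egress_public,
    }


def trace(tables: Dict[str, RouteTable], dest: str, start: str) -> List[str]:
    """Walk a packet from the `start` route table until it is delivered or dropped."""
    hops: List[str] = []
    table = start
    while True:
        target = lookup(tables[table], dest)
        hops.append(f"{table} -> {target}")
        if target is None:
            hops.append("dropped: no route")
            return hops
        if target == "local":
            hops.append(f"delivered in {table}")
            return hops
        if target == "tgw":
            table = "tgw"
            continue
        if target.startswith("attach:"):
            attachment = target.split(":", 1)[1]
            if attachment == "egress":
                table = "egress-attach"
                continue
            hops.append(f"delivered to {attachment}")
            return hops
        if target == "nat":
            hops.append("nat: source rewritten to the NAT gateway's elastic IP")
            table = "egress-public"
            continue
        if target == "igw":
            if any(ipaddress.ip_address(dest) in net for net in RFC1918):
                hops.append("dropped: internet gateway cannot forward a private destination")
            else:
                hops.append("forwarded to the internet")
            return hops


def outbound(return_route: bool = True) -> List[str]:
    """Spoke instance 10.1.0.5 reaching a public address."""
    return trace(build_tables(return_route), "203.0.113.10", start="spoke-a")


def reply(return_route: bool = True) -> List[str]:
    """The reply after the NAT gateway has translated it back to 10.1.0.5."""
    return trace(build_tables(return_route), "10.1.0.5", start="egress-public")


if __name__ == "__main__":
    for label, path in (("outbound", outbound()), ("reply", reply()),
                        ("reply, missing return route", reply(return_route=False))):
        print(label + ":\n  " + "\n  ".join(path))
```

The reply trace fails when the egress VPC's public subnet lacks the 10.0.0.0/8 route back to the transit gateway: the NAT gateway hands the un-translated reply to the internet gateway, which cannot deliver to a private address. The same hub is where spoke isolation is enforced: keeping the spoke attachments in a transit gateway route table that carries only the egress default route (plus blackhole routes for the other spoke CIDRs) prevents spokes from reaching each other through it.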

97
MCQeasy

A company is deploying an internet-facing application in AWS. The application must only accept traffic from specific IP addresses of business partners. Which AWS service should be used to enforce this restriction?

A.Network ACLs with inbound allow rules
B.Security Groups with inbound allow rules
C.Amazon Route 53 geoproximity routing
D.AWS WAF with an IP set rule
AnswerD

AWS WAF can filter traffic based on IP addresses using IP sets.

Why this answer

Option D is correct because an AWS WAF IP set holds the partner address ranges, and an IP-set rule on the web ACL can allow those sources while the web ACL's default action blocks everything else; the web ACL attaches to the ALB, CloudFront distribution or API Gateway stage in front of the application, and updating the IP set changes enforcement without touching instances or subnets. Two things to verify: the allow rule only restricts access if the web ACL's default action is Block (an allow rule with a default action of Allow permits everyone), and if the IP set is evaluated against a forwarded-IP header such as X-Forwarded-For rather than the connection's source address, that header can be spoofed by the client. Option B is not the best fit because security group rules are per-CIDR entries bound to an instance or load balancer, limited by per-group rule quotas and unusable in front of CloudFront or API Gateway; they do enforce by source CIDR, so they remain a reasonable defense-in-depth layer on an ALB, but they are not the purpose-built control. Option A is wrong because network ACLs are stateless subnet-level filters with a small rule limit that also need matching outbound ephemeral-port rules; they are not a practical way to manage a partner allow list. Option C is wrong because Route 53 geoproximity routing only influences DNS answers and does not filter traffic.
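The allow-list semantics above are easy to get subtly wrong, so here is an added example (not from the original page) that models AWS WAF's evaluation order for an IP-set allow rule: rules are checked in priority order and the web ACL's default action decides every request that matched nothing. The partner range, the header handling and the ACL dictionary are constructed for illustration; they stand in for the WAFv2 IPSetReferenceStatement and IPSetForwardedIPConfig settings rather than calling the WAF API.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed partner range (TEST-NET-3); everything else is a stranger.
PARTNER_CIDRS = ["203.0.113.0/24"]


def build_web_acl(partner_cidrs: List[str], default_action: str = "BLOCK",
                  forwarded_ip_header: Optional[str] = None) -> Dict:
    """Allow-list web ACL shaped like a WAFv2 ACL: one IP-set allow rule plus a
    default action. `forwarded_ip_header` models IPSetForwardedIPConfig with
    position FIRST: the IP set is matched against the first address in that
    header instead of the connection's source address."""
    return {
        "default_action": default_action,
        "rules": [{
            "name": "allow-partner-ips",
            "priority": 0,
            "action": "ALLOW",
            "ip_set": [ipaddress.ip_network(c) for c in partner_cidrs],
            "forwarded_ip_header": forwarded_ip_header,
        }],
    }


def client_address(rule: Dict, source_ip: str, headers: Dict[str, str]) -> str:
    """The address the rule inspects: the header's first hop if configured, else the socket peer."""
    header = rule["forwarded_ip_header"]
    if header and header in headers:
        # The first hop in the header is whatever the client chose to send.
        return headers[header].split(",")[0].strip()
    return source_ip


def evaluate(web_acl: Dict, source_ip: str,
             headers: Optional[Dict[str, str]] = None) -> str:
    """Return ALLOW or BLOCK: the first matching rule wins, otherwise the default action."""
    headers = headers or {}
    for rule in sorted(web_acl["rules"], key=lambda r: r["priority"]):
        addr = ipaddress.ip_address(client_address(rule, source_ip, headers))
        if any(addr in net for net in rule["ip_set"]):
            return rule["action"]
    return web_acl["default_action"]


def scenarios() -> Dict[str, str]:
    """Correct ACL beside the two misconfigurations practitioners actually ship."""
    correct = build_web_acl(PARTNER_CIDRS, default_action="BLOCK")
    wrong_default = build_web_acl(PARTNER_CIDRS, default_action="ALLOW")
    trusts_xff = build_web_acl(PARTNER_CIDRS, default_action="BLOCK",
                               forwarded_ip_header="X-Forwarded-For")
    spoof = {"X-Forwarded-For": "203.0.113.9"}   # stranger claims a partner address
    return {
        "partner": evaluate(correct, "203.0.113.5"),
        "stranger": evaluate(correct, "198.51.100.7"),
        "stranger_default_allow": evaluate(wrong_default, "198.51.100.7"),
        "stranger_spoofed_xff": evaluate(trusts_xff, "198.51.100.7", spoof),
        "stranger_spoofed_xff_ignored": evaluate(correct, "198.51.100.7", spoof),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:>30}: {verdict}")
```

Two of the scenarios are misconfigurations: stranger_default_allow shows that an allow rule under a default action of Allow restricts nothing, and stranger_spoofed_xff shows that matching the IP set against the first address in X-Forwarded-For lets any client claim a partner address. Behind an ALB or API Gateway, evaluate the IP set against the connection's source address; use the forwarded-IP configuration only when requests provably arrive through a trusted proxy that writes the real client address, and match the position in the header that the proxy controls.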

98
MCQhard

A company is designing a network for a real-time gaming application that requires the lowest possible latency across AWS Regions. The application uses UDP traffic. Which AWS service should be used to optimize traffic routing?

A.AWS Direct Connect with multiple connections.
B.AWS Global Accelerator.
C.Amazon Route 53 with latency-based routing.
D.Amazon CloudFront with custom origins.
AnswerB

Global Accelerator supports UDP and uses the AWS backbone to reduce latency.

Why this answer

AWS Global Accelerator assigns two static anycast IP addresses and routes traffic from the nearest AWS edge location over the AWS global network to the closest healthy endpoint, reducing latency and jitter compared with the public internet. It supports TCP and UDP listeners, so real-time gaming traffic over UDP is accelerated natively, and endpoint health checks move traffic away from a failed Region without waiting on DNS.

Exam trap

AWS often tests the misconception that DNS-based routing (like Route 53 latency routing) provides the same latency optimization as Global Accelerator, but the trap is that DNS routing only affects the initial resolution and does not control the actual network path for ongoing UDP traffic, while Global Accelerator optimizes every packet in real time.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect is a dedicated physical link from a customer location into AWS; it does not optimize paths between Regions for internet users and has no anycast or edge-routing function. Option C is wrong because Route 53 latency-based routing works only at DNS resolution time, is subject to resolver caching, and has no influence on the network path taken by the UDP packets that follow. Option D is wrong because CloudFront accelerates HTTP/HTTPS (and WebSocket) content and does not accept UDP at all, so it cannot carry real-time gaming traffic.

99
MCQhard

A company has a VPC with public and private subnets. The public subnet has a NAT gateway for outbound internet access from private subnets. The private subnets have EC2 instances that need to access an S3 bucket in the same region. The company wants to minimize data transfer costs and avoid traversing the internet. What is the MOST cost-effective solution?

A.Configure an S3 bucket policy that restricts access to the VPC's public IP addresses.
B.Create a VPC Gateway Endpoint for S3 and attach a policy allowing access from the private subnets.
C.Route traffic to the NAT gateway and then to the S3 bucket using a VPC peering connection.
D.Create a VPC Interface Endpoint for S3 and associate with the private subnets.
AnswerB

Gateway endpoints are free and keep traffic within AWS network.

Why this answer

A VPC gateway endpoint for S3 gives instances in the private subnets a path to S3 over the AWS network, with no NAT gateway data-processing charge and no internet egress. It is the most cost-effective option because gateway endpoints carry no hourly or per-GB charge: associating the endpoint with the private subnets' route tables installs a route for the S3 prefix list that sends S3-bound traffic to the endpoint. Note that the endpoint is associated with route tables rather than subnets, and its endpoint policy constrains which buckets and actions are reachable through it; to force traffic through the endpoint, add a bucket policy condition on aws:SourceVpce so requests arriving any other way are denied.

Exam trap

AWS often tests the misconception that interface endpoints are always the best choice for AWS service access, but for S3 and DynamoDB, gateway endpoints are the most cost-effective because they are free and avoid the per-GB data processing charges of interface endpoints.

How to eliminate wrong answers

Option A is wrong because restricting access to the VPC's public IP addresses does not address routing; private instances still need a path to S3, and this policy alone does not prevent traffic from going through the NAT gateway or internet. Option C is wrong because routing traffic to the NAT gateway and then to S3 via a VPC peering connection is unnecessary, incurs NAT gateway data processing and hourly charges, and VPC peering is not used for S3 access—S3 is a service endpoint, not a peered VPC. Option D is wrong because a VPC Interface Endpoint for S3 incurs hourly charges and per-GB data processing costs, making it more expensive than a gateway endpoint, which is free and designed for S3 and DynamoDB access within the same region.

100
MCQhard

A company has a VPC with a CIDR block of 10.0.0.0/16. It has two subnets: subnet A (10.0.1.0/24) and subnet B (10.0.2.0/24). Both subnets have a route to an Internet Gateway. An EC2 instance in subnet A has a security group that allows inbound HTTP from 0.0.0.0/0. The instance's network ACL allows inbound HTTP from 0.0.0.0/0. Users report they cannot access the web server. What is the most likely cause?

A.The instance does not have a public IP address
B.The network ACL inbound rule is incorrectly configured
C.The security group is not associated with the instance
D.The route table does not have a route to the Internet Gateway
AnswerA

Without a public IP, the instance is not reachable from the internet.

Why this answer

Without a public IPv4 address or an Elastic IP mapped to the instance, the internet gateway has no public address to translate, so the route to the internet gateway, the security group and the network ACL are all irrelevant: internet traffic never reaches the instance. The question rules out the other causes: the route table already has a route to the internet gateway, both the security group and the network ACL allow HTTP, and an instance's network interface always has at least one security group attached.

101
MCQmedium

Based on the route table, which of the following is true?

A.The route table is the main route table for the VPC
B.The subnet is connected to a Transit Gateway
C.The subnet has a VPN connection to a network with CIDR 172.31.0.0/16
D.The subnet is a private subnet with no internet access
AnswerC

The route to vgw for 172.31.0.0/16 indicates a VPN connection.

Why this answer

Option C is correct because the route table contains a local route for the VPC CIDR, a default route (0.0.0.0/0) to an internet gateway, and a route for 172.31.0.0/16 whose target is a virtual private gateway (vgw). A vgw target for a remote CIDR indicates a Site-to-Site VPN (or Direct Connect) connection to a network using that range. Option B is wrong because no route targets a transit gateway (tgw). Option D is wrong because the default route to an internet gateway makes this a public subnet's route table, not a private one. Option A cannot be concluded from the entries: whether a table is the VPC's main route table is a property of the table itself, not of its routes.

102
Multi-Selectmedium

Which TWO options are valid methods to connect multiple VPCs together in a hub-and-spoke topology? (Select TWO.)

Select 2 answers
A.VPC peering
B.AWS Direct Connect
C.VPC Endpoints
D.AWS Site-to-Site VPN
E.AWS Transit Gateway
AnswersA, E

Either can form the hub of a hub-and-spoke topology.

Why this answer

VPC peering (A) is valid because a hub VPC can peer with each spoke VPC; peering is a one-to-one connection between two VPCs over the AWS backbone that carries private IPv4 and IPv6 traffic without gateways or VPNs. Because peering is not transitive, spokes cannot reach each other through the hub, which is acceptable when only hub-to-spoke traffic is needed. AWS Transit Gateway (E) is valid because it is a central hub that attaches many VPCs and on-premises networks, supports transitive routing between them, and lets separate route tables control which spokes can reach which.

Exam trap

AWS often tests the misconception that AWS Direct Connect or Site-to-Site VPN can directly interconnect multiple VPCs, but these are designed for on-premises connectivity, not VPC-to-VPC peering or transit routing.

103
MCQeasy

A company wants to design a highly available architecture for a web application that runs on EC2 instances in an Auto Scaling group across multiple Availability Zones. The application must be able to handle sudden traffic spikes. Which load balancing solution provides the best combination of high availability, automatic scaling, and SSL offloading?

A.Amazon CloudFront with an origin pointing to the Auto Scaling group
B.Network Load Balancer
C.Application Load Balancer
D.Classic Load Balancer
AnswerC

ALB provides SSL termination, health checks, and integrates with Auto Scaling.

Why this answer

Option C is correct. An Application Load Balancer operates at Layer 7, terminates TLS (offloading it from the instances), performs health checks and is registered as a target for the Auto Scaling group, so new instances join the pool automatically. Option D is incorrect because the Classic Load Balancer is the legacy generation with fewer features (no path- or host-based routing, no target groups) and is not recommended for new designs. Option B is incorrect because a Network Load Balancer operates at Layer 4; it can terminate TLS, but it offers no HTTP-aware routing and is chosen for extreme throughput or static IP requirements rather than a general web tier. Option A is incorrect because CloudFront is a CDN that caches content and fronts an origin; it is not a load balancer and cannot target an Auto Scaling group directly.

104
MCQhard

A company has a VPC with a CIDR of 10.0.0.0/16. They need to connect to two on-premises data centers, each with overlapping CIDR blocks (192.168.0.0/16). The company wants to use AWS Site-to-Site VPN with dynamic routing (BGP). Which design allows the VPC to reach both data centers without route conflicts?

A.Create two VPN connections to a single virtual private gateway and advertise the same CIDR from both data centers. Use BGP AS_PATH prepending to influence routing.
B.Create a single VPN connection with two tunnels to the same virtual private gateway. Use different BGP ASNs for each data center.
C.Create two separate virtual private gateways, each in a different VPC, and use VPC peering. Alternatively, use a transit gateway with separate VPN attachments and BGP communities to tag routes.
D.Create two VPN connections to the same virtual private gateway. Use static routes with different metric values.
AnswerC

Transit gateway with separate attachments and BGP communities can handle overlapping CIDRs by using route priority or filtering.

Why this answer

Option C is correct because two networks advertising the same 192.168.0.0/16 to one virtual private gateway would collide in its route table. Giving each data center its own VPN attachment on a transit gateway, with a separate transit gateway route table per attachment, keeps the two copies of the prefix apart, and BGP communities can tag each data center's routes so they can be filtered or preferred per route table. In practice, reaching both overlapping ranges from a single VPC also needs some form of address translation (for example a private NAT gateway in front of each VPN attachment) or re-addressing, because any one route table can still hold only one entry for 192.168.0.0/16.

Exam trap

AWS often tests the misconception that a single virtual private gateway can handle overlapping CIDRs by using BGP attributes like AS_PATH prepending, but the fundamental limitation is that the VPG's route table cannot store duplicate prefixes, regardless of BGP attributes.

How to eliminate wrong answers

Option A is wrong because advertising the same CIDR from both data centers to a single VPG will cause the VPG to see duplicate routes, and AS_PATH prepending only influences route preference, not route uniqueness; the VPG cannot distinguish between the two overlapping prefixes, leading to routing conflicts. Option B is wrong because a single VPN connection with two tunnels still terminates on one VPG, and using different BGP ASNs does not resolve the issue of overlapping CIDRs; the VPG will still receive identical prefixes from both tunnels and cannot differentiate them. Option D is wrong because static routes with different metric values cannot be used with dynamic routing (BGP) as specified in the question; moreover, static routes to the same VPG for overlapping CIDRs would create ambiguity and the VPG would not know which tunnel to use for a given destination.

105
MCQhard

A large financial services company is migrating its on-premises data center to AWS. The network design must meet strict low-latency requirements for trading applications that communicate with external exchanges. The company has two AWS Direct Connect connections from two different providers to two different AWS Direct Connect locations in the same region. They have a VPC with multiple subnets across three Availability Zones. The trading applications are deployed on EC2 instances in private subnets and need to communicate with external exchanges over the Direct Connect connections. The company also requires high availability and automatic failover if one Direct Connect connection fails. The network team has configured two virtual interfaces (VIFs) for private connectivity to the VPC, one on each Direct Connect connection, and has set up BGP sessions. However, during a failover test, traffic does not fail over as expected. The team notices that the VPC route tables have static routes pointing to the virtual private gateway (VGW) with the same prefix, but no BGP routes are propagated. What is the most likely cause of the failover issue, and what should be done to resolve it?

A.The VPC route tables do not have route propagation enabled for the VGW. Enable route propagation in the route tables.
B.The BGP timers are set too high, causing slow convergence. Reduce the BGP keepalive and hold timers.
C.The VPC route tables have static routes that are overriding the BGP routes. Remove the static routes and rely on BGP routes propagated through the VGW.
D.The BGP configuration on the on-premises router is using AS_PATH prepending, making the backup path less preferred. Remove AS_PATH prepending.
AnswerC

Static routes have higher priority than BGP routes, preventing failover.

Why this answer

The failover issue occurs because static routes in the VPC route tables take precedence over BGP-propagated routes, even when the BGP session goes down. Since the static routes point to the virtual private gateway (VGW) with the same prefix, traffic continues to use the failed Direct Connect connection instead of failing over to the active one. Removing the static routes and enabling route propagation allows BGP to dynamically update the route tables based on the availability of the Direct Connect connections.

Exam trap

AWS often tests the misconception that enabling route propagation alone ensures failover, but the trap here is that static routes in the VPC route table take precedence over BGP-propagated routes, so they must be removed for automatic failover to work.

How to eliminate wrong answers

Option A is wrong because, even after route propagation is enabled, a static route for the same prefix still takes precedence over the propagated one, so enabling propagation on its own does not restore failover; removing the static routes is the necessary step. Option B is wrong because BGP timers only change how quickly a session is declared down and convergence begins; they cannot explain a failover that never happens at all. Option D is wrong because AS_PATH prepending influences BGP path selection between the two connections; it does not change the fact that a static VPC route shadows any propagated route for the same prefix.

106
MCQmedium

A company is designing a multi-region active-active architecture using Application Load Balancers (ALBs) and AWS Global Accelerator. The application servers are in private subnets behind Network Load Balancers (NLBs). The company needs to ensure that traffic from a client is consistently routed to the same ALB endpoint for the duration of a session. Which configuration should be used?

A.Configure cross-zone load balancing on the NLBs and enable stickiness on the target groups.
B.Enable proxy protocol on the NLB target groups and configure stickiness on the NLB.
C.Enable stickiness on the ALB target groups with a duration of 1 second.
D.Enable client IP address preservation on the Global Accelerator endpoint groups and configure stickiness on the ALB based on the client IP.
AnswerD

This ensures sessions are consistently routed to the same ALB based on the client's IP.

Why this answer

Option D is correct because enabling client IP address preservation on the endpoint group lets the ALB see the real client address rather than a Global Accelerator address, so affinity, logging and allow-listing can be keyed on the true client. With that in place, stickiness can be configured so the client stays on the same endpoint for the session. Two implementation details are worth knowing: Global Accelerator's own listener setting, client affinity (Source IP), is what pins a given client to the same endpoint across requests, and ALB target-group stickiness is cookie-based (a duration-based or application cookie), so "stickiness based on the client IP" is realized by the accelerator's client affinity rather than by a source-IP setting on the ALB itself.

Exam trap

The trap here is that candidates often assume stickiness must be configured on the NLB or that proxy protocol is required, but they overlook that Global Accelerator can preserve the client IP, which is the key to enabling ALB-based stickiness using the client IP as the persistence key.

How to eliminate wrong answers

Option A is wrong because cross-zone load balancing and stickiness on the NLB target groups would only ensure persistence at the NLB level, not at the ALB level, and the NLB is not the endpoint that needs session affinity—the ALB is. Option B is wrong because enabling proxy protocol on the NLB target groups passes the client IP in a header, but stickiness on the NLB does not guarantee that the ALB will consistently route traffic to the same ALB endpoint; the ALB must handle stickiness itself. Option C is wrong because setting stickiness duration to 1 second is effectively disabling stickiness, as sessions would not persist long enough to maintain affinity for a meaningful session duration.

107
MCQeasy

A company is migrating an on-premises application to AWS. The application requires low-latency, high-throughput connectivity between the on-premises data center and the AWS VPC. The company wants a dedicated, private connection that bypasses the internet. Which AWS service should they use?

A.AWS Direct Connect
B.AWS Transit Gateway
C.AWS Site-to-Site VPN
D.VPC Peering
AnswerA

Dedicated, private, high-bandwidth connection.

Why this answer

AWS Direct Connect provides a dedicated, private network connection from an on-premises data center to AWS, bypassing the internet entirely. This ensures low-latency, high-throughput connectivity ideal for latency-sensitive or high-volume workloads, as it uses a physical cross-connect or hosted virtual interface over a private circuit.

Exam trap

The trap here is that candidates often confuse AWS Transit Gateway as a connectivity method itself, when it is actually a hub that requires an underlying connection (Direct Connect or VPN) to reach on-premises networks.

How to eliminate wrong answers

Option B (AWS Transit Gateway) is wrong because it is a network transit hub that interconnects VPCs and on-premises networks via VPN or Direct Connect, but it does not itself provide a dedicated private connection; it requires an underlying connectivity method like Direct Connect or VPN. Option C (AWS Site-to-Site VPN) is wrong because it uses the public internet, encrypted over IPsec tunnels, which introduces latency and throughput variability, failing the requirement to bypass the internet. Option D (VPC Peering) is wrong because it connects two VPCs within AWS using private IP addresses, not an on-premises data center, and cannot extend to external networks.

108
MCQhard

A company is designing a hybrid network with AWS Direct Connect. They have multiple VPCs in the same Region and want to use a single Direct Connect connection to access all VPCs. Which AWS resource should be used?

A.AWS Transit Gateway
B.AWS Site-to-Site VPN
C.Direct Connect Gateway
D.Virtual Private Gateway
AnswerC

Enables multi-VPC access.

Why this answer

A Direct Connect gateway is a globally available resource that a private or transit virtual interface terminates on; it can be associated with multiple virtual private gateways (or transit gateways) in the same or different AWS accounts, so one Direct Connect connection reaches many VPCs in the Region. It passes the on-premises prefixes learned over BGP to each associated gateway and advertises the associated VPC CIDRs back, subject to the allowed-prefix list configured on each association. Without a Direct Connect gateway, a private VIF terminates on a single virtual private gateway and therefore reaches only one VPC.

Exam trap

The trap here is that candidates often confuse the Direct Connect Gateway with the Transit Gateway, thinking the Transit Gateway alone can terminate the Direct Connect connection, but the Transit Gateway requires a Direct Connect Gateway (via a transit VIF) to be attached to the Direct Connect link.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway is a regional network transit hub that can interconnect VPCs and on-premises networks, but it does not directly terminate a Direct Connect connection; you still need a Direct Connect Gateway to attach the Transit Gateway to the Direct Connect link. Option B is wrong because AWS Site-to-Site VPN is an IPsec-based connection over the internet, not a dedicated private connection, and it cannot replace the Direct Connect Gateway for aggregating multiple VPCs over a single Direct Connect link. Option D is wrong because a Virtual Private Gateway is a per-VPC attachment point for VPN or Direct Connect, but it cannot be shared across multiple VPCs; using a single VGW would only provide access to one VPC, not all VPCs.

109
MCQeasy

A company wants to ensure that all traffic to and from its VPC is inspected by a security appliance. The appliance must be able to inspect traffic between subnets within the VPC. Which architecture should the company use?

A.Use a Gateway Load Balancer with security appliances in a separate inspection VPC and configure route tables to send traffic to the GWLB endpoint.
B.Deploy a NAT Gateway and route all internet traffic through it.
C.Create a VPC Peering connection to a centralized VPC with security appliances.
D.Attach an Internet Gateway and use Security Groups to log traffic.
AnswerA

GWLB provides transparent inspection of all traffic.

Why this answer

Option A is correct because a Gateway Load Balancer (GWLB) fronts a fleet of third-party security appliances in an inspection VPC and exposes them to the application VPC through GWLB endpoints; traffic sent to an endpoint is encapsulated in GENEVE, delivered to a healthy appliance and returned transparently. Route tables are what force traffic through it: north-south traffic is steered with an ingress route table on the internet gateway and default routes in the subnets, while east-west traffic between subnets in the same VPC is steered by adding routes for the peer subnet CIDRs (more specific than the VPC's local route) that target the GWLB endpoint. Because GWLB keeps both directions of a flow on the same appliance, the appliances can perform stateful inspection, and the GWLB and its endpoints are managed, scalable components rather than a single appliance in the path.

Exam trap

AWS often tests the misconception that a NAT Gateway or Internet Gateway can provide full traffic inspection, but they only handle specific traffic types and lack the ability to inspect east-west traffic within a VPC.

How to eliminate wrong answers

Option B is wrong because a NAT Gateway only handles outbound internet traffic from private subnets and cannot inspect inbound traffic or traffic between subnets within the VPC. Option C is wrong because a VPC Peering connection does not inherently route traffic through a central inspection point; it simply connects two VPCs, and you would still need additional routing and appliances to force traffic through the security stack. Option D is wrong because an Internet Gateway provides internet access but does not inspect traffic, and Security Groups are stateful firewalls that operate at the instance level, not as inline inspection appliances for all traffic flows.

110
MCQeasy

A company wants to connect multiple VPCs across different AWS accounts to a common on-premises network using AWS Transit Gateway. Which resource should be used to allow cross-account VPC attachments?

A.AWS PrivateLink
B.VPC peering connection
C.AWS Organizations
D.AWS Resource Access Manager (RAM)
AnswerD

RAM enables sharing Transit Gateways with other accounts.

Why this answer

AWS Resource Access Manager (RAM) shares the transit gateway with other accounts (or with the whole organization as the share principal), after which those accounts create VPC attachments to it. Option B is wrong because VPC peering does not attach to a transit gateway. Option C is wrong because AWS Organizations manages accounts and policies and does not itself share a transit gateway. Option A is wrong because AWS PrivateLink provides private connectivity to a service endpoint, not network attachments.

111
Multi-Selecteasy

A solutions architect is designing a VPC with public and private subnets. The application in the private subnet needs to download patches from the internet. Which TWO options allow outbound internet access while keeping the EC2 instance in the private subnet without a public IP address?

Select 2 answers
A.Attach an Internet Gateway to the VPC and assign a public IP to the instance.
B.Set up a Direct Connect connection to an on-premises data center.
C.Create a VPC endpoint for Amazon S3 and update the route table.
D.Establish a VPN connection to a third-party proxy service.
E.Deploy a NAT Gateway in a public subnet and update the private subnet route table to point 0.0.0.0/0 to the NAT Gateway.
AnswersC, E

VPC endpoint allows private access to S3 without internet.

Why this answer

Options C and E are correct. A NAT Gateway in a public subnet allows instances in private subnets to initiate outbound traffic to the internet. A VPC endpoint for S3 allows private access to S3 buckets.

Option A (Internet Gateway) requires a public IP. Option B (Direct Connect) is for dedicated private connections. Option D (VPN) is for hybrid connectivity.

112
MCQeasy

A company needs to allow a specific IP address range (203.0.113.0/24) to access an Amazon RDS database in a private subnet. The RDS instance is deployed in a VPC with no public access. Which configuration step is required?

A.Add a security group rule allowing inbound traffic from 203.0.113.0/24
B.Create an AWS Site-to-Site VPN connection and update route tables to route the on-premises CIDR to the virtual private gateway
C.Assign a public IP address to the RDS instance
D.Modify the network ACL of the private subnet to allow inbound traffic from 203.0.113.0/24
AnswerB

A VPN provides a secure tunnel from on-premises to the VPC, and route tables direct traffic to the VPN gateway.

Why this answer

RDS instances in a private subnet are not directly accessible from the internet. To allow access from an on-premises network, a VPN or Direct Connect connection is needed. The security group must allow inbound traffic from the on-premises CIDR, and the route tables must route traffic to the VPN/Direct Connect.

Simply adding a security group rule does not provide connectivity; a network path is required.

113
Multi-Selecthard

A company is designing a multi-account AWS environment using AWS Transit Gateway. They have 10 VPCs in separate accounts that need to communicate with each other and with an on-premises network via Direct Connect. Which three components are required to enable this connectivity? (Choose three.)

Select 3 answers
A.AWS Resource Access Manager to share the Transit Gateway with other accounts
B.Direct Connect Gateway attached to the Transit Gateway
C.AWS Transit Gateway in the network account
D.VPC Peering connections between each pair of VPCs
E.AWS Site-to-Site VPN connection from the Transit Gateway to the on-premises network
AnswersA, B, C

RAM allows sharing the Transit Gateway with VPCs in other accounts.

Why this answer

Options A, B, and C are correct. A Transit Gateway in the network account acts as a hub. Resource Access Manager (RAM) is used to share the Transit Gateway with other accounts.

A Direct Connect Gateway allows connecting the Transit Gateway to the on-premises network via Direct Connect. Option D is wrong because VPC Peering is not needed when using Transit Gateway. Option E is wrong because a VPN connection is not required if Direct Connect is used.

114
MCQmedium

A company needs to provide secure access to an Amazon S3 bucket for a third-party partner. The partner has their own AWS account. The company wants to avoid exposing the bucket to the public internet. Which solution meets these requirements?

A.Set up Amazon CloudFront with an origin access identity (OAI)
B.Use pre-signed URLs generated by AWS Lambda
C.Configure an S3 bucket policy that grants access to the partner's AWS account
D.Create a VPC Gateway Endpoint for S3 in your VPC and allow the partner to access the bucket through a VPC peering connection
AnswerD

The endpoint keeps traffic within AWS network; VPC Peering extends access to partner VPC.

Why this answer

Option D is correct because an S3 VPC Gateway Endpoint allows access from a VPC, and the partner can connect to that VPC via VPC Peering or Direct Connect. Option C is wrong because bucket policies with Principal set to the partner's account allow access from anywhere, not just from a specific VPC. Option B is wrong because pre-signed URLs expire and are not a permanent solution.

Option A is wrong because CloudFront requires public internet access to the origin.

115
MCQhard

A company has deployed a multi-tier application across three VPCs (VPC-A, VPC-B, VPC-C) in the us-east-1 region. Each VPC has its own CIDR block (10.0.0.0/16, 10.1.0.0/16, 10.2.0.0/16 respectively). All VPCs are attached to an AWS Transit Gateway. The web tier is in VPC-A, the application tier is in VPC-B, and the database tier is in VPC-C. The application servers in VPC-B need to connect to the database servers in VPC-C on TCP port 3306. The database servers are in a private subnet with a security group (sg-db) that allows inbound traffic from the application server security group (sg-app). The application servers have a security group (sg-app) that allows outbound traffic to the database servers. However, the application servers cannot connect to the database servers. The route tables in VPC-B and VPC-C have routes pointing to the Transit Gateway for the other VPC CIDRs. The Transit Gateway has attachments in all three VPCs and has a default route table with propagation enabled. What is the MOST likely cause of the connectivity failure?

A.The Transit Gateway attachments are not associated with the same route table
B.The network ACLs in VPC-B or VPC-C are blocking the traffic
C.The Transit Gateway does not support transitive routing between VPCs
D.The security group sg-app does not allow outbound traffic to the database server's security group
AnswerA

Correct; without association, routes are not propagated to the attachments.

Why this answer

The most likely cause is that the Transit Gateway attachments are not associated with the same route table. In AWS Transit Gateway, for traffic to flow between VPCs, the attachments must be associated with a route table that contains routes for the destination VPC CIDRs. Even though propagation is enabled on the default route table, if the attachments are associated with different route tables (or the default route table is not shared), transitive routing will fail.

Without a common route table association, the Transit Gateway cannot forward traffic between VPC-B and VPC-C.

Exam trap

The trap here is that candidates assume enabling propagation on the default route table automatically allows all inter-VPC traffic, but they overlook the requirement that all attachments must be associated with the same route table for transitive routing to work.

How to eliminate wrong answers

Option B is wrong because network ACLs are stateless and, by default, allow all inbound and outbound traffic; unless explicitly modified, they would not block TCP port 3306 traffic. Option C is wrong because AWS Transit Gateway natively supports transitive routing between all attached VPCs when route tables are properly configured; this is a core feature of the service. Option D is wrong because the security group sg-app allows outbound traffic to the database servers, as stated in the question; the issue is not with outbound rules but with the Transit Gateway routing configuration.

116
MCQmedium

A network engineer has configured an AWS Site-to-Site VPN connection between a VPC and an on-premises network. The engineer checks the VPN status and sees the output above. What is the MOST likely cause of Tunnel2 being down?

A.The BGP ASN on the on-premises device is misconfigured.
B.The route tables in the VPC do not have a route to the on-premises network.
C.The IKE pre-shared key used for Tunnel2 is incorrect.
D.The IPsec encryption or integrity algorithms do not match between the AWS VPN endpoint and the on-premises device.
AnswerD

Mismatched IPsec parameters cause Phase 2 negotiation failure.

Why this answer

Tunnel2 is down while Tunnel1 is up, indicating a per-tunnel configuration mismatch. The most common cause is a mismatch in IPsec security parameters (encryption, integrity, or DH group) between the AWS VPN endpoint and the on-premises device for that specific tunnel. AWS uses separate pre-shared keys and IPsec settings per tunnel, so a mismatch in algorithms would affect only the misconfigured tunnel.

Exam trap

AWS often tests the distinction between IKE phase 1 (pre-shared key, authentication) and IPsec phase 2 (encryption/integrity algorithms); candidates mistakenly attribute a single tunnel failure to a pre-shared key mismatch, but AWS assigns unique keys per tunnel, so a key error would affect only that tunnel—making algorithm mismatch the more subtle and likely cause when only one tunnel is down.

How to eliminate wrong answers

Option A is wrong because a misconfigured BGP ASN would affect BGP session establishment, but the tunnel itself (IPsec phase 1 and 2) would still come up; the tunnel status shows IPsec layer status, not BGP peering. Option B is wrong because VPC route tables do not affect the tunnel's IPsec negotiation; they only control traffic forwarding once the tunnel is established. Option C is wrong because an incorrect IKE pre-shared key would prevent IKE phase 1 authentication, so the tunnel would never come up; since each tunnel uses its own unique pre-shared key, a wrong key on Tunnel2 would fail only that tunnel, but the more precise cause given the output is an algorithm mismatch, as AWS generates unique keys per tunnel and a key mismatch would be equally likely to affect either tunnel.

117
Multi-Selecthard

A company has a Direct Connect connection with a private VIF to a VPC. They want to add redundant connectivity using a second Direct Connect connection from a different provider. They need to ensure that if the primary connection fails, traffic automatically fails over to the secondary. Which THREE components are required?

Select 3 answers
A.An AWS Site-to-Site VPN as a backup
B.A second private VIF on the same Direct Connect connection
C.A second Direct Connect connection from a different provider
D.A Direct Connect Gateway
E.BGP sessions on both connections advertising the same prefixes
AnswersC, D, E

Diverse provider ensures no single point of failure.

Why this answer

To achieve automatic failover, BGP is required to advertise the same prefixes over both connections. A Direct Connect Gateway aggregates the VIFs and propagates routes to the VPC. A Transit Gateway can be used to manage multiple VIFs, but is not strictly required if using Direct Connect Gateway.

VPN is not involved. A second VIF on the same connection does not provide provider diversity.

118
MCQeasy

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to add IPv6 connectivity to the VPC and allow resources in a private subnet to access the internet via IPv6. Which design should be used?

A.Allocate an IPv6 CIDR block and add a route to an Internet Gateway from the private subnet.
B.Use a NAT instance with IPv6 support in a public subnet.
C.Allocate an IPv6 CIDR block and use a NAT Gateway for IPv6 traffic.
D.Allocate an IPv6 CIDR block, create an egress-only Internet Gateway, and add a route to it from the private subnet.
AnswerD

Egress-only IGW allows outbound IPv6 traffic but blocks inbound.

Why this answer

An egress-only Internet Gateway (EIGW) is the correct AWS-managed service for enabling outbound-only IPv6 traffic from a VPC's private subnet to the internet, while preventing any unsolicited inbound connections. Unlike an Internet Gateway (IGW), which allows bidirectional traffic, an EIGW is specifically designed for IPv6 and ensures that resources in private subnets can initiate outbound connections without being directly reachable from the internet.

Exam trap

The trap here is that candidates confuse the egress-only Internet Gateway with a NAT Gateway or assume that a standard Internet Gateway can be used for private subnets, not realizing that IPv6 requires a different outbound-only mechanism to maintain subnet privacy.

How to eliminate wrong answers

Option A is wrong because adding a route to an Internet Gateway from a private subnet would make the subnet effectively public, allowing inbound IPv6 traffic and violating the requirement for a private subnet. Option B is wrong because NAT instances do not support IPv6; NAT is an IPv4-only function, and AWS NAT Gateways/instances cannot translate IPv6 traffic. Option C is wrong because a NAT Gateway is designed for IPv4 traffic only and does not support IPv6; using it for IPv6 would fail to provide connectivity.

119
MCQhard

A company has a VPC with public and private subnets. They want to provide outbound internet access to instances in private subnets while preventing inbound internet traffic. The solution must be highly available and scale automatically. Which combination of services should be used?

A.NAT instances in each Availability Zone
B.VPC endpoint for S3 and DynamoDB
C.Internet Gateway attached to the VPC with route tables pointing to the Internet Gateway
D.NAT Gateway in each Availability Zone with route tables pointing to the NAT Gateway
AnswerD

NAT Gateways are managed, highly available within an AZ, and scale automatically. Using one per AZ provides AZ-level redundancy.

Why this answer

A NAT Gateway in each AZ provides high availability and scales automatically. Route tables direct private subnet traffic to the NAT Gateway. An Internet Gateway is needed for the NAT Gateway to reach the internet.

A NAT instance is a single point of failure and requires manual scaling. A VPC endpoint is for accessing AWS services privately, not for general internet access. An egress-only Internet Gateway is for IPv6 only.

120
MCQeasy

A network engineer runs the AWS CLI command shown in the exhibit. The VPC has an Amazon Route 53 private hosted zone associated. What is the impact of this setting?

A.No instances in the VPC can resolve DNS records from the private hosted zone.
B.Only instances in public subnets can resolve private hosted zone records.
C.The DHCP option set must be updated to provide DNS resolution.
D.The private hosted zone is automatically deleted.
AnswerA

DNS support disabled means no DNS resolution via VPC.

Why this answer

Option A is correct because when DNS support is disabled, instances in the VPC cannot use the DNS resolution provided by the VPC's Route 53 Resolver, including private hosted zones. Option B is incorrect because the VPC's DNS resolution setting affects all resources, not only those in public subnets. Option D is incorrect because the private hosted zone is still associated but not resolvable.

Option C is incorrect because the DHCP option set is a separate setting.

121
MCQmedium

A company has an AWS Site-to-Site VPN connection between its on-premises network and a VPC. The tunnel status is up, but traffic from on-premises cannot reach an EC2 instance in the VPC. The instance's security group allows inbound traffic from the on-premises CIDR. Which configuration should be checked first?

A.Ensure the VPN connection is attached to a transit gateway instead of a virtual private gateway.
B.Check the network ACL associated with the EC2 instance's subnet to ensure it allows inbound traffic from on-premises.
C.Verify that the VPC route table includes a route to the on-premises CIDR with the VPN gateway as target.
D.Confirm that BGP session is established and exchanging routes.
AnswerC

Traffic from on-premises enters the VPC via VPN, but the return traffic needs a route back to the VPN gateway.

Why this answer

Option C is correct. The VPC's route table must have a route pointing to the VPN gateway for the on-premises CIDR. If it is missing, traffic will not be forwarded to the VPN tunnel.

Option B is wrong because network ACLs are stateless and need both inbound and outbound rules, but routing should be checked first. Option A is wrong because the VPN connection uses a virtual private gateway, not a transit gateway, unless specifically designed that way. Option D is wrong because the VPN tunnel being up indicates BGP is working; the issue is likely routing.

122
MCQmedium

A company has a VPC with multiple subnets. They want to monitor all network traffic to and from an EC2 instance for troubleshooting. Which AWS service should they use?

A.Amazon Inspector
B.AWS Config
C.VPC Flow Logs
D.AWS CloudTrail
AnswerC

VPC Flow Logs capture information about IP traffic going to and from network interfaces in a VPC.

Why this answer

VPC Flow Logs capture IP traffic information and can be used to monitor network traffic. AWS CloudTrail records API calls, not network traffic. Amazon Inspector is for security assessments.

AWS Config tracks resource configuration. Amazon GuardDuty is for threat detection.

123
MCQeasy

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team notices that traffic between two VPCs is taking a suboptimal path through the on-premises network instead of staying within AWS. What is the MOST likely cause?

A.The Transit Gateway route tables do not have a route for the destination VPC CIDR, so traffic is sent to the on-premises network via a default route.
B.The subnet route tables in each VPC have a route pointing to the other VPC's CIDR via the Internet Gateway.
C.The VPCs are peered directly, bypassing the Transit Gateway.
D.Security groups are blocking traffic between the VPCs.
AnswerA

Correct: Missing route causes blackhole or fallback to default route.

Why this answer

When a Transit Gateway route table lacks a specific route for the destination VPC CIDR, traffic destined for that VPC is evaluated against the remaining routes. If a default route (0.0.0.0/0) exists pointing to an on-premises network attachment (e.g., a VPN or Direct Connect), the traffic will be forwarded over that path, resulting in a suboptimal route that leaves AWS and re-enters through the on-premises network. This is the most likely cause because the Transit Gateway performs destination-based routing, and missing a specific VPC route forces fallback to the default route.

Exam trap

The trap here is that candidates often assume suboptimal routing is caused by asymmetric routing or security group misconfigurations, but the real issue is a missing specific route in the Transit Gateway route table, causing fallback to a default route that sends traffic on-premises.

How to eliminate wrong answers

Option B is wrong because a subnet route table pointing to an Internet Gateway for another VPC's CIDR would send traffic to the internet, not to the other VPC, and would not cause suboptimal routing through on-premises; it would simply break connectivity. Option C is wrong because if the VPCs were peered directly, traffic would stay within AWS and not traverse the on-premises network, contradicting the observed suboptimal path. Option D is wrong because security groups operate at the instance level (stateful packet filtering) and do not influence routing decisions; they can block traffic but cannot cause traffic to take a different network path.

124
Multi-Selecthard

Which THREE are benefits of using AWS Transit Gateway over VPC peering in a multi-VPC environment? (Select THREE.)

Select 3 answers
A.Centralized management of network policies
B.Higher bandwidth per connection
C.Simpler configuration for a few VPCs
D.Lower cost compared to VPC peering
E.Transitive routing between all attached VPCs
F.Ability to attach VPN and Direct Connect connections
AnswersA, E

Single point of control.

Why this answer

AWS Transit Gateway provides a centralized hub for managing network policies across multiple VPCs, allowing you to apply consistent routing, security, and access controls from a single point. This eliminates the need to manage individual VPC peering connections and their route tables, reducing operational overhead and the risk of misconfiguration.

Exam trap

AWS often tests the misconception that Transit Gateway always reduces cost or complexity compared to VPC peering, but the trap here is that for small numbers of VPCs (e.g., 2-3), VPC peering is simpler and cheaper, while Transit Gateway's benefits (centralized management, transitive routing, hybrid connectivity) only become advantageous at scale.

125
MCQeasy

A company is designing a network for a three-tier web application in a single VPC. The web tier must be accessible from the internet, but the application and database tiers must not have direct internet access. The application servers need to make outbound calls to a third-party API. Which architecture meets these requirements?

A.Web servers in public subnets, application and database servers in private subnets with an internet gateway for outbound traffic.
B.All servers in public subnets with security groups restricting access.
C.Web servers in public subnets with an Application Load Balancer, application servers in private subnets with a NAT gateway, and database servers in private subnets.
D.All servers in private subnets and a VPN connection to the internet.
AnswerC

This follows best practices for a three-tier architecture.

Why this answer

Option C is correct because it places web servers in public subnets with an Application Load Balancer for inbound internet traffic, while application and database servers reside in private subnets without direct internet access. A NAT gateway in a public subnet enables the application servers to initiate outbound connections to a third-party API, with return traffic automatically routed back, meeting the requirement for outbound-only internet access.

Exam trap

The trap here is that candidates often confuse an internet gateway with a NAT gateway, assuming an internet gateway can provide outbound-only access from private subnets, but an internet gateway requires public IPs and allows bidirectional traffic, while a NAT gateway specifically enables outbound-only traffic from private subnets.

How to eliminate wrong answers

Option A is wrong because an internet gateway in a private subnet does not provide outbound-only access; internet gateways require a public IP and route table entry for bidirectional traffic, which would expose private instances to inbound internet traffic, violating the no-direct-internet-access requirement. Option B is wrong because placing all servers in public subnets, even with security groups, still assigns public IPs and allows potential inbound internet access to application and database servers, failing the requirement to restrict their internet access. Option D is wrong because a VPN connection to the internet would route all traffic through a VPN, but private subnets without a NAT gateway or internet gateway cannot initiate outbound connections to the internet; the VPN alone does not provide outbound internet access for private instances.

126
MCQhard

A company is designing a hybrid network with a Direct Connect connection. The VPC has multiple subnets that need to communicate with on-premises. The company wants to use a single VIF for both private and public traffic. Which type of VIF should be used?

A.Public VIF
B.Hosted VIF
C.A single VIF cannot carry both private and public traffic
D.Private VIF
AnswerC

Private and public VIFs are separate; you need two VIFs.

Why this answer

Option C is correct because private and public VIFs are separate: a private VIF allows access to VPCs via private IP addresses, while a public VIF is for accessing public AWS services. Option D is wrong because a private VIF is for VPC access only, but the question asks for both private and public traffic.

Option A is wrong because a public VIF only provides access to public AWS services, not VPCs. Option B is wrong because a hosted VIF is a type of private VIF but still only private.

127
MCQeasy

A company is using AWS Transit Gateway to connect multiple VPCs and an on-premises network via AWS Direct Connect. They need to ensure that traffic between VPCs is inspected by a centralized security appliance. How should they design the routing?

A.Use Network ACLs on the subnets to restrict traffic and allow inspection.
B.Create VPC peering connections between all VPCs and route traffic through a security appliance in a central VPC.
C.Use security groups on the security appliance to inspect traffic.
D.Create a Transit Gateway with separate route tables. Attach each VPC and the Direct Connect virtual interface to the Transit Gateway. In the route tables, propagate routes and add static routes to send inter-VPC traffic to the security appliance VPC.
AnswerD

Transit Gateway route tables allow you to centralize routing through an inspection VPC.

Why this answer

Option D is correct because AWS Transit Gateway supports separate route tables, allowing you to isolate traffic domains. By attaching each VPC and the Direct Connect virtual interface to the Transit Gateway, you can create a centralized inspection VPC. Static routes in the Transit Gateway route tables direct inter-VPC traffic to the security appliance VPC, ensuring all traffic between VPCs is inspected before reaching its destination.

Exam trap

The trap here is that candidates often confuse the transitive routing capability of Transit Gateway with VPC peering, assuming VPC peering can route through a central VPC, but VPC peering does not support transitive routing, making Option B invalid.

How to eliminate wrong answers

Option A is wrong because Network ACLs are stateless and operate at the subnet level, not at the routing level; they cannot redirect traffic to a centralized security appliance for inspection. Option B is wrong because VPC peering connections do not support transitive routing, meaning traffic between VPCs cannot be routed through a central VPC without complex and non-scalable configurations. Option C is wrong because security groups are stateful and apply to individual ENIs, not to routing; they can filter traffic but cannot force traffic to traverse a security appliance for inspection.

128
MCQhard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to communicate with an on-premises server using an IPsec VPN. The company has set up a Virtual Private Gateway (VGW) and a Customer Gateway (CGW) with a Site-to-Site VPN connection. The VPN tunnel is established. However, the EC2 instance cannot ping the on-premises server. The security groups and network ACLs allow all traffic. What is the most likely cause?

A.The VGW is not configured with the correct BGP ASN
B.The VGW is not attached to the VPC
C.The VPN tunnel is not in the UP state
D.The private subnet route table does not have a route for the on-premises CIDR pointing to the VGW
AnswerD

Without this route, traffic from the instance to on-premises is dropped.

Why this answer

Option D is correct because the private subnet route table must include a route for the on-premises CIDR pointing to the VGW. Option B is wrong because the VGW is attached and the VPN is established. Option C is wrong because the VPN tunnel is up.

Option A is wrong because the VPN is established.

129
MCQhard

A company has a VPC with multiple subnets across two AZs. The VPC is connected to an on-premises data center via AWS Direct Connect. The company wants to ensure that traffic between the VPC and on-premises is load-balanced across two Direct Connect virtual interfaces (VIFs) for high availability. Which configuration should be used?

A.Configure two VIFs and use BGP to advertise the same prefixes with equal metrics to enable ECMP.
B.Configure a VPN connection over each VIF and use equal-cost routes between the VPN tunnels.
C.Configure a single Direct Connect VIF with a 10 Gbps connection and a single BGP session.
D.Configure two VIFs with static routes pointing to different on-premises IPs.
AnswerA

BGP ECMP allows load balancing across multiple VIFs.

Why this answer

Option A is correct because using BGP routing with equal-cost multipath (ECMP) across two VIFs allows traffic to be load-balanced. Option C is wrong because a single VIF is a single point of failure. Option D is wrong because static routes do not provide load balancing; one route is typically preferred.

Option B is wrong because a VPN over the VIFs adds overhead and does not provide native load balancing.

130
MCQmedium

A company is designing a multi-account architecture using AWS Transit Gateway. They need to isolate development and production environments but allow shared services account access to both. What is the most scalable and secure design?

A.Use a single Transit Gateway and configure separate route tables for each environment, attaching VPCs from each account.
B.Use a single Transit Gateway with one route table for all environments and implement security groups to isolate traffic.
C.Create two Transit Gateways: one for development and one for production. Share the Transit Gateways with the shared services account via AWS Resource Access Manager.
D.Use VPC Peering between each VPC and the shared services VPC, and set up Internet Gateway for each environment.
AnswerC

Correct: Separate Transit Gateways provide full isolation, and RAM enables shared services.

Why this answer

Option C is correct because separate Transit Gateways with resource sharing provide complete isolation. Option A is wrong because a single Transit Gateway with separate route tables still has a shared control plane. Option D is wrong because VPC Peering does not scale.

Option B is wrong because a single Transit Gateway with a single shared route table does not isolate traffic.

131
MCQeasy

A company is designing a VPC for a three-tier application (web, application, database). The database tier should not be accessible from the internet, but the web tier must be accessible. Which subnet design should the network engineer use?

A.Place web and app servers in public subnets, and database servers in private subnets.
B.Place all servers in private subnets and use a NAT Gateway for internet access.
C.Place web servers in public subnets with an internet gateway, and app and database servers in private subnets.
D.Place all servers in public subnets and rely on security group rules to restrict access.
AnswerC

This follows the traditional security model of isolation for backend tiers.

Why this answer

Option C is correct because it places the web servers in a public subnet with an Internet Gateway (IGW) to allow inbound HTTP/HTTPS traffic from the internet, while the application and database servers are placed in private subnets with no direct internet path. This design ensures the database tier is isolated from the internet, meeting the security requirement, while the web tier remains accessible. The application servers can communicate with the database via private IP addresses within the VPC, and outbound internet access for the private subnets (if needed) can be provided through a NAT Gateway in a public subnet.

Exam trap

The trap here is that candidates often assume placing all servers in private subnets with a NAT Gateway provides inbound internet access, confusing outbound-only NAT with the inbound access required for the web tier, or they mistakenly think security groups alone can fully replace subnet-level isolation in a public subnet.

How to eliminate wrong answers

Option A is wrong because placing both web and app servers in public subnets exposes the application tier to the internet unnecessarily, increasing the attack surface and violating the principle of least privilege; the app tier should remain private to mediate traffic between web and database tiers. Option B is wrong because placing all servers in private subnets with a NAT Gateway only provides outbound internet access, not inbound access from the internet; the web tier would not be accessible to external users without an Internet Gateway and a public subnet. Option D is wrong because placing all servers in public subnets and relying solely on security group rules does not prevent direct internet access to the application and database tiers; security groups are stateful firewalls but do not replace the network-level isolation provided by private subnets, and a misconfiguration could expose sensitive tiers.

132
MCQhard

A Network Engineer is troubleshooting a cross-account VPC endpoint connection. The service provider account (123456789012) has the above IAM policy attached to the endpoint service. The consumer account (111111111111) has created a VPC endpoint (vpce-abc123) and is trying to accept the connection. The consumer receives an 'AccessDenied' error when calling ec2:AcceptVpcEndpointConnections. What is the MOST likely cause?

A.The policy action should be 'ec2:CreateVpcEndpoint' instead.
B.The policy condition 'aws:SourceArn' does not match the consumer's endpoint ARN.
C.The policy resource ARN is incorrect; it should be the endpoint service ARN.
D.The consumer account does not have permission to accept the connection; only the service provider can accept.
AnswerD

The AcceptVpcEndpointConnections API is called by the service provider, not the consumer. The consumer must wait for the provider to accept.

Why this answer

Option D is correct. AcceptVpcEndpointConnections is an action on the endpoint service, so it is performed by the service provider (the account that owns the endpoint service, 123456789012), never by the consumer. The consumer's part ends with CreateVpcEndpoint, which leaves the connection in the pendingAcceptance state; a principal in the consumer account (111111111111) calling AcceptVpcEndpointConnections is acting on a resource it does not own, so the call is denied regardless of how the consumer's own IAM policies read.

The provider lists waiting requests with DescribeVpcEndpointConnections and accepts vpce-abc123 with AcceptVpcEndpointConnections, or sets acceptance-required to false on the endpoint service (ModifyVpcEndpointServiceConfiguration) so that future requests are accepted automatically. The consumer then sees the endpoint move from pendingAcceptance to available.

Options A, B and C each propose a change to the provider's policy, but no edit to that policy can grant the consumer an action that only the service owner performs, so the policy is not the cause.

133
MCQmedium

A company has a VPC with a CIDR of 10.0.0.0/16. It has two public subnets (10.0.1.0/24 and 10.0.2.0/24) and two private subnets (10.0.3.0/24 and 10.0.4.0/24). The company hosts a web application on EC2 instances in the private subnets behind an Application Load Balancer (ALB) in the public subnets. The ALB is internet-facing. The company wants to add a second ALB in the same VPC for a different application but using the same public subnets. The new ALB also needs to be internet-facing. However, when the company tries to create the new ALB, they receive an error: 'The subnet 'subnet-xxxxxxxx' does not have enough free IP addresses to satisfy the request.' The network engineer checks the subnets and finds that the public subnets have only 2 free IP addresses each. The private subnets have plenty of free IP addresses. The company wants to resolve this error without changing the architecture of the existing applications. What should the network engineer do?

A.Create new public subnets with larger CIDR blocks (e.g., /23) and associate them with the same route table.
B.Use the private subnets for the new ALB and add a NAT gateway for internet access.
C.Reduce the size of the existing public subnets by modifying their CIDR blocks.
D.Launch a NAT gateway in one public subnet to free up IP addresses.
AnswerA

New public subnets provide more IP addresses.

Why this answer

Option A is correct. The public subnets are out of addresses, and an ALB needs at least 8 free IP addresses in each subnet it is attached to (and a subnet of at least /27) so that it can place and scale its nodes. Creating new public subnets with larger CIDR blocks (e.g., /23) inside the VPC's 10.0.0.0/16 and associating them with the existing public route table (the one whose 0.0.0.0/0 route points to the internet gateway) gives the new ALB room without touching the existing subnets or applications.

Option B is incorrect because an internet-facing ALB must be placed in public subnets; a NAT gateway provides outbound access only and does not make a subnet reachable from the internet. Option C is incorrect because a subnet's CIDR block cannot be modified after creation, and shrinking it would in any case disrupt running resources. Option D is incorrect because a NAT gateway consumes an address in the subnet rather than freeing one.

134
Multi-Selectmedium

A company is deploying a web application across multiple Availability Zones in a single AWS Region. The application consists of an Application Load Balancer (ALB) in front of EC2 instances in an Auto Scaling group, and an Amazon RDS Multi-AZ database. The company needs to ensure that the application can survive the loss of an entire Availability Zone. Which THREE actions should they take? (Select THREE.)

Select 3 answers
A.Use larger EC2 instance types to handle the load
B.Configure the Auto Scaling group to launch instances in at least two Availability Zones
C.Configure the Application Load Balancer to be internet-facing and enable cross-zone load balancing
D.Enable Multi-AZ deployment for the RDS database
E.Deploy a single NAT Gateway in one AZ for outbound traffic
AnswersB, C, D

Ensures instances are spread across AZs.

Why this answer

Option B is correct because configuring the Auto Scaling group to launch instances in at least two Availability Zones ensures that if one AZ fails, the remaining AZ(s) still have healthy EC2 instances to serve traffic. This is a fundamental requirement for multi-AZ high availability, as the Auto Scaling group will automatically replace failed instances in the remaining AZs. Option C is correct because the ALB itself must be provisioned with subnets in each AZ the Auto Scaling group uses; cross-zone load balancing is enabled by default for ALBs, so the essential part is the multi-AZ subnet mapping, and internet-facing is simply the scheme this public application needs. Option D is correct because RDS Multi-AZ keeps a synchronously replicated standby in a second AZ and repoints the endpoint's DNS automatically if the primary's AZ is lost. Option A is wrong because a larger instance does nothing for an AZ outage, and Option E is wrong because a single NAT gateway in one AZ is itself a single point of failure for outbound traffic from the other AZ; deploy one per AZ.

Exam trap

AWS often tests the misconception that simply enabling cross-zone load balancing on the ALB (Option C) alone is sufficient for AZ resilience, but without the Auto Scaling group spanning multiple AZs (Option B), there would be no healthy targets in the surviving AZs to route traffic to.

135
Multi-Selecteasy

A company wants to enable communication between two VPCs (VPC A and VPC B) in the same AWS account and region. They want to use private IP addresses and avoid using the internet. Which THREE options can achieve this?

Select 3 answers
A.VPC peering connection
B.AWS Site-to-Site VPN connection between VPCs
C.Internet gateway attached to both VPCs
D.AWS Transit Gateway
E.NAT gateway in each VPC
AnswersA, B, D

Direct private connection between VPCs.

Why this answer

VPC peering connection (Option A) allows direct, private IP connectivity between two VPCs over the AWS network, with no internet gateway or VPN required. Traffic stays within AWS's internal infrastructure, meeting the requirement for private IP addresses and avoiding the internet. AWS Transit Gateway (Option D) attaches both VPCs to a regional hub and routes between them privately, and it scales past the point-to-point limits of peering as more VPCs are added. A Site-to-Site VPN between VPCs (Option B) requires a VPN appliance in one VPC terminating tunnels to the other VPC's virtual private gateway; the tunnels carry private addresses, but their endpoints are public IPs, so peering or Transit Gateway is the preferred design in practice.

Exam trap

The trap here is that candidates confuse a NAT gateway with a VPC-to-VPC connectivity solution, but NAT gateways only handle outbound internet traffic and cannot forward traffic between VPCs.

136
MCQhard

A company uses AWS Direct Connect with a private VIF to connect its data center to a VPC. The VPC has multiple subnets. The on-premises network team reports that they can ping the VPC's private IP addresses but cannot connect to an EC2 instance's port 443. The EC2 instance's security group allows HTTPS from the on-premises CIDR. What should the engineer check NEXT?

A.Check the security group's inbound rules for port 443.
B.Confirm that the Direct Connect virtual interface is in the 'up' state.
C.Check the EC2 instance's operating system firewall (e.g., iptables, Windows Firewall) to see if port 443 is blocked.
D.Verify that the route tables in the VPC have a route back to the on-premises CIDR.
AnswerC

OS firewall can block even if security group allows.

Why this answer

Option C is correct because the packet already reaches the instance (ping proves the virtual interface and both routing directions work) and the security group already admits HTTPS from the on-premises CIDR, so the next hop in the troubleshooting chain is the host itself: iptables/nftables or Windows Firewall, or simply nothing listening on port 443 (confirm with ss -ltn or netstat). The subnet's network ACL is also worth a look (ICMP allowed but TCP 443 not), but it is not among the options. Option A is wrong because the question states the security group already allows port 443 from the on-premises CIDR. Option B is wrong because ICMP replies arrive, so the VIF is up and BGP is exchanging routes.

Option D is wrong for the same reason: a ping reply can only come back if the VPC already has a return route to the on-premises CIDR.

137
MCQmedium

A company has a web application behind an Application Load Balancer (ALB) in a VPC. The ALB is internet-facing and has a security group that allows inbound HTTP/HTTPS from 0.0.0.0/0. The EC2 instances are in a private subnet with a security group that allows inbound traffic only from the ALB's security group. The application works correctly. However, the security team wants to add an additional layer of protection by using AWS WAF. What is the best way to integrate AWS WAF with the ALB to filter malicious requests?

A.Create a web ACL in AWS WAF and associate it with the ALB.
B.Replace the ALB with a Network Load Balancer and use AWS WAF with it.
C.Configure the security group of the ALB to only allow traffic that passes AWS WAF inspection.
D.Use AWS WAF in front of Amazon CloudFront and then forward requests to the ALB.
AnswerA

WAF can be associated with ALB to filter HTTP/HTTPS requests.

Why this answer

Option A is correct. An AWS WAF web ACL is associated directly with the ALB; the ALB evaluates every HTTP/HTTPS request against the web ACL's rules and blocks, counts or allows it before the request is forwarded to a target. Option B is wrong because WAF cannot be associated with a Network Load Balancer: an NLB operates at layer 4 and never sees HTTP.

Option C is wrong because security groups filter on IP address, protocol and port only and have no notion of WAF inspection results. Option D is wrong as an answer to this question: WAF on CloudFront is a valid architecture, but it adds a CDN the company did not ask for, and unless the ALB is also restricted to CloudFront (for example with a secret header checked by WAF on the ALB), the ALB stays reachable directly and the edge WAF can be bypassed.

138
MCQeasy

A company is deploying an application that must use IPv6 for internet-facing traffic. The VPC is currently using IPv4 only. What is the simplest way to enable IPv6?

A.Use an egress-only internet gateway for IPv6 traffic.
B.Associate an IPv6 CIDR block with the VPC and subnets, and update route tables to route IPv6 traffic to an internet gateway.
C.Deploy a NAT64 device to translate IPv6 to IPv4.
D.Set up a VPN connection to an ISP that provides IPv6.
AnswerB

Simplest way to enable IPv6.

Why this answer

Option B is correct: associate an Amazon-provided (or BYOIP) IPv6 CIDR block with the VPC, allocate a /64 from it to each subnet, add a ::/0 route to the existing internet gateway (which is dual-stack), assign IPv6 addresses to the instances, and open the security groups and network ACLs for ::/0 on the required ports. Option A is wrong because an egress-only internet gateway is for outbound-only IPv6 and blocks inbound connections, the opposite of internet-facing. Option C is wrong because NAT64/DNS64 lets IPv6-only subnets reach IPv4 destinations; it does not give the application an IPv6 internet presence.

Option D is wrong because a VPN does not provide IPv6 internet access.

139
MCQmedium

A company is designing a multi-VPC architecture with VPC peering. They need to ensure that traffic between VPCs in different AWS Regions is encrypted. Which solution should they use?

A.Direct Connect gateway with VIFs
B.Transit Gateway VPN attachments
C.VPC peering with VPN encryption
D.Transit Gateway inter-Region peering
AnswerD

Transit Gateway inter-Region peering encrypts traffic automatically.

Why this answer

Transit Gateway inter-Region peering is the correct solution because traffic between peered Transit Gateways is encrypted automatically by AWS and stays on the AWS global network. It supports transitive routing through the Transit Gateway route tables and does not require additional VPN tunnels or third-party appliances, making it the most efficient and scalable option for multi-Region, multi-VPC connectivity.

Exam trap

AWS often tests whether candidates reach for VPN attachments or VPN appliances to encrypt inter-Region traffic, when Transit Gateway inter-Region peering encrypts it natively. Be aware that inter-Region VPC peering traffic is also encrypted by AWS; what peering lacks is transitive routing and a central route table, which is why the Transit Gateway design is the exam's preferred answer for a multi-VPC architecture.

How to eliminate wrong answers

Option A is wrong because a Direct Connect gateway with VIFs provides private connectivity from on-premises to AWS but does not inherently encrypt traffic between VPCs in different Regions; encryption on Direct Connect requires MACsec on a supported dedicated connection or a VPN over the connection. Option B is wrong because Transit Gateway VPN attachments are designed for Site-to-Site VPN connections between on-premises networks and AWS, not for connecting VPCs across Regions, and they would introduce unnecessary complexity and latency. Option C is wrong because "VPC peering with VPN encryption" is not a native AWS feature. Inter-Region VPC peering is itself encrypted by AWS, but it is a point-to-point, non-transitive link that must be created for every VPC pair, so it does not scale to a multi-VPC design the way a Transit Gateway hub does; bolting a VPN overlay onto it would mean self-managed appliances and a second encryption layer for no benefit.

140
MCQmedium

A company is designing a hybrid network with an AWS Direct Connect connection. They have two virtual interfaces (VIFs): a private VIF to a VPC and a public VIF to access AWS public services. They want to ensure that traffic to Amazon S3 in the same region uses the Direct Connect connection and not the internet. Which configuration should be applied?

A.Advertise the S3 prefix via BGP on the public VIF and ensure the VPC route table has a more specific route for S3 pointing to the virtual private gateway.
B.Add a route in the VPC route table for S3 prefix with target as the internet gateway.
C.Create a VPC endpoint for S3 and attach it to the VPC route table.
D.Create a VPN connection to the VPC and route S3 traffic through the VPN.
AnswerA

This directs S3 traffic over Direct Connect.

Why this answer

The public VIF is the path. Over its BGP session AWS advertises the Region's public IP prefixes, which include the S3 prefixes published in ip-ranges.json, to the on-premises router. Once those prefixes are in the router's table they are more specific than the ISP default route, so longest-prefix match sends S3 traffic over Direct Connect while everything else still uses the internet. The VPC route table is not in this path: on-premises traffic to S3 never enters the VPC, and EC2-originated S3 traffic never crosses Direct Connect at all, so the "more specific route pointing to the virtual private gateway" in Option A adds nothing; what makes A the best of the four answers is the public VIF advertisement.

Exam trap

AWS often tests the misconception that a VPC endpoint for S3 is the way to route S3 traffic over Direct Connect. A gateway endpoint for S3 only applies to traffic that originates inside the VPC and is not reachable from on-premises over Direct Connect or a VPN; it answers "EC2 instances should reach S3 privately", not "on-premises should reach S3 over Direct Connect". (An S3 interface endpoint reached over the private VIF is a separate design, and it is not what Option C describes.)

How to eliminate wrong answers

Option B is wrong because a VPC route table only affects traffic from instances inside the VPC; pointing an S3 prefix at the internet gateway would send their traffic to the public S3 endpoint over the internet path and would have no effect on on-premises traffic. Option C is wrong because a gateway endpoint for S3 only serves traffic that originates in the VPC and cannot be used from on-premises over Direct Connect. Option D is wrong because a VPN to the VPC terminates at the virtual private gateway and carries VPC-bound traffic; S3 is not inside the VPC, so the on-premises router would still need routes for the S3 prefixes, and the VPN adds overhead and latency without using the public VIF advertisement that is already in place.
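The routing decision described above happens on the on-premises edge router, not in AWS. The following is an added example (not part of the original question bank) that shows the mechanism with a longest-prefix-match lookup: a constructed excerpt in the shape of ip-ranges.json (the prefixes are RFC 5737 documentation ranges, not real S3 ranges), a RIB with an ISP default route, the VPC CIDR learned over the private VIF, and the S3 prefixes learned over the public VIF. The next-hop names are assumed labels.

```python
import ipaddress
import json

# Constructed excerpt in the shape of ip-ranges.json (https://ip-ranges.amazonaws.com/ip-ranges.json).
# The prefixes are RFC 5737 documentation ranges standing in for real S3 prefixes.
SAMPLE_IP_RANGES = json.dumps({
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "192.0.2.0/24",    "region": "us-east-1", "service": "EC2"},
    ]
})


def s3_prefixes(ip_ranges_json, region):
    """The S3 prefixes a customer expects AWS to advertise over the public VIF for one region."""
    data = json.loads(ip_ranges_json)
    return sorted(p["ip_prefix"] for p in data["prefixes"]
                  if p["service"] == "S3" and p["region"] == region)


def build_rib(ip_ranges_json, region, vpc_cidr, public_vif_up=True):
    """On-premises edge router RIB as (prefix, next_hop) pairs. Next-hop names are assumed."""
    rib = [
        ("0.0.0.0/0", "isp-default"),      # internet default route from the ISP
        (vpc_cidr, "dx-private-vif"),      # VPC CIDR learned by BGP over the private VIF
    ]
    if public_vif_up:                      # AWS public prefixes learned by BGP over the public VIF
        rib += [(prefix, "dx-public-vif") for prefix in s3_prefixes(ip_ranges_json, region)]
    return rib


def lookup(rib, dst_ip):
    """Longest-prefix match: the most specific route wins, whichever session it was learned from."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def next_hop_for_s3(public_vif_up):
    """Where an on-premises host's S3 traffic goes, with and without the public VIF BGP session."""
    rib = build_rib(SAMPLE_IP_RANGES, "us-east-1", "10.0.0.0/16", public_vif_up)
    return lookup(rib, "203.0.113.40")   # an address inside the sample S3 prefix


if __name__ == "__main__":
    print("public VIF up:  ", next_hop_for_s3(True))    # dx-public-vif
    print("public VIF down:", next_hop_for_s3(False))   # isp-default
```

The second case is the operational point: if the public VIF's BGP session drops, the S3 prefixes are withdrawn and the router silently falls back to the internet default route, so alert on the session state if "never over the internet" is a compliance requirement.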

141
MCQhard

A company runs a multi-tier web application in a VPC with public and private subnets across two Availability Zones. The web tier uses an Application Load Balancer (ALB) in the public subnets, and the application tier uses EC2 instances in private subnets. The database tier uses an RDS MySQL Multi-AZ instance in private subnets. The company has implemented a network ACL (NACL) on the private subnets to allow only traffic from the ALB security group. Recently, the application tier instances are unable to connect to the RDS database. The security group for RDS allows inbound traffic on port 3306 from the application tier security group. The network team has verified that the application tier instances can reach the internet through a NAT Gateway. What is the MOST likely cause of the connectivity issue?

A.The NACL on the private subnets is blocking outbound traffic from the application tier to the RDS database.
B.The application tier instances are in a different Availability Zone than the RDS primary instance.
C.The NAT Gateway is blocking traffic to the RDS endpoint.
D.The RDS security group is not allowing inbound traffic from the application tier security group.
AnswerA

Correct: NACL's stateless nature requires explicit outbound rules for ephemeral ports.

Why this answer

Network ACLs are stateless in both directions: every packet is matched against the inbound rules when it enters a subnet and against the outbound rules when it leaves, with no memory of the connection. NACL rules also match on CIDR blocks, not security groups, so "allow only traffic from the ALB security group" in practice means inbound allow rules for the ALB subnets' CIDRs on the web ports. Nothing in that rule set permits the application tier's outbound SYN to port 3306 in the database subnet, nor the database's SYN-ACK back to the application instance's ephemeral port, so the TCP handshake never completes even though both security groups allow it.

Exam trap

The trap here is that candidates assume NACLs are stateful like security groups, leading them to overlook the need for explicit outbound rules for traffic initiated from within the subnet.

How to eliminate wrong answers

Option B is wrong because RDS Multi-AZ automatically handles failover across Availability Zones, and the application tier instances can connect to the RDS endpoint regardless of which AZ the primary instance is in; the issue is not AZ-specific. Option C is wrong because the NAT Gateway is used for outbound internet traffic, not for traffic within the VPC to RDS (which uses private IPs); the NAT Gateway is not in the path between the application tier and RDS. Option D is wrong because the question explicitly states that the RDS security group allows inbound traffic on port 3306 from the application tier security group, so this is not the cause.
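To make the stateless behaviour concrete, here is an added example (not from the original question bank) that traces the application tier's MySQL handshake through a NACL attached to both private subnets. The rule sets are constructed for the question's scenario (app tier in 10.0.3.0/24, RDS in 10.0.4.0/24, ALB subnets 10.0.1.0/24 and 10.0.2.0/24); the "broken" set is a plausible reading of "allow only traffic from the ALB", and the "fixed" set adds the two outbound rules the handshake needs.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated lowest number first; the first match wins
    action: str      # "allow" or "deny"
    cidr: str        # source CIDR for an inbound rule, destination CIDR for an outbound rule
    port_from: int   # destination port range (TCP)
    port_to: int


def evaluate(rules, peer_ip, dst_port):
    """Apply one NACL direction to one packet. No match hits the implicit deny-all ('*') rule."""
    addr = ipaddress.ip_address(peer_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if addr in ipaddress.ip_network(r.cidr) and r.port_from <= dst_port <= r.port_to:
            return r.action == "allow"
    return False


def tcp_handshake(nacl_in, nacl_out, client_ip, client_port, server_ip, server_port):
    """Trace a SYN and its SYN-ACK through a stateless NACL attached to both subnets.

    All four checks must pass. The NACL keeps no connection state, so the SYN-ACK is
    matched on its own: destination CIDR/port leaving the server subnet, then source
    CIDR and ephemeral destination port entering the client subnet.
    """
    return {
        "syn_leaves_app_subnet":    evaluate(nacl_out, server_ip, server_port),
        "syn_enters_db_subnet":     evaluate(nacl_in,  client_ip, server_port),
        "synack_leaves_db_subnet":  evaluate(nacl_out, client_ip, client_port),
        "synack_enters_app_subnet": evaluate(nacl_in,  server_ip, client_port),
    }


# Constructed rule sets. NACLs match on CIDRs, so "traffic from the ALB security group"
# becomes the ALB subnets' CIDRs here.
BROKEN_IN = [
    Rule(100, "allow", "10.0.1.0/24", 80, 80),       # ALB subnet, AZ a
    Rule(110, "allow", "10.0.2.0/24", 80, 80),       # ALB subnet, AZ b
    Rule(120, "allow", "0.0.0.0/0", 1024, 65535),    # replies to NAT-gateway egress (patches)
]
BROKEN_OUT = [
    Rule(100, "allow", "0.0.0.0/0", 443, 443),       # patch downloads through the NAT gateway
    Rule(110, "allow", "10.0.1.0/24", 1024, 65535),  # HTTP replies back to the ALB
    Rule(120, "allow", "10.0.2.0/24", 1024, 65535),
]
# The fix: the app tier's SYN to 3306 and the database's SYN-ACK to an ephemeral port
# both LEAVE a subnet, so both need outbound allow rules.
FIXED_IN = list(BROKEN_IN)
FIXED_OUT = BROKEN_OUT + [
    Rule(130, "allow", "10.0.4.0/24", 3306, 3306),   # app -> MySQL
    Rule(140, "allow", "10.0.3.0/24", 1024, 65535),  # MySQL -> app (return traffic)
]

APP_IP, DB_IP = "10.0.3.10", "10.0.4.20"


def broken_result():
    return tcp_handshake(BROKEN_IN, BROKEN_OUT, APP_IP, 49152, DB_IP, 3306)


def fixed_result():
    return tcp_handshake(FIXED_IN, FIXED_OUT, APP_IP, 49152, DB_IP, 3306)


if __name__ == "__main__":
    for label, result in (("broken", broken_result()), ("fixed", fixed_result())):
        verdict = "connects" if all(result.values()) else "DROPPED"
        print(f"{label}: {verdict} {result}")
```

Note that the inbound checks pass even in the broken set: the wide 1024-65535 return-traffic rule needed for NAT egress also admits a SYN to 3306 from anywhere in the VPC. That is the usual coarseness of NACLs, and the reason the per-instance control belongs in the RDS security group.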

142
MCQeasy

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. They need to ensure that traffic between VPCs is inspected by a network virtual appliance. Which architecture should they use?

A.Use a Network Load Balancer in each VPC to forward traffic to the appliance.
B.Attach the appliance directly to each VPC using VPC Peering.
C.Create an inspection VPC with the appliance. Configure Transit Gateway route tables to send inter-VPC traffic to the inspection VPC attachment.
D.Place the appliance in each VPC and configure VPC Peering.
AnswerC

This allows traffic to be routed through the appliance for inspection.

Why this answer

Option C is correct because it uses an inspection VPC as a central point for traffic inspection. By attaching the network virtual appliance to a dedicated inspection VPC and configuring Transit Gateway route tables to route inter-VPC traffic to that attachment, all traffic between VPCs is forced through the appliance for inspection. This leverages Transit Gateway's ability to route traffic between attachments based on route table entries, enabling centralized security enforcement without complex peering or per-VPC appliance deployments. In practice, also enable appliance mode on the inspection VPC attachment so that both directions of a flow are sent to the same Availability Zone; without it, asymmetric routing can send the return traffic past a stateful appliance that never saw the forward packets.

Exam trap

AWS often tests the misconception that you can simply attach a virtual appliance to a Transit Gateway and have it automatically inspect all traffic, but the trap here is that you must explicitly configure Transit Gateway route tables to route inter-VPC traffic to the inspection VPC attachment, otherwise traffic will flow directly between VPC attachments without inspection.

How to eliminate wrong answers

Option A is wrong because a Network Load Balancer (NLB) distributes traffic to targets but does not inherently inspect or route traffic between VPCs; it would require additional configuration and does not solve the need for centralized inspection across multiple VPCs. Option B is wrong because attaching the appliance directly to each VPC using VPC Peering creates a mesh of peering connections that is not scalable, does not centralize inspection, and violates the hub-and-spoke model that Transit Gateway is designed to provide. Option D is wrong because placing the appliance in each VPC and configuring VPC Peering leads to redundant appliances, increased management overhead, and does not leverage Transit Gateway's centralized routing capabilities, making it inefficient and costly.

143
MCQhard

A company is designing a network for a multi-account architecture using AWS Resource Access Manager (RAM) to share VPC subnets across accounts. They want to ensure that instances in shared subnets can communicate with instances in the owner's VPC using private IP addresses. What is required?

A.Establish a VPC peering connection between the owner and participant accounts.
B.Configure a VPC endpoint for Amazon EC2 to allow cross-account private communication.
C.No additional networking configuration is required; the shared subnet is part of the same VPC.
D.Create a transit gateway and attach both VPCs to it.
AnswerC

Shared subnets are within the same VPC, so routing is inherent.

Why this answer

When you share a subnet using AWS Resource Access Manager (RAM), the shared subnet is part of the owner's VPC. Instances launched into that shared subnet reside in the same VPC as the owner's instances, so they can communicate using private IP addresses by default, with no additional networking configuration required. This is because VPC subnets are a logical subdivision of the VPC's CIDR block, and all instances within the same VPC can route to each other via the VPC's internal router.

Exam trap

The trap here is that candidates mistakenly think cross-account subnet sharing requires additional connectivity like VPC peering or a transit gateway, when in fact the shared subnet is logically part of the same VPC, so no extra networking is needed for private IP communication.

How to eliminate wrong answers

Option A is wrong because VPC peering is used to connect two separate VPCs, but a shared subnet is part of the same VPC as the owner, so peering is unnecessary and would add complexity without benefit. Option B is wrong because a VPC endpoint for EC2 is an interface endpoint for the EC2 API (control plane, e.g., managing instances privately) and does not carry instance-to-instance data-plane traffic. Option D is wrong because a transit gateway is designed to interconnect multiple VPCs or on-premises networks, but since the shared subnet is already within the same VPC, there is no need for a transit gateway; it would introduce unnecessary cost and administrative overhead.

144
Multi-Selecthard

A company has a VPC with public and private subnets. The public subnet contains a NAT gateway and a bastion host. The private subnet contains application servers. The company wants to ensure that the application servers can download patches from the internet. Which TWO steps should be taken to allow this while maintaining security? (Choose two.)

Select 2 answers
A.Allow outbound HTTPS (port 443) traffic from the application servers in the security group
B.Modify the network ACL of the private subnet to allow all outbound traffic
C.Add a route in the public subnet route table that points 0.0.0.0/0 to the NAT gateway
D.Add a route in the private subnet route table that points 0.0.0.0/0 to the NAT gateway
E.Associate an Elastic IP address with the NAT gateway
AnswersA, D

Correct; security groups must allow outbound traffic.

Why this answer

Option A is correct because the application servers need to initiate outbound HTTPS connections (port 443) to download patches from the internet. By allowing outbound HTTPS traffic in the security group associated with the application servers, you permit the necessary traffic while maintaining stateful filtering and restricting other outbound traffic. This is a security best practice that follows the principle of least privilege. Option D is correct because the private subnet's route table must send 0.0.0.0/0 to the NAT gateway; without that route the instances have no path out at all. Option C is wrong because the NAT gateway's own subnet (the public subnet) needs a 0.0.0.0/0 route to the internet gateway, not to the NAT gateway. Option B is wrong because the default network ACL already allows all traffic, and a deliberately restricted NACL should be opened only for 443 outbound and the ephemeral return range inbound, not for everything. Option E is already satisfied: a public NAT gateway cannot be created without an Elastic IP.

Exam trap

AWS often tests the distinction between where routes are added (public vs. private subnet route tables) and the role of security groups versus network ACLs, leading candidates to incorrectly modify the public subnet's route table or use overly permissive network ACL rules.

145
MCQeasy

A company is using AWS Client VPN to allow remote employees to access resources in a VPC. The VPN is configured with a server certificate and mutual authentication. Some users report that they cannot connect to the VPN. What should the administrator check FIRST?

A.Check the security group associated with the VPN endpoint.
B.Verify that the server certificate is uploaded to AWS Certificate Manager (ACM).
C.Confirm that the VPN endpoint is associated with all subnets in the VPC.
D.Verify that each user has a valid client certificate installed on their device.
AnswerD

Correct: Mutual authentication requires client certificates.

Why this answer

The question states that mutual authentication is configured, which requires both a server certificate and a valid client certificate on each user's device. Since some users cannot connect while others presumably can, the most likely issue is that the affected users lack a valid client certificate. The administrator should first verify that each user has a valid client certificate installed, as this is a common point of failure in mutual TLS authentication. "Valid" here means issued by the CA whose certificate chain was uploaded to ACM as the endpoint's client certificate, not expired, and not listed in a client certificate revocation list imported into the Client VPN endpoint.

Exam trap

AWS often tests the distinction between server-side and client-side authentication requirements in mutual TLS; the trap here is that candidates assume the issue is with the server certificate or network configuration, overlooking that each user must have a valid client certificate for mutual authentication to succeed.

How to eliminate wrong answers

Option A is wrong because security groups are stateful and, by default, allow all outbound traffic; the VPN endpoint's security group controls inbound/outbound traffic but is not the first thing to check when users cannot connect, especially since the issue is likely client-side. Option B is wrong because the server certificate must be uploaded to ACM for the VPN endpoint to function, but if the VPN is already configured and working for some users, the server certificate is already in place; this would be a global issue, not a per-user issue. Option C is wrong because the VPN endpoint does not need to be associated with all subnets in the VPC; it only needs to be associated with at least one subnet to function, and associating it with all subnets is not required and would not cause per-user connectivity failures.

146
MCQhard

A financial services company must meet PCI DSS compliance requirements. They have a VPC with public and private subnets. The web servers in the public subnets must only accept traffic from the internet on ports 80 and 443. The application servers in the private subnets must only accept traffic from the web servers. Which network design ensures least-privilege access?

A.Use security groups on web servers allowing 0.0.0.0/0 on ports 80/443, and on app servers allowing the web servers' CIDR block
B.Use a Network ACL on the public subnet allowing inbound ports 80 and 443 from 0.0.0.0/0, and security groups on web and app servers with the app servers' security group referencing the web servers' security group
C.Use a single Network ACL for both public and private subnets with allow rules for ports 80 and 443
D.Use a single Network ACL on the private subnet allowing inbound ports 80 and 443 from the public subnet CIDR
AnswerB

This provides least-privilege with stateful security groups and stateless NACL.

Why this answer

Option B is correct because it uses security groups for stateful, least-privilege access control. The web servers' security group allows inbound ports 80 and 443 from 0.0.0.0/0, and the app servers' security group references the web servers' security group as the source, ensuring only traffic from the web servers is permitted. This design leverages security group chaining, which automatically handles return traffic and avoids the need for explicit CIDR management, aligning with PCI DSS least-privilege requirements.

Exam trap

The trap here is that candidates often default to using Network ACLs for subnet-level control, forgetting that security groups provide stateful, instance-level filtering with the ability to reference other security groups, which is more aligned with least-privilege and PCI DSS requirements.

How to eliminate wrong answers

Option A is wrong because a CIDR-based rule on the app servers' security group is still stateful but is static: it admits anything that lands in that address range, including a compromised non-web host, and needs manual updates when the web tier scales or its subnets change, whereas a security-group reference follows group membership automatically. Option C is wrong because using a single Network ACL for both subnets would apply the same rules to all subnets, violating least-privilege by allowing inbound traffic from the internet to the private subnet and not differentiating between web and app server traffic. Option D is wrong because a Network ACL on the private subnet allowing inbound ports 80 and 443 from the public subnet CIDR is stateless, requiring explicit outbound rules for return traffic, and does not provide the granularity of security group references; it also unnecessarily exposes the private subnet to the entire public subnet CIDR.

147
MCQhard

A company is designing a network for a real-time gaming application that requires low latency and high throughput between game servers in multiple regions. The application uses UDP traffic. Which AWS service should be used to route traffic between regions?

A.AWS Transit Gateway
B.AWS Global Accelerator
C.Amazon CloudFront
D.Amazon Route 53
AnswerB

Supports UDP and TCP, provides anycast IPs.

Why this answer

AWS Global Accelerator uses the Anycast IP address and the AWS global network to route UDP traffic from users to the optimal regional endpoint, minimizing latency and jitter. It is designed for real-time applications like gaming that require low-latency and high-throughput UDP traffic between regions, as it bypasses the public internet and leverages AWS's internal backbone.

Exam trap

The trap here is that candidates often confuse Amazon Route 53's latency-based routing with actual network path optimization, but Route 53 only controls DNS resolution and does not accelerate or route the UDP traffic itself after the initial connection.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway is a private routing hub for VPCs and on-premises networks (including across Regions via peering); it carries nothing from internet clients and does not optimize the client-to-endpoint path, so it is not a low-latency ingress for UDP game traffic. Option C is wrong because Amazon CloudFront is a content delivery network (CDN) for HTTP/HTTPS (and WebSocket) traffic and does not support UDP. Option D is wrong because Amazon Route 53 is a DNS service that resolves domain names to IP addresses and can steer clients with policies like latency-based routing, but it does not optimize the network path or provide any acceleration for UDP traffic; it only controls initial DNS resolution.

148
MCQhard

A company has a VPC with a public subnet and a private subnet. They have a NAT Gateway in the public subnet. Instances in the private subnet need to download patches from the internet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway. However, instances cannot reach the internet. What is a possible cause?

A.The route table for the NAT Gateway's subnet does not have a route to an Internet Gateway.
B.The NAT Gateway is in a private subnet.
C.The network ACL on the private subnet is blocking outbound traffic.
D.The NAT Gateway does not have a security group allowing outbound traffic.
AnswerA

NAT Gateway needs a route to IGW for internet access.

Why this answer

For a NAT Gateway to route traffic to the internet, its subnet must have a route to an Internet Gateway (IGW). The NAT Gateway resides in the public subnet, and the public subnet's route table must include a default route (0.0.0.0/0) pointing to the IGW. Without this route, the NAT Gateway cannot forward traffic from the private subnet to the internet, even though the private subnet's route table correctly points to the NAT Gateway.

Exam trap

AWS often tests the misconception that configuring the private subnet's route table to point to the NAT Gateway is sufficient, while ignoring that the NAT Gateway's own subnet must have a route to the Internet Gateway for outbound connectivity.

How to eliminate wrong answers

Option B is wrong because the NAT Gateway is explicitly stated to be in the public subnet; placing it in a private subnet would prevent it from reaching the internet, but that is not the scenario here. Option C is not the intended answer: network ACLs are stateless, but the default NACL allows all traffic in both directions and the question gives no indication that a custom NACL was applied, whereas the missing IGW route is the structural fault that breaks every private-subnet host at once. Option D is wrong because NAT Gateways do not have security groups; they are managed by AWS and cannot be associated with security groups, so this is not a possible cause.

149
MCQeasy

A company wants to provide internet access to instances in a private subnet using a NAT gateway. The NAT gateway is deployed in a public subnet with an Elastic IP. The private subnet route table has a default route pointing to the NAT gateway. However, instances in the private subnet cannot access the internet. What is the most likely cause?

A. The public subnet route table does not have a route to the internet gateway.
B. The security group assigned to the NAT gateway blocks outbound traffic.
C. The private subnet route table has a route to the internet gateway instead of the NAT gateway.
D. The NAT gateway does not have an Elastic IP associated.
Answer: A

NAT gateway needs internet gateway route in its subnet.

Why this answer

The NAT gateway is deployed in a public subnet, but for it to route traffic to the internet, the public subnet's route table must have a default route (0.0.0.0/0) pointing to an internet gateway (IGW). Without this route, the NAT gateway cannot forward traffic from the private subnet to the internet, even though the private subnet's route table correctly points to the NAT gateway. This is the most likely cause because the NAT gateway itself needs internet access via the IGW to translate and forward traffic.

Exam trap

AWS often tests the misconception that a NAT gateway automatically has internet access simply because it is in a public subnet, but the critical missing piece is the explicit route to the internet gateway in that subnet's route table.

How to eliminate wrong answers

Option B is wrong because security groups cannot be attached to NAT gateways; traffic through a NAT gateway is governed by the subnet's network ACLs, not by security groups. Option C is wrong because the question states that the private subnet's default route points to the NAT gateway; had it pointed to the internet gateway instead, the instances would have attempted direct internet access and failed because they have no public IP, but that is not the scenario here. Option D is wrong because the question explicitly states that the NAT gateway has an Elastic IP associated, so this cannot be the cause of the failure.

150
MCQ · easy

A company wants to connect an on-premises data center to AWS using a dedicated private connection that does not traverse the internet. Which AWS service should they use?

A. AWS Transit Gateway
B. AWS Site-to-Site VPN
C. AWS Direct Connect
D. VPC Peering
Answer: C

Dedicated private connection.

Why this answer

AWS Direct Connect is the correct choice because it provides a dedicated, private network connection from an on-premises data center to AWS, bypassing the internet entirely. This service uses industry-standard 802.1Q VLANs to create a private virtual interface (VIF) that connects directly to a virtual private gateway or AWS Transit Gateway, ensuring low latency, consistent bandwidth, and compliance with data sovereignty requirements.

Exam trap

AWS often tests the misconception that AWS Transit Gateway itself provides a dedicated private connection, but it is a routing service that requires an underlying physical or virtual link to extend to on-premises networks.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway is a network transit hub that interconnects VPCs and on-premises networks, but it is not a dedicated private connection service; it requires an underlying connection like Direct Connect or VPN to extend to on-premises. Option B is wrong because AWS Site-to-Site VPN creates an encrypted tunnel over the public internet, which does not meet the requirement of a dedicated private connection that does not traverse the internet. Option D is wrong because VPC Peering connects VPCs within AWS using the AWS global network, but it cannot connect an on-premises data center to AWS.
