CCNA Network Design Questions

75 of 504 questions · Page 5/7 · Network Design

301
MCQ · medium

A company is using AWS Transit Gateway to connect multiple VPCs. They notice that traffic between two VPCs in different Availability Zones is taking a suboptimal path, resulting in cross-AZ data transfer costs. How can they optimize the path and reduce costs?

A.Replace Transit Gateway with VPC Peering between the VPCs.
B.Use Availability Zone affinity by launching resources in the same AZ and using Transit Gateway to route within the same AZ.
C.Enable Transit Gateway multicast to replicate traffic across AZs.
D.Configure the Transit Gateway to use a single Availability Zone for all attachments.
Answer: B

Keeps traffic within the AZ, avoiding cross-AZ charges.

Why this answer

Option B is correct because a Transit Gateway VPC attachment is Availability-Zone scoped: the gateway delivers traffic into a VPC through the attachment network interface in the same AZ as the source whenever one exists, so placing the communicating resources in the same AZ keeps the path inside that AZ and avoids the cross-AZ data transfer charge. The practical check is that every AZ that hosts workload subnets also has a subnet in the Transit Gateway attachment; an AZ without one forces traffic to cross into another AZ just to reach the gateway. Option A is wrong because VPC peering also bills cross-AZ data transfer whenever the two endpoints sit in different AZs; changing the connectivity construct does not change where the resources are. Option C is wrong because Transit Gateway multicast is a one-to-many delivery feature, not a path optimization or cost control, and replicating traffic across AZs adds transfer rather than removing it.

Option D is wrong because attaching the gateway in only one AZ forces every other AZ's traffic to cross into that AZ first, which raises cost and makes that AZ a single point of failure for the attachment.

302
MCQ · medium

A company has a VPC with CIDR 172.16.0.0/16. They have two subnets: 172.16.1.0/24 (public) and 172.16.2.0/24 (private) in us-west-2a. They have an EC2 instance in the private subnet that needs to access an S3 bucket for log uploads. The company wants to avoid using a NAT Gateway to reduce costs. The S3 bucket is in the same region. Which solution should the network engineer implement?

A.Assign an IAM instance profile to the EC2 instance that allows S3 access.
B.Set up a VPN connection from the VPC to the S3 bucket.
C.Create a VPC Gateway Endpoint for S3 and add a route from the private subnet to the endpoint.
D.Create an S3 access point and configure the VPC to use it.
Answer: C

A gateway endpoint provides private connectivity to S3 without a NAT.

Why this answer

Option C is correct because a gateway VPC endpoint for S3 lets resources in a private subnet reach S3 without an internet path or a NAT Gateway. Gateway endpoints (available for S3 and DynamoDB) are route-table constructs, not PrivateLink: associating the endpoint with the private subnet's route table adds routes for the regional S3 managed prefix list that target the endpoint, so only S3-bound traffic is diverted and the rest of the table is unchanged. An endpoint policy can additionally restrict which buckets and actions are reachable through it, which is the control a security engineer would add alongside the route.

Exam trap

AWS often tests the misconception that an IAM role alone provides network access, but the trap here is that private subnets require a route to S3, and without a NAT Gateway or VPC endpoint, traffic cannot leave the subnet even with correct IAM permissions.

How to eliminate wrong answers

Option A is wrong because an IAM instance profile grants permissions but does not provide network connectivity; the EC2 instance still needs a route to reach S3, and without a NAT Gateway or VPC endpoint, traffic from a private subnet cannot reach S3. Option B is wrong because a VPN connection is used to connect on-premises networks to a VPC, not to access AWS services like S3; S3 does not support VPN termination. Option D is wrong because an S3 access point is a feature for managing data access with specific policies and network controls, but it does not create a network path; you still need a VPC endpoint or other connectivity to route traffic from the private subnet to the access point.

303
Multi-Select · medium

A company has a VPC with public and private subnets. The private subnets must access an S3 bucket without traversing the internet. Which TWO methods can achieve this? (Choose TWO.)

Select 2 answers
A.Attach an internet gateway to the VPC and route traffic through it.
B.Create a VPC gateway endpoint for S3 and associate it with the private subnet route tables.
C.Set up a VPN connection to the on-premises network and access S3 from there.
D.Use AWS PrivateLink to create a VPC endpoint for the S3 bucket.
E.Place a NAT gateway in the public subnet and route traffic through it.
Answers: B, D

A gateway endpoint or an interface endpoint for S3 keeps the traffic on the AWS network.

Why this answer

Option B is correct: a gateway endpoint for S3, once associated with the private subnet route tables, adds prefix-list routes to the endpoint so S3 traffic never needs an internet path. Option D is correct: S3 also supports interface endpoints powered by AWS PrivateLink, which place elastic network interfaces with private IP addresses in your subnets; no per-bucket "endpoint service" is involved, and interface endpoints are the choice when the caller is on premises (reaching the endpoint over Direct Connect or VPN) or needs a private IP address to connect to. Option E is wrong because a NAT gateway sends the traffic through the internet gateway to S3's public endpoints.

Option C is wrong because a VPN to the on-premises network only moves the problem: the data center would still need its own path to S3. Option A is wrong because an internet gateway requires public addressing and sends traffic over the internet path by design.

304
MCQ · medium

A company is designing a network for a containerized microservices application running on Amazon ECS. The application consists of several microservices that need to communicate with each other. The company wants to use service discovery so that services can find each other by name. They also want to ensure that traffic between services is encrypted in transit. The microservices are deployed across multiple Availability Zones. Which combination of services should the company use?

A.Use AWS Cloud Map for service discovery and AWS App Mesh for encryption in transit
B.Use an Application Load Balancer for each service and configure HTTPS listeners
C.Use VPC peering between each service's VPC
D.Use Amazon Route 53 private hosted zones for service discovery and enable encryption at the application layer
Answer: A

Cloud Map provides service discovery; App Mesh provides encryption.

Why this answer

AWS Cloud Map provides service discovery by registering each microservice under a DNS name (or through its API) with health checks, so ECS tasks can resolve each other by name. AWS App Mesh injects Envoy sidecar proxies that enforce mutual TLS (mTLS) between services, so traffic is encrypted in transit without changes to application code. Together they meet the requirements for name-based discovery and encrypted inter-service communication across multiple Availability Zones. A caveat for new designs: AWS has announced end of support for App Mesh (September 30, 2026) and points ECS users to ECS Service Connect, which is built on Cloud Map namespaces and can also enforce TLS between services; the pairing the exam expects is still Cloud Map with App Mesh.

Exam trap

The trap here is that candidates often confuse service discovery with load balancing or assume that a private hosted zone alone provides encryption, when in fact DNS-based discovery (Route 53) only resolves names and requires a separate mechanism like App Mesh or mTLS to encrypt traffic in transit.

How to eliminate wrong answers

Option B is wrong because using an Application Load Balancer for each service introduces unnecessary complexity and cost, and ALBs operate at the application layer (HTTP/HTTPS), which does not provide encryption for all inter-service traffic (e.g., gRPC or TCP-based services) and does not natively provide service discovery by name without additional DNS integration. Option C is wrong because VPC peering connects entire VPCs, not individual services, and does not provide service discovery or encryption; it only enables network-layer connectivity between VPCs. Option D is wrong because Amazon Route 53 private hosted zones can provide DNS-based service discovery, but they do not encrypt traffic; encryption at the application layer must be implemented separately by the application code, which violates the requirement for transparent encryption in transit.

305
MCQ · medium

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance is behind a NAT Gateway in the public subnet. The download is failing. Which configuration should the network engineer check FIRST?

A.The network ACL for the private subnet allows inbound HTTP/HTTPS traffic.
B.The EC2 instance has a public IP address assigned.
C.The Internet Gateway is attached to the private subnet.
D.The route table associated with the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway.
Answer: D

Correct: Without this route, traffic cannot reach the NAT Gateway.

Why this answer

Option D is correct because for an EC2 instance in a private subnet to reach the internet via a NAT Gateway, the private subnet's route table must have a default route (0.0.0.0/0) pointing to the NAT Gateway. Without this route, traffic from the instance destined for the internet has no path to the NAT Gateway, causing the download to fail.

Exam trap

AWS often tests the misconception that a private instance needs a public IP or that NACLs are the primary cause of outbound internet failures, when in fact the missing default route to the NAT Gateway is the most common misconfiguration.

How to eliminate wrong answers

Option A is wrong for two reasons: the instance initiates the connection, so what matters on the private subnet's NACL is an outbound rule for 80/443 and an inbound rule for the ephemeral port range (1024-65535) that carries the replies, not an inbound HTTP/HTTPS rule; and the default NACL allows all traffic in both directions, so unless it was customized it is not the first thing to check. Option B is wrong because an instance in a private subnet does not need a public IP address to use a NAT Gateway; the NAT Gateway holds the Elastic IP and the instance's traffic leaves with that address. Option C is wrong because an Internet Gateway is attached to the VPC, not to a subnet; the public subnet routes to it directly and the private subnet reaches it only through the NAT Gateway.

306
MCQ · hard

A company runs a multi-tier web application on AWS. The web servers in public subnets need to send traffic to the application servers in private subnets. The application servers must only accept traffic from the web servers. Both tiers are in the same VPC. Which design meets these requirements without introducing a single point of failure or unnecessary complexity?

A.Place the web servers in a public subnet with a security group that allows inbound from 0.0.0.0/0 on port 443. Place the app servers in a private subnet with a security group that allows inbound from the web server security group on the application port.
B.Place the web servers and app servers in the same private subnet behind an internal Network Load Balancer. Route web traffic through the NLB.
C.Place the web servers in a public subnet with an Internet Gateway. Place the app servers in a private subnet with a NAT Gateway for outbound traffic. Use NACLs to allow inbound from the web subnet CIDR.
D.Place the web servers in a public subnet with a NACL allowing inbound on port 443. Place the app servers in a private subnet with a NACL allowing inbound from the web subnet CIDR on the application port.
Answer: A

This is correct because it uses security group references for fine-grained, stateful filtering without introducing a single point of failure.

Why this answer

Option A is correct because it uses security group referencing, which allows the app servers' security group to dynamically allow traffic from any instance associated with the web servers' security group, regardless of IP address changes. This design avoids a single point of failure by not introducing any load balancer or gateway, and it minimizes complexity by leveraging native VPC security group behavior within the same VPC.

Exam trap

The trap here is that candidates often overcomplicate the solution by introducing load balancers or NAT gateways, or they incorrectly choose NACLs over security groups, not realizing that security group referencing provides a simpler, more dynamic, and more secure solution without single points of failure.

How to eliminate wrong answers

Option B is wrong because it puts the web servers in a private subnet, where they cannot receive internet traffic, and adds an internal Network Load Balancer the requirement does not call for; the load balancer is an extra component to operate when a security group rule already does the job. Option C is wrong because a NAT Gateway serves outbound traffic from the private subnet and is irrelevant to allowing inbound traffic from the web tier, a single NAT Gateway in one AZ is itself a single point of failure, and a NACL keyed on the web subnet CIDR admits any host placed in that subnet, not only the web servers. Option D is wrong because NACLs filter by CIDR, so any instance in the web subnet would be allowed, and because they are stateless: return traffic on ephemeral ports has to be allowed explicitly in the opposite direction, which is more rules to get wrong than a single security group reference.
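To make the stateful/stateless distinction concrete, here is an added example (not part of the question bank) that models the two VPC filtering layers just far enough to show what Option A of question 305 and Options A and D of question 306 turn on: a security group ingress rule that references another group keeps matching after instance IPs change, while a NACL needs an explicit inbound rule for the ephemeral port range before replies to an outbound connection can get back in. Group IDs, instance addresses and ports are constructed.

```python
"""Security groups (stateful, reference-based) vs network ACLs (stateless).

Added example, not from the question bank. Group ids, addresses and ports
are constructed; the evaluation order mirrors VPC behaviour but is a model.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SecurityGroup:
    gid: str
    # ingress rules: (TCP port, source); source is a CIDR or another group id
    ingress: list[tuple[int, str]] = field(default_factory=list)


@dataclass
class Vpc:
    groups: dict[str, SecurityGroup] = field(default_factory=dict)
    members: dict[str, set[str]] = field(default_factory=dict)  # instance IP -> group ids

    def sg_allows(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        """Stateful evaluation of a new inbound connection to dst_ip.
        One matching rule is enough; replies of an allowed connection are
        allowed automatically, so no separate reply check exists here."""
        for gid in self.members.get(dst_ip, set()):
            for port, source in self.groups[gid].ingress:
                if port != dport:
                    continue
                if source.startswith("sg-"):
                    # group reference: matched on membership, not on the packet's IP
                    if source in self.members.get(src_ip, set()):
                        return True
                elif ipaddress.ip_address(src_ip) in ipaddress.ip_network(source):
                    return True
        return False


NaclRule = tuple[int, str, int, int, str]  # (rule number, CIDR, port from, port to, action)


def nacl_direction(rules: list[NaclRule], remote_ip: str, port: int) -> bool:
    """One direction of a NACL: ascending rule number, first match wins,
    implicit deny. remote_ip is the packet's source (inbound) or destination
    (outbound); port is the destination port of that packet."""
    addr = ipaddress.ip_address(remote_ip)
    for _, cidr, lo, hi, action in sorted(rules):
        if addr in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action == "allow"
    return False


def nacl_round_trip(inbound: list[NaclRule], outbound: list[NaclRule],
                    remote_ip: str, dport: int, sport: int = 40000) -> tuple[bool, bool]:
    """Stateless: the request and its reply are judged as unrelated packets."""
    request_ok = nacl_direction(outbound, remote_ip, dport)  # instance -> remote:dport
    reply_ok = nacl_direction(inbound, remote_ip, sport)     # remote -> instance:sport
    return request_ok, reply_ok


def build_demo_vpc() -> Vpc:
    vpc = Vpc()
    vpc.groups["sg-web"] = SecurityGroup("sg-web", [(443, "0.0.0.0/0")])
    vpc.groups["sg-app"] = SecurityGroup("sg-app", [(8080, "sg-web")])  # reference, not CIDR
    vpc.members["172.16.1.10"] = {"sg-web"}  # web server, public subnet
    vpc.members["172.16.2.20"] = {"sg-app"}  # app server, private subnet
    vpc.members["172.16.1.99"] = set()       # another host in the web subnet, no group
    return vpc


# Private-subnet NACL with only "inbound 443" (the misreading in question 305, option A).
NACL_IN_HTTPS_ONLY: list[NaclRule] = [(100, "0.0.0.0/0", 443, 443, "allow")]
NACL_OUT_ALL: list[NaclRule] = [(100, "0.0.0.0/0", 0, 65535, "allow")]
# Corrected inbound set: replies arrive on the instance's ephemeral port.
NACL_IN_WITH_EPHEMERAL: list[NaclRule] = NACL_IN_HTTPS_ONLY + [(110, "0.0.0.0/0", 1024, 65535, "allow")]


if __name__ == "__main__":
    vpc = build_demo_vpc()
    print(vpc.sg_allows("172.16.1.10", "172.16.2.20", 8080))  # True: web -> app via reference
    print(vpc.sg_allows("172.16.1.99", "172.16.2.20", 8080))  # False: same subnet, not in sg-web
    print(nacl_round_trip(NACL_IN_HTTPS_ONLY, NACL_OUT_ALL, "93.184.216.34", 443))      # (True, False)
    print(nacl_round_trip(NACL_IN_WITH_EPHEMERAL, NACL_OUT_ALL, "93.184.216.34", 443))  # (True, True)
```

Adding a new web instance to sg-web (any address) makes it pass the app group's rule without touching a single CIDR, which is the "dynamic" property the answer relies on; a CIDR-based NACL would have admitted the host at 172.16.1.99 as well.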

307
Multi-Select · hard

A company has multiple VPCs connected via a Transit Gateway. They want to implement network segmentation so that only specific VPCs can communicate with each other. Which TWO methods can achieve this? (Choose two.)

Select 2 answers
A.Deploy AWS Network Firewall in a centralized inspection VPC
B.Use Transit Gateway route tables with specific associations and propagations
C.Assign instances to different security groups
D.Configure network ACLs on each subnet
E.Create separate VPC peering connections
Answers: A, B

Transit Gateway route tables decide which attachments can reach which; Network Firewall inspects what is allowed through.

Why this answer

Option B is correct because segmentation on a Transit Gateway is done with its route tables: each attachment is associated with exactly one route table, and a table contains only the routes you propagate into it or add statically. Putting the production and development VPC attachments in separate tables that carry only the routes to a shared-services VPC, with no route (or a blackhole route) for each other, makes the isolated VPCs unable to exchange traffic at the routing layer. Option A is correct because routing inter-VPC traffic through a centralized inspection VPC that hosts AWS Network Firewall adds stateful, rule-based filtering on top of the routing segmentation, so traffic that is allowed between two VPCs can still be restricted to specific protocols and destinations.

Exam trap

AWS often tests the assumption that security groups or network ACLs are the tool for segmenting VPCs behind a Transit Gateway. They can filter traffic arriving from another VPC by source CIDR, but they are enforced per instance and per subnet inside the destination VPC, so segmentation built on them has to be kept consistent across every subnet and security group in every account, and it does nothing to stop the gateway from routing the packet into the VPC in the first place. Option E is wrong because VPC peering is a separate, non-transitive construct; adding peering connections beside a Transit Gateway creates extra paths to manage instead of segmenting the existing ones.

308
MCQ · medium

A media company is designing a network for a new AWS environment. They have a VPC with public and private subnets in three Availability Zones. In the private subnets, they run a fleet of Amazon EC2 instances that process video files from an Amazon S3 bucket. The S3 bucket is in the same region. The company wants to ensure that all traffic to S3 stays within the AWS network and does not traverse the internet. They also need to allow the EC2 instances to access the internet for software updates, but only through a centralized NAT gateway. Currently, there is one NAT gateway in AZ1. The network engineer has created a VPC endpoint for S3 (Gateway type) and associated it with the route tables for the private subnets. However, the EC2 instances in AZ2 and AZ3 cannot reach the NAT gateway for internet access. What is the most likely cause?

A.The route table for private subnets now has a more specific route for S3 that overrides the default route to the NAT gateway
B.The VPC endpoint needs to be created in each Availability Zone
C.The NAT gateway is only available in the AZ where it is deployed
D.The S3 VPC endpoint is only accessible from the AZ where it was created
Answer: A

The key attributes the failure to the route table change that came with the endpoint; the practitioner's check is whether every private route table still carries 0.0.0.0/0 to the NAT gateway.

Why this answer

Option A is the keyed answer because the only thing the engineer changed was the private subnets' route tables, so the key points at the endpoint route interfering with the default route. Read it with a caveat, because the mechanism is not what the option text suggests: associating a gateway endpoint adds routes for the regional S3 managed prefix list only; it never adds or replaces 0.0.0.0/0, and longest-prefix matching means those routes are consulted only for S3 destinations while everything else still follows the default route. What produces the symptom in practice is a private route table, typically the one used by the AZ2 and AZ3 subnets, that has no 0.0.0.0/0 route to the NAT gateway, for example because a new table was created and associated during the endpoint change. Verify each private subnet's route table: it should contain the local route, the prefix-list route to the endpoint and 0.0.0.0/0 to the NAT gateway.

Option B is wrong because gateway endpoints are regional and are associated with route tables, not with AZs. Option C is wrong because a NAT gateway in AZ1 serves instances in any AZ whose route table points 0.0.0.0/0 at it; the cost is cross-AZ data transfer and a dependency on AZ1, which is why one NAT gateway per AZ is the usual recommendation, but it is not the cause of this failure. Option D is wrong for the same reason as B: the endpoint is not AZ-scoped.
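The routing mechanics behind questions 302, 305 and 308 come down to longest-prefix match over one route table. The following added example (not from the question bank) models that evaluation: the S3 prefix-list routes added by a gateway endpoint divert only S3 destinations, the default route still carries everything else to the NAT gateway, and a table that lacks the default route drops internet-bound traffic while S3 keeps working. The route targets and the prefix-list CIDRs are constructed placeholders; the real managed prefix list differs per Region.

```python
"""Longest-prefix match over a VPC subnet route table.

Added example, not from the question bank. Route targets, the S3 prefix-list
CIDRs and the probe addresses are constructed placeholders.
"""
import ipaddress
from typing import Optional

Route = tuple[str, str]  # (destination CIDR, target)


def lookup(route_table: list[Route], dst_ip: str) -> Optional[str]:
    """Return the target of the most specific route that covers dst_ip.

    VPC routing is longest-prefix match: the matching route with the longest
    prefix length wins, independent of the order the routes were added.
    None means there is no route at all, so the packet is dropped.
    """
    addr = ipaddress.ip_address(dst_ip)
    best_len, best_target = -1, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best_len, best_target = net.prefixlen, target
    return best_target


# Constructed stand-in for the regional S3 managed prefix list.
S3_PREFIX_LIST = ["52.216.0.0/15", "54.231.0.0/16"]


def associate_s3_gateway_endpoint(route_table: list[Route]) -> list[Route]:
    """Associating a gateway endpoint adds one route per prefix-list CIDR that
    targets the endpoint. It never adds, removes or replaces 0.0.0.0/0."""
    return route_table + [(cidr, "vpce-s3") for cidr in S3_PREFIX_LIST]


# Private route table used by the AZ1 subnet: local route plus default to NAT.
PRIVATE_RT_AZ1: list[Route] = [("172.16.0.0/16", "local"), ("0.0.0.0/0", "nat-az1")]
# Constructed failure case: a table that was never given a default route.
PRIVATE_RT_NO_DEFAULT: list[Route] = [("172.16.0.0/16", "local")]


def classify(route_table: list[Route]) -> dict[str, Optional[str]]:
    """Where do an S3 address, an internet address and a VPC address go
    once the endpoint is associated with the given table?"""
    rt = associate_s3_gateway_endpoint(route_table)
    return {
        "s3": lookup(rt, "52.216.10.5"),          # inside 52.216.0.0/15
        "internet": lookup(rt, "93.184.216.34"),  # covered only by 0.0.0.0/0
        "vpc": lookup(rt, "172.16.2.10"),
    }


if __name__ == "__main__":
    print(classify(PRIVATE_RT_AZ1))         # S3 -> endpoint, internet -> NAT, VPC -> local
    print(classify(PRIVATE_RT_NO_DEFAULT))  # S3 still works; internet has no route at all
```

The second result is the real-world shape of the question 308 symptom: S3 uploads succeed because the endpoint route exists, and patch downloads fail because the table has no default route, not because the endpoint route overrode one.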

309
MCQ · hard

A company uses AWS Direct Connect with a private VIF and a virtual private gateway (VGW) to connect its on-premises data center to a VPC. The on-premises network uses BGP to advertise routes to AWS. The VPC has multiple subnets. The company wants to ensure that only traffic destined for the VPC CIDR (10.0.0.0/16) is sent over Direct Connect, and all other traffic uses the internet. However, after configuration, on-premises users can access the internet through the Direct Connect link, which is unintended. What change should be made to restrict traffic?

A.Add a static route in the VPC route table to send all traffic to the internet gateway.
B.Disable route propagation for the private subnet route table.
C.Configure the on-premises router to only accept the VPC CIDR route from AWS and not a default route.
D.Remove the virtual private gateway and use a VPN connection instead.
Answer: C

Filtering what the on-premises router accepts from AWS prevents the Direct Connect link from becoming a path to the internet.

Why this answer

Option C is correct. In this design the only route AWS should advertise over the private VIF is the VPC CIDR (10.0.0.0/16), and the on-premises router should accept nothing else from that BGP session; with an inbound prefix list that permits 10.0.0.0/16 and rejects a default route, on-premises traffic for anything outside the VPC keeps using the existing internet path. Check both directions: the customer side should likewise advertise only its own prefixes to AWS, never a default route, so the VPC is not used as a transit path.

Option A is wrong because a static route in the VPC route table controls how the VPC forwards traffic, not what the on-premises router learns or prefers. Option B is wrong because disabling route propagation only stops the virtual private gateway from writing BGP-learned routes into that subnet's route table; it does not change the BGP advertisements exchanged over the VIF. Option D is wrong because replacing the virtual private gateway with a VPN discards the Direct Connect link and does nothing about route selection.

310
MCQ · medium

A company is deploying a multi-tier web application across two AWS Regions with an active-passive failover architecture. The application uses Application Load Balancers (ALBs) in each Region, and traffic must be directed to the active Region using DNS. Which routing policy should be used for the Amazon Route 53 record set to achieve this?

A.Geolocation routing policy
B.Failover routing policy
C.Weighted routing policy
D.Latency routing policy
Answer: B

Failover routing policy is designed for active-passive failover configurations.

Why this answer

Option B is correct because a failover routing policy is built for active-passive configurations: the primary record serves all traffic while its health check passes, and Route 53 returns the secondary record only when the primary is unhealthy. Option A (geolocation) routes by the location of the querying resolver, Option C (weighted) splits traffic across records in proportion to their weights, and Option D (latency) sends each query to the Region with the lowest measured latency; none of these expresses a primary/standby relationship.

For failover to actually trigger, the primary record needs a Route 53 health check; for an alias record pointing at an ALB, that means setting Evaluate Target Health so that the load balancer's own health feeds the decision.

311
MCQ · medium

A company is deploying an application that requires low-latency communication between EC2 instances in two different AWS Regions. The application traffic is latency-sensitive and the company wants to minimize jitter. Which network design provides the lowest and most consistent latency?

A.Create a VPC peering connection between the two VPCs and route traffic through the peering connection.
B.Use internet gateways and route traffic over the public internet between the instances.
C.Use a Site-to-Site VPN connection between the two VPCs over the internet.
D.Deploy an AWS Global Accelerator with endpoints in both Regions and use the accelerator's static IP addresses for communication.
Answer: D

Global Accelerator uses the AWS global network to route traffic over optimized paths, reducing latency and jitter.

Why this answer

AWS Global Accelerator uses the AWS global network and Anycast static IP addresses to route traffic over optimized paths, providing lower and more consistent latency than VPC peering, internet transit, or VPNs. It minimizes jitter by avoiding the public internet and leveraging AWS's internal backbone, which is ideal for latency-sensitive inter-Region communication.

Exam trap

The trap here is that candidates pick VPC peering (Option A) because it is private and also rides the AWS backbone. The key prefers Global Accelerator for its anycast static IP addresses, health-check-driven endpoint selection and traffic engineering across edge locations, and treats those as what keeps latency consistent rather than merely low.

How to eliminate wrong answers

Option A is the closest competitor and deserves an honest comparison: inter-Region VPC peering also keeps traffic on the AWS global backbone, is encrypted, and uses private addresses, so for plain instance-to-instance replication it is the simpler and more common design. The key rejects it because peering offers no static anycast entry points, no health-check-based failover between endpoints and no traffic engineering beyond the backbone's own routing. Option B is wrong because the public internet introduces variable latency and jitter from ISP hops, congestion and BGP path changes. Option C is wrong because a Site-to-Site VPN adds IPsec overhead on top of that same internet path.

312
MCQ · hard

A company is designing a network for a real-time gaming application that requires extremely low latency between players. The application will be deployed on EC2 instances in multiple AWS regions. Which AWS service provides the best latency performance by using the AWS global network and anycast IPs?

A.AWS Direct Connect
B.AWS Global Accelerator
C.Amazon CloudFront
D.Amazon Route 53 Latency Routing
Answer: B

Uses anycast IPs and AWS global network for low latency.

Why this answer

AWS Global Accelerator uses the AWS global network and anycast IPs to route traffic to the optimal edge location, then over the AWS backbone to the nearest healthy endpoint. This minimizes internet hops and latency, making it ideal for real-time gaming applications that require consistent low latency across multiple regions.

Exam trap

The trap here is that candidates confuse CloudFront's edge caching with Global Accelerator's network-path optimization. CloudFront is an HTTP(S) content delivery network that terminates the client connection at the edge; it is not a way to carry arbitrary TCP/UDP game traffic through to backend servers, which is what Global Accelerator's listeners and endpoint groups do.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect provides a dedicated private connection from on-premises to AWS, but it does not use anycast IPs or optimize routing between multiple AWS regions for end-user traffic; it is designed for hybrid connectivity, not global latency optimization. Option C is wrong because Amazon CloudFront is a content delivery network (CDN) that caches static and dynamic content at edge locations, but it does not use anycast IPs for TCP/UDP traffic optimization and is not designed to reduce latency for real-time gaming traffic that requires dynamic routing to the nearest application endpoint. Option D is wrong because Amazon Route 53 Latency Routing directs DNS queries to the region with the lowest latency, but it operates at the DNS level and does not use anycast IPs; it cannot provide sub-second failover or optimize the network path after the initial connection, and DNS caching can cause stale routing decisions.

313
MCQ · hard

A company is designing a hybrid network using AWS Direct Connect with multiple VPCs in the same region. They need to ensure that traffic between on-premises and VPCs is encrypted and that VPC-to-VPC traffic does not traverse the internet. Which solution meets these requirements?

A.Use a single Direct Connect connection with multiple virtual interfaces and enable encryption on the physical connection.
B.Use AWS Transit Gateway with an IPsec VPN over Direct Connect using a virtual private gateway on each VPC, and configure Transit Gateway route tables.
C.Use AWS Transit Gateway with Direct Connect Gateway and enable encryption on the Transit Gateway attachments.
D.Set up a VPN connection over the internet between on-premises and each VPC, and use VPC Peering for VPC-to-VPC traffic.
Answer: B

IPsec provides the encryption; Transit Gateway provides the VPC-to-VPC path.

Why this answer

Option B is correct because Direct Connect carries traffic unencrypted; running an IPsec VPN over the Direct Connect path encrypts on-premises-to-VPC traffic, and terminating it on a Transit Gateway gives every attached VPC the same encrypted entry point while VPC-to-VPC traffic is routed between attachments on the AWS network according to the Transit Gateway route tables. Option A is wrong because a private virtual interface carries no encryption on its own; MACsec exists for dedicated connections, but it protects only the link between the customer router and the Direct Connect device and does nothing for traffic between VPCs. Option C is wrong because there is no encryption setting on Transit Gateway attachments to enable.

Option D is wrong because a VPN over the internet abandons the Direct Connect path, and a mesh of VPC peering connections scales poorly compared with a Transit Gateway.

314
MCQ · hard

A media company is designing a global streaming platform using AWS. They have a primary workload in us-east-1 (VPC A, 10.0.0.0/16) and a secondary workload in eu-west-1 (VPC B, 10.1.0.0/16). They need to replicate data between these VPCs with low latency and high throughput, and also allow their on-premises data center (10.2.0.0/16) in us-east-2 to communicate with both VPCs. The on-premises network is connected to AWS via two Direct Connect connections terminating in us-east-1 and eu-west-1. The company uses a Transit Gateway in each region, with inter-region peering between the Transit Gateways. The on-premises network has BGP advertisements for 10.2.0.0/16. The routing is set up such that the on-premises network can reach both VPCs via the Direct Connect connections. However, the VPCs cannot reach each other's CIDRs. The network engineer checks the Transit Gateway route tables and sees that the inter-region peering attachment is associated with the appropriate route tables, and static routes for the remote VPC CIDRs are present. What is the MOST likely cause of the problem?

A.The inter-region peering attachment is not in the same route table as the VPC attachments
B.The VPC CIDRs overlap with each other
C.The static routes for the remote VPC CIDRs are pointing to the Direct Connect attachment instead of the inter-region peering attachment
D.The on-premises network is advertising a default route that is being preferred
Answer: C

A route for the remote VPC CIDR that targets the Direct Connect attachment sends the traffic to on-premises, which has no path between the Regions, so it is black-holed.

Why this answer

Transit Gateway peering attachments do not propagate routes, so the route to the remote Region's VPC CIDR has to be added statically in each Region, and it has to target the peering attachment. The engineer confirmed that routes for the remote CIDRs exist but not what they point at. If 10.1.0.0/16 in us-east-1 (or 10.0.0.0/16 in eu-west-1) targets the Direct Connect gateway attachment instead, the traffic leaves toward the on-premises network, which has no route to the other Region's VPC, and the replication traffic is dropped while on-premises connectivity keeps working, exactly the symptom described.

Option A is wrong because the question states that the peering attachment is associated with the appropriate route tables; the association also only selects the table used for traffic arriving from the peering attachment, not whether VPC-originated traffic can reach it. Option B is wrong because 10.0.0.0/16 and 10.1.0.0/16 do not overlap. Option D is wrong because a default route learned from on-premises is less specific than the /16 static routes, so longest-prefix matching would still prefer the static routes; a default route cannot override them.
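Questions 307 and 314 both come down to what is in a Transit Gateway route table and what each route points at. The following added example (not from the question bank) models associations, propagations and static routes just far enough to show both: isolated routing domains in which prod and dev reach a shared-services VPC but not each other, and a static route for the remote Region's CIDR that targets the Direct Connect gateway attachment instead of the peering attachment, which delivers the traffic to an attachment that does not front that prefix. Attachment ids, table names and CIDRs are constructed; a real Transit Gateway does not know which prefixes sit behind an attachment, so the `cidrs` field is a modelling device used only to judge delivery.

```python
"""Transit Gateway route tables: associations, propagations and static routes.

Added example, not from the question bank. Attachment ids, table names and
CIDRs are made up; Attachment.cidrs is a modelling device, not a TGW attribute.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Attachment:
    aid: str
    cidrs: list[str]  # prefixes actually reachable behind this attachment (model only)


@dataclass
class RouteTable:
    name: str
    routes: dict[str, str] = field(default_factory=dict)  # CIDR -> target attachment id

    def propagate(self, att: Attachment) -> None:
        """Dynamic propagation: the attachment's prefixes appear with it as target."""
        for cidr in att.cidrs:
            self.routes[cidr] = att.aid

    def add_static(self, cidr: str, target_aid: str) -> None:
        self.routes[cidr] = target_aid

    def lookup(self, dst_ip: str) -> Optional[str]:
        """Longest-prefix match; None means no route, so the packet is dropped."""
        addr = ipaddress.ip_address(dst_ip)
        best: Optional[tuple[int, str]] = None
        for cidr, target in self.routes.items():
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, target)
        return best[1] if best else None


@dataclass
class TransitGateway:
    attachments: dict[str, Attachment] = field(default_factory=dict)
    tables: dict[str, RouteTable] = field(default_factory=dict)
    association: dict[str, str] = field(default_factory=dict)  # attachment id -> table name

    def reachable(self, src_aid: str, dst_ip: str) -> bool:
        """Traffic entering from src_aid is looked up in the table that attachment
        is associated with; it is delivered only if the chosen target attachment
        really fronts the destination prefix (otherwise it is black-holed)."""
        target = self.tables[self.association[src_aid]].lookup(dst_ip)
        if target is None:
            return False
        addr = ipaddress.ip_address(dst_ip)
        return any(addr in ipaddress.ip_network(c) for c in self.attachments[target].cidrs)


def build_segmented_tgw() -> TransitGateway:
    """Question 307: prod and dev may each talk to shared services, never to each other."""
    tgw = TransitGateway()
    for aid, cidr in [("att-prod", "10.10.0.0/16"), ("att-dev", "10.20.0.0/16"),
                      ("att-shared", "10.30.0.0/16")]:
        tgw.attachments[aid] = Attachment(aid, [cidr])
    for name in ["rt-prod", "rt-dev", "rt-shared"]:
        tgw.tables[name] = RouteTable(name)
    tgw.association.update({"att-prod": "rt-prod", "att-dev": "rt-dev", "att-shared": "rt-shared"})
    # Propagations decide what each isolated table can see; prod and dev never see each other.
    tgw.tables["rt-prod"].propagate(tgw.attachments["att-shared"])
    tgw.tables["rt-dev"].propagate(tgw.attachments["att-shared"])
    tgw.tables["rt-shared"].propagate(tgw.attachments["att-prod"])
    tgw.tables["rt-shared"].propagate(tgw.attachments["att-dev"])
    return tgw


def build_us_east_1_tgw(peer_route_target: str) -> TransitGateway:
    """Question 314, us-east-1 side. The remote VPC (10.1.0.0/16) sits behind the
    peering attachment and on-premises (10.2.0.0/16) behind the Direct Connect
    gateway attachment. The static route for 10.1.0.0/16 targets peer_route_target."""
    tgw = TransitGateway()
    tgw.attachments["att-vpc-a"] = Attachment("att-vpc-a", ["10.0.0.0/16"])
    tgw.attachments["att-peer"] = Attachment("att-peer", ["10.1.0.0/16"])
    tgw.attachments["att-dxgw"] = Attachment("att-dxgw", ["10.2.0.0/16"])
    rt = RouteTable("rt-main")
    tgw.tables["rt-main"] = rt
    for aid in tgw.attachments:
        tgw.association[aid] = "rt-main"
    rt.propagate(tgw.attachments["att-vpc-a"])
    rt.propagate(tgw.attachments["att-dxgw"])        # BGP-learned 10.2.0.0/16
    rt.add_static("10.1.0.0/16", peer_route_target)  # peering attachments need a static route
    return tgw


if __name__ == "__main__":
    seg = build_segmented_tgw()
    print(seg.reachable("att-prod", "10.30.0.5"), seg.reachable("att-prod", "10.20.0.5"))  # True False
    print(build_us_east_1_tgw("att-dxgw").reachable("att-vpc-a", "10.1.4.4"))  # False: black-holed
    print(build_us_east_1_tgw("att-peer").reachable("att-vpc-a", "10.1.4.4"))  # True
```

In the console the equivalent check is the Routes tab of each Transit Gateway route table: for question 314 the 10.1.0.0/16 entry must show the peering attachment as its target, and for question 307 the prod and dev tables should simply have no entry for each other's CIDR.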

315
MCQ · medium

A company wants to monitor network traffic between two VPCs that are peered. Which AWS feature can capture IP traffic information for analysis?

A.AWS X-Ray
B.AWS Config
C.VPC Flow Logs
D.AWS CloudTrail
Answer: C

Network traffic logs.

Why this answer

VPC Flow Logs capture IP traffic information for network interfaces in a VPC, including traffic between peered VPCs. They log metadata such as source/destination IPs, ports, protocols, and packet accept/reject decisions, which can be published to CloudWatch Logs or Amazon S3 for analysis. This makes them the correct choice for monitoring network traffic between two peered VPCs.

Exam trap

The trap here is that candidates confuse AWS CloudTrail (which logs API calls) with VPC Flow Logs (which logs network traffic), leading them to select CloudTrail when the question specifically asks about IP traffic information for analysis.

How to eliminate wrong answers

Option A is wrong because AWS X-Ray is designed for tracing application requests and debugging distributed applications, not for capturing IP-level network traffic metadata. Option B is wrong because AWS Config is a resource inventory and compliance service that tracks configuration changes to AWS resources, not network packet or flow data. Option D is wrong because AWS CloudTrail records API calls and management events for governance and auditing, not the IP traffic flowing across network interfaces or VPC peering connections.
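What a practitioner does with flow logs in this scenario is filter them for rejected flows between the two peered CIDRs. The following added example (not from the question bank) parses records in the default version-2 flow log format and counts REJECT entries whose endpoints lie one in each VPC, ignoring internet-facing noise and the NODATA intervals. The records, account id, ENI id and addresses are constructed.

```python
"""Find rejected flows between two peered VPCs in VPC Flow Log records.

Added example, not from the question bank. Records are constructed in the
default (version 2) format: version account-id interface-id srcaddr dstaddr
srcport dstport protocol packets bytes start end action log-status.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: str
    packets: int
    bytes: int
    action: str  # ACCEPT or REJECT


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format line. NODATA/SKIPDATA records carry '-' in the
    traffic fields and no decision, so they are skipped by returning None."""
    f = line.split()
    if len(f) != 14 or f[13] != "OK":
        return None
    return FlowRecord(f[2], f[3], f[4], int(f[5]), int(f[6]),
                      PROTOCOLS.get(int(f[7]), f[7]), int(f[8]), int(f[9]), f[12])


def parse_records(text: str) -> list[FlowRecord]:
    return [r for r in (parse_record(ln) for ln in text.strip().splitlines()) if r]


def cross_vpc_rejects(records: list[FlowRecord], cidr_a: str, cidr_b: str) -> Counter:
    """Count REJECTs whose endpoints are one in each peered VPC (either direction),
    keyed by (src, dst, dstport, protocol). Rejects involving other addresses
    (internet scans, for example) are left out on purpose."""
    a, b = ipaddress.ip_network(cidr_a), ipaddress.ip_network(cidr_b)
    hits: Counter = Counter()
    for r in records:
        if r.action != "REJECT":
            continue
        s, d = ipaddress.ip_address(r.srcaddr), ipaddress.ip_address(r.dstaddr)
        if (s in a and d in b) or (s in b and d in a):
            hits[(r.srcaddr, r.dstaddr, r.dstport, r.protocol)] += 1
    return hits


# Constructed sample: two retries to 8080 rejected, one 443 flow accepted,
# one SSH probe from the internet rejected, and one NODATA interval.
SAMPLE = """
2 123456789012 eni-0a1b2c3d4e5f 10.0.1.10 10.1.2.20 49152 8080 6 5 300 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 10.0.1.10 10.1.2.20 49153 8080 6 5 300 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 10.0.1.10 10.1.2.20 49154 443 6 20 4000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.7 10.0.1.10 51000 22 6 1 60 1700000120 1700000180 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f - - - - - - - 1700000180 1700000240 - NODATA
"""


if __name__ == "__main__":
    records = parse_records(SAMPLE)
    for key, count in cross_vpc_rejects(records, "10.0.0.0/16", "10.1.0.0/16").items():
        print(count, key)  # 2 ('10.0.1.10', '10.1.2.20', 8080, 'tcp')
```

A REJECT recorded on the destination side points at a security group or NACL on that interface; a missing peering route shows up differently, because the source interface logs an ACCEPT and nothing is logged on the far side at all, so the absence of records is itself the signal.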

316
Multi-Select · medium

A company is designing a hybrid network using AWS Direct Connect and VPN backup. The company wants to ensure that traffic always uses Direct Connect when it is available. Which TWO configurations should be implemented? (Choose TWO.)

Select 2 answers
A.Use AS_PATH prepending on the VPN BGP session to make the VPN path less preferred.
B.Advertise more specific prefixes over Direct Connect and less specific prefixes over VPN.
C.Disable BGP on the VPN connection to force traffic to Direct Connect.
D.Set a lower MED value on the Direct Connect BGP session.
E.Advertise the same prefixes over both connections with the same AS_PATH length.
Answers: A, B

Longest prefix match is evaluated first; among equal prefixes, a longer AS_PATH is less preferred.

Why this answer

Option B is correct because route selection starts with longest prefix match: if on-premises advertises the two /17 halves of its range over Direct Connect and only the aggregate /16 over the VPN, AWS forwards to the /17s over Direct Connect as long as they are present and falls back to the /16 over the VPN only when the Direct Connect session and its advertisements disappear. Option A is correct because, for prefixes of equal length, AS_PATH prepending on the VPN session lengthens the path of the VPN-learned routes, so BGP prefers the shorter path learned over Direct Connect while it is up. AWS additionally documents that, for identical prefixes, routes propagated from Direct Connect are preferred over VPN routes, so prepending reinforces the default behavior and makes the intent explicit.

Exam trap

AWS often tests which BGP attributes can actually be used to steer traffic. Option D is wrong because MED is the weakest of the standard tie-breakers, evaluated only after local preference and AS_PATH length, and the levers AWS documents for Direct Connect are prefix specificity, AS_PATH prepending and the local preference BGP communities. Option C is wrong because disabling BGP on the VPN removes its ability to take over when Direct Connect fails, which defeats the purpose of a backup. Option E is wrong because advertising identical prefixes with identical path lengths leaves the choice to the default tie-breakers instead of stating the preference.
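The two BGP levers in questions 309 and 316 are easy to confuse, so here is an added example (not from the question bank) that puts both in working form: an inbound prefix filter that accepts only the VPC CIDR from AWS and rejects a default route, and best-path selection between the same prefix learned over Direct Connect and over a prepended VPN session, plus the longest-prefix-match case where the /17 halves go over Direct Connect and only the /16 over the VPN. ASNs, prefixes and session names are constructed; the selection implements the standard BGP order (highest LOCAL_PREF, shortest AS_PATH, lowest MED) and deliberately stops there.

```python
"""BGP inbound prefix filtering and best-path selection for a Direct Connect
plus VPN hybrid.

Added example, not from the question bank. ASNs, prefixes and session names
are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    session: str  # "directconnect" or "vpn"
    as_path: tuple[int, ...]
    local_pref: int = 100
    med: int = 0


def accept_from_aws(route: Route, allowed: list[str]) -> bool:
    """Inbound policy on the customer router (question 309): accept a prefix only
    if it lies within one of the allowed CIDRs. 0.0.0.0/0 is never inside a /16."""
    net = ipaddress.ip_network(route.prefix)
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed)


def prepend(route: Route, times: int) -> Route:
    """AS_PATH prepending as applied on the VPN session: repeat the first ASN."""
    return Route(route.prefix, route.session, (route.as_path[0],) * times + route.as_path,
                 route.local_pref, route.med)


def best_path(candidates: list[Route]) -> Optional[Route]:
    """Highest LOCAL_PREF, then shortest AS_PATH, then lowest MED."""
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.local_pref, len(r.as_path), r.med))


def select_routes(received: list[Route]) -> dict[str, Route]:
    """Best-path selection per prefix; the result is the routing table."""
    by_prefix: dict[str, list[Route]] = {}
    for r in received:
        by_prefix.setdefault(r.prefix, []).append(r)
    return {p: best_path(rs) for p, rs in by_prefix.items()}


def egress_session(table: dict[str, Route], dst_ip: str) -> Optional[str]:
    """Forwarding: longest-prefix match over the selected routes."""
    addr = ipaddress.ip_address(dst_ip)
    best: Optional[tuple[int, Route]] = None
    for prefix, route in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route)
    return best[1].session if best else None


def aws_egress_for(received: list[Route], dst_ip: str) -> Optional[str]:
    """Which session the AWS side would use toward dst_ip given what it received."""
    return egress_session(select_routes(received), dst_ip)


# Question 316 option A, seen from the AWS side: on-premises AS 65000 advertises
# 10.2.0.0/16 over both sessions but prepends three times on the VPN.
ONPREM_DX = Route("10.2.0.0/16", "directconnect", (65000,))
ONPREM_VPN = prepend(Route("10.2.0.0/16", "vpn", (65000,)), 3)

# Question 316 option B: the two /17 halves over Direct Connect, only the /16 over VPN.
SPECIFIC_OVER_DX = [Route("10.2.0.0/17", "directconnect", (65000,)),
                    Route("10.2.128.0/17", "directconnect", (65000,)),
                    Route("10.2.0.0/16", "vpn", (65000,))]


if __name__ == "__main__":
    print(accept_from_aws(Route("0.0.0.0/0", "directconnect", (64512,)), ["10.0.0.0/16"]))  # False
    print(aws_egress_for([ONPREM_DX, ONPREM_VPN], "10.2.7.7"))  # directconnect
    print(aws_egress_for([ONPREM_VPN], "10.2.7.7"))             # vpn (Direct Connect down)
    print(aws_egress_for(SPECIFIC_OVER_DX, "10.2.200.1"))        # directconnect via the /17
```

Removing the Direct Connect routes from either input is what a Direct Connect outage looks like to the selection logic: the VPN route for the same prefix, longer AS_PATH and all, becomes the only candidate and takes over without any configuration change, which is exactly why option C (disabling BGP on the VPN) is wrong.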

317
MCQ · hard

A large e-commerce company operates a multi-tier application across multiple AWS accounts. The web tier is in a VPC (10.0.0.0/16) in Account A, and the application tier is in a separate VPC (10.1.0.0/16) in Account B. Both VPCs are connected via a VPC peering connection. The application tier uses an NLB to distribute traffic to EC2 instances in private subnets. The web tier sends traffic to the NLB's private IP address. Recently, the company migrated the application tier to use AWS PrivateLink instead of the VPC peering connection, creating a VPC endpoint service in Account B and an interface VPC endpoint in Account A. After the migration, the web tier cannot connect to the application tier. The security groups and NACLs allow the traffic. Which of the following is the MOST likely cause of the connectivity issue?

A.The web tier instances are using the private IP address of the Network Load Balancer instead of the VPC endpoint DNS name or private IP addresses.
B.The route tables in Account A's VPC do not have a route to the VPC endpoint service in Account B.
C.The VPC endpoint in Account A requires an Internet Gateway (IGW) to route traffic to the VPC endpoint service in Account B.
D.The Network Load Balancer in Account B is not configured to support TCP traffic.
Answer: A

Correct; after migrating to PrivateLink, the web tier should use the VPC endpoint's DNS name or its assigned private IPs, not the NLB's IP directly.

Why this answer

After migrating from VPC peering to AWS PrivateLink, the web tier instances must use the VPC endpoint's DNS name or its private IP addresses to connect to the application tier. The VPC endpoint provides a different set of IP addresses (from the subnet in Account A) than the NLB's private IP, which remains in Account B. Since the web tier continues to send traffic to the NLB's private IP, the packets are not routed through the VPC endpoint, causing connectivity failure because the VPC peering connection is no longer available.

Exam trap

The trap here is that candidates assume PrivateLink transparently forwards traffic to the original NLB IP, but in reality the consumer must use the endpoint's DNS name or IP, not the service's original IP.

How to eliminate wrong answers

Option B is wrong because an interface VPC endpoint needs no route table entry: it is an elastic network interface with a private IP in the consumer subnet, and traffic reaches the endpoint service through that interface rather than through a route (only gateway endpoints for S3 and DynamoDB use route entries). Option C is wrong because interface VPC endpoints do not require an Internet Gateway; they use private IP addresses within the VPC and communicate over the AWS network without internet access. Option D is wrong because Network Load Balancers support TCP traffic by default; the issue is not about protocol support but about the destination IP address used by the web tier. Two further things to verify after a PrivateLink cut-over: that the endpoint connection has been accepted on the endpoint service in Account B (if acceptance is required), and that private DNS is enabled if clients address the service by its own DNS name rather than the endpoint's.

318
MCQmedium

A company has a VPC with public and private subnets in three Availability Zones. An internet-facing Network Load Balancer (NLB) is deployed in the public subnets, and a fleet of EC2 instances is in the private subnets. The application logs show intermittent connection timeouts. The security group for the EC2 instances allows traffic from the NLB's security group. What is the MOST likely cause?

A.Cross-zone load balancing is disabled on the NLB.
B.The EC2 instances' security group allows traffic from the NLB's security group, but the NLB preserves client IP, so the security group must allow client IPs directly.
C.The NLB's security group is not allowing traffic from the EC2 instances.
D.The network ACLs in the private subnets are blocking return traffic.
AnswerB

The NLB preserves the client's source IP, so targets see client addresses rather than the load balancer's; a security-group reference only matches traffic that originates from the referenced group's own interfaces.

Why this answer

Option B is correct in the scenario the key intends: the NLB preserves the client's source IP by default for instance targets, so packets arrive at the targets with the client address, and an NLB that has no security group of its own cannot be matched by a security-group reference at all. The target security group therefore has to allow the client address ranges, or client IP preservation must be disabled on the target group so that traffic arrives from the NLB's private IPs. Option A is wrong because cross-zone load balancing (off by default on an NLB) only affects how connections are spread across zones; with healthy targets in every zone, disabling it causes uneven distribution, not timeouts. Option C is wrong because the failure is on the target side: return traffic belongs to the existing connection and needs no inbound rule on the load balancer.

Option D is wrong because the default network ACL allows all traffic, and a NACL that blocked the flow would fail every connection rather than intermittently.

319
MCQhard

A company has a Direct Connect connection with a private VIF attached to a Direct Connect Gateway. The company wants to connect to multiple VPCs in the same AWS Region. What is the MOST cost-effective and scalable design?

A.Provision multiple private VIFs, each connected to a different VPC.
B.Create a Direct Connect Gateway and associate each VPC's Virtual Private Gateway to it using a private VIF.
C.Create a Transit Gateway, attach it to the Direct Connect Gateway using a Transit VIF, and attach each VPC to the Transit Gateway.
D.Use a private VIF to connect to a Virtual Private Gateway in one VPC and use VPC Peering to reach other VPCs.
AnswerC

A single transit VIF into a Transit Gateway reaches every attached VPC, so the design scales without adding VIFs.

Why this answer

Option C is correct because it uses a Transit Gateway (TGW) to interconnect multiple VPCs and a Direct Connect Gateway (DXGW) via a Transit VIF, which is the most cost-effective and scalable design. The Transit VIF allows a single Direct Connect connection to be shared across many VPCs through the TGW, avoiding the need for multiple private VIFs or complex peering arrangements. This design scales to hundreds of VPCs and reduces operational overhead by centralizing routing.

Exam trap

AWS often tests the misconception that a Direct Connect Gateway alone can provide transitive routing between VPCs, but in reality, a Direct Connect Gateway only connects VPCs to on-premises networks, not VPCs to each other, which is why a Transit Gateway is needed for inter-VPC connectivity.

How to eliminate wrong answers

Option A is wrong because a private VIF per VPC does not scale: a Direct Connect connection supports only a limited number of virtual interfaces, each VIF needs its own VLAN and BGP session, and each VPC still needs its own virtual private gateway. Option B is wrong because a Direct Connect Gateway can associate multiple Virtual Private Gateways (VGWs) behind a single private VIF, but each VPC must have its own VGW and the Direct Connect Gateway does not route between VPCs; it only connects each VPC to the on-premises network, not to the others. Option D is wrong because using VPC Peering to reach the other VPCs creates a non-transitive, point-to-point mesh that does not scale (each peering connection is a separate relationship), adds routing complexity, and funnels all on-premises traffic through a single hub VPC that cannot forward it onward anyway, since peering is not transitive.

320
MCQhard

A company has a VPC with a CIDR of 10.0.0.0/16. They need to peer with another VPC that has a CIDR of 10.0.0.0/24. What will happen?

A.The peering connection will be established, but only the first VPC's CIDR will be used.
B.The peering connection will be established, but routes with overlapping CIDRs will not be added automatically.
C.The peering connection will fail because the CIDRs overlap.
D.The peering connection will be established, and the overlapping CIDRs will be ignored.
AnswerC

VPC Peering requires non-overlapping IP address ranges.

Why this answer

Option C is correct because overlapping CIDRs cannot be peered: the peering request moves to the failed state and no routes are exchanged. The check covers every CIDR on both VPCs, including secondary IPv4 blocks, so a VPC with 10.0.0.0/16 cannot peer with a VPC whose only block is 10.0.0.0/24, which lies inside it. Option A is wrong because peering never favours one VPC's CIDR; both sides must be fully routable. Option B is wrong because peering never adds routes automatically in any case, and here the request itself is rejected.

Option D is wrong because overlapping ranges are not ignored; they are a hard failure of the peering request.

321
MCQmedium

A company has a VPC with public and private subnets in two Availability Zones. An Application Load Balancer in the public subnets distributes traffic to EC2 instances in the private subnets. The security group for the EC2 instances allows inbound traffic from the ALB security group. Users report intermittent timeouts. What is the most likely cause?

A.The security group for the ALB does not allow inbound traffic from the internet.
B.The ALB is not associated with an internet gateway.
C.The network ACL for the private subnets is blocking inbound traffic from the ALB subnets.
D.Cross-zone load balancing is disabled on the ALB.
AnswerA

ALB security group must allow inbound from clients.

Why this answer

The most likely cause is that the ALB's security group does not allow inbound traffic from the internet (0.0.0.0/0) on the listener port (e.g., 80 or 443). Without this rule, the ALB will reject incoming client requests, causing intermittent timeouts as users attempt to connect. The ALB must have an inbound rule permitting traffic from the internet to receive and forward requests to the targets.

Exam trap

AWS often tests the misconception that the ALB's security group only needs to allow outbound traffic to targets, but in reality, the ALB's security group must also allow inbound traffic from clients to receive requests.

How to eliminate wrong answers

Option B is wrong because an ALB is never attached to an internet gateway directly; it is reachable from the internet because the public subnets' route table sends 0.0.0.0/0 to the VPC's internet gateway. Option C is wrong because the default network ACL allows all inbound and outbound traffic; a custom NACL would have to deny the ALB subnets' CIDRs (or the ephemeral return ports) explicitly, and such a rule fails every request rather than intermittently. Option D is wrong because cross-zone load balancing is always on at the ALB level (it can only be turned off per target group); disabling it would skew distribution between zones, not cause timeouts, since every target would still be reachable from its own zone.

322
MCQeasy

A company is deploying a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is internet-facing and receives traffic from clients. The company wants to improve security by adding an additional layer of protection against common web exploits like SQL injection and cross-site scripting. Which AWS service should they use?

A.AWS Firewall Manager
B.AWS WAF
C.AWS Shield Advanced
D.Network ACLs
AnswerB

Web application firewall that filters SQL injection and XSS.

Why this answer

AWS WAF (Web Application Firewall) is the correct service because it is specifically designed to protect web applications from common exploits such as SQL injection and cross-site scripting (XSS). It integrates directly with an Application Load Balancer (ALB) to inspect HTTP/HTTPS requests and apply customizable rules to block malicious traffic before it reaches the EC2 instances.

Exam trap

The trap here is confusing AWS WAF with AWS Shield Advanced. Shield Advanced is DDoS protection: network and transport layer mitigation, plus application-layer DDoS mitigation that itself works through WAF rules. WAF is the service that inspects individual HTTP/HTTPS requests for patterns such as SQL injection and cross-site scripting.

How to eliminate wrong answers

Option A is wrong because AWS Firewall Manager is a centralized policy management service that helps manage AWS WAF, AWS Shield Advanced, and VPC security groups across accounts, but it does not itself inspect web traffic or block application-layer attacks. Option C is wrong because AWS Shield Advanced provides protection against Distributed Denial of Service (DDoS) attacks at the network and transport layers, not against application-layer exploits like SQL injection or XSS. Option D is wrong because Network ACLs are stateless packet filters that operate at the subnet level (Layer 3/4) and cannot inspect application-layer payloads or block specific HTTP request patterns.

323
MCQhard

A company has a VPC with a CIDR of 10.0.0.0/16 and uses AWS Direct Connect with a private VIF to connect to on-premises. The on-premises network uses 10.0.0.0/8. The company wants to access an AWS service (e.g., S3) privately from the VPC without using public endpoints. Which solution avoids IP overlap and meets the requirement?

A.Create a NAT gateway in a public subnet and route S3 traffic through it.
B.Create a VPC endpoint for S3 (Gateway type) and use it from the VPC.
C.Use a public virtual interface and access S3 via public endpoints.
D.Add a route in the VPC route table pointing to the Direct Connect virtual interface for the S3 prefix list.
AnswerB

VPC endpoint provides private access without overlapping IPs.

Why this answer

Option B is correct because a gateway VPC endpoint for S3 gives the VPC private access to S3 without traversing the internet or needing public IPs. The route table entry it adds targets the S3 prefix list (the region's S3 address ranges, which lie outside 10.0.0.0/8), so S3 traffic is matched by that entry and never by the propagated on-premises 10.0.0.0/8 route; the overlap between the VPC and the on-premises network is irrelevant to this path. Note that the endpoint is usable only from inside the VPC; on-premises hosts arriving over the private VIF cannot reach S3 through it.

Exam trap

The trap here is assuming a private VIF can reach AWS services. A private VIF carries traffic only between on-premises prefixes and the VPC; S3 is reached either over a public VIF (public endpoints) or from inside the VPC through an endpoint. With the CIDR overlap in this scenario the private VIF would not even route correctly for VPC addresses, so a gateway endpoint is the only option that meets the private-access requirement.

How to eliminate wrong answers

Option A is wrong because a NAT gateway sends traffic to S3's public endpoints through the internet gateway, which does not meet the requirement for private access. Option C is wrong because a public virtual interface reaches S3 via its public endpoints, violating the private-access requirement. Option D is wrong because a VPC route cannot target a virtual interface; routes toward on-premises point at the virtual private gateway, and S3 prefixes are not advertised over the private VIF. Even if such a route existed, the on-premises 10.0.0.0/8 already overlaps the VPC's 10.0.0.0/16, so any destination in that range matches the local route and never leaves the VPC.

324
MCQmedium

A company is deploying a critical application across multiple Availability Zones (AZs) in a single AWS region. The application requires a highly available network layer that can automatically detect and reroute traffic away from failed endpoints. Which AWS service should be used to meet this requirement?

A.Network Load Balancer (NLB)
B.AWS Global Accelerator
C.Application Load Balancer (ALB)
D.NAT gateway
AnswerA

NLB provides high availability and automatic rerouting at Layer 4.

Why this answer

Option A is correct because a Network Load Balancer operates at Layer 4, runs across the selected AZs, health-checks its targets and stops sending new connections to targets that fail, so traffic is rerouted to healthy endpoints without intervention. Option C is wrong in the key's reading because an Application Load Balancer also health-checks and reroutes, but operates at Layer 7 and adds request-level processing the requirement does not ask for. Option D is wrong because a NAT gateway provides outbound internet access for private subnets; it does not distribute traffic or detect failed endpoints.

Option B is wrong because AWS Global Accelerator is an edge-ingress service with static anycast addresses that still needs load balancers or instances as its endpoints; within a single region the load balancer itself provides the failover.

325
MCQmedium

A company has a VPC peering connection between VPC A (10.0.0.0/16) and VPC B (10.1.0.0/16). Both VPCs have subnets with EC2 instances. The security groups allow all traffic between the instances. The instances in VPC A can ping the instances in VPC B, but cannot initiate TCP connections to a web server running on port 443 in VPC B. What is the most likely cause?

A.The VPC peering connection does not support TCP traffic.
B.The DNS resolution settings for the VPC peering are not enabled.
C.The security group for the web server in VPC B does not allow inbound traffic from VPC A on TCP port 443.
D.The network ACL in VPC B is blocking inbound TCP traffic on port 443.
AnswerC

Security groups are stateful; if the inbound rule for TCP 443 is missing, TCP connections are denied even while ICMP is allowed.

Why this answer

Option C is correct. The key's intended reading is that the web server's security group permits ICMP from VPC A (which is why ping works) but has no inbound rule for TCP 443 from VPC A's CIDR (10.0.0.0/16) or from the clients' security group, so the SYN is dropped. Security groups are stateful, so only the inbound rule for the initiating direction matters; the reply is allowed automatically. A quick check is to look at the target's inbound rules for TCP 443 with a source of 10.0.0.0/16, or to run VPC Reachability Analyzer between the two instances on port 443.

Option A is incorrect because VPC peering carries any IP protocol, including TCP. Option B is incorrect because DNS resolution across the peering only affects hostname lookups; connecting by IP address does not need it. Option D is the less likely cause: a network ACL is stateless, so a rule blocking TCP 443 would have to sit alongside rules that still pass ICMP, and NACL mistakes more often show up as blocked return traffic on the ephemeral port range, which affects every protocol.
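The rules above (security groups stateful, NACLs stateless, source matched on what the packet actually carries) can be checked by modelling them. The following is an added example written for this page, not code from AWS or from the question set. It models the behaviour the answer keys for questions 318 and 325 describe, using constructed CIDRs, rule sets and a hypothetical security-group ID `sg-nlb`, and goes slightly beyond the questions by also showing the stateless NACL's need for an explicit ephemeral-port rule for return traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the original page): a minimal model of how a security
# group (stateful) and a network ACL (stateless) decide whether an inbound flow
# to an instance succeeds. Rule and packet fields are simplified.

@dataclass
class SgRule:
    proto: str        # "tcp", "udp", "icmp" or "-1" (all traffic)
    from_port: int    # ignored for icmp and "-1"
    to_port: int
    source: str       # CIDR, or a security-group reference such as "sg-nlb" (hypothetical ID)

@dataclass
class NaclRule:
    number: int       # evaluated lowest number first; no match means the implicit deny
    action: str       # "allow" or "deny"
    proto: str
    from_port: int
    to_port: int
    cidr: str

@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int     # client's ephemeral port; the reply goes back to it
    dst_port: int
    src_sg: Optional[str] = None  # SG of the sending ENI when the sender is inside the VPC

def _matches(rule_proto: str, rule_from: int, rule_to: int, proto: str, port: int) -> bool:
    if rule_proto != "-1" and rule_proto != proto:
        return False
    if proto == "icmp" or rule_proto == "-1":
        return True   # ICMP type/code ranges are not modelled here
    return rule_from <= port <= rule_to

def sg_allows(rules: List[SgRule], pkt: Packet) -> bool:
    """Stateful: only the initiating packet is checked; the reply is allowed implicitly."""
    for r in rules:
        if not _matches(r.proto, r.from_port, r.to_port, pkt.proto, pkt.dst_port):
            continue
        if r.source.startswith("sg-"):
            if pkt.src_sg == r.source:
                return True
        elif ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(r.source):
            return True
    return False

def nacl_allows(rules: List[NaclRule], proto: str, ip: str, port: int) -> bool:
    """Stateless: the first matching rule by number decides; nothing matching means deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if not _matches(r.proto, r.from_port, r.to_port, proto, port):
            continue
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(r.cidr):
            continue
        return r.action == "allow"
    return False

def flow_allowed(sg: List[SgRule], nacl_in: List[NaclRule], nacl_out: List[NaclRule],
                 pkt: Packet) -> Tuple[bool, str]:
    """An inbound connection succeeds only if the SG admits it, the subnet NACL admits the
    request, and the NACL also admits the reply (the stateless NACL must allow it explicitly)."""
    if not sg_allows(sg, pkt):
        return False, "security group: no inbound rule matches"
    if not nacl_allows(nacl_in, pkt.proto, pkt.src_ip, pkt.dst_port):
        return False, "nacl: inbound request denied"
    if not nacl_allows(nacl_out, pkt.proto, pkt.src_ip, pkt.src_port):
        return False, "nacl: reply to client's ephemeral port denied"
    return True, "allowed"

# --- constructed scenarios ---------------------------------------------------
ALLOW_ALL_IN = [NaclRule(100, "allow", "-1", 0, 65535, "0.0.0.0/0")]
ALLOW_ALL_OUT = [NaclRule(100, "allow", "-1", 0, 65535, "0.0.0.0/0")]

# Question 325: the web server SG in VPC B (10.1.0.0/16) lets ICMP in from the peered
# VPC A but opens TCP 443 only to its own VPC, so ping works and HTTPS from VPC A does not.
WEB_SG = [SgRule("icmp", -1, -1, "10.0.0.0/16"), SgRule("tcp", 443, 443, "10.1.0.0/16")]

def peered_ping_vs_https() -> Tuple[bool, bool]:
    ping = Packet("icmp", "10.0.1.10", 0, 0)
    https = Packet("tcp", "10.0.1.10", 50000, 443)
    return (flow_allowed(WEB_SG, ALLOW_ALL_IN, ALLOW_ALL_OUT, ping)[0],
            flow_allowed(WEB_SG, ALLOW_ALL_IN, ALLOW_ALL_OUT, https)[0])

# Question 318: the target SG references the NLB's SG, but with client IP preservation the
# packet arrives carrying the internet client's address and no SG, so the reference never matches.
NLB_TARGET_SG = [SgRule("tcp", 443, 443, "sg-nlb")]

def nlb_client_ip_preserved() -> Tuple[bool, bool]:
    from_client = Packet("tcp", "203.0.113.7", 40000, 443)             # client IP preserved
    proxied = Packet("tcp", "10.0.0.25", 40000, 443, src_sg="sg-nlb")  # proxied from the LB's ENI
    return (flow_allowed(NLB_TARGET_SG, ALLOW_ALL_IN, ALLOW_ALL_OUT, from_client)[0],
            flow_allowed(NLB_TARGET_SG, ALLOW_ALL_IN, ALLOW_ALL_OUT, proxied)[0])

# Stateless NACL: an outbound ACL that allows only 443 blocks the reply to the client's
# ephemeral port even though the SG and the inbound ACL are fine.
OUT_443_ONLY = [NaclRule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
OUT_EPHEMERAL = [NaclRule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]

def nacl_ephemeral_reply():
    sg = [SgRule("tcp", 443, 443, "0.0.0.0/0")]
    pkt = Packet("tcp", "198.51.100.9", 51515, 443)
    return (flow_allowed(sg, ALLOW_ALL_IN, OUT_443_ONLY, pkt),
            flow_allowed(sg, ALLOW_ALL_IN, OUT_EPHEMERAL, pkt)[0])
```

Calling `peered_ping_vs_https()` gives `(True, False)`, `nlb_client_ip_preserved()` gives `(False, True)`, and `nacl_ephemeral_reply()` shows the reply being dropped by the 443-only outbound ACL and passing once 1024-65535 is allowed. The model deliberately leaves out SG egress rules and NACL rule-number gaps; the point it makes is which direction each control evaluates and what it matches the source against.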

326
MCQmedium

A company has a VPC with a CIDR block of 10.0.0.0/16 and needs to connect to a partner's VPC with CIDR 10.0.0.0/16. The VPCs are in the same Region. What is the best solution?

A.Use an AWS Site-to-Site VPN connection
B.Establish VPC peering between the two VPCs
C.Use an AWS Transit Gateway with a transit gateway attachment and configure NAT on the transit gateway to translate IPs
D.Use an AWS Direct Connect private virtual interface
AnswerC

Of the options given, only the Transit Gateway design with address translation can connect overlapping CIDRs.

Why this answer

Since the CIDRs overlap, VPC peering is rejected outright, and a VPN or Direct Connect path cannot carry two networks that claim the same addresses. The only option that translates addresses is C, so it is the answer the key expects. Caveat for practice: a Transit Gateway does not itself perform NAT. The AWS pattern for overlapping VPCs is a private NAT gateway placed in a non-overlapping secondary CIDR added to each VPC, with the Transit Gateway routing the translated, non-overlapping ranges between them; plan those secondary CIDRs before creating the attachments.

Option B (VPC peering) is not possible with overlapping CIDRs. Option A (Site-to-Site VPN) has the same overlap problem, since the VPC's local route always wins for 10.0.0.0/16. Option D (Direct Connect private virtual interface) is for on-premises connectivity and does not solve the overlap either.

327
MCQhard

A company is deploying a global application with users in North America and Europe. The application runs on EC2 instances in us-east-1 and eu-west-1. To reduce latency, the company wants to route users to the nearest region and provide automatic failover. Which combination of AWS services should be used?

A.Amazon CloudFront with origins in each region.
B.AWS Global Accelerator with endpoint groups in each region.
C.Amazon Route 53 with geolocation routing and health checks.
D.Amazon Route 53 with latency-based routing and health checks.
AnswerD

Latency routing directs users to the lowest-latency region, health checks provide failover.

Why this answer

Option D is correct because Amazon Route 53 latency-based routing directs users to the region with the lowest latency, automatically routing traffic to the nearest region. Combined with health checks, if an endpoint fails, Route 53 automatically fails over to the next lowest-latency healthy endpoint, meeting both the latency reduction and automatic failover requirements.

Exam trap

AWS often tests the distinction between geolocation routing (which uses static geographic mapping) and latency-based routing (which uses dynamic network performance data), and candidates mistakenly choose geolocation routing because they think 'nearest region' means geographic proximity rather than network latency.

How to eliminate wrong answers

Option A is wrong because Amazon CloudFront is a content delivery network that caches content at edge locations; origin groups give it origin failover, but it does not steer users to the lowest-latency regional origin. Option B is wrong in the key's reading because the requirement pairs nearest-region routing with DNS-level failover, which is exactly what Route 53 latency records plus health checks provide. Note that Global Accelerator is a legitimate alternative in practice: it routes clients to the nearest healthy endpoint group over static anycast IPs and does fail over automatically when endpoint health checks fail; it is chosen when static IPs, non-HTTP protocols or faster failover than DNS TTLs allow are needed, and it is priced per accelerator-hour plus data transfer. Option C is wrong because geolocation routing maps users to regions by their geographic location rather than measured latency, and when the chosen record is unhealthy it falls back only to a less specific geolocation record (continent or default), not to the next nearest region.

328
MCQeasy

A company wants to ensure that traffic between Amazon EC2 instances in the same VPC but different subnets is inspected by a network security appliance. The appliance is deployed in a separate security VPC. Which AWS service should be used to route traffic through the security VPC?

A.AWS Transit Gateway
B.VPC Peering
C.VPC Endpoint
D.Network Load Balancer
AnswerA

Transit Gateway can route traffic between VPCs with route tables enabling inspection.

Why this answer

Option A is correct because Transit Gateway route tables can send inter-subnet or inter-VPC traffic to an attachment in the security VPC, where the appliance inspects it before it is forwarded on. Because the source and destination here are in the same VPC, the subnet route tables must carry routes more specific than the VPC CIDR (for the other subnets) pointing at the Transit Gateway attachment; otherwise the VPC's local route keeps the traffic inside the VPC and it never reaches the appliance. Option B is wrong because VPC peering does not support transitive routing through a third VPC. Option D is wrong because an NLB is a load balancer, not a routing device (a Gateway Load Balancer endpoint would be the in-VPC alternative, but it is not among the options).

Option C is wrong because VPC endpoints are for reaching AWS services and PrivateLink endpoint services, not for steering general traffic.

329
MCQmedium

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to two on-premises locations via AWS Direct Connect. Each Direct Connect connection uses a private VIF. The company wants to use BGP to exchange routes. The on-premises routers advertise the same prefix 10.0.0.0/8 for both connections. How should the network engineer configure the VPC route tables to ensure traffic is load balanced across both Direct Connect connections?

A.Create a VPN connection over the Direct Connect and use BGP with different metrics.
B.Create two separate route tables and associate each with half the subnets.
C.Use AWS Transit Gateway with equal cost multipath routing.
D.Allow BGP to install both routes; AWS will automatically load balance across them using ECMP.
AnswerD

When identical routes are learned from two Direct Connect connections, AWS uses ECMP.

Why this answer

When identical prefixes arrive over two private VIFs with the same AS path length (and MED), the virtual private gateway installs both as equal-cost paths and distributes flows across them with ECMP; with route propagation enabled, the VPC route tables simply see 10.0.0.0/8 via the virtual private gateway. Option D is correct. Note that the VPC's own 10.0.0.0/16 sits inside the advertised 10.0.0.0/8, so destinations in that range match the local route and never use Direct Connect; only on-premises addresses outside 10.0.0.0/16 are reachable.

Option A is incorrect because a VPN over Direct Connect adds encryption, not load balancing, and BGP metrics (AS path prepending or MED) would steer traffic to one path rather than balance it. Option B is incorrect because splitting subnets across route tables does not balance per flow, and both tables would propagate the same virtual private gateway routes anyway. Option C is incorrect because a Transit Gateway attaches to Direct Connect through a transit VIF and a Direct Connect gateway, not the private VIFs the company already has, and ECMP is available on the virtual private gateway without it.

330
MCQhard

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to an on-premises network with CIDR 10.0.0.0/8. The company wants to use AWS Site-to-Site VPN. What configuration change is required to avoid routing conflicts?

A.Create a more specific route in the VPC route table for the on-premises CIDR.
B.Enable route propagation on the VPC route tables.
C.Use a VPN connection with static routes instead of BGP.
D.Change the VPC CIDR to a non-overlapping range, such as 172.16.0.0/16.
AnswerD

Eliminates the overlap.

Why this answer

The VPC CIDR 10.0.0.0/16 is a subset of the on-premises CIDR 10.0.0.0/8. AWS Site-to-Site VPN cannot route traffic correctly when the VPC and on-premises networks have overlapping IP ranges because the VPN connection relies on distinct destination prefixes. The only way to eliminate the conflict is to change the VPC CIDR to a non-overlapping range, such as 172.16.0.0/16, ensuring no IP address overlap between the two networks.

Exam trap

The trap here is that candidates think they can override the conflict with a more specific route or by switching to static routes, but they overlook that the VPC's local route is always more specific than any VPN route for overlapping prefixes, making the conflict unresolvable without changing the VPC CIDR.

How to eliminate wrong answers

Option A is wrong because the VPC's local route for 10.0.0.0/16 always wins inside the VPC: any destination in that range is delivered locally, so on-premises hosts that share it stay unreachable, and a route for the remainder of 10.0.0.0/8 does nothing for the overlapping part. Option B is wrong because enabling route propagation only imports the routes the VPN learns (via BGP or static configuration) into the route table; it does not resolve the IP overlap, since the VPC and on-premises networks still share address space. Option C is wrong because using static routes instead of BGP does not address the overlapping CIDR; whether routes are learned dynamically or statically, the VPC and on-premises networks cannot share an address range for the VPN to work correctly.
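Questions 323, 329 and 330 all come down to how a VPC route table picks a route: longest prefix first, the local route ahead of anything else at equal length, and flows spread across equal-cost propagated paths. The following is an added example written for this page, not AWS code. It flattens the virtual private gateway's two Direct Connect paths into two route entries for illustration, uses constructed addresses, and stands in for the S3 prefix list with the documentation range 198.51.100.0/24, which is not a real S3 prefix.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not AWS code): VPC route selection in miniature.
# 1. longest prefix wins; 2. at equal length: local > static > propagated;
# 3. equal-cost propagated paths share flows by hashing the 5-tuple (ECMP).
ORIGIN_RANK = {"local": 0, "static": 1, "propagated": 2}

@dataclass(frozen=True)
class Route:
    destination: str     # CIDR (for a gateway endpoint: one entry of its prefix list)
    target: str          # "local", "vgw:dx-1", "vpce-s3-gateway", ...
    origin: str = "static"

class RouteTable:
    def __init__(self, vpc_cidr: str):
        self.routes: List[Route] = [Route(vpc_cidr, "local", "local")]

    def add(self, destination: str, target: str, origin: str = "static") -> "RouteTable":
        self.routes.append(Route(destination, target, origin))
        return self

    def lookup(self, dst_ip: str,
               flow: Optional[Tuple[str, str, int, int]] = None) -> Optional[Route]:
        ip = ipaddress.ip_address(dst_ip)
        matching = [r for r in self.routes if ip in ipaddress.ip_network(r.destination)]
        if not matching:
            return None
        def rank(r: Route):
            return (-ipaddress.ip_network(r.destination).prefixlen, ORIGIN_RANK[r.origin])
        matching.sort(key=rank)
        best = [r for r in matching if rank(r) == rank(matching[0])]
        if len(best) == 1 or flow is None:
            return best[0]
        # ECMP: a stable hash of (src, dst, sport, dport) keeps one flow on one path
        digest = hashlib.sha256(repr(flow).encode()).digest()
        return best[int.from_bytes(digest[:4], "big") % len(best)]

# Question 330: VPC 10.0.0.0/16 with the on-premises 10.0.0.0/8 propagated from the VGW.
def overlap_lookup() -> Tuple[str, str]:
    rt = RouteTable("10.0.0.0/16").add("10.0.0.0/8", "vgw-onprem", "propagated")
    inside_overlap = rt.lookup("10.0.7.7").target     # an on-premises host inside 10.0.0.0/16
    outside_overlap = rt.lookup("10.77.0.1").target   # an on-premises host elsewhere in the /8
    return inside_overlap, outside_overlap            # ("local", "vgw-onprem")

# Question 323: a gateway endpoint adds a prefix-list route for S3's ranges; the stand-in
# range 198.51.100.0/24 is constructed and is not a real S3 prefix.
def s3_via_endpoint() -> str:
    rt = (RouteTable("10.0.0.0/16")
          .add("10.0.0.0/8", "vgw-dx", "propagated")
          .add("198.51.100.0/24", "vpce-s3-gateway"))
    return rt.lookup("198.51.100.10").target          # "vpce-s3-gateway"

# Question 329: the same prefix learned over two private VIFs with equal AS path
# (modelled as two propagated entries) is balanced per flow.
def build_ecmp_table() -> RouteTable:
    return (RouteTable("10.0.0.0/16")
            .add("10.0.0.0/8", "vgw:dx-1", "propagated")
            .add("10.0.0.0/8", "vgw:dx-2", "propagated"))

def ecmp_paths_used(flows: int = 200) -> set:
    rt = build_ecmp_table()
    return {rt.lookup("10.50.1.1", ("10.0.1.10", "10.50.1.1", 40000 + i, 443)).target
            for i in range(flows)}

def ecmp_is_sticky() -> bool:
    rt = build_ecmp_table()
    flow = ("10.0.1.10", "10.50.1.1", 45000, 443)
    first = rt.lookup("10.50.1.1", flow)
    return all(rt.lookup("10.50.1.1", flow) == first for _ in range(10))

if __name__ == "__main__":
    print(overlap_lookup(), s3_via_endpoint(), ecmp_paths_used(), ecmp_is_sticky())
```

`overlap_lookup()` returns `("local", "vgw-onprem")`: the on-premises host at 10.0.7.7 is unreachable because the /16 local route beats the propagated /8, while 10.77.0.1 goes to the VGW. `ecmp_paths_used()` returns both paths over 200 distinct flows and `ecmp_is_sticky()` confirms a given flow always takes the same one, which is the property that keeps TCP sessions from being reordered across the two Direct Connect links.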

331
MCQmedium

A company is designing a network for a critical application that requires low latency and high throughput between EC2 instances in the same AWS Region. Which network design should the company use?

A.Launch the instances in a Cluster Placement Group.
B.Launch the instances in a Spread Placement Group.
C.Launch the instances as larger instance types with enhanced networking.
D.Launch the instances in different Availability Zones.
AnswerA

Cluster Placement Groups provide low-latency, high-throughput networking.

Why this answer

A Cluster Placement Group is the correct choice because it provides the lowest possible latency and highest throughput between EC2 instances by placing them in a single Availability Zone with non-blocking, high-bandwidth networking. This design is ideal for tightly coupled, high-performance computing (HPC) or latency-sensitive applications that require consistent, low-latency communication within the same AWS Region.

Exam trap

The trap here is that candidates often confuse 'enhanced networking' (Option C) as a standalone solution for low latency, overlooking that placement group optimization is required to achieve the lowest possible latency and highest throughput, even with enhanced networking enabled.

How to eliminate wrong answers

Option B is wrong because a Spread Placement Group spreads instances across distinct hardware racks or Availability Zones to maximize fault tolerance, which increases network latency and reduces throughput due to physical separation, making it unsuitable for low-latency, high-throughput requirements. Option C is wrong because while larger instance types with enhanced networking (e.g., ENA, SR-IOV) improve network performance, they do not guarantee the same low-latency, non-blocking connectivity as a Cluster Placement Group, which also leverages these features but adds the critical placement optimization. Option D is wrong because launching instances in different Availability Zones introduces cross-AZ network latency and bandwidth constraints (e.g., inter-AZ data transfer costs and higher jitter), which directly contradicts the need for low latency and high throughput.

332
Multi-Selectmedium

A company is designing a Direct Connect solution for high availability. Which of the following are best practices? (Select THREE.)

Select 3 answers
A.Use the same Direct Connect provider for both connections to simplify management.
B.Provision two Direct Connect connections at different locations.
C.Configure Bidirectional Forwarding Detection (BFD) on the virtual interfaces.
D.Use a single Direct Connect connection with multiple virtual interfaces.
E.Use separate BGP sessions for each connection with different AS numbers if needed.
AnswersB, C, E

Diverse locations provide physical redundancy.

Why this answer

Provisioning two Direct Connect connections at different locations ensures physical diversity, which is a fundamental requirement for high availability. If one data center or fiber path fails, the other connection can continue to carry traffic, preventing a single point of failure. This aligns with the AWS Well-Architected Framework's recommendation for redundant network paths. Configuring BFD on the virtual interfaces makes the BGP session drop within about a second of a path failure instead of after the 90-second default BGP hold timer, so traffic shifts to the surviving connection quickly; AWS supports BFD with a 300 ms minimum interval and a multiplier of 3, and it must be enabled on the customer router as well. Running a separate BGP session per connection keeps the failure domains independent and lets each path advertise and learn routes on its own.

Exam trap

The trap here is that candidates often confuse logical redundancy (multiple virtual interfaces on one connection) with physical redundancy (multiple connections at different locations), leading them to select Option D as a valid high-availability solution.

333
MCQmedium

Refer to the exhibit. An EC2 instance in the PrivateSubnet is unable to download patches from the internet. What is the most likely cause?

A.The private subnet is not associated with any route table.
B.The NAT gateway does not support IPv6 traffic.
C.The private subnet does not have MapPublicIpOnLaunch set to true.
D.The PrivateRoute resource references the NAT gateway before it is created.
AnswerD

The route references the NAT gateway before anything guarantees the gateway exists.

Why this answer

Option D is correct: the PrivateRoute uses a NatGatewayId for a NAT gateway defined later in the template, and nothing orders the route after the gateway, so stack creation can fail with a dependency error or leave the route unusable. Practitioner check: a Ref or Fn::GetAtt to the NAT gateway creates an implicit dependency that CloudFormation honours regardless of where the resource appears in the file, so an explicit DependsOn is needed only when the ID is supplied some other way. The DependsOn that is genuinely required, and commonly forgotten, is from the Elastic IP (and any route that targets the internet gateway) to the AWS::EC2::VPCGatewayAttachment, because no property of those resources references the attachment.

Option C is wrong because instances in the private subnet should not receive public IPs; MapPublicIpOnLaunch is irrelevant to NAT. Option B is wrong because NAT gateways do not carry IPv6 traffic, but the patch download here is IPv4 (an egress-only internet gateway would be the IPv6 path). Option A is wrong because the route table is associated with the private subnet in the exhibit.
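Since the exhibit is not reproduced here, the following is an added example written for this page (not the question's template and not AWS code): a constructed CloudFormation template in JSON with the resources the question names, and a checker that derives the creation order from Ref, Fn::GetAtt and DependsOn the way CloudFormation does, then flags the Elastic IP and NAT gateway that lack a dependency on the internet gateway attachment. Resource names such as NatGateway, PrivateRoute and Attach are assumptions.

```python
import copy
import json
from typing import Dict, List, Set

# Added example (not the question's exhibit, not AWS code): a constructed template whose
# PrivateRoute references a NAT gateway declared later, and a checker that reproduces
# the ordering CloudFormation derives from Ref / Fn::GetAtt / DependsOn.
TEMPLATE = json.loads(r"""
{
  "Resources": {
    "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "IGW": {"Type": "AWS::EC2::InternetGateway"},
    "Attach": {"Type": "AWS::EC2::VPCGatewayAttachment",
               "Properties": {"VpcId": {"Ref": "VPC"}, "InternetGatewayId": {"Ref": "IGW"}}},
    "PublicSubnet": {"Type": "AWS::EC2::Subnet",
                     "Properties": {"VpcId": {"Ref": "VPC"}, "CidrBlock": "10.0.1.0/24"}},
    "PrivateSubnet": {"Type": "AWS::EC2::Subnet",
                      "Properties": {"VpcId": {"Ref": "VPC"}, "CidrBlock": "10.0.2.0/24"}},
    "PrivateRT": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPC"}}},
    "PrivateRoute": {"Type": "AWS::EC2::Route",
                     "Properties": {"RouteTableId": {"Ref": "PrivateRT"},
                                    "DestinationCidrBlock": "0.0.0.0/0",
                                    "NatGatewayId": {"Ref": "NatGateway"}}},
    "NatEip": {"Type": "AWS::EC2::EIP", "Properties": {"Domain": "vpc"}},
    "NatGateway": {"Type": "AWS::EC2::NatGateway",
                   "Properties": {"SubnetId": {"Ref": "PublicSubnet"},
                                  "AllocationId": {"Fn::GetAtt": ["NatEip", "AllocationId"]}}}
  }
}
""")

def _refs(node, found: Set[str]) -> None:
    """Collect logical IDs referenced via Ref or Fn::GetAtt anywhere under node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            found.add(node["Ref"])
        if isinstance(node.get("Fn::GetAtt"), list):
            found.add(node["Fn::GetAtt"][0])
        for value in node.values():
            _refs(value, found)
    elif isinstance(node, list):
        for value in node:
            _refs(value, found)

def dependencies(template: dict) -> Dict[str, Set[str]]:
    """Implicit (Ref/GetAtt) plus explicit (DependsOn) edges, per logical resource."""
    resources = template["Resources"]
    deps: Dict[str, Set[str]] = {}
    for name, body in resources.items():
        found: Set[str] = set()
        _refs(body.get("Properties", {}), found)
        explicit = body.get("DependsOn", [])
        found.update([explicit] if isinstance(explicit, str) else explicit)
        deps[name] = {d for d in found if d in resources}   # drops AWS::Region and parameters
    return deps

def creation_order(deps: Dict[str, Set[str]]) -> List[str]:
    """Kahn's algorithm; a cycle raises, as CloudFormation would reject it."""
    remaining = {k: set(v) for k, v in deps.items()}
    order: List[str] = []
    while remaining:
        ready = sorted(k for k, v in remaining.items() if not v)
        if not ready:
            raise ValueError("circular dependency among: " + ", ".join(sorted(remaining)))
        order.extend(ready)
        for k in ready:
            del remaining[k]
        for v in remaining.values():
            v.difference_update(ready)
    return order

def _closure(deps: Dict[str, Set[str]], name: str) -> Set[str]:
    """Everything a resource transitively waits for."""
    seen: Set[str] = set()
    stack = list(deps[name])
    while stack:
        d = stack.pop()
        if d not in seen:
            seen.add(d)
            stack.extend(deps[d])
    return seen

def missing_igw_dependency(template: dict) -> List[str]:
    """EIPs and NAT gateways must wait for the VPCGatewayAttachment, but no property
    references it, so the edge exists only if someone wrote DependsOn."""
    resources = template["Resources"]
    deps = dependencies(template)
    attachments = {n for n, b in resources.items() if b["Type"] == "AWS::EC2::VPCGatewayAttachment"}
    needs_igw = {"AWS::EC2::EIP", "AWS::EC2::NatGateway"}
    return sorted(n for n, b in resources.items()
                  if b["Type"] in needs_igw and not _closure(deps, n) & attachments)

def fixed_template() -> dict:
    """The fix: make the Elastic IP depend on the attachment; the NAT gateway inherits the
    ordering through its Fn::GetAtt on the EIP, and the route through its Ref on the gateway."""
    t = copy.deepcopy(TEMPLATE)
    t["Resources"]["NatEip"]["DependsOn"] = "Attach"
    return t
```

`creation_order(dependencies(TEMPLATE))` already places NatGateway before PrivateRoute, because the Ref in NatGatewayId is a dependency even though the gateway is declared later in the file. `missing_igw_dependency(TEMPLATE)` returns `['NatEip', 'NatGateway']`, and returns an empty list for `fixed_template()`; that is the edge worth checking in a template review.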

334
MCQeasy

A startup wants to design a cost-effective network for a new application. They expect low traffic initially but need to handle sudden spikes. They plan to use Amazon EC2 instances behind an Application Load Balancer (ALB) in a single VPC. The application must be highly available within the region. The network engineer has proposed using two public subnets in two Availability Zones for the ALB, and two private subnets for the EC2 instances. The EC2 instances need to access the internet for updates. What is the MOST cost-effective and highly available design?

A.Use a single NAT instance in one public subnet
B.Use a NAT gateway in each public subnet (one per AZ)
C.Use a NAT instance in each public subnet (one per AZ)
D.Use a single NAT gateway in one public subnet
AnswerB

Highly available and managed.

Why this answer

Option B is correct. A NAT gateway in each AZ keeps every AZ's private subnets independent of the others (each private route table points at the NAT gateway in its own AZ), and the gateways are managed and scale automatically, which suits the expected traffic spikes. Option A is wrong because a single NAT instance in one AZ is a single point of failure and must be sized and patched by hand.

Option D is wrong because a single NAT gateway is a single point of failure: if its AZ fails, the private subnets in the other AZ lose internet access as well. Option C is wrong because although a NAT instance in each AZ is highly available, it needs instance sizing, patching and failover scripting, so it is not the most cost-effective design once operational effort is counted.

335
Multi-Selecthard

A company is migrating a legacy application to AWS. The application uses multicast for service discovery. Which THREE AWS services or features can be used to support multicast traffic within a VPC?

Select 3 answers
A.AWS Direct Connect with multicast
B.AWS Transit Gateway with multicast domain
C.VPC multicast groups using network interfaces
D.Internet Gateway (IGW)
E.VPC Peering
AnswersA, B, C

Direct Connect can extend on-premises multicast to AWS.

Why this answer

Options A, B and C are the answers the key expects. AWS Transit Gateway multicast domains are the supported way to carry multicast inside a VPC: network interfaces in the attached subnets are registered as sources and members of multicast groups, which is what Option C describes. Caveat: Transit Gateway multicast does not forward over Direct Connect, Site-to-Site VPN or peering attachments, so on-premises multicast is not extended into AWS by the Direct Connect path itself; check the current Transit Gateway multicast documentation before relying on Option A in a real design.

Option D is incorrect because an Internet Gateway does not carry multicast. Option E is incorrect because VPC peering does not support multicast.

336
MCQhard

A company has a VPC with a CIDR of 10.0.0.0/16. They have set up a VPC peering connection with another VPC (CIDR 172.16.0.0/16). The route tables are configured correctly. However, instances in the first VPC cannot communicate with instances in the peered VPC. The security groups and network ACLs are configured to allow all traffic. What is the most likely cause?

A.The DNS resolution settings for the VPC peering connection are not enabled.
B.The route tables in the VPCs are not propagated to the subnets.
C.The instances do not have ICMP traffic allowed.
D.The VPC CIDR ranges overlap.
AnswerA

When VPC peering is created, DNS resolution must be enabled to allow DNS hostnames to resolve across the peering connection.

Why this answer

Option A is correct in the key's reading: DNS resolution for the peering connection must be enabled on both sides for instances to resolve the other VPC's public DNS hostnames to private IPs; an application that connects by hostname is otherwise handed a public address that the peering does not carry. Option B is wrong because the route tables are stated to be configured correctly (peering routes are added to subnet route tables; there is no propagation step). Option D is wrong because 10.0.0.0/16 and 172.16.0.0/16 do not overlap.

Option C is wrong because ICMP is not required for TCP connectivity. Practical check: if connections by private IP fail as well, DNS is not the cause; confirm the peering is in the active state, that both VPCs' route tables send the remote CIDR to the pcx- connection, and that the NACLs allow the ephemeral return ports.

337
MCQmedium

A company is designing a VPC with multiple subnets across three Availability Zones. The application requires that all traffic between subnets within the same AZ stay within that AZ to minimize latency and data transfer costs. Which configuration achieves this?

A.Use a single route table for all subnets and add specific routes for each AZ.
B.Use an AWS Transit Gateway with separate attachments for each AZ.
C.Create a VPC peering connection between subnets in the same AZ.
D.Create a route table for each AZ and associate the subnets in that AZ with the route table. Ensure the route tables have only local routes for the VPC CIDR.
AnswerD

Traffic between endpoints in the same AZ is delivered within that AZ.

Why this answer

Option D is the expected answer: each AZ gets its own route table with that AZ's subnets associated, and the tables contain only the local route for the VPC CIDR, so traffic between subnets is delivered directly within the VPC. In practice the local route already keeps all intra-VPC traffic inside the VPC, and traffic between two interfaces in the same AZ never leaves that AZ regardless of route table layout; what drives cross-AZ transfer is where the endpoints sit, so the real work is AZ-aware placement (AZ-local targets, zonal DNS names for load balancers) rather than route tables. Option A is wrong because a single route table cannot segregate traffic by AZ, and no routes beyond the local route are needed for intra-VPC traffic anyway.

Option C is wrong because VPC peering connects different VPCs, not subnets in the same VPC. Option B is wrong because a Transit Gateway would send the traffic out of the VPC to a central hub and back, adding a hop and per-GB processing charges.

338
MCQhard

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The company wants to use a single NAT Gateway for all private subnets to reduce costs, but the NAT Gateway is in a single Availability Zone (AZ). The network architect is concerned about single points of failure. Which design best addresses high availability while still using the minimum number of NAT Gateways?

A.Deploy a single NAT Gateway in one AZ and use a VPN to an on-premises internet gateway as backup.
B.Deploy one NAT Gateway in each AZ that contains private subnets, and update the route tables accordingly.
C.Use a NAT instance in an Auto Scaling group across multiple AZs instead of a NAT Gateway.
D.Create a second VPC with a NAT Gateway and peer the VPCs to share the NAT Gateway.
AnswerB

This ensures each AZ is independent; if one NAT Gateway fails, only that AZ loses internet access.

Why this answer

Using one NAT Gateway per AZ that has private subnets provides high availability. The minimum is 2 if there are at least 2 AZs with private subnets. Option A is incorrect because a single NAT Gateway is a single point of failure.

Option C is incorrect because NAT instances are less reliable and require management. Option D is incorrect because multiple VPCs add complexity and cost.

339
Multi-Selectmedium

A company is designing a VPC with public and private subnets. The private subnets must have outbound internet access for software updates, but must not be directly reachable from the internet. Which two components are required for this design? (Choose two.)

Select 2 answers
A.NAT Gateway in a public subnet
B.Security Group allowing outbound HTTPS
C.Internet Gateway attached to the VPC
D.AWS Site-to-Site VPN connection
E.Route table for private subnets with 0.0.0.0/0 pointing to the NAT Gateway
AnswersA, E

NAT Gateway enables outbound internet access for private instances.

Why this answer

Options A and E are correct. A NAT Gateway in a public subnet allows instances in private subnets to initiate outbound traffic to the internet, while the private subnets' route table sends 0.0.0.0/0 traffic to the NAT Gateway. Option C is wrong because an Internet Gateway alone does not provide outbound-only access; instances would need public IPs.

Option B is wrong because Security Groups are firewalls, not a means of internet access. Option D is wrong because a VPN connection is for private connectivity, not internet access.

340
MCQmedium

An application running on EC2 instances in a VPC needs to access an Amazon S3 bucket to read configuration files. The VPC has an S3 VPC endpoint configured. The instances are in a private subnet and have a security group that allows all outbound traffic. The bucket policy allows access from the VPC endpoint. However, the application fails to access the S3 bucket. What is the most likely cause?

A.The network ACL for the private subnet is blocking outbound HTTPS traffic.
B.The VPC endpoint's route table does not include the subnet's route table, so traffic to S3 is not routed through the endpoint.
C.The security group for the EC2 instances has an outbound rule that blocks HTTPS traffic to S3.
D.The S3 bucket policy does not grant access to the VPC endpoint's ID.
AnswerB

VPC endpoints require route table association to route traffic.

Why this answer

Option B is correct. The VPC endpoint must be associated with the route table that the subnet uses. If it is not, traffic from the subnet to S3 will not use the endpoint.

Option C is incorrect because the security group already allows all outbound traffic. Option D is incorrect because the bucket policy already allows access from the endpoint. Option A is incorrect because no NACL restriction is mentioned, and if the NACL blocked outbound HTTPS it would block all such traffic, not only traffic to S3.

341
MCQmedium

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to download patches from the internet. Which configuration will allow this without exposing the instance to inbound internet traffic?

A.Use VPC Gateway Endpoints for S3 and DynamoDB.
B.Attach an Internet Gateway to the VPC and assign a public IP to the instance.
C.Deploy a NAT Gateway in a public subnet and update the private subnet's route table to point default route to the NAT Gateway.
D.Configure a VPN connection from the VPC to an on-premises network that has internet access.
AnswerC

NAT Gateway provides outbound internet access without inbound access.

Why this answer

Option C is correct. A NAT Gateway in a public subnet allows outbound internet traffic from private instances while preventing inbound traffic from the internet. Option B is wrong because an Internet Gateway alone does not provide outbound-only access; it would require a public IP and could allow inbound traffic.

Option D is wrong because a VPN does not provide internet access. Option A is wrong because VPC endpoints are for AWS services, not general internet access.

342
MCQhard

A global company is deploying a multi-Region application on AWS. The application requires low-latency access to a shared dataset that is updated frequently in multiple Regions. The company wants to use Amazon Route 53 latency-based routing to direct users to the closest Region. Which data store provides the best combination of low-latency reads and cross-Region consistency for this use case?

A.Amazon S3 with cross-Region replication
B.Amazon Aurora Global Database
C.Amazon ElastiCache for Redis Global Datastore
D.Amazon DynamoDB global tables with eventually consistent reads
AnswerC

Redis Global Datastore provides sub-millisecond reads and cross-Region replication.

Why this answer

Option C is correct because Amazon ElastiCache for Redis offers sub-millisecond latency and can be used as a global datastore with cross-Region replication using Global Datastore. Option D is incorrect because DynamoDB global tables offer eventual consistency, and strongly consistent reads come with higher latency. Option A is incorrect because S3 is object storage and is not suitable for a frequently updated shared dataset that requires sub-millisecond latency.

Option B is incorrect because Aurora Global Database provides low-latency reads but with a replication lag of typically about 1 second, not sub-millisecond.

343
MCQhard

A large e-commerce company is redesigning its global network architecture. They have three VPCs in us-east-1: production (10.0.0.0/16), staging (10.1.0.0/16), and development (10.2.0.0/16). They also have two VPCs in eu-west-1: production (10.10.0.0/16) and staging (10.11.0.0/16). All VPCs are connected via a Transit Gateway with inter-region peering. The company wants to allow the staging VPCs in both regions to communicate with each other for data replication, but no other cross-region traffic should be allowed. Additionally, the production VPC in us-east-1 must be able to send traffic to the production VPC in eu-west-1 for a disaster recovery pilot. The security team has configured Network ACLs and security groups appropriately. However, after implementation, the staging VPCs can communicate, but the production VPCs cannot. A network engineer checks the Transit Gateway route tables and finds that both production VPC attachments are associated with the same route table, which has a static route for the 10.0.0.0/16 and 10.10.0.0/16 prefixes. What is the MOST likely reason for the failure?

A.The security groups in the production VPCs are blocking the traffic
B.The production VPCs are attached to the same Transit Gateway route table, causing asymmetric routing
C.The production VPCs have overlapping CIDR ranges, causing a routing conflict
D.The Transit Gateway route table for the production VPCs does not have a route for the remote production CIDR
AnswerB

If both production VPCs are in the same route table, the route for the remote production CIDR might be incorrectly propagated or cause a loop. They should be in separate route tables to control routing direction.

Why this answer

Transit Gateway route tables propagate routes from VPC attachments. With both production VPC attachments associated with the same route table, the routes for both production CIDRs are propagated into it, and a propagated route for the local VPC can override the static route or conflict with it.

The likely failure is therefore that the static routes are being ignored because a more specific or conflicting propagated route exists, or that the static route for the remote production CIDR points at the local VPC attachment itself, creating a loop. Transit Gateway route tables also do not allow overlapping CIDRs, but 10.0.0.0/16 and 10.10.0.0/16 do not overlap, so Option C is not the cause. The best answer is that the production VPC attachments need to be in separate route tables so that routing direction can be controlled and conflicting routes avoided.

344
MCQmedium

A company is designing a multi-Region application with an Application Load Balancer (ALB) in each Region fronting an Auto Scaling group of EC2 instances. The application must be accessible via a single DNS name, and traffic should be routed to the closest healthy Region using a latency-based routing policy. Which AWS service should be used as the DNS endpoint to achieve this?

A.Amazon Route 53
B.Amazon CloudFront
C.AWS Global Accelerator
D.AWS Network Load Balancer
AnswerA

Route 53 latency-based routing sends traffic to the AWS endpoint with the lowest latency.

Why this answer

Amazon Route 53 with latency-based routing directs traffic to the Region with the lowest latency. The ALB in each Region is registered as a latency alias record. Option C is incorrect because Global Accelerator uses Anycast IPs and does not use latency-based routing via DNS.

Option B is incorrect because CloudFront uses edge locations and does not route based on latency to origins in the same way. Option D is incorrect because a Network Load Balancer does not provide DNS-level routing policies.

345
MCQmedium

A company is setting up a new AWS environment for a project. The network architect decides to use a hub-and-spoke model with a central inspection VPC for east-west traffic inspection. The inspection VPC (VPC-Hub) contains a firewall appliance that inspects traffic between spoke VPCs. All VPCs are attached to an AWS Transit Gateway. The architect creates a route table in the Transit Gateway for the inspection VPC and another route table for the spoke VPCs. The inspection VPC route table has a default route (0.0.0.0/0) pointing to the firewall appliance. The spoke VPCs have route tables that point to the inspection VPC for traffic to other spoke VPCs. The firewall appliance is configured to forward traffic after inspection. However, traffic between spoke VPCs is not being routed through the inspection VPC. Which configuration change should the architect make to ensure traffic between spoke VPCs is inspected?

A.Use VPC Peering between the spoke VPCs instead of Transit Gateway
B.Create a static route in the inspection VPC route table for each spoke VPC CIDR
C.Remove the default route from the spoke VPC route tables
D.Enable route propagation on the inspection VPC attachment for the inspection route table
AnswerD

Correct; propagation allows the inspection VPC to learn the spoke CIDRs.

Why this answer

Option D is correct because the inspection VPC route table needs to learn the spoke VPC CIDRs dynamically via route propagation from the Transit Gateway attachment. Without propagation, the inspection VPC route table only has a default route pointing to the firewall appliance, but no specific routes for the spoke VPCs. When the firewall appliance forwards traffic after inspection, it needs to know how to reach the destination spoke VPC; enabling route propagation on the inspection VPC attachment for the inspection route table allows the Transit Gateway to inject the spoke VPC routes into that route table, enabling proper return traffic flow.

Exam trap

The trap here is that candidates often focus on the spoke VPC route tables (thinking they need to remove the default route or add static routes) instead of recognizing that the inspection VPC route table must have routes to the spoke VPCs via route propagation to allow the firewall to forward inspected traffic back to the Transit Gateway.

How to eliminate wrong answers

Option A is wrong because using VPC Peering instead of Transit Gateway would bypass the central inspection VPC entirely, defeating the purpose of the hub-and-spoke model for east-west traffic inspection. Option B is wrong because creating a static route in the inspection VPC route table for each spoke VPC CIDR is unnecessary and less scalable; the Transit Gateway can dynamically propagate routes, and static routes would require manual updates as spoke VPCs change. Option C is wrong because removing the default route from the spoke VPC route tables would break all outbound traffic from the spoke VPCs, not just inter-spoke traffic; the default route is needed for internet-bound traffic or other destinations, and the issue is about the inspection VPC route table lacking spoke routes, not the spoke route tables.

346
MCQhard

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. They need to connect their on-premises data center to AWS using AWS Direct Connect. The data center uses RFC 1918 addresses from the 10.0.0.0/8 range, overlapping with the VPC CIDR. The company cannot change the on-premises IP addresses. Which design allows connectivity without IP conflicts?

A.Configure Direct Connect Gateway with network address translation
B.Use AWS Transit Gateway with route table separation
C.Deploy a Private NAT Gateway in the VPC and configure routes to send on-premises traffic through it
D.Set up VPC Peering between the VPC and on-premises network over Direct Connect
AnswerC

Private NAT Gateway translates VPC IPs to a different range, allowing communication with overlapping on-premises addresses.

Why this answer

Option C is correct because a Private NAT Gateway can translate overlapping VPC IPs to a different CIDR for communication with on-premises. Option D is wrong because VPC Peering does not support overlapping CIDRs. Option B is wrong because Transit Gateway also cannot handle overlapping CIDRs without NAT.

Option A is wrong because a Direct Connect Gateway alone does not resolve overlapping IPs.

347
Multi-Selectmedium

A company is designing a hybrid network using AWS Direct Connect. The company wants to use the same Direct Connect connection to access both VPC resources and public AWS services (such as S3 and DynamoDB) from its on-premises network. Which THREE components are required to meet this goal? (Choose three.)

Select 3 answers
A.AWS Transit Gateway
B.Private virtual interface (VIF)
C.Direct Connect Gateway
D.AWS Site-to-Site VPN connection
E.Public virtual interface (VIF)
AnswersB, C, E

Correct; private VIF connects to VPCs.

Why this answer

Option B is correct because a private virtual interface (VIF) is required to connect your on-premises network to a VPC via Direct Connect. However, to also access public AWS services like S3 and DynamoDB over the same Direct Connect connection, you need a public VIF (Option E) for public endpoint connectivity and a Direct Connect Gateway (Option C) to enable transitive routing between the private VIF and multiple VPCs or to simplify the architecture. Together, these three components allow a single Direct Connect connection to serve both private VPC resources and public AWS services.

Exam trap

The trap here is that candidates often think a Transit Gateway is required for multi-VPC or hybrid access, but for a single Direct Connect connection to access both VPCs and public services, the essential components are the private VIF, public VIF, and Direct Connect Gateway, not the Transit Gateway.

348
MCQhard

A company is designing a network for a critical application that requires low latency between EC2 instances. The instances are in the same AWS Region but different Availability Zones. Which configuration will provide the lowest latency?

A.Use an Application Load Balancer to distribute traffic
B.Launch instances in the same placement group within a single Availability Zone
C.Use Direct Connect to connect the VPCs
D.Use VPC peering to connect the VPCs
AnswerB

Placement groups provide low latency by placing instances close together.

Why this answer

Option B is correct because placing EC2 instances within the same placement group in a single Availability Zone ensures they are in close physical proximity, often on the same rack or within the same cluster, which minimizes network hops and achieves the lowest possible latency (typically under 1 ms). This configuration is specifically designed for low-latency, high-throughput workloads like HPC or real-time data processing.

Exam trap

The trap here is that candidates often assume inter-AZ latency is negligible or that services like ALB or VPC peering are designed for low-latency scenarios, but the question specifically asks for the lowest latency, which requires physical co-location within a single AZ using a placement group.

How to eliminate wrong answers

Option A is wrong because an Application Load Balancer operates at Layer 7 and introduces additional network hops and processing overhead, which increases latency compared to direct instance-to-instance communication. Option C is wrong because Direct Connect is a dedicated network connection between on-premises and AWS, not between VPCs or instances within the same Region, and it does not reduce inter-AZ latency. Option D is wrong because VPC peering connects VPCs across different networks and does not optimize physical proximity; instances in different VPCs still communicate over the AWS backbone, which has higher latency than instances in the same placement group.

349
Matchingmedium

Match each AWS networking feature to its use case for hybrid connectivity.

Central hub connecting multiple VPCs and on-premises networks

Connect multiple VPCs across regions to a single Direct Connect

Hub-and-spoke VPN topology between multiple on-premises sites

Managed OpenVPN-based service for remote users

Private access to S3 and DynamoDB without internet gateway

Why these pairings

These services enable hybrid network architectures.

350
MCQhard

A company has a VPC with multiple subnets. They want to ensure that all outbound traffic from EC2 instances in the VPC goes through a centralized NAT device for inspection. They have deployed a NAT instance in a public subnet and configured the route tables for private subnets to point to the NAT instance. However, traffic is not being routed through the NAT instance. What is the most likely cause?

A.The source/destination check is enabled on the NAT instance.
B.The NAT instance does not have a public IP address.
C.The route table for the private subnets does not have a default route (0.0.0.0/0) pointing to the NAT instance.
D.The security group of the NAT instance blocks outbound traffic.
AnswerA

By default, EC2 instances check that the source or destination of traffic matches their own IP. This must be disabled for NAT instances.

Why this answer

Option A is correct because the NAT instance must have the source/destination check disabled to forward traffic on behalf of other instances. Option C is wrong because the route table is already configured. Option B is wrong because the NAT instance itself can have its own route table for internet access.

Option D is wrong because security groups can allow traffic; the issue is routing.

351
Multi-Selectmedium

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. They need to add IPv6 support for their internet-facing Application Load Balancer. The VPC is already associated with an IPv6 CIDR block. What additional configuration is required? (Choose two.)

Select 2 answers
A.Configure NAT64 and DNS64 on the VPC.
B.Add a route in the subnet's route table for ::/0 to the Internet Gateway.
C.Associate an IPv6 CIDR block with the public subnet where the ALB is deployed.
D.Assign an IPv6 address to the ALB's network interface.
E.Create an Egress-Only Internet Gateway for the VPC.
AnswersB, C

IPv6 traffic needs a route to the internet gateway.

Why this answer

Options B and C are correct. For an internet-facing ALB to serve IPv6 clients, the subnet must have an IPv6 CIDR and the route table must have a route for ::/0 to the internet gateway. Option D is wrong because the ALB itself does not require a manually assigned IPv6 address; it uses the subnet's IPv6 CIDR.

Option E is wrong because an Egress-Only Internet Gateway is for outbound-only IPv6 traffic from private subnets. Option A is wrong because NAT64/DNS64 is not needed; the ALB handles IPv6 natively.

352
MCQhard

A global company is designing a multi-region architecture with VPCs in us-east-1, eu-west-1, and ap-southeast-1. They are using AWS Transit Gateway with inter-region peering between all three regions. The company also has on-premises data centers in the US and Europe connected via Direct Connect to the Transit Gateways in us-east-1 and eu-west-1 respectively. The on-premises networks use BGP to advertise their CIDRs (10.0.0.0/8 for US, 172.16.0.0/12 for Europe). The Transit Gateway route tables are configured to propagate routes from all attachments. The company needs all VPCs and on-premises networks to be able to communicate with each other. After configuration, the VPC in ap-southeast-1 can communicate with the VPCs in us-east-1 and eu-west-1, but cannot communicate with either on-premises network. The VPCs in us-east-1 and eu-west-1 can communicate with all on-premises networks. What is the MOST likely cause of this issue?

A.The VPC in ap-southeast-1 has a security group that blocks traffic from on-premises IP ranges
B.The inter-region peering attachments in ap-southeast-1 do not have route propagation enabled
C.The on-premises networks are not advertising their CIDRs to the ap-southeast-1 region
D.The Direct Connect gateways are not attached to the Transit Gateways in us-east-1 and eu-west-1
AnswerB

Without propagation, the ap-southeast-1 Transit Gateway does not learn the on-premises CIDRs from the other regions.

Why this answer

The on-premises CIDRs are advertised via Direct Connect into the Transit Gateways in us-east-1 and eu-west-1. Those Transit Gateways propagate the routes to the inter-region peering attachments. However, the Transit Gateway in ap-southeast-1 needs to have routes for the on-premises CIDRs pointing to the inter-region peering attachments.

This is typically done by enabling route propagation from the inter-region peering attachment. If the route propagation is not enabled, the routes will not be added automatically. The engineer likely assumed propagation works automatically, but it must be explicitly enabled for each attachment.

Since the VPCs in us-east-1 and eu-west-1 can reach on-premises, the local Direct Connect routes are fine. The issue is that the ap-southeast-1 Transit Gateway route table does not have routes for the on-premises CIDRs via the peering attachments.

353
MCQmedium

A network administrator is troubleshooting connectivity to a web server in a subnet with network ACL 'acl-12345678'. The web server listens on port 443. The administrator finds that traffic from IP 10.0.1.5 is being denied. Why is the traffic being denied?

A.The subnet is not associated with this network ACL.
B.The security group attached to the web server is blocking the traffic.
C.The network ACL rule 100 denies traffic from 10.0.0.0/8, which includes the IP 10.0.1.5.
D.The network ACL rule 100 allows traffic from 0.0.0.0/0, but rule 200 denies traffic from 10.0.0.0/8, and rule 200 is evaluated first.
AnswerC

Rule 100 matches and denies.

Why this answer

Option C is correct because network ACLs are stateless and evaluated in ascending order by rule number. Rule 100 denies traffic from 10.0.0.0/8, which includes the source IP 10.0.1.5, so any traffic from that IP is denied regardless of later allow rules. Since network ACLs do not track connection state, the deny is applied immediately upon matching rule 100.

Exam trap

The trap here is that candidates often confuse the evaluation order of network ACL rules (ascending by rule number) with the order of security group rules (all evaluated until a match), or mistakenly think that a higher-numbered allow rule overrides a lower-numbered deny rule.

How to eliminate wrong answers

Option A is wrong because if the subnet were not associated with the network ACL, the default network ACL (which allows all traffic) would apply, and traffic would not be denied. Option B is wrong because security groups are stateful and operate at the instance level, not the subnet level; the question specifies the network ACL is the cause, and security groups would not deny traffic from a specific IP unless explicitly configured, but the scenario points to the ACL. Option D is wrong because network ACL rules are evaluated in numerical order from lowest to highest; rule 100 is evaluated before rule 200, so if rule 100 denies the traffic, rule 200 is never reached.

354
MCQhard

A company is running a latency-sensitive application in a VPC with a public subnet and a private subnet. The application in the private subnet needs to access an Amazon S3 bucket in the same region. The company wants to minimize latency and avoid using a NAT gateway. Which solution meets these requirements?

A.Use S3 Transfer Acceleration and access the bucket via the public endpoint
B.Create a VPC Gateway Endpoint for Amazon S3 and update the route table for the private subnet
C.Attach an Internet Gateway to the VPC and route the private subnet traffic through a NAT instance
D.Set up a NAT gateway in the public subnet and route traffic to the S3 bucket through it
AnswerB

A Gateway Endpoint provides private connectivity to S3 without leaving the AWS network, minimizing latency and avoiding NAT gateway costs.

Why this answer

A VPC Gateway Endpoint for Amazon S3 allows instances in a private subnet to access S3 without traversing the internet or requiring a NAT gateway. This minimizes latency by routing traffic over the AWS internal network, and it avoids the cost and complexity of NAT devices. The route table for the private subnet must be updated with a route pointing to the gateway endpoint for the S3 prefix list.

Exam trap

The trap here is that candidates often assume S3 Transfer Acceleration is always faster, but it is designed for cross-region or long-distance transfers and actually adds latency for same-region traffic due to additional routing and edge location processing.

How to eliminate wrong answers

Option A is wrong because S3 Transfer Acceleration is designed for long-distance transfers over the public internet and does not reduce latency for same-region access; it actually adds overhead. Option C is wrong because routing private subnet traffic through a NAT instance still forces traffic over the internet, increasing latency and requiring a public IP, which contradicts the requirement to avoid a NAT gateway. Option D is wrong because a NAT gateway introduces additional hop latency and cost, and is unnecessary when a VPC Gateway Endpoint provides direct, private connectivity to S3 within the same region.

355
MCQmedium

A company has a VPC with a public subnet for a web server and a private subnet for a database. The web server needs to make API calls to Amazon S3. Which is the most secure way to provide this access without traffic leaving the AWS network?

A.Use an AWS Site-to-Site VPN to connect to a remote network that has access to S3.
B.Create a VPC gateway endpoint for Amazon S3 and attach it to the route table of the private subnet.
C.Set up a NAT gateway in the public subnet and route the web server's traffic through it.
D.Use an internet gateway and a public IP address on the web server.
AnswerB

Gateway endpoint provides private, secure access to S3.

Why this answer

Option B is correct because a VPC gateway endpoint for S3 allows private connectivity to S3 without traversing the internet. Option C is incorrect because a NAT gateway would route traffic over the internet. Option D is incorrect because internet access through an IGW is less secure.

Option A is incorrect because a VPN connection is not needed.

356
MCQeasy

A company wants to improve the performance and availability of its application that is deployed on EC2 instances in a single Availability Zone. Which architecture should the company implement?

A.Add more subnets in the same Availability Zone
B.Deploy EC2 instances in multiple Availability Zones
C.Use larger EC2 instances
D.Use Auto Scaling in the same Availability Zone
AnswerB

Multi-AZ deployment provides high availability.

Why this answer

Deploying instances across multiple Availability Zones improves availability, so Option B is correct. Option C (larger instances) does not improve availability.

Option D (Auto Scaling in one AZ) still has a single point of failure. Option A (more subnets in one AZ) does not help.

357
MCQmedium

A company is designing a VPC with subnets in multiple Availability Zones (AZs) for a web application. The application must be fault-tolerant and highly available. Which design should the network engineer implement?

A.Deploy all application instances in a single AZ behind an Application Load Balancer.
B.Place one instance in each of two AZs and use an internet gateway for load balancing.
C.Deploy application instances in two AZs behind an Application Load Balancer that spans both AZs.
D.Use a Network Load Balancer in a single AZ with instances in multiple AZs.
AnswerC

This provides fault tolerance and high availability across AZs.

Why this answer

Option C is correct because deploying application instances in two Availability Zones (AZs) behind an Application Load Balancer (ALB) that spans both AZs provides fault tolerance and high availability. If one AZ fails, the ALB automatically routes traffic to healthy instances in the remaining AZ, ensuring continuous service. This design leverages cross-zone load balancing, which is enabled by default for ALBs, to distribute traffic evenly across instances in multiple AZs.

Exam trap

The trap here is that candidates often assume a single load balancer in one AZ is sufficient if instances are in multiple AZs, but they overlook that the load balancer itself must be deployed across multiple AZs to avoid being a single point of failure.

How to eliminate wrong answers

Option A is wrong because deploying all application instances in a single AZ creates a single point of failure; if that AZ experiences an outage, the entire application becomes unavailable, violating fault-tolerance requirements. Option B is wrong because an internet gateway is a VPC component for internet connectivity, not a load balancer; it cannot perform health checks or distribute traffic across instances, so it provides no load balancing or high availability. Option D is wrong because a Network Load Balancer (NLB) in a single AZ cannot route traffic to instances in other AZs unless cross-zone load balancing is explicitly enabled, and even then, the NLB itself is a single point of failure if that AZ fails; the design does not meet high availability standards.

358
MCQmedium

An e-commerce company runs a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. During a flash sale, the application experiences high latency. The network team notices that the ALB is receiving more traffic than expected. What is the most likely cause?

A.The ALB is configured to terminate HTTPS, which increases CPU load on the ALB.
B.The Auto Scaling group's scaling policies are too aggressive, causing frequent instance launches.
C.The ALB health checks are too frequent, consuming resources.
D.The ALB is not protected by AWS WAF, allowing a DDoS attack or excessive traffic to reach the backend.
AnswerD

Without WAF, the ALB can be targeted by attacks that consume its capacity.

Why this answer

Option D is correct because the sudden spike in traffic reaching the ALB beyond expected levels, combined with high latency, strongly indicates that the ALB is being overwhelmed by malicious or excessive traffic. Without AWS WAF protection, the ALB cannot filter out DDoS attacks or unwanted requests at Layer 7, so all traffic passes through to the backend instances, causing resource exhaustion and latency. AWS WAF integrates directly with ALBs to inspect and block malicious traffic before it reaches the application.

Exam trap

The trap here is that candidates may assume high latency is always caused by backend scaling issues (Option B) or health check overhead (Option C), but the key clue is 'ALB is receiving more traffic than expected,' which points directly to an external traffic source, not internal configuration problems.

How to eliminate wrong answers

Option A is wrong because HTTPS termination at the ALB does increase CPU usage on the ALB node, but this is a normal, expected operation and would not cause the ALB to receive 'more traffic than expected' — it only processes the traffic it receives. Option B is wrong because aggressive Auto Scaling policies cause more frequent instance launches, which could temporarily increase load on the ALB during scale-up events, but this does not explain why the ALB itself is receiving more traffic than expected; scaling policies respond to traffic, they don't generate it. Option C is wrong because ALB health checks are lightweight HTTP/HTTPS requests sent to the target group instances, not to the ALB itself, and they consume negligible resources on the ALB; they do not increase the traffic volume reaching the ALB.

359
MCQ · medium

A company is deploying a critical application on AWS and needs to ensure that traffic between two VPCs in the same region is encrypted in transit. The VPCs are connected via a VPC peering connection. What should the network engineer do to meet the encryption requirement?

A.No additional configuration is needed; VPC peering traffic is automatically encrypted.
B.Create a VPN connection between the two VPCs using the VPC peering connection.
C.Use AWS Transit Gateway with VPN attachments between the VPCs.
D.Configure IPsec on the EC2 instances to encrypt traffic over the VPC peering connection.
Answer: A

AWS encrypts inter-region VPC peering traffic automatically.

Why this answer

VPC peering traffic within the same region is automatically encrypted at the physical layer using AWS's infrastructure, and no additional configuration is required. AWS uses a transit encryption mechanism that encrypts all traffic between VPC peering connections at the network layer, ensuring data confidentiality in transit without the need for VPN or IPsec configurations.

Exam trap

The trap here is that candidates often assume VPC peering traffic is unencrypted by default and reach for VPN or IPsec solutions, but AWS automatically encrypts all traffic within the same region over VPC peering connections.

How to eliminate wrong answers

Option B is wrong because a VPN connection cannot be established over a VPC peering connection; VPN connections require a virtual private gateway or transit gateway and are not supported on peering connections. Option C is wrong because AWS Transit Gateway with VPN attachments is an alternative connectivity method, but it is unnecessary and more complex when a VPC peering connection already exists and automatically encrypts traffic in the same region. Option D is wrong because configuring IPsec on EC2 instances would add unnecessary overhead and complexity, as VPC peering traffic is already encrypted by AWS, and IPsec is not required.

360
Multi-Select · medium

Which TWO of the following are valid methods to connect a VPC to an on-premises network? (Choose 2.)

Select 2 answers
A.AWS Site-to-Site VPN
B.Internet gateway
C.NAT gateway
D.VPC peering
E.AWS Direct Connect
Answers: A, E

Valid method.

Why this answer

AWS Site-to-Site VPN creates an encrypted tunnel between a VPC and an on-premises network using IPsec. It uses a virtual private gateway or transit gateway on the AWS side and a customer gateway device on-premises, enabling secure communication over the public internet.

Exam trap

The trap here is that candidates often confuse internet-facing connectivity options (internet gateway, NAT gateway) with hybrid connectivity methods, or mistakenly think VPC peering can extend to on-premises networks, when it is strictly limited to inter-VPC communication within AWS.

361
MCQ · medium

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to add a second CIDR block of 10.1.0.0/16 for additional subnets. After adding the CIDR, the existing subnets cannot communicate with the new subnets. What is the most likely cause?

A.Security groups are blocking traffic between the old and new subnets.
B.The VPC CIDR cannot be extended; a new VPC must be created.
C.Route tables for the existing subnets do not have routes to the new CIDR.
D.Network ACLs are blocking traffic by default.
Answer: C

Route tables must include routes for the new CIDR to enable communication.

Why this answer

Option C is correct because the route tables of the existing subnets must be updated to include routes for the new CIDR block. Option A is wrong because security groups are not the cause of connectivity issues between subnets. Option B is wrong because adding a secondary CIDR block does not require a new VPC.

Option D is wrong because network ACLs are not the cause unless they have been configured to block the traffic.

362
MCQ · easy

A company has a VPC with a CIDR block of 192.168.0.0/16. They have two subnets: Subnet A (192.168.1.0/24) and Subnet B (192.168.2.0/24). They launch an EC2 instance in Subnet A and another EC2 instance in Subnet B. They want to ensure that both instances can communicate with each other. The instances are in the same VPC. What is the simplest way to enable communication between these instances?

A.Create a VPC Peering connection between Subnet A and Subnet B
B.No additional configuration is needed; instances in the same VPC can communicate by default
C.Create a NAT Gateway in each subnet
D.Attach an internet gateway to the VPC
Answer: B

Default VPC routing allows communication between subnets.

Why this answer

By default, all instances within the same VPC can communicate with each other using private IP addresses, regardless of which subnet they reside in. The VPC's implicit router enables this layer-3 connectivity as long as the subnets' route tables do not explicitly block traffic and the instances' security groups or network ACLs permit the traffic. Since both subnets are within the same VPC (192.168.0.0/16), no additional configuration is required for basic IP-level communication.

Exam trap

The trap here is that candidates may overthink the scenario and assume that different subnets require explicit routing or peering, when in fact the VPC's implicit local route already handles all intra-VPC traffic by default.

How to eliminate wrong answers

Option A is wrong because VPC peering connects entire VPCs, not subnets, and is unnecessary when instances are already in the same VPC. Option C is wrong because a NAT Gateway is used to enable outbound internet access for instances in private subnets, not to enable communication between instances within the same VPC. Option D is wrong because an internet gateway provides internet connectivity, not internal VPC communication, and attaching it does not affect intra-VPC routing.

363
MCQ · easy

A solutions architect is designing a VPC with public and private subnets in two Availability Zones. The private subnets require outbound internet access for software updates, but inbound internet access must be blocked. Which solution meets these requirements?

A.Attach an internet gateway to the VPC and add a default route to the internet gateway in the private subnet route tables.
B.Deploy a NAT Gateway in a public subnet and add a default route to the NAT Gateway in the private subnet route tables.
C.Launch an EC2 instance in a public subnet with a proxy software and route private subnet traffic through it.
D.Create a VPC endpoint for Amazon S3 and add a route to the endpoint in the private subnet route tables.
Answer: B

NAT Gateway provides outbound-only internet access.

Why this answer

Option B is correct because a NAT Gateway, deployed in a public subnet with an Elastic IP and a route to an Internet Gateway, enables outbound traffic from private subnets to the internet while blocking unsolicited inbound connections. The private subnet route table directs default traffic (0.0.0.0/0) to the NAT Gateway, which performs source network address translation (SNAT) on outbound packets, ensuring responses return to the NAT Gateway without exposing private instances directly.

Exam trap

The trap here is that candidates may confuse a NAT Gateway with an Internet Gateway, thinking that a default route to an Internet Gateway in a private subnet is acceptable, but an Internet Gateway allows bidirectional traffic, which would expose private instances to inbound internet connections.

How to eliminate wrong answers

Option A is wrong because adding a default route to an internet gateway in a private subnet route table would make the private subnet effectively public, allowing inbound internet traffic to reach instances directly, violating the requirement to block inbound access. Option C is wrong because while an EC2 instance with proxy software could provide outbound access, it introduces a single point of failure, requires ongoing management (patching, scaling), and is less reliable and cost-effective than a managed NAT Gateway, which is the recommended AWS solution. Option D is wrong because a VPC endpoint for Amazon S3 only provides private connectivity to S3, not general outbound internet access for software updates from arbitrary sources on the internet.

364
MCQ · easy

A company has a VPC with CIDR 10.0.0.0/16 and needs to connect to an on-premises network with CIDR 10.0.0.0/8. They plan to use AWS Direct Connect with a private virtual interface. What should they do to resolve the overlapping CIDR conflict?

A.Create a VPN connection with dynamic routing and use BGP to advertise the VPC CIDR.
B.Create a VPC peering connection between the VPC and the on-premises network.
C.Change the VPC CIDR to a non-overlapping range, such as 172.16.0.0/16, and re-create the VPC with the new CIDR.
D.Use a NAT Gateway in the VPC to translate the on-premises IP addresses.
Answer: C

The only solution is to use non-overlapping IP address ranges.

Why this answer

Option C is correct because AWS does not support network address translation (NAT) for overlapping CIDRs on a Direct Connect private virtual interface. The only way to resolve the conflict is to change the VPC CIDR to a non-overlapping range (e.g., 172.16.0.0/16) and recreate the VPC, as the VPC CIDR cannot be modified after creation. This ensures that routes between the VPC and on-premises network do not conflict.

Exam trap

The trap here is that candidates assume NAT or VPN can magically resolve overlapping IP ranges, but AWS Direct Connect private VIFs require non-overlapping CIDRs for proper routing, and no AWS service (including NAT Gateway or VPN) can translate on-premises IPs in this context.

How to eliminate wrong answers

Option A is wrong because a VPN connection with dynamic routing does not resolve overlapping CIDRs; BGP would still advertise the conflicting 10.0.0.0/16 into the on-premises network, causing routing loops or blackholing. Option B is wrong because VPC peering does not support overlapping CIDRs and cannot connect a VPC to an on-premises network; it only connects VPCs within AWS. Option D is wrong because a NAT Gateway translates traffic from private instances to the internet, not from the VPC to on-premises; it cannot translate on-premises IP addresses and does not resolve overlapping CIDR conflicts in a Direct Connect private VIF.

365
Multi-Select · hard

A company wants to use AWS Transit Gateway to connect multiple VPCs and on-premises networks. They need to centrally manage and enforce security policies. Which THREE components are required?

Select 3 answers
A.Transit Gateway route tables
B.VPC Gateway Endpoints
C.AWS Resource Access Manager (RAM)
D.AWS Direct Connect Gateway
E.AWS Network Firewall
Answers: A, C, E

Route tables control how traffic is routed between attachments.

Why this answer

Options A, C, and E are correct. Transit Gateway route tables control traffic flow between attachments. AWS Network Firewall provides centralized inspection and policy enforcement.

Resource shares via AWS RAM allow the Transit Gateway to be shared across accounts. Option B is wrong because VPC endpoints are not needed for Transit Gateway connectivity. Option D is wrong because a Direct Connect gateway is optional for on-premises connectivity and is not required for security policy enforcement.

366
MCQ · easy

A company has a VPC with public and private subnets. The private subnets need outbound internet access for software updates. Which design will meet this requirement most securely?

A.Deploy a NAT Gateway in a public subnet and add a route to it from the private subnets.
B.Add a default route to the IGW from the private subnet route table.
C.Place the instances in a public subnet with a route to an Internet Gateway (IGW).
D.Deploy a NAT instance in a private subnet and configure routes to it.
Answer: A

NAT Gateway allows outbound traffic from private subnets while blocking inbound traffic.

Why this answer

A NAT Gateway deployed in a public subnet with an Elastic IP allows private subnet instances to initiate outbound connections to the internet (e.g., for software updates) while preventing unsolicited inbound connections. The private subnet route table must have a default route (0.0.0.0/0) pointing to the NAT Gateway, which then forwards traffic to the Internet Gateway (IGW) in the public subnet. This design is the most secure because it avoids exposing private instances directly to the internet and uses a managed, highly available service.

Exam trap

AWS often tests the misconception that a NAT instance can be placed in a private subnet and still provide outbound internet access, but in reality, a NAT device must reside in a public subnet with a route to an IGW to translate and forward traffic.

How to eliminate wrong answers

Option B is wrong because adding a default route to the IGW from the private subnet route table would directly expose private instances to the internet, allowing unsolicited inbound traffic and bypassing any NAT functionality, which violates security best practices. Option C is wrong because placing instances in a public subnet with a route to an IGW gives them public IP addresses and direct internet access, making them vulnerable to inbound attacks and defeating the purpose of using private subnets for security. Option D is wrong because deploying a NAT instance in a private subnet would require a route to an IGW or another NAT device for outbound traffic, creating a circular dependency; NAT instances must be in a public subnet to reach the IGW, and using a NAT instance also introduces single points of failure and management overhead compared to a managed NAT Gateway.

367
MCQ · easy

A company has an AWS Direct Connect connection and wants to use it to access Amazon S3 buckets without traversing the public internet. Which virtual interface type should be used?

A.Transit virtual interface
B.Hosted virtual interface
C.Private virtual interface
D.Public virtual interface
Answer: D

Public VIF provides access to public AWS services over Direct Connect.

Why this answer

A public virtual interface (VIF) allows access to public AWS services, including S3, over Direct Connect. A private VIF is for accessing resources in a VPC. A transit VIF is for connecting to a transit gateway.

A hosted VIF is provided by an AWS partner.

368
MCQ · medium

A company is designing a multi-region architecture with an Application Load Balancer (ALB) in us-east-1 and a Network Load Balancer (NLB) in eu-west-1. They need to route traffic from the ALB to the NLB using a fixed IP address. Which AWS service should be used to provide a static IP for the NLB and enable cross-region load balancing?

A.AWS WAF
B.Amazon CloudFront
C.AWS Transit Gateway
D.AWS Global Accelerator
Answer: D

Global Accelerator provides static IPs and can route to NLB across regions.

Why this answer

AWS Global Accelerator provides two static anycast IP addresses that serve as a fixed entry point for traffic. It can route traffic from the ALB in us-east-1 to the NLB in eu-west-1 by using an endpoint group that includes the NLB's IP address, enabling cross-region load balancing with a static IP. This allows the ALB to forward traffic to the Global Accelerator's static IP, which then optimally routes to the NLB in the other region.

Exam trap

The trap here is that candidates often confuse Amazon CloudFront's ability to serve content with a static IP (via custom origins) with the need for a fixed IP that routes traffic from an ALB to an NLB across regions, overlooking that Global Accelerator is specifically designed for this use case with TCP/UDP traffic and static anycast IPs.

How to eliminate wrong answers

Option A is wrong because AWS WAF is a web application firewall that protects against common web exploits, not a service for providing static IP addresses or cross-region routing. Option B is wrong because Amazon CloudFront is a content delivery network (CDN) that uses edge locations and can have static IPs via custom origins, but it is designed for HTTP/HTTPS traffic and does not natively support routing traffic from an ALB to an NLB with a fixed IP for cross-region load balancing; it also does not provide a static IP for the NLB itself. Option C is wrong because AWS Transit Gateway is a network transit hub to connect VPCs and on-premises networks within a region or across regions using peering attachments, but it does not provide static IP addresses for load balancers and is not designed to route traffic from an ALB to an NLB with a fixed IP endpoint.

369
MCQ · hard

A company is designing a multi-Region architecture using AWS Transit Gateway and Direct Connect. They have VPCs in us-east-1 and eu-west-1, each with an attached Transit Gateway. The Direct Connect gateway is associated with the Transit Gateway in us-east-1. They need to enable communication between VPCs across Regions using the Direct Connect gateway. What is the correct design to achieve this?

A.Create a single Transit Gateway that spans both Regions and attach VPCs in both Regions.
B.Use VPC peering between the VPCs and route Direct Connect traffic through the VPC peering connection.
C.Create a Transit Gateway peering attachment between the Transit Gateways in us-east-1 and eu-west-1, and route traffic over the Direct Connect gateway via the peering.
D.Associate the Direct Connect gateway with both Transit Gateways in us-east-1 and eu-west-1.
Answer: C

Transit Gateway peering enables inter-Region connectivity. The Direct Connect gateway remains associated with the Transit Gateway in us-east-1, and routes can be propagated to allow traffic to flow across the peering.

Why this answer

Option C is correct because Transit Gateway peering attachments allow transitive routing between Transit Gateways in different AWS Regions. By establishing a peering attachment between the Transit Gateways in us-east-1 and eu-west-1, traffic from the VPC in eu-west-1 can be routed through its local Transit Gateway, across the peering attachment to the Transit Gateway in us-east-1, and then over the Direct Connect gateway to on-premises networks. This design enables cross-region VPC communication via Direct Connect without requiring a single Transit Gateway or direct VPC peering.

Exam trap

The trap here is that candidates often assume a Direct Connect gateway can be associated with multiple Transit Gateways across regions, but AWS only supports a one-to-one association between a Direct Connect gateway and a Transit Gateway at a time, requiring Transit Gateway peering for cross-region connectivity.

How to eliminate wrong answers

Option A is wrong because a single Transit Gateway cannot span multiple AWS Regions; Transit Gateways are regional resources and cannot be shared across regions. Option B is wrong because VPC peering does not support transitive routing through a Direct Connect gateway; traffic would need to traverse the peering connection, but Direct Connect traffic cannot be routed through a VPC peering connection to reach another VPC without additional complex routing and potential asymmetric routing issues. Option D is wrong because a Direct Connect gateway can only be associated with a single Transit Gateway in one Region at a time; associating it with both Transit Gateways is not supported and would cause routing conflicts.

370
MCQ · medium

A company is using AWS Organizations to manage multiple accounts. The network team needs to allow a centralized inspection VPC to inspect all traffic between VPCs in different accounts. Which AWS service should be used to route traffic through the inspection VPC?

A.AWS Transit Gateway
B.VPC peering connections
C.AWS PrivateLink
D.AWS Site-to-Site VPN
Answer: A

Transit Gateway supports transitive routing and central inspection.

Why this answer

Option A is correct because a Transit Gateway with route tables can route traffic between VPCs and send it to a network appliance in the inspection VPC. Option B is wrong because VPC peering is a simple point-to-point connection and does not support transitive routing. Option D is wrong because a Site-to-Site VPN is for hybrid connectivity, not inter-VPC routing.

Option C is wrong because PrivateLink is for accessing services privately, not for routing traffic between VPCs.

371
MCQ · easy

A company wants to provide secure access to an S3 bucket from a VPC without using an internet gateway or NAT device. Which AWS feature should be used?

A.Internet gateway
B.NAT gateway
C.AWS Site-to-Site VPN connection
D.VPC endpoint (Gateway type) for S3
Answer: D

A Gateway VPC endpoint provides private access to S3.

Why this answer

A VPC endpoint (Gateway type) for S3 allows instances within a VPC to access S3 buckets privately using the AWS network, without requiring an internet gateway or NAT device. This is achieved by adding an endpoint route in the VPC route table that directs S3 traffic through the AWS backbone, ensuring data never traverses the public internet.

Exam trap

AWS often tests the misconception that a NAT gateway alone provides private S3 access, but candidates must remember that NAT gateways still require an internet gateway and do not eliminate internet transit for S3 traffic.

How to eliminate wrong answers

Option A is wrong because an internet gateway provides direct internet access, which is explicitly not allowed per the requirement to avoid internet gateways or NAT devices. Option B is wrong because a NAT gateway enables outbound internet traffic from private subnets, but it still relies on an internet gateway and public IPs, violating the no-internet-gateway condition. Option C is wrong because an AWS Site-to-Site VPN connection extends an on-premises network to the VPC over the internet, but it does not provide direct private access to S3 from within the VPC without additional routing and still uses the internet for the VPN tunnel.

372
MCQ · hard

A company runs a critical application on Amazon EC2 instances in an Auto Scaling group behind a Network Load Balancer (NLB). The application requires that all packets from a given client session are sent to the same target instance for the duration of the session. Which feature should be enabled on the NLB to meet this requirement?

A.Enable proxy protocol v2
B.Enable cross-zone load balancing
C.Enable stickiness using the source IP address
D.Configure health checks to mark targets as healthy
Answer: C

NLB uses a consistent hash based on source IP, protocol, and port to route packets from the same client to the same target, ensuring session persistence.

Why this answer

Option C is correct because enabling stickiness using the source IP address on a Network Load Balancer (NLB) ensures that all packets from a given client IP are routed to the same target instance for the duration of the session. This is achieved by the NLB hashing the source IP address (and optionally port and protocol) to consistently select the same target, which meets the requirement for session persistence without relying on application-layer cookies.

Exam trap

The trap here is that candidates often confuse Proxy Protocol v2 with session persistence, thinking that passing client IP information to the backend automatically ensures stickiness, when in fact Proxy Protocol only provides metadata and does not influence load balancer routing decisions.

How to eliminate wrong answers

Option A is wrong because Proxy Protocol v2 is a mechanism for passing client connection metadata (such as source IP and port) to the backend targets, but it does not provide any session persistence or stickiness; it simply adds a header to the forwarded traffic. Option B is wrong because cross-zone load balancing distributes traffic evenly across targets in all Availability Zones, which can actually break session persistence by sending packets from the same client to different targets across zones. Option D is wrong because health checks only determine whether a target is considered healthy or unhealthy for traffic routing; they do not influence which target receives packets from a specific client session.

373
MCQ · easy

A company is designing a hybrid network using AWS Direct Connect. They want to extend their on-premises network to multiple VPCs in the same AWS Region. Which resource should they use to achieve this?

A.Direct Connect transit virtual interface
B.Direct Connect gateway
C.Direct Connect private virtual interface (VIF)
D.Link Aggregation Group (LAG)
Answer: B

A Direct Connect gateway enables connectivity to multiple VPCs.

Why this answer

A Direct Connect gateway is the correct resource because it allows you to associate up to 10 VPCs (or 20 with a quota increase) in the same or different AWS Regions with a single Direct Connect connection. It acts as a central hub, enabling connectivity from your on-premises network to multiple VPCs via a single private virtual interface (VIF) attached to the Direct Connect gateway, without needing separate VIFs per VPC.

Exam trap

The trap here is that candidates often confuse a Direct Connect gateway with a transit gateway or a private VIF, mistakenly thinking a private VIF alone can connect to multiple VPCs, but AWS requires a Direct Connect gateway to aggregate multiple VPC associations under a single VIF.

How to eliminate wrong answers

Option A is wrong because a Direct Connect transit virtual interface is used to connect to a transit gateway, not directly to multiple VPCs; it requires a transit gateway in between and is typically used for large-scale multi-VPC architectures. Option C is wrong because a Direct Connect private virtual interface (VIF) can only connect to a single VPC (or a Direct Connect gateway) and cannot directly extend to multiple VPCs on its own. Option D is wrong because a Link Aggregation Group (LAG) is a logical bundle of multiple physical connections to increase bandwidth or provide redundancy, but it does not provide the logical routing or multi-VPC connectivity needed for this scenario.

374
MCQ · medium

A network engineer deploys this CloudFormation template. After deployment, an EC2 instance launched in PublicSubnet1 cannot reach the internet. What is the most likely cause?

A.The Internet Gateway is not attached to the VPC.
B.The subnet does not have a route to the Internet Gateway because the route table is not associated with the subnet.
C.The subnet does not have MapPublicIpOnLaunch set to true.
D.The security group is blocking outbound traffic.
Answer: B

The template does not associate the custom route table with PublicSubnet1; it uses the main route table which lacks the IGW route.

Why this answer

The most likely cause is that the route table containing the default route (0.0.0.0/0) pointing to the Internet Gateway is not associated with PublicSubnet1. Without this association, traffic from the subnet has no path to the Internet Gateway, even if the IGW is attached to the VPC. CloudFormation templates often create separate route tables and subnets, and a missing subnet-to-route-table association is a common misconfiguration.

Exam trap

AWS often tests the distinction between having an Internet Gateway attached to the VPC (which is necessary but not sufficient) and having a proper route table association with a default route to that IGW, leading candidates to mistakenly select Option A when the real issue is the missing subnet-to-route-table linkage.

How to eliminate wrong answers

Option A is wrong because if the Internet Gateway were not attached to the VPC, no subnet in the VPC could reach the internet, but the question specifies only PublicSubnet1 has the issue, implying the IGW is attached. Option C is wrong because MapPublicIpOnLaunch controls whether an auto-assigned public IPv4 address is given to the instance, but even without a public IP, the instance could still reach the internet via a NAT device or an Elastic IP; the core issue is routing, not IP assignment. Option D is wrong because security groups by default allow all outbound traffic (unless explicitly modified), and the question does not indicate any custom outbound deny rule; the problem is at the subnet routing layer, not the instance firewall.

375
MCQ · easy

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The company has an internet gateway attached to the VPC and a NAT gateway in a public subnet. Which route table configuration is required for the private subnets to access the internet?

A.Add a route in the private subnet route table with destination 0.0.0.0/0 and target the internet gateway.
B.Add a route in the private subnet route table with destination 0.0.0.0/0 and target the NAT gateway.
C.Add a route in the public subnet route table with destination 0.0.0.0/0 and target the NAT gateway.
D.Add a route in the private subnet route table with destination 0.0.0.0/0 and target the internet gateway, and associate an Elastic IP with the NAT gateway.
Answer: B

This allows private instances to use NAT for internet access.

Why this answer

Option B is correct because private subnets require a default route (0.0.0.0/0) pointing to the NAT gateway to enable outbound internet access while preventing inbound traffic from the internet. The NAT gateway, residing in a public subnet with an associated Elastic IP, translates private IP addresses to the Elastic IP for internet-bound traffic. The internet gateway is used by public subnets, not private subnets, for direct internet access.

Exam trap

AWS often tests the misconception that private subnets can use the internet gateway directly via a default route, but the trap here is that private subnets must route through a NAT gateway or NAT instance to maintain their private nature and avoid direct inbound internet access.

How to eliminate wrong answers

Option A is wrong because adding a route with destination 0.0.0.0/0 targeting the internet gateway in a private subnet route table would allow direct inbound traffic from the internet, bypassing the NAT gateway and defeating the purpose of a private subnet. Option C is wrong because modifying the public subnet route table does not affect traffic originating from private subnets; private subnets have their own route table that must direct traffic to the NAT gateway. Option D is wrong because associating an Elastic IP with the NAT gateway is already a requirement for its operation, but the route in the private subnet route table must target the NAT gateway, not the internet gateway; targeting the internet gateway would still allow direct internet access without NAT.
