CCNA Network Implementation Questions

75 of 434 questions · Page 1/6 · Network Implementation · Answers revealed

1
MCQ · easy

A company wants to securely connect multiple VPCs in the same region to a common on-premises network using a single Direct Connect connection. Which AWS service should they use to simplify the network architecture?

A. Virtual Private Gateway
B. Direct Connect Gateway
C. VPC Peering
D. Transit Gateway
Answer: B

Direct Connect Gateway enables multiple VPCs to use a single Direct Connect connection.

Why this answer

Option B is correct. A Direct Connect gateway allows you to associate multiple VPCs (via virtual private gateways or transit gateways) with a single Direct Connect connection. Option D is wrong because a transit gateway alone does not include Direct Connect.

Option C is wrong because a VPC peering connection is for VPC-to-VPC connectivity, not Direct Connect. Option A is wrong because a virtual private gateway is for VPN, not Direct Connect.

2
MCQ · medium

A company is implementing a hybrid network with AWS Direct Connect and a VPN connection as backup. They have a Direct Connect gateway (DXGW) attached to a private VIF and a virtual private gateway (VGW) attached to a VPN connection. The VPC is attached to the VGW. They want to use the Direct Connect connection for all traffic when available. The on-premises router advertises the same prefix over both connections. However, traffic from on-premises to the VPC is using the VPN connection. BGP is configured correctly on both connections. What should the company do to prefer the Direct Connect path?

A. Set a higher weight on the Direct Connect BGP session.
B. Set a higher local preference on the Direct Connect VIF.
C. Change the BGP timers on the Direct Connect VIF to have a lower hold time.
D. Configure AS_PATH prepending on the VPN BGP session.
E. Configure a lower MED (Multi-Exit Discriminator) on the Direct Connect VIF.
Answer: E

Lower MED is preferred for inbound traffic; setting a lower MED on the Direct Connect VIF will make it the preferred path.

Why this answer

Option E is correct because the Multi-Exit Discriminator (MED) is a BGP attribute used to influence inbound traffic from an AS to the local AS. By setting a lower MED on the Direct Connect VIF, the on-premises router will prefer the Direct Connect path over the VPN path when both advertise the same prefix, assuming all other BGP path selection criteria are equal. This directly addresses the requirement to prefer the Direct Connect connection for all traffic.

Exam trap

The trap here is that candidates often confuse BGP attributes that influence outbound traffic (weight, local preference) with those that influence inbound traffic (MED), leading them to incorrectly select options A or B instead of the correct MED-based solution.

How to eliminate wrong answers

Option A is wrong because weight is a Cisco-proprietary attribute that influences outbound traffic from the local router, not inbound traffic from on-premises; it is not applicable to the on-premises router's path selection. Option B is wrong because local preference is used to influence outbound traffic from an AS to external destinations, not inbound traffic from on-premises to the VPC. Option C is wrong because changing BGP timers (e.g., hold time) affects convergence speed and failure detection, not path preference; it does not influence which path is chosen for traffic.

Option D is wrong because AS_PATH prepending on the VPN BGP session would make the VPN path appear longer (less preferred), which would actually help prefer Direct Connect, but the question asks for a configuration on the Direct Connect side; moreover, AS_PATH prepending is typically applied to the less preferred path, not the preferred one, and the correct approach is to set a lower MED on the Direct Connect VIF.

3
Multi-Select · medium

A network engineer is troubleshooting connectivity between an on-premises data center and a VPC over an AWS Site-to-Site VPN. The tunnel status shows UP, but traffic from on-premises to the VPC is intermittently dropped. Which TWO of the following are likely causes? (Choose 2.)

Select 2 answers
A. Dead Peer Detection (DPD) timeout configuration
B. BGP hold timer expiration
C. Asymmetric routing across multiple tunnels
D. Incorrect MTU size causing packet fragmentation
E. IPsec SA lifetime mismatch between peers
Answers: C, D

Asymmetric routing can cause stateful devices to drop packets.

Why this answer

Incorrect MTU settings can cause fragmentation issues leading to drops, and asymmetric routing can cause stateful firewalls to drop return traffic. Dead Peer Detection (DPD) timeout would cause the tunnel to go down, not intermittent drops; BGP hold timer expiration would cause BGP session reset; IPsec SA lifetime mismatch would cause periodic rekey issues but not typical intermittent drops.

4
MCQ · medium

A company is deploying a multi-tier web application across three Availability Zones in a VPC. The web tier must be highly available and scale based on CPU utilization. The database tier uses an Amazon RDS Multi-AZ DB instance. The web tier must have the lowest possible latency to the internet. Which configuration should be used for the web tier subnets?

A. Place the web tier in public subnets with auto-assign public IP addresses disabled.
B. Place the web tier in public subnets with auto-assign public IP addresses enabled.
C. Place the web tier in private subnets and use a VPC endpoint for internet access.
D. Place the web tier in private subnets and use a NAT gateway for internet access.
Answer: B

Public subnets provide direct internet access with lowest latency.

Why this answer

Option B is correct because assigning public IP addresses to web instances in public subnets allows direct internet access with minimal latency. Option D would introduce NAT latency. Options A and C are incorrect for a public-facing web tier.

5
MCQ · hard

A company has a VPC with a CIDR of 10.0.0.0/16. They create a subnet 10.0.1.0/24 and launch an EC2 instance with a private IP 10.0.1.5. The instance needs to communicate with an on-premises server at 172.16.0.10 over a VPN connection. The VPN connection uses a Virtual Private Gateway. The VPC route table has a route 172.16.0.0/16 pointing to the VPG. The instance cannot reach the on-premises server. What is the most likely cause?

A. The security group attached to the instance does not allow outbound traffic to 172.16.0.10.
B. The instance's route table does not have a route to the internet gateway.
C. The network ACL for the subnet denies outbound traffic to the on-premises IP range.
D. The on-premises router is not advertising the 172.16.0.0/16 route to the Virtual Private Gateway.
Answer: D

Without the route advertisement, the VPG does not know how to reach the on-premises network.

Why this answer

The VPN connection requires that the on-premises network advertise routes to the VPG via BGP. If the on-premises router is not advertising the 172.16.0.0/16 route, the VPG will not have a route to forward traffic. Option A (security group) would affect inbound, not outbound; Option C (NACL) would need to be checked, but the default NACL allows all; Option B (internet gateway) is not needed for VPN.

6
MCQ · medium

A company has multiple VPCs that need to communicate with each other. They want to use a hub-and-spoke model with centralized network management. Which AWS service should they use?

A. AWS Direct Connect
B. VPN CloudHub
C. VPC Peering
D. AWS Transit Gateway
Answer: D

Transit Gateway enables a hub-and-spoke topology with centralized routing.

Why this answer

AWS Transit Gateway (D) is the correct choice because it acts as a central hub that interconnects multiple VPCs and on-premises networks using a hub-and-spoke topology. It simplifies network management by providing a single point of connectivity and supports transitive routing between all attached VPCs, which is exactly what the company needs for centralized network management.

Exam trap

The trap here is that candidates often confuse VPC Peering (C) as the default solution for VPC connectivity, but they overlook its lack of transitive routing and the management overhead of creating a full mesh, which makes Transit Gateway the only correct choice for a hub-and-spoke model with centralized management.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect is a dedicated network connection from on-premises to AWS, not a service for interconnecting multiple VPCs in a hub-and-spoke model. Option B is wrong because VPN CloudHub is designed to connect multiple on-premises sites via VPN tunnels to a single AWS VPN endpoint, but it does not provide transitive routing between VPCs or centralized VPC management. Option C is wrong because VPC Peering creates a one-to-one, non-transitive connection between two VPCs; to interconnect multiple VPCs, you would need a full mesh of peering connections, which is complex and does not scale well, unlike the hub-and-spoke model required.

7
MCQ · medium

A company deployed an Application Load Balancer (ALB) in front of a fleet of EC2 instances. Users report intermittent timeouts. The ALB's target group health checks are failing for some instances. The instances are in private subnets with a single NAT Gateway. What is the most likely cause?

A. The security group on the EC2 instances does not allow inbound traffic from the ALB's security group.
B. The route tables in the private subnets do not have a default route pointing to the NAT Gateway.
C. The EC2 instances are of an unsupported instance type for ALB target groups.
D. The NAT Gateway is in a single Availability Zone, causing traffic to fail during an AZ outage.
Answer: A

ALB health checks originate from the ALB's security group; if not allowed, health checks fail.

Why this answer

Health checks from the ALB originate from the ALB's subnet and do not require a NAT Gateway. However, if the security group for the instances does not allow inbound traffic from the ALB's security group, health checks will fail. Option D (NAT Gateway) is unrelated; Option B (route table) would affect outbound traffic; Option C (instance type) is unlikely.

8
MCQ · hard

A network engineer is troubleshooting connectivity issues between an on-premises network and a VPC over a Direct Connect private VIF. The on-premises network can reach EC2 instances in the VPC, but cannot reach an RDS database in the same VPC. The VPC has a single subnet. What is the MOST likely cause?

A. The VPC network ACL is blocking inbound traffic from on-premises
B. The Direct Connect virtual interface is configured for a different VLAN
C. The RDS database security group is not allowing inbound traffic from the on-premises CIDR
D. The VPC route table does not have a route to the on-premises network
Answer: C

Security groups are stateful and often the cause of such issues.

Why this answer

Option C is correct because the RDS security group likely does not allow inbound traffic from the on-premises CIDR. Option D is wrong because a missing VPC route table entry would affect all traffic to the subnet. Option A is wrong because, although NACLs are stateless and could be the cause, the security group is the more likely issue for RDS.

Option B is wrong because Direct Connect routing is working for EC2.

9
Multi-Select · medium

A company is designing a highly available network architecture using AWS Direct Connect. They have two Direct Connect connections from different providers to two different AWS Direct Connect locations. They want to ensure that if one connection fails, traffic automatically fails over to the other. Which TWO steps should they take? (Select TWO.)

Select 2 answers
A. Advertise the same prefix over both Direct Connect connections.
B. Use a different BGP AS number for each Direct Connect connection.
C. Use static routes instead of BGP for the Direct Connect connections.
D. Enable Bidirectional Forwarding Detection (BFD) on both BGP sessions.
E. Configure a single virtual interface for both connections.
Answers: A, D

Same prefix allows BGP to select the best path and fail over automatically.

Why this answer

To achieve high availability with Direct Connect, you should configure BGP with the same prefix advertised over both connections and enable Bidirectional Forwarding Detection (BFD) for fast failure detection. Option B (a different AS number per connection) is not required; Option A (same prefix) is correct; Option D (BFD) is correct; Option E (single VIF) is not recommended; Option C (static routes) is not preferred.

10
MCQ · hard

A company has multiple AWS accounts and wants to centrally manage network security using AWS Network Firewall. The firewall must inspect traffic between VPCs in the same Region. Which deployment model achieves this with minimal latency?

A. Deploy AWS Network Firewall in each VPC and configure VPC peering between VPCs.
B. Deploy AWS Network Firewall in a shared services VPC and use VPC peering to connect all VPCs.
C. Use AWS Transit Gateway and attach AWS Network Firewall as a VPC attachment to the transit gateway.
D. Use a centralized inspection VPC with a Gateway Load Balancer and third-party appliances.
Answer: C

This centralizes inspection and routes traffic through the firewall with minimal latency.

Why this answer

Option C is correct because an AWS Network Firewall in the transit VPC can inspect traffic between VPCs when using Transit Gateway and route tables to steer traffic through the firewall. Option A is wrong because a firewall per VPC would not inspect inter-VPC traffic unless routing is configured, and it adds overhead. Option B is wrong because a firewall in each VPC is not centralized.

Option D is wrong because the firewall must be in the path of traffic; simply inspecting at the egress point of each VPC would not catch all inter-VPC traffic.

11
MCQ · easy

A company has a VPC with a CIDR of 10.0.0.0/16. They have an Application Load Balancer (ALB) in public subnets and EC2 instances in private subnets. The ALB is configured to route traffic to the instances. Users can reach the ALB, but the ALB returns 502 Bad Gateway errors. The target group health checks are failing. The instances are running a web server on port 80. The security group for the instances allows inbound traffic from the ALB's security group on port 80. The network ACL for the private subnets allows inbound traffic on port 80 from the public subnet CIDR (10.0.1.0/24). What is the most likely cause of the health check failures?

A. The network ACL for the private subnets does not allow inbound traffic on port 80 from the ALB's subnet
B. The security group for the instances does not allow inbound traffic from the ALB
C. The network ACL for the private subnets is stateless and is blocking the return traffic from the instances to the ALB
D. The target group is configured with the wrong port
Answer: C

NACLs are stateless; outbound traffic from the private subnet to the ALB must be explicitly allowed.

Why this answer

Option C is correct. The health checks originate from the ALB's private IPs, which are in the public subnet CIDR 10.0.1.0/24, and the NACL allows that inbound traffic on port 80. However, the NACL is stateless and must also allow outbound traffic from the instances' subnet back to the ALB. The most likely cause is that the NACL is blocking this return traffic.

Option B is wrong because the security group allows the traffic. Option A is wrong because the NACL allows inbound on port 80 from the public subnet. Option D is wrong because the target group port is correct.

12
MCQ · hard

A company uses AWS Direct Connect with a private VIF to connect to a VPC. The VPC has a virtual private gateway (VGW). The on-premises network uses BGP to advertise routes. The company wants to ensure high availability by using two Direct Connect connections from different providers. Both connections terminate at the same Direct Connect location (same AWS device). The company configures two private VIFs, each with a separate BGP session, and attaches both to the same VGW. However, when one connection fails, traffic does not fail over. What is the most likely cause?

A. Both Direct Connect connections are on the same AWS device, creating a single point of failure
B. The same BGP ASN is used for both VIFs, causing route conflict
C. The MTU size is mismatched between the VIFs
D. The allowed prefixes for the VIFs do not include the on-premises subnets
Answer: A

Same location and device means no redundancy.

Why this answer

If both connections terminate at the same AWS Direct Connect location and same device, they share the same physical infrastructure. A failure at that location would affect both. True high availability requires connections at different locations.

Also, BGP configuration may not have proper failover. The most likely cause is that both VIFs are on the same device, so a single point of failure exists. Option B (BGP ASN) is wrong because same ASN is allowed.

Option D (allowed prefixes) would cause routes not to be accepted. Option C (MTU) would not cause complete failover failure.

13
MCQ · hard

A company has deployed a Network Load Balancer (NLB) in a VPC. The NLB is configured with a target group that points to EC2 instances in the same VPC. The network engineer notices that traffic from clients is not being forwarded to the targets. The NLB's security groups and network ACLs allow all traffic. What is the most likely cause?

A. The security group attached to the NLB is blocking traffic.
B. The EC2 instances are missing a route back to the NLB's subnet.
C. The NLB health checks are failing, causing targets to be marked unhealthy.
D. Cross-zone load balancing is disabled on the NLB.
Answer: B

Preserve client IP is enabled, so targets must send response back to NLB; if they have a default route to NAT gateway, return traffic goes to internet.

Why this answer

Option B is correct. NLB uses the source IP of the client by default, so the target's route table must send return traffic back to the NLB. If the targets have a default route to a NAT gateway, return traffic goes straight to the internet, breaking the connection.

Option A is wrong because NLB does not use security groups for itself. Option C is wrong because health checks might fail, but that is not the root cause. Option D is wrong because NLB supports cross-zone load balancing.

14
MCQ · medium

A company has a VPC with CIDR 10.0.0.0/16 and needs to connect to another VPC (192.168.0.0/16) using VPC peering. Both VPCs have overlapping CIDRs with some on-premises networks. What must be done to ensure proper routing?

A. Use AWS Transit Gateway instead and attach both VPCs.
B. Verify that the CIDR blocks do not overlap. If they do, you must re-IP one VPC or use other solutions like Transit Gateway with network address translation.
C. Use a NAT gateway in one VPC to translate addresses.
D. Create the peering connection and add routes for the full CIDR ranges in both route tables.
Answer: B

Without overlap, peering works. Overlap requires re-IP or alternative solutions.

Why this answer

Option B is correct because VPC peering does not support overlapping CIDRs; you cannot have routes to the same CIDR via different targets. If there is any overlap, you cannot create the peering connection or the routes. Option D is wrong because it suggests ignoring the overlap.

Option C is wrong because NAT does not solve routing ambiguity. Option A is wrong because Transit Gateway also has limitations with overlapping CIDRs.

15
MCQ · medium

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via Direct Connect and Site-to-Site VPN. The network team wants to ensure that traffic between VPCs does not traverse the on-premises network. Which Transit Gateway feature should be used?

A. Transit Gateway Multicast
B. Transit Gateway Network Manager
C. Transit Gateway BGP over AWS Direct Connect
D. Transit Gateway route tables with separate associations and propagations
Answer: D

This allows creating isolated routing domains.

Why this answer

Option D is correct because Transit Gateway route tables allow isolation of traffic between different attachments (e.g., VPCs vs. VPN). Option A is wrong because multicast is not relevant.

Option B is wrong because Network Manager monitors traffic; it does not control routing. Option C is wrong because BGP is used for dynamic routing, not for isolation.

16
MCQ · hard

A company is designing a multi-region architecture with two AWS Regions. They need to connect VPCs in each region to an on-premises data center using AWS Direct Connect. They want to minimize latency and use the same BGP ASN on both sides. Which solution meets these requirements?

A. Use a Direct Connect gateway and create a private virtual interface from each region's Direct Connect connection to the Direct Connect gateway. Use the same BGP ASN on the AWS side.
B. Establish two separate private virtual interfaces from each region to the on-premises router using different BGP ASNs.
C. Use AWS Site-to-Site VPN over the internet as a backup and the Direct Connect as primary.
D. Create a transit virtual interface from each region to a Transit Gateway in each region and peer the Transit Gateways.
Answer: A

Direct Connect gateway allows same ASN across multiple VIFs and regions.

Why this answer

Option A is correct because a Direct Connect gateway allows you to associate multiple virtual interfaces from different regions with a single gateway, and you can use the same BGP ASN. Option D is wrong because transit VIFs connect to a Transit Gateway, but a Direct Connect gateway is needed for multi-region. Option B is wrong because each Direct Connect connection must use different ASNs if not using a Direct Connect gateway.

Option C is wrong because VPN over the internet adds latency and does not meet the Direct Connect requirement.

17
MCQ · medium

A company is connecting their on-premises data center to AWS using a site-to-site VPN. The customer gateway device has a dynamic routing configuration with BGP. The VPN connection is established, but the VPC route table does not contain the on-premises network routes. What is the most likely cause?

A. The customer gateway device is not configured with the correct BGP ASN.
B. The VPC route table has static routes pointing to the virtual private gateway.
C. Route propagation is not enabled on the VPC route table.
D. The VPN connection is using static routing instead of dynamic routing.
Answer: C

Route propagation must be enabled for dynamic BGP routes to be added.

Why this answer

Option C is correct. For a dynamic VPN, you must enable route propagation on the VPC route table to automatically propagate BGP routes. Option B is wrong because static routes are not needed.

Option D is wrong because BGP is used. Option A is wrong because the customer gateway device is configured correctly.

18
MCQ · hard

A company is deploying a multi-region application with an Application Load Balancer (ALB) in us-east-1 and a second ALB in eu-west-1. They want to route traffic to the nearest region using Amazon Route 53. They have set up a latency-based routing policy. Users in North America are being routed to eu-west-1 instead of us-east-1. What is the most likely cause?

A. The routing policy is incorrectly configured as geolocation instead of latency
B. The us-east-1 ALB is not associated with a Route 53 record set
C. The health checks for the us-east-1 ALB are failing
D. Latency measurements between the user and us-east-1 are higher than expected due to transient network conditions
Answer: D

Latency-based routing uses measured latency; higher latency can cause routing to other region.

Why this answer

Option D is correct because latency-based routing uses measured latency, which can be inconsistent. If the latency measurement for us-east-1 is higher than expected (e.g., due to a temporary issue), Route 53 may route to eu-west-1. Option C is wrong because health checks affect routing only if they fail, and the question does not indicate failure.

Option A is wrong because the routing policy is already set to latency. Option B is wrong because weight is not used in latency routing.

19
MCQ · hard

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network is advertising a default route (0.0.0.0/0) over BGP. The VPC has an internet gateway attached. When an EC2 instance in the VPC sends traffic to an internet destination, which path does it take by default?

A. Traffic goes to the on-premises network only if there is a static route.
B. Traffic is dropped because there is no route.
C. Traffic goes to the internet via the internet gateway.
D. Traffic goes to the on-premises network via Direct Connect.
Answer: D

The propagated BGP route is more specific than a default route to IGW, if any.

Why this answer

Option D is correct because the VPC route table will have the more specific local VPC routes and the propagated route from Direct Connect. The most specific route for 0.0.0.0/0 will be the one from Direct Connect (propagated), so traffic goes to on-premises. Option B is wrong because the IGW route is not present.

Option C is wrong because the instance sends traffic based on the route table. Option A is wrong because traffic goes to on-premises without a static route.

20
MCQ · easy

A company is deploying a VPC with public and private subnets in two Availability Zones. The public subnets host NAT gateways for outbound internet access from the private subnets. Which configuration ensures that EC2 instances in the private subnets can route traffic to the internet through the NAT gateways?

A. Add a route in the public subnet route table pointing to the internet gateway.
B. Attach an egress-only internet gateway to the private subnets.
C. Create a VPC peering connection between the VPC and the NAT gateway.
D. Add a route in the private subnet route table with destination 0.0.0.0/0 targeting the NAT gateway.
Answer: D

This enables outbound internet access from private instances via NAT.

Why this answer

Option D is correct because the private subnet route table must have a default route (0.0.0.0/0) pointing to the NAT gateway to allow outbound internet traffic. Option A is wrong because the internet gateway route is for public subnets. Option C is wrong because VPC peering does not provide internet access.

Option B is wrong because egress-only internet gateways are for IPv6.

21
Multi-Select · medium

A company is migrating a legacy application to AWS. The application requires multicast communication between EC2 instances in the same VPC. Which THREE options can support this requirement? (Choose three.)

Select 3 answers
A. Use AWS Transit Gateway with a multicast domain.
B. Use AWS Direct Connect to extend the on-premises multicast domain to the VPC.
C. Deploy a multicast-capable third-party virtual appliance in the VPC and configure multicast routing.
D. Use a VPC with a single subnet and enable multicast on the subnet.
E. Create a VPC peering connection and enable multicast across the peered VPCs.
Answers: A, C, D

Transit Gateway supports multicast groups and domains.

Why this answer

AWS Transit Gateway supports multicast through the creation of a multicast domain, which allows EC2 instances in different subnets and VPCs attached to the transit gateway to send and receive multicast traffic. This is a native AWS capability that does not require third-party appliances or workarounds, making it a valid option for the requirement.

Exam trap

The trap here is that candidates assume VPC peering or Direct Connect can carry multicast traffic because they support other Layer 3 protocols, but AWS explicitly blocks multicast and broadcast on these connections.

22
MCQ · medium

A company is deploying a multi-tier web application across two AWS Regions. The application uses an Application Load Balancer (ALB) in each region, and traffic must be distributed to the closest healthy ALB using Route 53 latency-based routing. The application requires that clients maintain the same source IP address when the request is forwarded from the ALB to the backend targets. The backend targets are EC2 instances in private subnets. The company also needs to ensure that traffic between the ALB and targets stays within AWS. What should the company implement to meet these requirements?

A. Deploy a Network Load Balancer (NLB) in each region with targets in public subnets. Use Route 53 latency-based routing to the NLB.
B. Deploy an internal ALB in each region. Place targets in private subnets. Use VPC endpoints for the ALB (AWS PrivateLink) and Route 53 latency-based routing to the VPC endpoint.
C. Deploy an Application Load Balancer (ALB) with internet-facing scheme in each region. Use Route 53 latency-based routing to the ALB.
D. Use AWS Global Accelerator with endpoints in each region. Attach the ALB as an endpoint and enable client IP preservation on the accelerator.
E. Deploy an ALB with internet-facing scheme in each region. Use Route 53 latency-based routing to the ALB. Place targets in public subnets to preserve source IP.
Answer: B

Internal ALB with VPC endpoints keeps traffic within AWS and preserves source IP.

Why this answer

Option B is correct because an internal ALB with targets in private subnets ensures traffic stays within AWS and preserves the client source IP by using VPC endpoints (AWS PrivateLink). Route 53 latency-based routing directs traffic to the closest healthy VPC endpoint, meeting the multi-region distribution requirement while maintaining source IP transparency for backend targets.

Exam trap

The trap here is that candidates assume internet-facing ALBs preserve source IP or that Global Accelerator can be combined with Route 53 latency-based routing, but AWS specifically requires an internal ALB with PrivateLink and client IP preservation enabled to meet both source IP preservation and traffic confinement requirements.

How to eliminate wrong answers

Option A is wrong because an NLB with targets in public subnets does not preserve the original client source IP when forwarding to targets (NLB preserves source IP only for UDP or TCP traffic, but the requirement is for an ALB-based application); also, public subnets expose targets to the internet, violating the 'traffic stays within AWS' requirement. Option C is wrong because an internet-facing ALB does not preserve the client source IP when forwarding to targets (ALB replaces source IP with its own private IP); additionally, targets in private subnets would receive traffic with the ALB's IP, not the client's IP. Option D is wrong because AWS Global Accelerator with client IP preservation enabled does preserve source IP, but it does not use Route 53 latency-based routing (Global Accelerator uses Anycast IPs and its own routing algorithm); the question specifically requires Route 53 latency-based routing.

Option E is wrong because placing targets in public subnets to preserve source IP is incorrect—ALB always replaces the source IP regardless of subnet placement; also, public subnets expose targets to the internet, violating the 'traffic stays within AWS' requirement.

23
Multi-Select · easy

A company is deploying an AWS Client VPN endpoint to provide remote access to its VPC resources. The company wants to allow clients to access resources in multiple subnets within the VPC. Which TWO configurations are necessary?

Select 2 answers
A. Configure route tables in the VPC to direct traffic to the Client VPN endpoint.
B. Associate the Client VPN endpoint with subnets in the VPC.
C. Create authorization rules to allow access to the target networks.
D. Attach the VPC to a transit gateway.
E. Configure security groups on the target subnets.
Answers: B, C

Subnet associations allow the endpoint to have elastic network interfaces in those subnets.

Why this answer

Option B is correct because the Client VPN endpoint must be associated with the VPC's subnets via a subnet association. Option C is correct because authorization rules specify which groups can access which networks. Option E is wrong because security groups are applied to the Client VPN endpoint, not to the target subnets directly.

Option A is wrong because route tables are automatically propagated, and the question asks for necessary configurations. Option D is wrong because a transit gateway is not required for a single VPC.

24
Multi-Selectmedium

Which THREE of the following are considerations when designing a VPC with multiple Availability Zones for high availability? (Choose THREE.)

Select 3 answers
A.Use an Application Load Balancer to distribute traffic across instances in different Availability Zones.
B.Create a single public subnet that spans all Availability Zones.
C.Deploy NAT gateways in each Availability Zone for redundancy.
D.Create separate subnets in each Availability Zone for the application tier.
E.Use a single NAT gateway in one Availability Zone to reduce cost.
AnswersA, C, D

ALB can route traffic to multiple AZs.

Why this answer

Options A, C, and D are correct. Using NAT gateways in each AZ ensures availability if one AZ fails. Spreading subnets across AZs provides redundancy.

Using an Application Load Balancer distributes traffic across AZs. Option E is wrong because a single NAT gateway in one AZ is a single point of failure. Option B is wrong because a single public subnet across all AZs is not possible; subnets are per AZ.

25
MCQmedium

A company has a VPC with an IPv6 CIDR block and wants to provide internet access to instances in a private subnet using an egress-only internet gateway. Which of the following must be configured correctly?

A.Configure NAT64 on the VPC to translate IPv6 to IPv4.
B.Enable route propagation for the egress-only internet gateway in the route table.
C.Add a default route (::/0) in the private subnet's route table pointing to the egress-only internet gateway.
D.Assign an IPv6 address to the egress-only internet gateway.
AnswerC

This allows IPv6 traffic from the private subnet to reach the internet outbound.

Why this answer

Option C is correct because an egress-only internet gateway is used for IPv6 outbound-only internet access, and the private subnet's route table must have a default route (::/0) pointing to the egress-only internet gateway. Option D is incorrect because IPv6 addresses are not assigned to the egress-only internet gateway. Option A is incorrect because NAT64 is not required.

Option B is incorrect because the egress-only internet gateway does not use route propagation.

26
MCQhard

A company is designing a multi-account AWS environment using AWS Organizations. They need to centralize VPC flow logs and network traffic inspection across all accounts. Which architecture meets these requirements with minimal operational overhead?

A.Deploy a central inspection VPC with AWS Network Firewall and use Transit Gateway to route traffic from all VPCs through it.
B.Use AWS Network Firewall in each VPC and aggregate logs centrally.
C.Enable VPC flow logs in each account and send them to a central S3 bucket. Use Network Access Analyzer for inspection.
D.Create VPC peering connections between all VPCs and deploy a third-party firewall in one VPC.
AnswerA

Centralized inspection with AWS Network Firewall and Transit Gateway is recommended.

Why this answer

Option A is correct because a centralized inspection VPC with Transit Gateway and Network Firewall allows all traffic to be inspected. Option B is wrong because it doesn't centralize inspection. Option D is wrong because VPC peering is not transitive.

Option C is wrong because AWS Network Firewall is not available in every account without Transit Gateway.

27
MCQeasy

A company is using a Network Load Balancer (NLB) to distribute traffic to a fleet of EC2 instances. The NLB is configured with a target group that has health checks enabled. Some instances are marked as unhealthy even though they are running and responding to requests on the health check port. What is a likely cause?

A.The route table for the NLB subnet does not have a route to the internet.
B.The security group for the EC2 instances does not allow inbound traffic from the VPC CIDR on the health check port.
C.The internet gateway is not attached to the VPC.
D.The health check is being blocked by a network ACL that allows inbound traffic only from the internet.
AnswerB

NLB health checks come from the VPC CIDR; security group must allow that traffic.

Why this answer

Option B is correct because the NLB health checks use the VPC subnet CIDR as the source IP, and if the security group does not allow traffic from that CIDR, health checks fail. Option D is wrong because health checks are sent from the NLB's private IPs within the subnet, not from the internet. Option C is wrong because NLB health checks do not use the internet gateway.

Option A is wrong because route tables do not affect health check traffic; the NLB sends health checks from within the VPC.

28
MCQmedium

A company has multiple VPCs connected via a Transit Gateway. The security team wants to centrally inspect all traffic between VPCs using a third-party firewall appliance. The appliance must be deployed in a single VPC and all inter-VPC traffic must be routed through it. Which architecture should be used?

A.Configure the Transit Gateway with a central inspection VPC that hosts the firewall appliance
B.Create a Network Load Balancer in each VPC and point to the firewall
C.Deploy AWS Network Firewall in each VPC
D.Use VPC peering connections between all VPCs and route traffic through the inspection VPC
AnswerA

Transit Gateway supports central inspection by routing traffic through a dedicated inspection VPC.

Why this answer

Option A is correct because a Transit Gateway with a central inspection VPC allows all inter-VPC traffic to be routed through the firewall appliance. Option D is incorrect because VPC peering does not provide central inspection. Option B is incorrect because a Network Load Balancer does not route traffic through a firewall.

Option C is incorrect because AWS Network Firewall is a managed service, not a third-party appliance.

29
MCQmedium

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to add an IPv6 CIDR block and ensure that traffic from the internet to the IPv6-enabled resources is allowed. Which configuration is required?

A.Attach a NAT gateway to the VPC and update route tables.
B.Attach an internet gateway and update route tables for IPv6.
C.Create a Virtual Private Gateway and attach the VPC.
D.Create a Transit Gateway and attach the VPC.
AnswerB

IGW supports IPv6 traffic.

Why this answer

Option B is correct because an internet gateway must be attached to the VPC and must be IPv6-compatible (allows egress-only or full dual-stack). Option A is incorrect because a NAT gateway is for outbound IPv4. Option D is incorrect because a Transit Gateway is for inter-VPC connectivity.

Option C is incorrect because a Virtual Private Gateway is for VPN/Direct Connect.

30
MCQmedium

A company has a VPC peering connection between VPC A (10.0.0.0/16) and VPC B (10.1.0.0/16). Both VPCs have route tables that include routes to each other's CIDR blocks via the peering connection. Instances in VPC A can ping instances in VPC B, but traffic to an Application Load Balancer (ALB) in VPC B fails. The ALB is in public subnets with internet-facing scheme. What is the most likely cause?

A.The VPC peering connection does not support transitive routing for ALBs
B.The ALB is internet-facing and cannot be accessed from a peered VPC
C.The route tables in VPC B do not have a route back to VPC A
D.The ALB security group does not allow inbound traffic from VPC A
AnswerD

The security group must allow inbound traffic from the peered VPC's CIDR.

Why this answer

Option D is correct because an internet-facing ALB expects traffic to come from the internet via its public IP. Traffic from a peered VPC uses private IPs, which the ALB's security group may not allow unless explicitly permitted. Option C is wrong because route tables are configured correctly.

Option B is wrong because the ALB can be reached from the internet. Option A is wrong because VPC peering does not affect the ALB's public accessibility.

31
MCQmedium

A company is deploying a VPC with public and private subnets in two Availability Zones. The private subnets need outbound internet access for software updates but must not be reachable from the internet. Which AWS service should be used to achieve this?

A.VPC Peering
B.Virtual Private Gateway
C.NAT Gateway
D.Internet Gateway
AnswerC

NAT Gateway provides outbound internet access for private subnets without allowing unsolicited inbound connections.

Why this answer

A NAT Gateway allows instances in private subnets to initiate outbound traffic to the internet while preventing inbound traffic from the internet.

32
MCQeasy

A company is implementing a hybrid network using AWS Site-to-Site VPN. The on-premises firewall requires that the VPN tunnels use IKEv2 with pre-shared keys and that the tunnels are always active. Which VPN configuration should be used?

A.Two VPN tunnels in active/passive mode
B.Two VPN tunnels with static routing
C.One VPN tunnel with static routing
D.Two VPN tunnels in active/active mode with BGP
AnswerD

Active/active tunnels with BGP provide high availability and always-on connectivity.

Why this answer

Option D is correct because two tunnels in active/active mode provide high availability and always-on connectivity. Option C is wrong because one tunnel is not redundant. Option A is wrong because active/passive means one tunnel is standby.

Option B is wrong because dynamic routing with BGP is typically used, not static routes.

33
MCQmedium

A company has a VPC with a CIDR of 10.0.0.0/16. They need to connect to a partner's VPC with CIDR 10.0.0.0/16 using a VPC peering connection. What is the issue with this configuration?

A.The company has reached the maximum number of VPC peering connections
B.VPC peering is only supported within the same region
C.VPC peering does not support transitive routing
D.Overlapping CIDR ranges are not supported for VPC peering
AnswerD

VPC peering requires non-overlapping CIDR blocks to enable routing between them.

Why this answer

Option D is correct because VPC peering does not support overlapping CIDR blocks. Option B is wrong because VPC peering supports inter-region connections. Option A is wrong because there is no such limit on the number of peering connections.

Option C is wrong because VPC peering does allow transitive routing via a middle VPC, but overlapping CIDRs still cause issues.

34
MCQeasy

A company is deploying a multi-tier application on AWS and needs to ensure that traffic between the web tier and the application tier does not traverse the internet. Both tiers are deployed in the same VPC but in different subnets. What is the MOST secure way to meet this requirement?

A.Use an Internet Gateway to route traffic between subnets
B.Use VPC Peering between the subnets
C.Use a NAT Gateway in each subnet for inter-subnet communication
D.Use route tables and security groups to allow traffic within the VPC
AnswerD

Correct; local routes already enable communication within a VPC; security groups and NACLs provide security.

Why this answer

Option D is correct because local routes already enable communication within a VPC, and security groups control which traffic is allowed. Option B is wrong because VPC Peering is used for connectivity between different VPCs, not within the same VPC. Option A is wrong because traffic would still traverse the internet if using an Internet Gateway. Option C is wrong because NAT Gateways are for outbound internet access, not for private connectivity.

A VPC Endpoint would not fit either, because VPC Endpoints are for accessing AWS services privately, not for traffic between tiers within a VPC.

35
Multi-Selectmedium

A company is implementing a hybrid network architecture with an AWS Transit Gateway connecting multiple VPCs and an on-premises data center via AWS Direct Connect. The company needs to ensure that traffic between VPCs is inspected by a centralized security appliance running on EC2 instances in a dedicated inspection VPC. To achieve this, traffic must be routed through the inspection VPC before reaching its destination. Which TWO configurations are required? (Choose two.)

Select 2 answers
A.Enable route propagation for all VPC attachments in the Transit Gateway route table.
B.Create a blackhole route in the Transit Gateway route table for the VPC CIDR blocks that are destined for other VPCs.
C.Add a static route in the inspection VPC route tables pointing to the Transit Gateway for all other VPC CIDRs.
D.Configure a VPC Gateway Endpoint for the inspection VPC to attract traffic.
E.Deploy a NAT gateway in each VPC to route traffic through the inspection VPC.
AnswersB, C

Prevents direct routing between VPCs.

Why this answer

Option B is correct because blackhole routes in the Transit Gateway route table prevent direct VPC-to-VPC communication. Option C is correct because the inspection VPC must advertise specific routes to attract traffic. Option A is incorrect because enabling route propagation does not force traffic through the inspection VPC.

Option E is incorrect because a NAT gateway is for outbound internet traffic. Option D is incorrect because VPC endpoints are not used for inter-VPC traffic inspection.

36
Multi-Selecthard

A company uses AWS Transit Gateway with multiple VPC attachments and a VPN attachment to an on-premises network. The on-premises network advertises the same prefix via two separate VPN connections for redundancy. The TGW route table shows both routes as active. Traffic from a VPC to on-premises is not load-balanced and prefers one connection. Which THREE actions would help achieve active-active load balancing? (Choose 3.)

Select 3 answers
A.Configure BGP AS_PATH prepending on the preferred VPN connection to make it less preferred
B.Enable equal-cost multi-path (ECMP) routing on the Transit Gateway route table
C.Set a higher BGP weight on the less preferred connection
D.Use static routes for both VPN connections instead of BGP
E.Adjust the BGP Multi-Exit Discriminator (MED) attribute on the on-premises routers
AnswersA, B, E

AS_PATH prepending can make one path appear longer.

Why this answer

Using BGP AS_PATH prepending can influence path selection, equal-cost multi-path (ECMP) routing in TGW supports load balancing across equal routes, and adjusting BGP MED can influence inbound traffic. Weight is not supported in TGW; AS_PATH prepending on both sides equally would not differentiate; using VPN static routes would not support ECMP.

37
MCQhard

A company is implementing a hybrid network using AWS Direct Connect and VPN backup. The company has two Direct Connect connections from different providers and a site-to-site VPN as a backup. The company wants to ensure that traffic is always routed through the Direct Connect connections when they are healthy, and only fails over to the VPN if both Direct Connect connections fail. Which BGP configuration should be used on the customer gateway device (CGW) to achieve this?

A.Set a lower BGP Local Preference value for routes received from the VPN connection.
B.Apply a BGP community tag to routes received over the VPN to signal less preference.
C.Set a higher BGP Multi-Exit Discriminator (MED) value for routes advertised over the VPN.
D.Prepend AS_PATH on routes advertised over the Direct Connect connections.
AnswerA

Lower Local Preference makes the VPN routes less preferred, so Direct Connect routes are used when available.

Why this answer

Option A is correct because setting a lower Local Preference on the VPN routes makes them less preferred than Direct Connect routes. Option C is wrong because MED is used to influence inbound traffic. Option D is wrong because AS_PATH prepending would affect all traffic, including Direct Connect.

Option B is wrong because community tags are not used for route preference directly.

38
Multi-Selectmedium

A network engineer is troubleshooting connectivity issues between two VPCs connected via a Transit Gateway. The VPCs are in the same region and have proper route tables. Which TWO actions should the engineer perform to diagnose the problem?

Select 2 answers
A.Verify that the VPC route tables have routes pointing to the Transit Gateway attachment.
B.Check the security groups of the Transit Gateway.
C.Ping the Transit Gateway to verify its status.
D.Examine the network ACLs for the Transit Gateway.
E.Review VPC Flow Logs for the subnets to see if traffic is being blocked.
AnswersA, E

Missing routes would prevent traffic from reaching the Transit Gateway.

Why this answer

Option A is correct because checking route tables and association ensures traffic is directed to the Transit Gateway. Option E is correct because VPC Flow Logs can show dropped traffic. Option C is incorrect because the Transit Gateway does not respond to ping.

Option B is incorrect because security groups apply at the instance level, not to the Transit Gateway. Option D is incorrect because NACLs are stateless and less likely the issue.

39
MCQeasy

A company is migrating a legacy application to AWS. The application requires multicast traffic between EC2 instances. Which AWS service can support multicast within a VPC?

A.VPC native multicast
B.Amazon CloudFront
C.Application Load Balancer
D.Transit Gateway with multicast domain
AnswerD

Transit Gateway supports multicast.

Why this answer

AWS Transit Gateway supports multicast traffic through the creation of a multicast domain, which allows EC2 instances in different VPCs or subnets to send and receive multicast traffic. This is the only native AWS service that supports multicast within a VPC environment, making it the correct choice for migrating a legacy application that requires multicast.

Exam trap

The trap here is that candidates may assume 'VPC native multicast' exists because of the term 'native' or confuse multicast with broadcast or unicast features, but AWS VPC does not support multicast natively, and Transit Gateway is the required service.

How to eliminate wrong answers

Option A is wrong because AWS VPC does not natively support multicast traffic; multicast is not a feature of standard VPCs. Option B is wrong because Amazon CloudFront is a content delivery network (CDN) that delivers content over HTTP/HTTPS and does not support multicast IP traffic between EC2 instances. Option C is wrong because an Application Load Balancer operates at Layer 7 and handles unicast HTTP/HTTPS traffic; it cannot forward or replicate multicast packets.

40
MCQhard

A company uses AWS Direct Connect with a private VIF to connect to a VPC. They also have a VPN connection as a backup. How should they configure BGP to ensure that the VPN is only used when Direct Connect fails?

A.Use a lower local preference on the Direct Connect BGP session
B.Use a lower AS path prepend on the VPN BGP session
C.Use a higher local preference on the Direct Connect BGP session
D.Use a higher MED on the VPN BGP session
AnswerC

Higher local preference makes the Direct Connect route preferred.

Why this answer

Local preference is a BGP attribute used to influence outbound traffic from an AS. By setting a higher local preference on the Direct Connect BGP session, the router will prefer that path over the VPN session. When Direct Connect fails, the BGP session goes down, and the VPN route becomes the only available path, ensuring seamless failover.

Exam trap

The trap here is that candidates often confuse local preference (influences outbound path selection) with MED (influences inbound path selection) or AS path prepending (also influences inbound selection), leading them to choose options that would not achieve the desired primary/backup behavior for outbound traffic.

How to eliminate wrong answers

Option A is wrong because a lower local preference on the Direct Connect session would make it less preferred, causing the VPN to be used as the primary path, which contradicts the requirement. Option B is wrong because AS path prepending on the VPN session would make the VPN path less preferred (longer AS path), but the goal is to prefer Direct Connect; prepending on the VPN is unnecessary and could cause suboptimal routing if Direct Connect fails. Option D is wrong because MED (Multi-Exit Discriminator) is used to influence inbound traffic from a neighboring AS, not outbound traffic from the local AS; it does not affect which path the local router chooses for outbound traffic.

41
MCQhard

Refer to the exhibit. An EC2 instance in a VPC is assigned a public IP via an Elastic IP address. The instance is not reachable from the internet, although it has a security group allowing inbound HTTP traffic from 0.0.0.0/0. The VPC has an Internet Gateway attached to the route table of the subnet. What is the MOST likely cause?

A.The subnet route table does not have a default route (0.0.0.0/0) to the Internet Gateway
B.The source/destination check is enabled and should be disabled
C.The security group is blocking inbound traffic
D.The Elastic IP is not correctly associated with the instance
AnswerA

Without this route, traffic cannot reach the internet.

Why this answer

Option A is correct. SourceDestCheck must be disabled only for NAT instances; for a regular EC2 instance that is not a NAT, it should stay enabled, and the exhibit shows SourceDestCheck: true, which is correct. The issue is therefore most likely that the subnet's route table does not have a default route to the Internet Gateway.

Option D is wrong because the EIP is allocated and associated. Option C is wrong because the security group allows inbound HTTP. Option B is wrong because SourceDestCheck being true is correct for regular instances.

42
MCQeasy

A company needs to connect multiple VPCs to a common on-premises network through a single AWS Direct Connect connection. Which AWS service should be used to simplify this architecture?

A.AWS VPN CloudHub
B.AWS Transit Gateway
C.VPC peering
D.Virtual Private Gateway (VGW)
AnswerB

Acts as a hub for VPCs and on-premises networks.

Why this answer

Option B is correct because Transit Gateway allows connecting multiple VPCs and on-premises networks via a single Direct Connect connection using a transit VIF. Option C is wrong because VPC peering is point-to-point and does not scale to many VPCs. Option A is wrong because VPN CloudHub connects VPNs, not Direct Connect.

Option D is wrong because a VGW is per-VPC.

43
Multi-Selectmedium

A company is designing a multi-tier application in a VPC. The web tier must be accessible from the internet, while the application tier must only be accessible from the web tier. The database tier must be isolated from all other tiers except the application tier. Which TWO network architectures meet these requirements? (Choose TWO.)

Select 2 answers
A.Use a single public subnet for all tiers and control access with security groups.
B.Use private subnets for all tiers and a NAT gateway for internet access from the web tier. Use security groups to control traffic.
C.Use a public subnet for an Application Load Balancer and private subnets for web, app, and database tiers. Use security groups to restrict traffic between tiers.
D.Use a VPN connection from the on-premises network to access all tiers.
E.Use public subnets for the web tier, private subnets for the application tier, and isolated subnets (no route to internet) for the database tier. Use security groups to allow traffic only from the web to app and app to database.
AnswersC, E

The ALB in public subnet provides inbound access; private subnets isolate tiers.

Why this answer

Options C and E are correct. Option E uses public subnets for web, private subnets for app, and isolated subnets for database, with security groups controlling access. Option C uses private subnets with security groups and an ALB in a public subnet to expose the web tier.

Option A is wrong because a single public subnet does not isolate tiers. Option B is wrong because placing all tiers in private subnets with a NAT gateway does not provide inbound access from the internet. Option D is wrong because a VPN connection is not needed.

44
MCQeasy

A company is deploying a VPC with both public and private subnets. They have an EC2 instance in a private subnet that needs to access the internet for software updates. Which AWS service should be placed in a public subnet to enable this?

A.Internet gateway
B.VPC endpoint
C.Direct Connect virtual interface
D.NAT gateway
AnswerD

A NAT gateway in a public subnet enables outbound internet access for instances in private subnets.

Why this answer

A NAT gateway (or NAT instance) in a public subnet allows instances in private subnets to initiate outbound traffic to the internet while preventing inbound traffic from the internet. Option D is correct. Option A is incorrect because an internet gateway is attached to the VPC but does not allow private instances to initiate outbound traffic without a NAT.

Option B is incorrect because a VPC endpoint is for private connectivity to AWS services, not internet access. Option C is incorrect because a Direct Connect virtual interface is for hybrid connectivity, not internet access.

45
MCQhard

A company has a Direct Connect connection with a private VIF to a VPC. They have set up a Transit Gateway and attached the VPC and the Direct Connect gateway. The on-premises network can reach some VPC resources but not others. The VPC has multiple subnets with different CIDR blocks. The on-premises router is advertising the same prefixes over BGP. What is the most likely cause of the partial connectivity?

A.The VPC route tables for the subnets that cannot be reached do not have a route to the Transit Gateway for the on-premises prefixes.
B.The Direct Connect gateway association with the Transit Gateway is misconfigured.
C.The Transit Gateway route table does not have a static route or propagation for the on-premises prefixes.
D.The on-premises router is advertising different prefixes over BGP than expected.
AnswerA

Without a route in the VPC subnet route table pointing to the Transit Gateway, traffic from the VPC to on-premises will not be forwarded.

Why this answer

The most common cause of partial connectivity in this scenario is that the VPC route tables do not have routes pointing to the Transit Gateway for the on-premises prefixes. Even if the Transit Gateway has routes, the VPC subnets must send traffic to the Transit Gateway. Option A is correct.

Option C is incorrect because if the Transit Gateway route table had incorrect propagation, it would affect all prefixes equally. Option D is incorrect because the on-premises router advertising the same prefixes would not cause partial connectivity. Option B is incorrect because the Direct Connect gateway association is fine if some traffic works.

46
MCQhard

A company is building a hybrid network with an AWS Transit Gateway connecting multiple VPCs and an on-premises network via Direct Connect. The on-premises network uses BGP to advertise routes to the Transit Gateway. One of the VPCs has an overlapping CIDR (10.0.0.0/16) with the on-premises network (10.0.0.0/8). The company wants to ensure that traffic from other VPCs to 10.0.0.0/16 goes to the VPC, not on-premises. What configuration is required?

A.Use AS_PATH prepending on the on-premises BGP advertisements to make them less preferred
B.No additional configuration is needed; the more specific route will be preferred automatically
C.Add a static route in the Transit Gateway route table for 10.0.0.0/16 pointing to the VPC attachment
D.Disable route propagation from the Direct Connect virtual interface to the Transit Gateway
AnswerB

Correct; Transit Gateway uses longest prefix match, so the /16 from VPC is preferred over /8 from on-premises.

Why this answer

Option B is correct because Transit Gateway uses longest prefix match. The VPC's /16 is more specific than the on-premises /8, so traffic to 10.0.0.0/16 will automatically go to the VPC. No additional configuration is needed.

Option D is wrong because disabling route propagation would remove the on-premises routes entirely. Option C is wrong because a static route is not needed; longest prefix match already handles it. Option A is wrong because AS_PATH prepending is used to influence BGP path selection, but in this case longest prefix match is sufficient.

47
MCQmedium

A company wants to establish a dedicated, private connection between their on-premises data center and AWS. They require consistent, low-latency performance and support for multiple VLANs. Which AWS service should they use?

A.AWS Direct Connect
B.AWS Transit Gateway
C.AWS Site-to-Site VPN
D.VPC Peering
AnswerA

Direct Connect provides a dedicated private connection with VLAN support.

Why this answer

AWS Direct Connect provides a dedicated private connection with consistent performance and support for multiple VLANs. Option C is wrong because a VPN connection uses the public internet. Option D is wrong because VPC peering is for connecting VPCs.

Option B is wrong because Transit Gateway is a hub for multiple VPCs and on-premises networks, but the private connection itself is Direct Connect.

48
MCQeasy

A company needs to connect its on-premises data center to AWS with a dedicated, private network connection that provides consistent performance. Which AWS service should they use?

A.Internet Gateway
B.VPC Endpoint
C.AWS Direct Connect
D.Site-to-Site VPN
AnswerC

Direct Connect provides a dedicated, private connection with consistent bandwidth.

Why this answer

AWS Direct Connect provides a dedicated, private network connection from an on-premises data center to AWS, bypassing the public internet. This ensures consistent, low-latency performance and can reduce bandwidth costs for high-volume data transfer, making it the ideal choice for the stated requirement.

Exam trap

AWS often tests the misconception that a Site-to-Site VPN provides dedicated performance because it is encrypted, but the trap is that VPNs still traverse the public internet and cannot guarantee consistent bandwidth or latency like a dedicated physical connection (Direct Connect).

How to eliminate wrong answers

Option A is wrong because an Internet Gateway is a horizontally scaled, redundant component that allows VPC communication with the internet over the public internet, not a dedicated private connection, and performance can be variable due to internet congestion. Option B is wrong because a VPC Endpoint enables private connectivity to AWS services (e.g., S3, DynamoDB) from within a VPC using AWS PrivateLink, but it does not extend to an on-premises data center; it is a service-specific endpoint, not a site-to-site connection. Option D is wrong because a Site-to-Site VPN creates an encrypted tunnel over the public internet, which introduces latency variability and potential throughput limitations due to internet conditions, failing to provide the consistent, dedicated performance required.

49
MCQmedium

Refer to the exhibit. A CloudFormation template creates a VPC with public and private subnets. The template includes an Internet Gateway and a route table with a default route to the IGW, associated with the public subnet. An EC2 instance launched in the public subnet cannot be reached from the internet. The security group allows inbound HTTP from 0.0.0.0/0. What is the MOST likely missing resource?

A.A VPN connection to the VPC
B.A NAT Gateway in the public subnet
C.An Elastic IP address assigned to the instance or auto-assign public IP enabled on the subnet
D.A route table for the private subnet
AnswerC

Public instances need a public IP to be reachable.

Why this answer

Option C is correct. The template does not define a route table or route for the private subnet, but the instance is in the public subnet, and the template already contains PublicSubnetRouteTableAssociation, so the public subnet's default route to the IGW is in place. The missing piece is that the instance needs an Elastic IP or an auto-assigned public IP.

Option A is not needed for public subnets with an IGW. Option B is not needed for public subnets. Option D is not needed because the instance is in a public subnet.

50
Multi-Select · hard

Which THREE of the following are required to establish a highly available site-to-site VPN connection between an on-premises network and an AWS VPC? (Choose three.)

Select 3 answers
A. Two separate VPN connections
B. Two VPN tunnels (one primary, one secondary)
C. A customer gateway resource in AWS
D. A virtual private gateway attached to the VPC
E. An AWS Direct Connect connection
Answers: B, C, D

Two tunnels provide redundancy.

Why this answer

Options B, C, and D are correct. A highly available VPN requires at least two tunnels (option B), a customer gateway resource representing the on-premises device (option C), and a virtual private gateway attached to the VPC (option D). Option A is wrong because a single VPN connection can have two tunnels and still be highly available.

Option E is wrong because a Direct Connect connection is not required; VPN is standalone.

51
Multi-Select · medium

A company is deploying a VPC with a CIDR block of 10.0.0.0/16. The VPC requires six subnets: three public and three private, each with a /24 CIDR. The company needs to ensure high availability across three Availability Zones. Which TWO of the following are valid subnet CIDR assignments that meet these requirements?

Select 2 answers
A. Public: 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24; Private: 10.0.0.0/25, 10.0.1.0/25, 10.0.2.0/25
B. Public: 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24; Private: 10.0.3.0/24, 10.0.4.0/24, 10.0.5.0/24
C. Public: 10.0.0.0/24, 10.0.2.0/24, 10.0.4.0/24; Private: 10.0.1.0/24, 10.0.3.0/24, 10.0.5.0/24
D. Public: 10.0.0.0/24, 10.0.0.0/25, 10.0.0.128/25; Private: 10.0.1.0/24, 10.0.1.0/25, 10.0.1.128/25
E. Public: 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24; Private: 10.0.0.0/25, 10.0.1.0/25, 10.0.2.0/25
Answers: B, C

Non-overlapping, three AZs each.

Why this answer

Options B and C are correct because each provides six non-overlapping /24 subnets, one public and one private per AZ across three AZs. Options A and E overlap because their private /25 ranges sit inside the public /24 ranges, and option D overlaps because its /25 ranges sit inside its own /24 ranges.

52
MCQ · hard

A company has a Direct Connect connection with a private VIF to a Direct Connect gateway. The VIF is associated with a Direct Connect gateway that has a virtual private gateway (VGW) attachment to a VPC. The on-premises network is advertising a route to 10.0.0.0/16. However, the VPC cannot reach on-premises resources. The VPC has a route table with a route to 10.0.0.0/16 pointing to the VGW. What is the MOST likely cause?

A. The VPC route table does not have route propagation enabled for the virtual private gateway
B. The on-premises router is not using BGP to advertise routes
C. The security group on the VPC instances is blocking inbound traffic
D. The Direct Connect gateway does not support the prefix 10.0.0.0/16
Answer: A

Without propagation, the VPC does not learn on-premises routes.

Why this answer

Option A is correct because the VGW must propagate the routes it learns from the Direct Connect gateway into the VPC route table. Without propagation, the VPC does not know the on-premises routes. Option B is incorrect because BGP is the standard routing protocol over Direct Connect and is in use here.

Option D is incorrect because the Direct Connect gateway can handle multiple prefixes. Option C is incorrect because security groups do not affect routing decisions.

53
MCQ · hard

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. They have a VPC with a CIDR of 10.0.0.0/16 and an on-premises network with CIDR 10.0.0.0/8. The Transit Gateway route table has a static route for 10.0.0.0/8 pointing to the VPN attachment. However, traffic from on-premises to the VPC is not working. What is the most likely cause?

A. The VPN attachment is in the wrong TGW route table.
B. The VPC route table does not have a route pointing to the Transit Gateway for on-premises traffic.
C. The VPC CIDR overlaps with the on-premises CIDR.
D. The Transit Gateway route table does not have a route for the VPC CIDR.
Answer: B

Return traffic needs a route to TGW.

Why this answer

Option B is correct because the VPC's route table only has the local route for 10.0.0.0/16; a route for the on-premises CIDR (10.0.0.0/8) pointing to the Transit Gateway is needed for return traffic. Option D is incorrect because the TGW route table is correct. Option C is incorrect because, although overlapping CIDRs cause issues, the TGW can handle them with more specific routes.

Option A is incorrect because the VPN attachment is used.

54
Multi-Select · easy

A company is designing a network for a three-tier web application on AWS. The web tier must be accessible from the internet, and the application and database tiers must be in private subnets. The company wants to use a single AWS Region and ensure high availability. Which TWO configurations should be implemented? (Choose two.)

Select 2 answers
A. Place an internet-facing Application Load Balancer (ALB) in public subnets across two Availability Zones.
B. Configure the web tier EC2 instances in an Auto Scaling group across two Availability Zones.
C. Use a stateful network ACL for the web tier subnets to simplify security rules.
D. Deploy a NAT Gateway in a single Availability Zone for outbound traffic from private subnets.
E. Create the VPC with a single Availability Zone to simplify management.
Answers: A, B

Provides high availability and internet access for the web tier.

Why this answer

Option A is correct because an internet-facing Application Load Balancer (ALB) in public subnets across two Availability Zones (AZs) provides both internet access to the web tier and high availability. The ALB distributes incoming HTTP/HTTPS traffic to web instances in private subnets, and deploying across two AZs ensures fault tolerance if one AZ fails. Option B is correct because an Auto Scaling group spanning two AZs keeps the web tier running and replaces failed instances if one AZ becomes unavailable.

Exam trap

The trap here is that candidates often confuse stateless network ACLs with stateful security groups, leading them to incorrectly select option C, or they assume a single NAT Gateway is sufficient for high availability, overlooking the need for redundancy in each AZ.

55
MCQ · medium

A company uses AWS PrivateLink to access a SaaS application hosted in another AWS account. The SaaS provider has created a VPC endpoint service in their account. The consumer has created a VPC endpoint in their VPC. The consumer's VPC has a route table with a local route and a route to a NAT gateway. The VPC endpoint is associated with a security group that allows inbound HTTPS from the consumer's VPC CIDR. The consumer's EC2 instances can resolve the DNS name of the endpoint but cannot connect to the SaaS service. What is the most likely cause?

A. The consumer's route table routes traffic to the endpoint via the NAT gateway
B. The VPC endpoint service is not available in the consumer's Availability Zone
C. The VPC endpoint security group does not allow inbound HTTPS from the consumer's EC2 instances
D. The consumer's route table does not have a route to the VPC endpoint
Answer: C

The security group must allow inbound traffic from instances.

Why this answer

For PrivateLink, the consumer's VPC endpoint is associated with a security group that controls inbound traffic to the endpoint's network interfaces from the consumer's instances. Because the instances can resolve the endpoint's DNS name but cannot connect, name resolution is working and the connection itself is being blocked.

The most likely cause is that the endpoint's security group does not allow inbound HTTPS from the instances (option C). Option A (NAT gateway) is irrelevant because PrivateLink traffic uses private IPs and does not go through the NAT gateway. Option D (route table) is wrong because the endpoint is reached through the VPC's local route via the endpoint's network interfaces.

Option B (availability) is wrong because DNS resolution works.

56
Multi-Select · medium

A company has a VPC with a CIDR block of 10.0.0.0/16 and needs to establish connectivity to an on-premises network via AWS Site-to-Site VPN. The on-premises network uses a CIDR block of 192.168.0.0/16. The VPN connection will be redundant using two tunnels. Which TWO actions are required to enable this connectivity?

Select 2 answers
A. Create a Customer Gateway (CGW) in the same AWS region.
B. Create a Direct Connect virtual interface.
C. Create a Virtual Private Gateway (VGW) and attach it to the VPC.
D. Configure a NAT Gateway in the VPC.
E. Add a route in the VPC route tables pointing to the VGW for the on-premises CIDR.
Answers: C, E

VGW is required for VPN termination on AWS side.

Why this answer

Options C and E are correct. Option C is correct because a Virtual Private Gateway must be attached to the VPC to terminate the VPN on the AWS side. Option E is correct because the VPC route tables must have routes for the on-premises CIDR (192.168.0.0/16) pointing to the VGW.

Option A is wrong because the Customer Gateway represents the on-premises device, not the AWS-side termination point. Option B is wrong because Direct Connect is a different service. Option D is wrong because a NAT Gateway is for outbound internet access.

57
MCQ · hard

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network team reports intermittent connectivity loss to resources in the VPC, but the Direct Connect tunnel status shows as UP. Which configuration is MOST likely causing the issue?

A. The BGP keepalive interval is set to 60 seconds
B. Jumbo frames are enabled on the Direct Connect interface but not on on-premises routers
C. A separate private VIF is required for each VPC in the account
D. Traffic is being routed asymmetrically through the Direct Connect and a VPN backup
Answer: D

Asymmetric routing can cause connectivity issues if stateful firewalls or security groups block return traffic.

Why this answer

Option D is correct because asymmetric routing can cause connectivity drops if traffic returns via a different path and is dropped by security groups, network ACLs, or stateful firewalls. Option A is incorrect because the BGP keepalive interval would not affect specific traffic flows while the session stays up. Option B is incorrect because an MTU mismatch from jumbo frames may cause fragmentation but not intermittent loss.

Option C is incorrect because a separate VIF is not required for each VPC.

58
MCQ · medium

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. They have also set up a Site-to-Site VPN as a backup. The VPC has a virtual private gateway (VGW) attached. The on-premises network uses BGP over the Direct Connect and static routes for the VPN. The network engineer notices that traffic from the VPC to on-premises is not using the Direct Connect when it is available; instead, it goes over the VPN. The VPC route table has a route for the on-premises CIDR (10.0.0.0/8) to the VGW. The VPN connection is configured with static routes. What is the MOST likely cause of this behavior?

A. The VPN static route has higher precedence than the BGP route from Direct Connect
B. The VPC route table does not have a route for the on-premises CIDR
C. The VGW is not attached to the VPC
D. The Direct Connect virtual interface is not associated with the VGW
Answer: A

Correct; static routes (from VPN) are preferred over BGP propagated routes in AWS route tables.

Why this answer

Option A is correct. When a VGW is used, routes from the Direct Connect virtual interface (learned via BGP) and from the VPN connection can both be present in the VPC route table. Here both routes are for the same CIDR, 10.0.0.0/8: the Direct Connect virtual interface advertises it via BGP, and the VPN connection carries a static route for it.

AWS route tables use longest-prefix match first, but when the prefix lengths are equal, static routes take precedence over propagated (BGP) routes. The static route from the VPN is therefore preferred over the BGP route from Direct Connect, which is exactly the behavior observed.

The engineer should either remove the static route from the VPN or use BGP on the VPN so that path selection can prefer Direct Connect. Option D is incorrect because both paths terminate on the VGW. Option C is incorrect because the VGW is attached.

Option B is incorrect because the VPC route table does have a route for the on-premises CIDR.

59
MCQ · medium

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to access an S3 bucket in the same Region. Which solution provides the most secure and cost-effective connectivity?

A. Create a NAT gateway in a public subnet and add a route in the private subnet's route table pointing to the NAT gateway.
B. Create an interface endpoint for S3 in the private subnet.
C. Attach an internet gateway to the VPC and add a route to the internet gateway in the private subnet's route table.
D. Create a gateway endpoint for S3 in the VPC and add a route in the private subnet's route table pointing to the endpoint.
Answer: D

A gateway endpoint provides private, cost-effective access to S3 without internet connectivity.

Why this answer

Option D is correct because a gateway endpoint for S3 is free and provides private connectivity to S3 without traversing the internet. Option C is wrong because an internet gateway would expose the instance to the internet and incur costs. Option A is wrong because a NAT gateway incurs costs and is less secure than a VPC endpoint.

Option B is wrong because an interface endpoint for S3 is not available; S3 uses gateway endpoints.

60
MCQ · hard

A company has a Direct Connect connection with a private VIF to a VPC. The VPC has a virtual private gateway (VGW) attached. The on-premises network advertises a prefix 10.0.0.0/8 over BGP. The VPC has subnets with CIDR 10.0.1.0/24 and 10.0.2.0/24. The company wants to ensure that traffic to on-premises uses Direct Connect. However, traffic to an S3 bucket uses the internet. What route configuration is required?

A. Change the VPC CIDR to avoid overlap with on-premises.
B. Add specific routes for S3 public IP prefixes pointing to the internet gateway.
C. Add a static route for 0.0.0.0/0 pointing to the internet gateway.
D. Add a static route in the VPC route table for 0.0.0.0/0 pointing to the VGW.
Answer: B

More specific routes override the general route to VGW, directing S3 traffic to IGW.

Why this answer

Option B is correct because adding specific routes for the S3 public IP prefixes pointing to the internet gateway overrides the more general route through the VGW for those destinations, since the most specific route wins. Option D is wrong because a 0.0.0.0/0 route to the VGW would send S3 traffic through Direct Connect. Option A is wrong because the VPC CIDR cannot be changed.

Option C is wrong because more specific routes to the IGW are needed.

61
MCQ · medium

A company is designing a hybrid network architecture that requires high availability and low latency between its on-premises data center and AWS. They have two redundant 1 Gbps AWS Direct Connect connections. The company wants to use BGP to advertise the same prefix from both locations to AWS. How should they configure the BGP attributes to ensure active/passive failover with automatic failback?

A. Prepend the AS path on the secondary connection's BGP advertisements
B. Set a higher MED value on the primary connection's BGP advertisements
C. Set a higher local preference on the secondary connection's BGP advertisements
D. Use BGP communities to tag routes and manipulate preference on AWS side
Answer: A

AS path prepending makes the secondary path less preferred; the primary will be used, and failover/failback occurs automatically.

Why this answer

Option A is correct because prepending the AS path on the secondary connection leaves the primary with the shorter AS path, so the primary is preferred; if the primary fails, the prepended path becomes active, and when the primary recovers its shorter AS path is preferred again, providing automatic failback. Option C is wrong because local preference is applied inbound, not outbound. Option B is wrong because MED is not typically used across different ASes.

Option D is wrong because communities do not directly influence path selection for failover.

62
MCQ · hard

A company is designing a hybrid network using AWS Direct Connect. They have two Direct Connect connections from different providers to two different AWS Direct Connect locations. They want to configure a virtual interface (VIF) that provides connectivity to multiple VPCs in the same region. Which type of VIF should they use?

A. Hosted virtual interface
B. Public virtual interface
C. Private virtual interface
D. Transit virtual interface
Answer: D

Transit VIF connects to Transit Gateway for multiple VPCs.

Why this answer

Option D is correct because a transit virtual interface connects (through a Direct Connect gateway) to a Transit Gateway, which can then be attached to multiple VPCs. Option C is incorrect because a private VIF connects to a single VPC. Option B is incorrect because a public VIF is for public services.

Option A is incorrect because a hosted VIF is for partner connections.

63
MCQ · easy

A company is deploying a new application in a VPC with public and private subnets. The application needs to access an S3 bucket in the same AWS Region. Which configuration provides the MOST secure and cost-effective connectivity?

A. Configure a proxy server in the public subnet to forward requests to S3.
B. Set up an AWS Direct Connect connection to S3.
C. Create a NAT gateway in the public subnet and route traffic through it.
D. Create an S3 Gateway Endpoint in the VPC and add a route to it.
Answer: D

Gateway Endpoint provides private, free access to S3 within same Region.

Why this answer

Option D is correct because an S3 Gateway Endpoint provides private connectivity to S3 without traversing the internet or incurring NAT gateway costs. Option C is wrong because a NAT gateway adds cost and still sends traffic over the internet. Option B is wrong because Direct Connect is overkill and costly.

Option A is wrong because proxy servers add complexity and cost.

64
MCQ · easy

A company is setting up a new VPC with both IPv4 and IPv6 support. They need to ensure that instances in a private subnet can access the Internet for software updates. Which combination of resources is required?

A. VPC endpoint and internet gateway
B. NAT gateway and egress-only internet gateway
C. NAT instance and internet gateway
D. Internet gateway and NAT gateway
Answer: B

NAT for IPv4, egress-only for IPv6.

Why this answer

Option B is correct because a NAT gateway provides IPv4 internet access, and an egress-only internet gateway provides IPv6 internet access for private instances. Option D is wrong because an internet gateway is for public subnets and does not cover IPv6 egress from the private subnet. Option C is wrong because a NAT instance is outdated and more complex.

Option A is wrong because a VPC endpoint is for AWS services, not the internet.

65
MCQ · medium

A company is deploying an AWS Network Firewall in a centralized inspection VPC to inspect traffic between VPCs connected to an AWS Transit Gateway. The architecture uses Transit Gateway route tables to send inter-VPC traffic through the inspection VPC. The Network Firewall is configured with stateful and stateless rule groups. After deployment, the security team notices that traffic from VPC A to VPC B is being dropped. Other traffic flows correctly. What is the MOST likely cause of this issue?

A. The route table for VPC A's subnets does not have a route to the inspection VPC.
B. The stateless rule group is set to forward traffic, but the stateful rule group is not configured to allow the traffic.
C. The stateful rule group is configured to drop all traffic that is not explicitly allowed.
D. The security group attached to the Transit Gateway is blocking the traffic.
Answer: B

Stateful rules process first and can drop traffic even if stateless allows.

Why this answer

Option B is correct because the stateful rule group must contain a pass rule for the traffic; the stateless rule group forwarding the traffic to the stateful engine is not enough on its own. Option C is incorrect because a stateful group that drops everything not explicitly allowed would affect all flows, yet other traffic flows correctly. Option A is incorrect because VPC A's subnet route tables do not affect the firewall's rule evaluation.

Option D is incorrect because Transit Gateway does not have security groups.

66
MCQ · easy

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download software patches from the internet. Which AWS service should be used to provide outbound internet access without allowing inbound traffic?

A. Site-to-Site VPN connection
B. VPC endpoint
C. NAT gateway
D. Internet gateway
Answer: C

NAT gateway enables outbound internet access for instances in private subnets.

Why this answer

Option C is correct because a NAT gateway allows outbound internet traffic from private subnets and blocks unsolicited inbound traffic. Option D is wrong because an internet gateway is for public subnets and allows inbound traffic. Option B is wrong because a VPC endpoint is for accessing AWS services privately, not the internet.

Option A is wrong because a VPN connection is for hybrid connectivity, not internet access.

67
MCQ · medium

A company has a Direct Connect connection with a public virtual interface (VIF) to access AWS public services. They want to ensure that all traffic to Amazon S3 from on-premises uses the Direct Connect connection instead of the internet. Which configuration is required?

A. Establish a VPN connection over the Direct Connect private VIF and route S3 traffic through the VPN.
B. Use the public virtual interface and configure a route filter to only accept routes for the S3 service.
C. Create a private virtual interface and attach it to the VPC.
D. Create a Direct Connect gateway and associate the public VIF with it.
Answer: B

A public VIF provides access to AWS public services, and route filters can restrict which prefixes are advertised.

Why this answer

Option B is correct because using a public VIF with a route filter that only accepts S3 prefixes ensures traffic to S3 uses Direct Connect. Option C is wrong because a private VIF is for private IP connectivity to VPCs, not public services. Option A is wrong because a VPN over Direct Connect is unnecessary and adds complexity.

Option D is wrong because a Direct Connect gateway is used with private VIFs to reach multiple VPCs, not with public VIFs.

68
MCQ · hard

A company has a Direct Connect connection with a private VIF to a VPC. They want to extend this connectivity to multiple VPCs in the same region without creating additional VIFs. Which solution should they implement?

A. Provision additional private VIFs for each VPC
B. Use VPC peering between the VPCs
C. Use a Transit VPC with VPN connections
D. Use a Direct Connect Gateway and attach the VPCs
Answer: D

Direct Connect Gateway enables a single VIF to connect to multiple VPCs.

Why this answer

Option D is correct because a Direct Connect Gateway allows a single private VIF to connect to multiple VPCs in the same region. Option C (a transit VPC with VPN connections) is for hybrid connectivity and does not extend the existing VIF to multiple VPCs. Option B (VPC peering) is for inter-VPC routing, not for extending the Direct Connect path.

Option A creates additional VIFs, which the question rules out.

69
MCQ · medium

A company is designing a multi-region architecture with an Application Load Balancer (ALB) in each region. They want to route users to the nearest healthy ALB using latency-based routing. Which AWS service should be used?

A. Amazon Route 53 latency-based routing
B. Amazon CloudWatch
C. VPC Traffic Mirroring
D. AWS Global Accelerator
Answer: A

Latency-based routing routes users to the region with the lowest latency.

Why this answer

Amazon Route 53 latency-based routing directs user traffic to the AWS region with the lowest network latency for the end user, based on latency measurements between the user and each region's resources. This matches the requirement to route users to the nearest healthy ALB, as Route 53 can evaluate health checks on the ALBs and only route to healthy endpoints.

Exam trap

AWS often tests the distinction between DNS-based latency routing (Route 53) and anycast-based traffic acceleration (Global Accelerator), where candidates mistakenly choose Global Accelerator because it also improves performance, but it does not perform per-request latency-based DNS routing to the nearest healthy ALB.

How to eliminate wrong answers

Option B (Amazon CloudWatch) is wrong because CloudWatch is a monitoring and observability service for collecting metrics, logs, and alarms; it does not perform DNS routing or traffic steering. Option C (VPC Traffic Mirroring) is wrong because it copies network traffic from an elastic network interface for analysis (e.g., security inspection) and has no capability to route users based on latency or health. Option D (AWS Global Accelerator) is wrong because while it uses the AWS global network and anycast IPs to improve performance, it does not use latency-based DNS routing; it relies on static anycast IPs and endpoint weights, not per-request latency measurements to the nearest healthy ALB.

70
MCQ · easy

A developer wants to allow an EC2 instance in a VPC to access an Amazon S3 bucket without traversing the public internet. Which AWS service should be used?

A. AWS PrivateLink with an interface VPC endpoint.
B. VPC Gateway Endpoint for S3.
C. NAT gateway in the public subnet.
D. AWS Direct Connect with a public VIF.
Answer: B

Gateway endpoints provide private access to S3 and DynamoDB.

Why this answer

Option B is correct because a VPC Gateway Endpoint allows private access to S3 without requiring an internet gateway or NAT device. Option A is incorrect because S3 does not use an interface endpoint directly (it uses a gateway endpoint). Option C is incorrect because a NAT gateway provides internet access, not private access to S3.

Option D is incorrect because S3 is not reachable privately over Direct Connect without a VPC endpoint.

71
MCQ · medium

A company is implementing a hybrid network using AWS Direct Connect and VPN backup. They have multiple VPCs in a single AWS Region. Which design minimizes the number of Direct Connect virtual interfaces while providing connectivity to all VPCs?

A. Create one private VIF attached to a Direct Connect gateway and associate the gateway with all VPCs.
B. Set up a transit VPC with EC2-based routers.
C. Create a separate private VIF for each VPC.
D. Use a single public VIF and route through the internet.
Answer: A

Direct Connect gateway enables multi-VPC connectivity over one VIF.

Why this answer

Option A is correct because a Direct Connect gateway allows multiple VPCs to connect via a single virtual interface (VIF). Option C is wrong because each private VIF is limited to one VPC, so a VIF per VPC does not minimize the VIF count. Option D is wrong because a public VIF routed through the internet does not provide private connectivity to the VPCs; the VPN is the backup, not the primary path.

Option B is wrong because a transit VPC adds complexity.

72
Multi-Select · hard

A company is designing a multi-region architecture using AWS Direct Connect. Which TWO of the following are valid configurations for connecting to multiple regions? (Select TWO.)

Select 2 answers
A. Use a single Direct Connect connection to connect to all regions
B. Set up separate Direct Connect connections in each region
C. Use a Transit Gateway to connect to multiple regions
D. Use a single private VIF associated with multiple regions
E. Create a Direct Connect Gateway and associate VPCs from different regions
Answers: B, E

You can have multiple connections in different regions.

Why this answer

Options B and E are correct. A Direct Connect Gateway can be associated with VPCs in different regions, and separate Direct Connect connections can be set up in each region. Option D is incorrect because a single private VIF cannot be associated with multiple regions.

Option A is incorrect because a Direct Connect connection is tied to a specific AWS region. Option C is incorrect because a Transit Gateway is regional.

73
MCQ · medium

A company has deployed a web application on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The application must be accessible over the internet, but the security team requires that all traffic be inspected by a third-party firewall appliance. What is the MOST scalable architecture?

A. Configure a Network Load Balancer with target groups pointing to firewall appliances.
B. Use an EC2 instance as a transparent proxy and set it as the next-hop in the route table.
C. Use a Gateway Load Balancer with firewall appliances in each Availability Zone.
D. Deploy a single firewall appliance in one Availability Zone and route all traffic through it.
Answer: C

GWLB provides scalable, HA traffic inspection.

Why this answer

Option C is correct because a Gateway Load Balancer with firewall appliances in multiple AZs provides high availability and scalability. Option D is wrong because a single firewall appliance is a single point of failure (SPOF). Option B is wrong because an EC2 instance as the next hop in a route table does not scale.

Option A is wrong because a Network Load Balancer does not inspect traffic; it only load balances.

74
MCQ · hard

A global e-commerce company operates a production environment on AWS with a VPC (10.0.0.0/16) containing public and private subnets in three Availability Zones. The application runs on EC2 instances in private subnets behind an Application Load Balancer (ALB) in public subnets. The company uses AWS Transit Gateway to connect multiple VPCs and on-premises data centers via Site-to-Site VPN. Recently, the operations team noticed intermittent connectivity issues: users in the Asia-Pacific region experience slow page load times and occasional timeouts, while users in other regions have no issues. The network team suspects packet loss or high latency on the VPN connection to the on-premises data center in Singapore, which hosts a critical database. The AWS Direct Connect connection is not yet available. The team ran a traceroute from an EC2 instance in the production VPC to the database server (IP 203.0.113.50) and observed high latency and packet loss on the fifth hop (a transit gateway attachment). The VPN tunnel status shows 'UP' on both ends. CloudWatch metrics for the VPN tunnel show no errors but high 'TunnelData' bytes. What should the network engineer do FIRST to resolve the issue?

A. Enable jumbo frames on the transit gateway and the EC2 instances in the private subnets.
B. Increase the VPN tunnel bandwidth by creating a second VPN tunnel and enabling ECMP.
C. Modify the BGP attributes on the transit gateway to prefer the Direct Connect path once it becomes available.
D. Rebuild the VPN connection using a different customer gateway device with stronger encryption.
Answer: A

Jumbo frames increase MTU, reducing fragmentation and packet loss, thus improving performance.

Why this answer

Option A is correct because enabling jumbo frames on the transit gateway and EC2 instances can improve throughput and reduce latency by allowing a larger MTU, which reduces the number of packets and thus CPU overhead. High latency and packet loss on a transit gateway attachment, especially with high data volume, suggests MTU issues. Option C is incorrect because while BGP attributes can influence routing, the symptoms point to MTU fragmentation rather than suboptimal routing, and the Direct Connect path is not yet available.

Option B is incorrect because increasing VPN bandwidth does not address packet loss due to MTU. Option D is incorrect because the VPN tunnel is already up and CloudWatch shows high data volume, not errors.

75
MCQ · easy

A network engineer needs to allow an EC2 instance in a private subnet to access an S3 bucket without traversing the internet. Which AWS service should be used?

A. VPC Peering
B. VPC Gateway Endpoint
C. Internet Gateway
D. NAT Gateway
Answer: B

Gateway Endpoint allows private access to S3.

Why this answer

A VPC Gateway Endpoint provides private connectivity to S3 and DynamoDB without requiring a NAT or IGW.
