CCNA Network Implementation Questions

75 of 434 questions · Page 3/6 · Network Implementation · Answers revealed

151
Multi-Select · hard

An organization is designing a hybrid network using AWS Direct Connect with a private VIF. They want to ensure high availability and failover. Which THREE components should be part of the design?

Select 3 answers
A. A NAT gateway in each Availability Zone.
B. Two separate Direct Connect connections from different providers or locations.
C. BGP with multiple sessions and AS-path prepending for route preference.
D. A VPN connection as a backup to the Direct Connect.
E. A single Direct Connect connection with multiple VLANs.
Answers: B, C, D

Redundant physical connections prevent a single point of failure.

Why this answer

Option B is correct because two connections terminating at different Direct Connect locations (or delivered by different providers) remove the single physical point of failure. Option C is correct because a BGP session per connection gives dynamic failover, and AS-path prepending on the secondary path keeps the primary preferred while both are up. Option D is correct because a Site-to-Site VPN over the internet is the standard lower-bandwidth backup for when every Direct Connect path is down.

Option E is incorrect because several VLANs (VIFs) on one connection still share one physical circuit and one router port. Option A is incorrect because a NAT gateway handles outbound internet access from private subnets and plays no part in Direct Connect availability.
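Worked example, added here and not part of the quiz: a small model of BGP best-path selection that shows how options B, C and D fit together. It takes the AWS side's view of an on-premises prefix advertised over two Direct Connect private VIFs and a backup Site-to-Site VPN. AWS prefers Direct Connect over VPN (expressed here as LOCAL_PREF) and, between the two Direct Connect paths, the shorter AS_PATH, so prepending the customer ASN on the secondary VIF keeps the primary active until its session drops. The ASNs, peer addresses and prefix are constructed, and only the first two steps of the real decision process are modelled.

```python
"""BGP best-path selection across redundant Direct Connect links (added example).

AWS-side view: the on-premises router advertises 192.168.0.0/16 over two
Direct Connect private VIFs and a backup Site-to-Site VPN. AWS prefers
Direct Connect over VPN (modelled as LOCAL_PREF) and, between the two
Direct Connect paths, the shorter AS_PATH, so prepending the customer ASN
on the secondary VIF steers AWS -> on-premises traffic to the primary until
that session drops. Only the first two decision steps are modelled; ASNs,
peer addresses and the prefix are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

ON_PREM_ASN = 65000            # constructed private ASN of the customer
DX_PREF, VPN_PREF = 200, 100   # Direct Connect paths preferred over VPN paths


@dataclass(frozen=True)
class BgpPath:
    link: str                  # constructed name of the session/link
    prefix: str                # destination learned from the neighbour
    next_hop: str              # neighbour address (constructed)
    as_path: Tuple[int, ...]   # AS_PATH as received; leftmost = nearest AS
    local_pref: int            # assigned by the receiver's inbound policy


def prepend(as_path: Tuple[int, ...], asn: int, times: int) -> Tuple[int, ...]:
    """What the advertising router does to make one of its paths less attractive."""
    return (asn,) * times + tuple(as_path)


def best_path(paths: Iterable[BgpPath]) -> Optional[BgpPath]:
    """Highest LOCAL_PREF wins, then shortest AS_PATH. Remaining ties are
    broken by next-hop string here for determinism; a real router continues
    with ORIGIN, MED, eBGP over iBGP, IGP cost and router ID."""
    candidates = list(paths)
    if not candidates:
        return None
    return min(candidates, key=lambda p: (-p.local_pref, len(p.as_path), p.next_hop))


def learned_paths() -> dict:
    """The three paths to the on-premises prefix as the AWS side receives them."""
    onprem = "192.168.0.0/16"
    return {
        "dx-primary": BgpPath("dx-primary", onprem, "169.254.10.2", (ON_PREM_ASN,), DX_PREF),
        # Secondary VIF: same LOCAL_PREF, but the customer prepended its ASN
        # twice, so it loses on AS_PATH length while the primary is up.
        # Prepending alone could not overcome a LOCAL_PREF difference.
        "dx-secondary": BgpPath("dx-secondary", onprem, "169.254.20.2",
                                prepend((ON_PREM_ASN,), ON_PREM_ASN, 2), DX_PREF),
        # Backup VPN: shortest AS_PATH, yet lowest LOCAL_PREF, so it carries
        # traffic only once both Direct Connect sessions are gone.
        "vpn-backup": BgpPath("vpn-backup", onprem, "169.254.30.2", (ON_PREM_ASN,), VPN_PREF),
    }


def active_link(failed: Tuple[str, ...] = ()) -> Optional[str]:
    """Link carrying AWS -> on-premises traffic after the named sessions dropped."""
    remaining = [p for name, p in learned_paths().items() if name not in failed]
    chosen = best_path(remaining)
    return chosen.link if chosen else None


if __name__ == "__main__":
    for down in ((), ("dx-primary",), ("dx-primary", "dx-secondary")):
        print(f"down={list(down) or 'none'} -> active={active_link(down)}")
```

Running it walks through the failover order: primary Direct Connect, then the prepended secondary, then the VPN; with all three sessions down there is no path at all, which is the case option B exists to prevent.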

152
MCQ · medium

A company has a VPC with a public subnet and a private subnet. They launch an EC2 instance in the private subnet with a private IP only. The instance needs to download patches from the internet. Which configuration is required?

A. Launch a NAT instance in the private subnet and configure source/destination check.
B. Create a VPC endpoint for the patch service.
C. Create a NAT gateway in the public subnet and add a default route to the NAT gateway in the private subnet's route table.
D. Attach an internet gateway to the VPC and add a default route to it in the private subnet's route table.
Answer: C

NAT gateway enables outbound internet access for private instances while preventing inbound traffic.

Why this answer

Option C is correct because a NAT gateway in the public subnet (whose own route table sends 0.0.0.0/0 to the internet gateway) translates the private instances' addresses to its Elastic IP, and the private route table's default route to the NAT gateway is what sends their traffic there; since the gateway only tracks connections the instances open, nothing on the internet can initiate a connection to them. Option D is incorrect because a default route to the internet gateway does nothing for an instance with only a private IP: the internet gateway translates only for instances that hold a public or Elastic IP. Option A is incorrect because a NAT instance must sit in the public subnet to reach the internet gateway, and its source/destination check must be disabled, not configured, for it to forward other instances' traffic.

Option B is incorrect because a VPC endpoint reaches a specific AWS service privately; it does not provide general internet access to a patch repository.

153
MCQ · medium

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network uses BGP to advertise its prefixes. Recently, the on-premises router started advertising a more specific route (10.0.0.0/24) that overlaps with the VPC's CIDR (10.0.0.0/16). What is the impact on traffic destined to 10.0.0.5?

A. The instance becomes unreachable from on-premises.
B. Return traffic from the instance to on-premises is routed through Direct Connect instead of staying within the VPC.
C. Traffic destined to the instance is blackholed.
D. Traffic is load-balanced between the VPC and Direct Connect.
Answer: B

The more specific route is preferred.

Why this answer

Option B is correct because the virtual private gateway propagates the more specific /24 into the VPC route tables, and longest prefix match prefers it to the /16 for the addresses it covers, so traffic for 10.0.0.5 that should have stayed inside the VPC is sent over Direct Connect toward on-premises. Option A is wrong because on-premises still has a path to the instance over the private VIF. Option C is wrong because nothing is blackholed: the packets are delivered to the on-premises router.

Option D is wrong because a route table selects a single route by longest prefix match; it does not load-balance between two destinations.

154
Matching · medium

Match each AWS security feature to its description.

Concepts and matches (answers revealed)

Security groups: Stateful firewall that controls inbound and outbound traffic at instance level
Network ACLs: Stateless firewall that controls traffic at subnet level
AWS WAF: Web application firewall that protects against common web exploits
AWS Shield Advanced: Managed DDoS protection service with enhanced detection and mitigation
AWS Network Firewall: Managed firewall service that provides stateful inspection for VPC traffic

Why these pairings

These are the core AWS network-protection services, each at a different layer: security groups (stateful, attached to the ENI) and network ACLs (stateless, attached to the subnet) filter inside the VPC; AWS Network Firewall adds managed stateful inspection and rule groups, typically in a dedicated inspection subnet; AWS WAF inspects HTTP(S) requests at an ALB, CloudFront distribution or API Gateway; AWS Shield Advanced adds managed DDoS detection, mitigation and response on top of the always-on Shield Standard.

155
Multi-Select · medium

Which TWO of the following are valid methods to connect an on-premises data center to an Amazon VPC over a private, dedicated network connection? (Choose two.)

Select 2 answers
A. VPC peering
B. AWS Direct Connect
C. AWS Direct Connect with a VPN (IPsec) over the private VIF
D. AWS Site-to-Site VPN over the internet
E. AWS Client VPN
Answers: B, C

Direct Connect provides a dedicated private connection.

Why this answer

Option B is correct because Direct Connect is a dedicated circuit from the customer's router to an AWS Direct Connect location. Option C is also correct because the IPsec tunnel rides on that same dedicated circuit; the VPN adds encryption while the transport stays private. Option D is not dedicated: a Site-to-Site VPN over the internet shares public transit. Option A joins two VPCs, not a data center. Option E connects individual client devices, not a site.

156
MCQ · medium

A company has a VPC with a CIDR of 10.0.0.0/16. They have two Availability Zones, each with a public subnet (10.0.1.0/24 and 10.0.2.0/24) and a private subnet (10.0.3.0/24 and 10.0.4.0/24). They have an internet-facing ALB in the public subnets and EC2 instances in the private subnets. The EC2 instances need to download updates from the internet. They deploy a NAT Gateway in each public subnet and add routes in the private subnet route tables pointing to the respective NAT Gateway in the same AZ. However, the EC2 instances in AZ2 cannot access the internet, while those in AZ1 can. What is the most likely cause?

A. The security group of the EC2 instances in AZ2 is blocking outbound traffic.
B. The NAT Gateway in AZ2 does not have an Elastic IP address assigned.
C. The private subnet in AZ2 is routing traffic to the NAT Gateway in AZ1, which is in a different Availability Zone and incurs cross-AZ charges but should still work.
D. The route table for the private subnet in AZ2 is missing a route to the NAT Gateway.
Answer: B

A public NAT Gateway translates to its Elastic IP; without one, it cannot forward traffic to the internet.

Why this answer

Option B is the intended answer: a public NAT gateway translates to its Elastic IP, so a gateway with no usable public address cannot forward traffic through the internet gateway. In practice the console and API require an Elastic IP when a public NAT gateway is created, so when one AZ fails and the other works a practitioner would first compare the two private route tables and confirm that the AZ2 public subnet's route table has its own 0.0.0.0/0 route to the internet gateway. Option C is wrong because a route to a NAT gateway in another AZ works (with cross-AZ data charges); it is also contradicted by the scenario, which routes each private subnet to its same-AZ gateway. Option D is wrong because the scenario states that the routes exist.

Option A is wrong because security groups are attached to instances, not Availability Zones, and nothing in the scenario suggests that the AZ2 instances use a different group.

157
MCQ · medium

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from an S3 bucket in the same region. The company wants to minimize data transfer costs and avoid traversing the internet. Which solution should the company implement?

A. Create a VPC Interface Endpoint for S3 and attach it to the private subnet.
B. Configure an S3 bucket policy to allow access from the VPC and use an Internet Gateway.
C. Create a VPC Gateway Endpoint for S3 and attach it to the private subnet's route table.
D. Create a NAT Gateway in the public subnet and route traffic to the S3 bucket through it.
Answer: C

A gateway endpoint is free and provides private connectivity to S3.

Why this answer

Option C is correct because a gateway endpoint for S3 adds a route for the S3 prefix list to the private subnet's route table, pointing at the endpoint, so S3 requests stay on the AWS network and incur no endpoint or data-processing charge. Option D is wrong because a NAT gateway is billed per hour and per GB and sends the traffic out through the internet gateway. Option A is wrong because an interface endpoint for S3 works but is billed per hour per AZ and per GB; it is the choice only when access is needed from on-premises or another VPC, which this question does not require.

Option B is wrong because a bucket policy authorises requests; it does not give a private instance a network path to S3.

158
MCQ · medium

A company has a VPC with multiple subnets. They want to centrally control outbound traffic to the internet and log all traffic. Which AWS service should they use?

A. NAT Gateway
B. Network ACL
C. VPC Flow Logs
D. VPC Traffic Mirroring
Answer: D

Traffic Mirroring copies packets to a monitoring appliance for inspection.

Why this answer

Option D is the intended answer: of the services listed, only Traffic Mirroring copies the full packets (not just flow metadata) from an ENI to a monitoring appliance, where they can be inspected and alerted on. Note that mirroring is out-of-band: the appliance receives a copy and cannot itself drop traffic, so enforcement still needs a control point such as the private subnets' route to a single NAT gateway, network ACLs, or a firewall. Option A (NAT Gateway) provides the outbound path but keeps no per-flow record beyond what Flow Logs capture. Option C (VPC Flow Logs) records 5-tuple metadata and accept/reject decisions but neither controls traffic nor captures payload.

Option B (Network ACL) controls traffic at the subnet boundary but logs nothing on its own.

159
MCQ · medium

A company is designing a VPC with public and private subnets in two Availability Zones. The private subnets host EC2 instances that need to download patches from the internet. The company wants to minimize costs while ensuring high availability. Which solution meets these requirements?

A. Create a NAT gateway in one public subnet and use a second NAT gateway in a different AZ as a backup, but only route traffic to the primary.
B. Create a NAT gateway in one public subnet and configure route tables for private subnets to use it.
C. Launch a NAT instance in one public subnet and configure route tables for private subnets to use it.
D. Create a NAT gateway in a public subnet in each Availability Zone and configure route tables for private subnets to use the NAT gateway in the same AZ.
Answer: D

Highly available and cost-effective with proper AZ-level routing.

Why this answer

Option D is correct because a NAT gateway is an Availability Zone-scoped resource: one in each AZ's public subnet, with each private subnet routing to the gateway in its own AZ, survives the loss of one AZ and avoids cross-AZ data charges. Option B is wrong because a single NAT gateway is a single point of failure, and its AZ going down takes every private subnet's internet path with it. Option C is wrong because a NAT instance is self-managed, must be sized and patched, and is also a single point of failure.

Option A is wrong because route tables are static: a second gateway that no route points to never takes over, so it adds cost without adding availability.

160
Multi-Select · hard

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. They have a VPC with a subnet that hosts a web application. They need to ensure that traffic from the on-premises network to the web application does not traverse the internet. Which TWO components are required? (Select TWO.)

Select 2 answers
A. Internet Gateway attached to the VPC
B. Direct Connect Gateway associated with the Transit Gateway
C. Direct Connect private virtual interface attached to a Direct Connect Gateway
D. Site-to-Site VPN connection to the Transit Gateway
E. CloudFront distribution in front of the web application
Answers: B, C

This lets the on-premises prefixes learned over Direct Connect propagate into the Transit Gateway route table.

Why this answer

To reach a VPC through a transit gateway without touching the internet you need a Direct Connect virtual interface attached to a Direct Connect gateway (option C) and that Direct Connect gateway associated with the transit gateway (option B); the on-premises prefixes then propagate into the transit gateway route table. (AWS calls the VIF type used for a transit gateway association a transit virtual interface; a private VIF attaches a Direct Connect gateway to virtual private gateways.) Option D (Site-to-Site VPN) keeps traffic encrypted but still rides the internet. Option A (Internet Gateway) is internet connectivity by definition. Option E (CloudFront) is a CDN that fronts the application from the internet edge.

161
MCQ · easy

A networking engineer is troubleshooting connectivity issues between two VPCs that are peered using a VPC peering connection. The VPCs are in different AWS accounts. The engineer has verified that the route tables are correct and the security groups allow traffic. However, ICMP ping fails from an instance in VPC A to an instance in VPC B. What is a likely cause?

A. The route tables in both VPCs do not have the route propagation enabled.
B. The VPC CIDR blocks overlap.
C. There is a VPN connection attached to both VPCs that creates a transitive routing issue.
D. The security group in VPC A does not allow inbound ICMP from VPC B.
E. The network ACLs are not configured correctly for return traffic.
Answer: C

VPC peering does not support transitive routing; a second connection that could supply a transitive path can cause unexpected behaviour.

Why this answer

Option C is correct because a VPN connection attached to both VPCs can introduce a transitive path, which VPC peering does not support: peered traffic must flow directly between the two VPCs. If both VPCs connect to the same on-premises network over VPN, that path can interfere with the direct peering path and break ICMP even though route tables and security groups are correct.

Exam trap

AWS often tests that VPC peering is not transitive, and candidates may overlook how a VPN connection can inadvertently create a transitive path that breaks direct peering traffic.

How to eliminate wrong answers

Option A is wrong because route propagation applies to routes learned by a virtual private gateway (VPN or Direct Connect); VPC peering uses static routes to the peering connection, so there is nothing to propagate. Option B is wrong because a peering connection cannot be created between VPCs with overlapping CIDR blocks, so the scenario (peering exists, routes verified) rules this out. Option D is wrong because the scenario states that the security groups allow the traffic; for a ping from A to B the instance in VPC B needs inbound ICMP, while the instance in VPC A, whose security group is stateful, needs no inbound rule for the echo reply.

Option E is wrong because, although network ACLs are stateless and would have to allow both the echo request and the echo reply, and they are not among the items verified, the option describes a configuration slip rather than the routing interaction the scenario points at; the transitive path is the most likely cause among the choices.

162
MCQ · hard

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network uses BGP to advertise a specific prefix (10.0.0.0/16) to AWS. The VPC CIDR is 10.0.0.0/16. The company wants to ensure that traffic from the VPC to on-premises uses the Direct Connect connection. However, traffic is going over the internet instead. What is the most likely cause?

A. The on-premises BGP ASN is prepended, causing the route to be less preferred.
B. The on-premises prefix is less specific than the VPC CIDR, so the VPC route takes precedence.
C. The VPC CIDR overlaps with the on-premises prefix, and the local route in the VPC route table takes precedence.
D. The BGP route is not being propagated into the VPC route table.
Answer: C

Overlapping CIDRs cause the local route to be used, ignoring Direct Connect.

Why this answer

Option C is correct because the on-premises prefix is identical to the VPC CIDR, and the local route for the VPC CIDR always wins over a propagated route for the same destination. Every address in 10.0.0.0/16 is therefore treated as local to the VPC and never sent to the virtual private gateway; the fix is to renumber so that the on-premises and VPC ranges do not overlap. Option B is wrong because the two prefixes are the same length, and in any case longest prefix match cannot displace the local route for the VPC's own CIDR.

Option D is wrong because propagation is not the problem: even when propagated, a route for the VPC's own CIDR is not used. Option A is wrong because AS-path prepending influences preference among BGP paths on the AWS side; it has no bearing on the local route.

163
MCQ · medium

A company is running a stateful firewall appliance in an EC2 instance in a VPC. The appliance inspects traffic between subnets. The company needs to ensure that traffic from the web tier subnet to the application tier subnet passes through the firewall, but the firewall itself must not affect other traffic. Which configuration should the company implement?

A. Place the firewall in the same subnet as the web tier and use security groups to redirect traffic.
B. Place the firewall in a separate subnet and use network ACLs to force traffic through it.
C. Use a Gateway Load Balancer to deploy the firewall appliance in a separate subnet, and configure route tables to send inter-subnet traffic to the Gateway Load Balancer endpoint.
D. Use a transit gateway with appliance mode and attach all subnets to it, then configure routing to send traffic through the firewall.
Answer: C

A GWLB transparently intercepts traffic for inspection.

Why this answer

Option C is correct because a Gateway Load Balancer fronts the appliance in its own subnet and exposes a GWLB endpoint (GWLBe) in the VPC; adding a route for the application-tier CIDR to that endpoint in the web-tier subnet's route table (a route more specific than the local route) steers only that traffic through the firewall, while everything else follows the local route untouched. Option A is wrong because security groups filter; they cannot redirect traffic. Option B is wrong because a network ACL is a stateless allow/deny list and cannot forward traffic to an appliance.

Option D is wrong because appliance mode applies to traffic crossing the transit gateway between attachments; it does not steer subnet-to-subnet traffic inside one VPC, and it would add a hub for a problem the GWLB endpoint solves locally.
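Worked example, added here and not from the quiz, that applies the route-selection rules behind Q152, Q157, Q162 and Q163 to one constructed subnet route table: longest prefix match, the local route winning over a propagated route for the same CIDR, a static route more specific than the local route steering traffic to a Gateway Load Balancer endpoint, and the gateway endpoint's prefix-list route beating the default route to the NAT gateway. Route target identifiers, the stand-in prefix for the S3 prefix list and the appliance subnet are assumptions; a propagated route more specific than the local route is deliberately not modelled.

```python
"""How a VPC subnet route table chooses a route (added example).

Rules modelled:
  1. longest prefix match across all routes;
  2. at equal prefix length the local route wins, then a static route
     beats a propagated route;
  3. among propagated routes for the same prefix, Direct Connect BGP is
     preferred to VPN static, which is preferred to VPN BGP.
A propagated route more specific than the local route is not modelled.
Targets, the gateway-endpoint prefix and the appliance subnet are
constructed identifiers.
"""
import ipaddress
from typing import Dict, List, Optional

# Lower rank wins when two matching routes have the same prefix length.
SOURCE_RANK = {"local": 0, "static": 1, "dx-bgp": 2, "vpn-static": 3, "vpn-bgp": 4}


def route(dest: str, target: str, source: str = "static") -> Dict[str, str]:
    assert source in SOURCE_RANK, source
    return {"dest": dest, "target": target, "source": source}


def lookup(table: List[Dict[str, str]], dst_ip: str) -> Optional[Dict[str, str]]:
    """Return the route the VPC would use for dst_ip, or None (no route: dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    matching = [r for r in table if ip in ipaddress.ip_network(r["dest"], strict=False)]
    if not matching:
        return None
    return min(
        matching,
        key=lambda r: (-ipaddress.ip_network(r["dest"], strict=False).prefixlen,
                       SOURCE_RANK[r["source"]]),
    )


def target_for(table: List[Dict[str, str]], dst_ip: str) -> Optional[str]:
    chosen = lookup(table, dst_ip)
    return chosen["target"] if chosen else None


# One subnet route table in a VPC whose CIDR is 10.0.0.0/16.
SUBNET_RT = [
    route("10.0.0.0/16", "local", "local"),
    # Q152/Q159: default route to the same-AZ NAT gateway
    route("0.0.0.0/0", "nat-0az2example"),
    # Q157: a gateway endpoint installs routes for the S3 prefix list;
    # 198.51.100.0/24 (a documentation range) stands in for that list here
    route("198.51.100.0/24", "vpce-0s3example"),
    # Q163: static route more specific than the local route, sending traffic
    # for the (constructed) app-tier subnet through a GWLB endpoint
    route("10.0.4.0/24", "vpce-0gwlbexample"),
    # Q162: on-premises advertises the same /16 as the VPC CIDR over DX
    route("10.0.0.0/16", "vgw-0example", "dx-bgp"),
    # Q179: a correctly propagated on-premises prefix
    route("10.10.0.0/16", "vgw-0example", "dx-bgp"),
]


if __name__ == "__main__":
    for dst in ("10.0.1.15", "10.0.4.10", "10.10.0.5", "198.51.100.7", "203.0.113.9"):
        print(f"{dst:>14} -> {target_for(SUBNET_RT, dst)}")
```

The interesting rows are 10.0.1.15, which stays local despite the identical propagated /16 (Q162), and 10.0.4.10, which leaves the local route for the GWLB endpoint because the more specific route is static (Q163).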

164
MCQ · medium

A company is designing a multi-region architecture with an Application Load Balancer (ALB) in each region. They need to route traffic to the closest healthy endpoint. Which AWS service should be used for global load balancing?

A. Use a single Application Load Balancer in one region with cross-region VPC peering.
B. Use AWS Global Accelerator with an endpoint group in each region.
C. Use Route 53 latency-based routing with health checks.
D. Use a Network Load Balancer in each region and Route 53 weighted routing.
Answer: B

Global Accelerator provides anycast IPs and routes to the closest healthy endpoint.

Why this answer

Option B is correct because Global Accelerator provides two static anycast IP addresses announced from AWS edge locations and forwards each connection to the closest healthy endpoint group, failing over within seconds when a health check fails. Option A is wrong because an ALB is regional, and VPC peering does not make one ALB serve users from another region. Option D is wrong because an NLB is also regional, and weighted routing splits traffic by weight rather than by proximity.

Option C is wrong because latency-based routing is DNS-based: it is a valid approach, but cached answers slow failover and clients see changing IPs, so it is not the global load-balancing service the question asks for.

165
MCQ · medium

A company uses AWS Transit Gateway to connect multiple VPCs. The network team notices that traffic between two VPCs is taking a suboptimal path through a third VPC. What is the most likely cause?

A. Security groups are blocking the direct path, forcing traffic through a third VPC.
B. BGP is not configured between the VPCs, so traffic defaults through a transit VPC.
C. ECMP routing is enabled, causing traffic to be load-balanced across multiple paths.
D. Incorrect route table associations and propagations in the Transit Gateway.
Answer: D

Route tables determine which attachments can reach each other.

Why this answer

Option D is correct because Transit Gateway route tables, their associations and their propagations decide which attachment receives inter-VPC traffic. If an attachment is associated with the wrong table, or a VPC's CIDR was propagated or statically routed toward another VPC's attachment, traffic is forwarded to that unintended attachment. Option C is wrong because ECMP spreads flows across equal-cost paths (for example several VPN tunnels); it does not pick a longer path.

Option A is wrong because security groups filter traffic; they do not influence routing. Option B is wrong because BGP is not used on VPC attachments; a VPC's CIDR is propagated from the attachment itself, not learned over BGP.

166
MCQ · easy

A company is deploying a web application across multiple Availability Zones in a VPC. The application tier consists of EC2 instances behind an Application Load Balancer (ALB). The security team requires that all traffic between the ALB and the EC2 instances be encrypted. Which solution meets this requirement?

A. Use an internal ALB with a TCP listener and a security group that allows only HTTPS.
B. Use an HTTP listener on the ALB and enable encryption on the security group.
C. Use an HTTPS listener on the ALB with a target group that uses HTTPS.
D. Use a TCP listener on the ALB with a target group that uses TCP.
Answer: C

HTTPS on both the listener and the target group gives end-to-end encryption.

Why this answer

Option C is correct because an HTTPS listener terminates TLS from clients at the ALB, and a target group with protocol HTTPS makes the ALB open a new TLS connection to each instance, so the ALB-to-instance hop is encrypted as well (the targets need their own certificates; the ALB does not validate them). Option D is incorrect because an ALB has no TCP listeners (that is a Network Load Balancer feature), and plain TCP is not encrypted. Option A is incorrect because whether the ALB is internal or internet-facing is irrelevant; the listener and target protocols decide, and a security group only allows or blocks traffic.

Option B is incorrect because an HTTP listener carries plaintext, and security groups have no encryption setting.

167
MCQ · medium

A network engineer is troubleshooting connectivity issues from an on-premises network to an AWS VPC over a Direct Connect private VIF. The VPC has a virtual private gateway attached. The on-premises router can ping the private IP of an EC2 instance in the VPC, but application traffic (TCP port 443) fails. What is the most likely cause?

A. The network ACL in the VPC is blocking outbound traffic.
B. The security group for the EC2 instance does not allow inbound HTTPS traffic.
C. The BGP session is in the 'Idle' state.
D. The route table associated with the virtual private gateway does not have a route to the on-premises network.
Answer: B

Security groups are stateful, so outbound return traffic is allowed automatically. The inbound rule for HTTPS must be present.

Why this answer

Since the on-premises router can ping the EC2 instance's private IP, Layer 3 connectivity is working, which rules out routing and BGP issues. The failure of TCP port 443 specifically points to a firewall or access control blocking the application traffic. A security group acts as a virtual firewall at the instance level, and by default it denies all inbound traffic unless explicitly allowed.

Therefore, the most likely cause is that the security group for the EC2 instance has no inbound rule permitting HTTPS (TCP 443).

Exam trap

The trap here is that candidates assume a successful ping implies full application-layer connectivity, but security groups can allow ICMP while blocking specific protocols or ports, giving a false sense of network health.

How to eliminate wrong answers

Option A is wrong because a network ACL is stateless and operates at the subnet level; if outbound traffic were blocked, the ICMP echo reply would fail too, yet ping succeeds. Option C is wrong because if the BGP session were in the 'Idle' state, the virtual private gateway would not have learned the on-premises routes, so Layer 3 connectivity would be impossible and ping would fail. Option D is wrong because if the route table lacked a route to the on-premises network, return traffic from the VPC would not be forwarded and the ping replies would never reach the on-premises router, yet ping succeeds.

168
Multi-Select · hard

Which TWO scenarios are best suited for using AWS Transit Gateway over VPC peering? (Select TWO.)

Select 2 answers
A. Connecting VPCs in different AWS accounts
B. Connecting a single VPC to an on-premises network
C. Connecting hundreds of VPCs across multiple accounts
D. Connecting VPCs to on-premises via Direct Connect
E. Connecting two VPCs in the same account and region
Answers: C, D

Transit Gateway simplifies hub-and-spoke topology.

Why this answer

Options C and D are correct. Transit Gateway is built for hub-and-spoke at scale: hundreds of VPCs across accounts attach to one hub with shared route tables instead of a full mesh of peering connections, and a Direct Connect gateway can attach to the same hub so every VPC shares the on-premises path. Option E is wrong because two VPCs in one account and region are simpler and cheaper with a peering connection.

Option A is wrong because VPC peering already supports peering across accounts. Option B is wrong because a single VPC can terminate a VPN or Direct Connect on its own virtual private gateway.

169
MCQ · hard

A company is deploying a global application with users in North America and Europe. They have set up an Application Load Balancer (ALB) in us-east-1 and another in eu-west-1. They want to route users to the nearest ALB using AWS Global Accelerator. What is the correct configuration to achieve this?

A. Use Amazon CloudFront with origins pointing to each ALB
B. Place each ALB behind a Network Load Balancer and use Global Accelerator
C. Create a Global Accelerator accelerator with endpoint groups in each region, each pointing to the respective ALB
D. Create a Route 53 latency record set with aliases to each ALB
Answer: C

Correct; Global Accelerator uses anycast to route to the nearest healthy ALB.

Why this answer

Option C is correct because an accelerator's static anycast IP addresses are announced from AWS edge locations; traffic enters the AWS network at the nearest edge and is sent to the endpoint group whose ALB is closest and healthy, with failover when a health check fails. Option D is wrong because Route 53 latency records are DNS answers that resolvers and clients cache, so they switch more slowly and give no fixed IPs. Option A is wrong because CloudFront is a CDN that terminates HTTP at the edge; it can front ALBs, but it is not what the question asks for.

Option B is wrong because Global Accelerator targets ALBs directly; no Network Load Balancer is needed.

170
Multi-Select · medium

A company is designing a VPC with multiple subnets for a three-tier application. They need to ensure that the database tier (private subnet) can be accessed only by the application tier (private subnet) and that no other resources in the VPC can access the database. Which TWO security mechanisms should be used together to achieve this? (Choose TWO.)

Select 2 answers
A. Route tables
B. VPC Flow Logs
C. Security groups
D. Network ACLs
E. IAM policies attached to the database instances
Answers: C, D

Security groups (instance level, stateful) and network ACLs (subnet level, stateless) layer together.

Why this answer

Options C and D are correct. Security groups are stateful, instance-level filters: the database tier's group allows inbound on the database port only from the application tier's security group, and return traffic is tracked automatically. Network ACLs are stateless, subnet-level filters: the database subnet's ACL allows inbound on the database port from the application subnet and must also allow outbound to the application subnet's ephemeral port range for the replies. Used together they stop other resources in the VPC even if a security group is later loosened by mistake.

Option B is incorrect because VPC Flow Logs record traffic; they do not filter it. Option E is incorrect because IAM policies govern AWS API calls, not network packets. Option A is incorrect because route tables decide where traffic goes; inside one VPC the local route already covers every subnet, so routing cannot isolate the database.
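Worked example, added here and not from the quiz, for Q167 and Q170: a packet-level model of a stateful security group and a stateless network ACL applied to constructed flows. It shows that the reply to an allowed TCP request passes the security group automatically but needs an explicit network ACL rule for the client's ephemeral port range, that a web-tier host is refused at both layers, and that ICMP can succeed while TCP 443 fails when only the inbound HTTPS security group rule is missing. Subnet CIDRs, addresses and rule numbers are constructed, and the security group uses a CIDR where a production design would reference the application tier's security group.

```python
"""Stateful security groups vs stateless network ACLs (added example).

Rules, subnets and flows are constructed. A security group tracks
connections, so the reply to an allowed request passes without a rule;
a network ACL judges every packet on its own, so the reply needs an
explicit rule covering the client's ephemeral port range.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    sport: int   # 0 for icmp
    dport: int   # 0 for icmp

    def reply(self) -> "Packet":
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)


# Rule shape shared by both constructs: (proto, port_lo, port_hi, cidr).
# proto "all" matches any protocol; ports are ignored for icmp.
Rule = Tuple[str, int, int, str]


def _matches(rule: Rule, pkt: Packet, peer_ip: str) -> bool:
    proto, lo, hi, cidr = rule
    if proto not in ("all", pkt.proto):
        return False
    if pkt.proto != "icmp" and not lo <= pkt.dport <= hi:
        return False
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(cidr)


class NetworkAcl:
    """Stateless, per subnet: numbered rules, lowest first, first match wins,
    implicit deny. Inbound rules match the source address, outbound rules the
    destination address; both match the packet's destination port."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound)     # (number, action, proto, lo, hi, cidr)
        self.outbound = sorted(outbound)

    def allows(self, pkt: Packet, direction: str) -> bool:
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src if direction == "in" else pkt.dst
        for _num, action, proto, lo, hi, cidr in rules:
            if _matches((proto, lo, hi, cidr), pkt, peer):
                return action == "allow"
        return False


class SecurityGroup:
    """Stateful, per ENI: default deny inbound, allow outbound. A packet that
    answers a flow already allowed in the other direction is accepted
    without consulting the rules."""

    def __init__(self, inbound: List[Rule]):
        self.inbound = inbound
        self._flows = set()   # allowed 5-tuples, i.e. the connection table

    def allows(self, pkt: Packet, direction: str) -> bool:
        if pkt.reply() in self._flows:
            return True
        if direction == "out" or any(_matches(r, pkt, pkt.src) for r in self.inbound):
            self._flows.add(pkt)
            return True
        return False


def db_tier_check(with_ephemeral_rule: bool = True) -> dict:
    """Q170: app tier 10.0.3.0/24 -> database 10.0.5.20:3306. The DB subnet's
    NACL and the DB instance's security group must both admit the request;
    only the NACL also needs an outbound rule for the reply."""
    app_cidr = "10.0.3.0/24"
    outbound = [(100, "allow", "tcp", 1024, 65535, app_cidr)] if with_ephemeral_rule else []
    nacl = NetworkAcl(inbound=[(100, "allow", "tcp", 3306, 3306, app_cidr)], outbound=outbound)
    sg = SecurityGroup(inbound=[("tcp", 3306, 3306, app_cidr)])  # CIDR stands in for an SG reference
    req = Packet("10.0.3.10", "10.0.5.20", "tcp", 40000, 3306)
    rogue = Packet("10.0.1.5", "10.0.5.20", "tcp", 40001, 3306)  # web tier trying the same
    request_ok = nacl.allows(req, "in") and sg.allows(req, "in")
    reply_ok = request_ok and sg.allows(req.reply(), "out") and nacl.allows(req.reply(), "out")
    rogue_ok = nacl.allows(rogue, "in") and sg.allows(rogue, "in")
    return {"request": request_ok, "reply": reply_ok, "web_tier_blocked": not rogue_ok}


def ping_vs_https_check() -> dict:
    """Q167: on-premises 192.168.1.7 can ping the instance, yet TCP 443 fails
    because the security group has no inbound HTTPS rule; the NACL is wide open."""
    sg = SecurityGroup(inbound=[("icmp", 0, 0, "192.168.0.0/16")])
    nacl = NetworkAcl(inbound=[(100, "allow", "all", 0, 65535, "0.0.0.0/0")],
                      outbound=[(100, "allow", "all", 0, 65535, "0.0.0.0/0")])
    echo = Packet("192.168.1.7", "10.0.3.10", "icmp", 0, 0)
    https = Packet("192.168.1.7", "10.0.3.10", "tcp", 51000, 443)
    ping_ok = (nacl.allows(echo, "in") and sg.allows(echo, "in")
               and sg.allows(echo.reply(), "out") and nacl.allows(echo.reply(), "out"))
    return {"ping": ping_ok, "https": nacl.allows(https, "in") and sg.allows(https, "in")}
```

Call `db_tier_check()` and `db_tier_check(with_ephemeral_rule=False)` side by side: the request passes both times, but the reply is dropped at the stateless layer as soon as the ephemeral-port rule is missing, which is the classic "MySQL connects then hangs" symptom. `ping_vs_https_check()` reproduces the Q167 trap.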

171
MCQ · easy

A network engineer is designing a VPC with public and private subnets. The private subnets must have outbound internet access but not be directly reachable from the internet. Which AWS service should be used?

A. NAT Gateway
B. Elastic IP Address (EIP)
C. Internet Gateway (IGW)
D. Virtual Private Gateway (VGW)
Answer: A

NAT Gateway provides outbound internet access without inbound exposure.

Why this answer

Option A is correct because a NAT gateway translates outbound connections from private subnets and only admits return traffic for connections those instances initiated. Option C is wrong because an internet gateway provides bidirectional access and requires a public or Elastic IP on the instance. Option D is wrong because a virtual private gateway terminates Site-to-Site VPN and Direct Connect (hybrid connectivity), not internet access.

Option B is wrong because an Elastic IP is a public address used by a NAT gateway or by an instance behind an internet gateway; on its own it provides no connectivity.

172
MCQ · hard

A company is running a two-tier application with a web tier and a database tier. The web tier must be accessible from the internet, but the database tier should only be accessible from the web tier. Which architecture should they use?

A. Web tier in public subnet, database tier in private subnet with a security group allowing only web tier.
B. Both tiers in public subnets with security groups restricting database access.
C. Both tiers in private subnets with a NAT Gateway for internet access.
D. Web tier in private subnet, database tier in public subnet with a security group.
Answer: A

This architecture provides internet access to the web tier and isolates the database.

Why this answer

Option A is correct because the web tier sits in a public subnet with a route to the internet gateway, while the database tier sits in a private subnet with no such route and a security group whose only inbound rule references the web tier's security group. Option B is wrong because placing the database in a public subnet exposes it to the internet even with security groups in place. Option C is wrong because a private web tier behind a NAT gateway cannot accept inbound connections from the internet.

Option D is wrong because a public database tier is the reverse of the required isolation.

173
MCQ · hard

A company is deploying a multi-region application and needs to route users to the nearest healthy endpoint. They are using Amazon Route 53 with latency-based routing and health checks. Users in Asia are sometimes routed to the US region even when the Asia endpoint is healthy. What is the most likely cause?

A. The Asia region endpoint's Route 53 geolocation routing policy is misconfigured
B. The health check for the Asia region endpoint is failing or misconfigured
C. The TTL value for the DNS records is set too high
D. The DNS resolver used by users in Asia does not support latency-based routing
Answer: B

If the health check fails, Route 53 excludes the unhealthy endpoint and routes to the next best latency.

Why this answer

Option B is correct because Route 53 returns the lowest-latency record only among records whose health checks pass, so a failing or misconfigured health check (wrong port or path, or a firewall blocking the Route 53 health checker address ranges) makes Route 53 drop the Asia record and answer with the next best region. Option A is wrong because geolocation is a different routing policy; the question uses latency-based routing. Option C is wrong because a high TTL prolongs whatever answer was cached but does not by itself change which region Route 53 chooses.

Option D is wrong because resolvers do not implement routing policies; Route 53 evaluates latency records itself, based on the location of the resolver (or the EDNS client subnet when the resolver sends it).

174
Multi-Select · medium

Which THREE of the following are valid methods to connect a VPC to an on-premises network?

Select 3 answers
A. AWS Direct Connect
B. VPC Peering
C. Site-to-Site VPN
D. AWS Transit Gateway
E. VPC Endpoint
Answers: A, C, D

Direct Connect provides a dedicated private connection.

Why this answer

Options A, C and D are correct: Direct Connect gives a dedicated private circuit, Site-to-Site VPN gives an encrypted tunnel over the internet, and Transit Gateway terminates either (VPN directly, Direct Connect through a Direct Connect gateway) as a hub for many VPCs. Option B is wrong because VPC peering connects two VPCs, not an on-premises network.

Option E is wrong because a VPC endpoint connects a VPC privately to AWS services.

175
MCQ · easy

A company is deploying a public-facing web application on EC2 instances behind an Application Load Balancer. The ALB is configured to terminate HTTPS using a certificate from AWS Certificate Manager. What additional step is required to ensure the ALB can validate the certificate?

A. Attach the certificate to an Amazon CloudFront distribution.
B. Ensure the certificate is in the same AWS region as the ALB.
C. Create a DNS record to validate domain ownership.
D. Import the certificate into AWS Certificate Manager Private Certificate Authority.
Answer: B

ACM certificates are region-specific.

Why this answer

Option B is correct because ACM certificates are regional: an ALB can only use a certificate issued or imported in its own region. Option C is wrong because DNS (or email) validation is part of issuing a public certificate, not of attaching it to a load balancer. Option D is wrong because ACM Private CA issues private certificates; it is not needed for a public-facing ALB.

Option A is wrong because CloudFront is a separate service and, unlike an ALB, requires its certificate in us-east-1.

176
MCQ · hard

A company has multiple VPCs connected via AWS Transit Gateway. Each VPC has its own route table in the transit gateway. The company wants to restrict traffic between certain VPCs. For example, VPC A should be able to send traffic to VPC B but not to VPC C. VPC B should be able to send traffic to VPC C. Which configuration should the company use?

A. Use network ACLs on the transit gateway attachments to filter traffic.
B. Use security groups on the VPC attachments to allow or deny traffic.
C. Create separate transit gateway route tables for each VPC and add only the desired routes for other VPCs.
D. Create a single transit gateway route table and associate all VPC attachments with it.
Answer: C

Enables selective communication.

Why this answer

Option C is correct because each VPC attachment is associated with its own transit gateway route table, and that table decides where traffic entering from that attachment may go. Putting only B's CIDR in A's table, and only the needed CIDRs in the others, lets A reach B and B reach C while A has no route to C at all. Remember that routes are one-directional: for A's requests to B to get replies, B's table needs a route back to A's CIDR. Option D is wrong because a single shared table holding every attachment's routes gives any-to-any connectivity.

Option A is wrong because network ACLs attach to VPC subnets, not to transit gateway attachments. Option B is wrong because security groups are per-ENI filters and play no part in transit gateway routing decisions.
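Worked example, added here and not from the quiz: a model of per-attachment Transit Gateway route tables implementing the Q176 policy (A reaches B, B reaches C, A never reaches C). It resolves each packet against the table its source attachment is associated with, by longest prefix match, and checks the return direction separately, because a route only covers one direction. VPC CIDRs, attachment IDs and table names are constructed.

```python
"""Selective connectivity with per-attachment Transit Gateway route tables
(added example). Each VPC attachment is associated with one TGW route
table; a packet entering from that attachment is routed by that table
alone, by longest prefix match. A route covers one direction only, so
A -> B works end to end only if B's table also routes A's CIDR back to A.
VPC CIDRs, attachment IDs and table names are constructed.
"""
import copy
import ipaddress
from typing import Dict, Optional

VPC_CIDR = {"A": "10.1.0.0/16", "B": "10.2.0.0/16", "C": "10.3.0.0/16"}
ATTACHMENT = {"A": "tgw-attach-0aaa", "B": "tgw-attach-0bbb", "C": "tgw-attach-0ccc"}
ASSOCIATION = {"A": "tgw-rtb-A", "B": "tgw-rtb-B", "C": "tgw-rtb-C"}  # one table per attachment

# Q176 policy: A may reach B, B may reach C, A must never reach C.
# Each table maps destination CIDR -> attachment (static or propagated).
ROUTE_TABLES: Dict[str, Dict[str, str]] = {
    "tgw-rtb-A": {"10.2.0.0/16": ATTACHMENT["B"]},
    "tgw-rtb-B": {"10.1.0.0/16": ATTACHMENT["A"], "10.3.0.0/16": ATTACHMENT["C"]},
    "tgw-rtb-C": {"10.2.0.0/16": ATTACHMENT["B"]},
}


def next_attachment(tables, src_vpc: str, dst_ip: str) -> Optional[str]:
    """Attachment the TGW forwards to, or None when no route matches (dropped)."""
    table = tables[ASSOCIATION[src_vpc]]
    ip = ipaddress.ip_address(dst_ip)
    matches = [c for c in table if ip in ipaddress.ip_network(c)]
    if not matches:
        return None
    return table[max(matches, key=lambda c: ipaddress.ip_network(c).prefixlen)]


def sample_host(vpc: str) -> str:
    return str(ipaddress.ip_network(VPC_CIDR[vpc])[10])


def reachable(tables, src: str, dst: str) -> Dict[str, bool]:
    """Forward and return lookups; a flow only completes when both succeed."""
    fwd = next_attachment(tables, src, sample_host(dst)) == ATTACHMENT[dst]
    rev = next_attachment(tables, dst, sample_host(src)) == ATTACHMENT[src]
    return {"forward": fwd, "return": rev, "end_to_end": fwd and rev}


def matrix(tables) -> Dict[str, bool]:
    return {f"{s}->{d}": reachable(tables, s, d)["end_to_end"]
            for s in VPC_CIDR for d in VPC_CIDR if s != d}


def without_return_route(tables):
    """Same tables with B's route back to A removed: A's requests still reach
    B, but B's replies find no route and are dropped at the transit gateway."""
    t = copy.deepcopy(tables)
    del t["tgw-rtb-B"]["10.1.0.0/16"]
    return t


if __name__ == "__main__":
    for pair, ok in matrix(ROUTE_TABLES).items():
        print(f"{pair}: {'ok' if ok else 'blocked'}")
    print("A->B with B's return route removed:",
          reachable(without_return_route(ROUTE_TABLES), "A", "B"))
```

The matrix confirms the policy, and the `without_return_route` variant shows the failure mode that option C's one-directional routes invite: the forward lookup succeeds, the return lookup finds nothing, and the flow never completes.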

177
Multi-Select · medium

Which TWO of the following are benefits of using an AWS Transit Gateway over VPC peering for connecting multiple VPCs? (Select TWO.)

Select 2 answers
A. Lower data transfer costs between VPCs.
B. Built-in internet gateway for all attached VPCs.
C. Automatic encryption of traffic between VPCs.
D. Transitive routing between all attached VPCs.
E. Centralised management of network policies and routing.
Answers: D, E

The hub-and-spoke model allows any-to-any connectivity.

Why this answer

Options D and E are correct. A transit gateway is a regional hub: every attached VPC can reach any other attached VPC through it (transitive routing), and routing policy lives in a few transit gateway route tables instead of a mesh of peering connections and per-VPC routes. Option A is wrong because Transit Gateway adds an hourly attachment charge and a per-GB data-processing charge, so it does not lower cost.

Option C is wrong because traffic between attachments is not encrypted by the service. Option B is wrong because a transit gateway has no built-in internet access; that still requires an internet gateway or NAT gateway in a VPC.

178
MCQ · easy

A network engineer is setting up a site-to-site VPN connection between an on-premises network and an AWS VPC. The engineer configures the customer gateway device with the correct parameters. However, the VPN tunnel status remains 'DOWN'. What is the most likely cause?

A. The virtual private gateway is not attached to the customer gateway.
B. The VPN connection is not associated with a subnet.
C. The pre-shared key on the customer gateway device does not match the pre-shared key configured in the VPN connection.
D. The security group associated with the VPN endpoint is blocking the traffic.
Answer: C

A mismatched PSK prevents IKE negotiation.

Why this answer

Option C is correct because IKE phase 1 cannot complete unless the pre-shared key on the customer gateway device is identical to the one in the downloaded VPN configuration, and without phase 1 the tunnel stays DOWN. Mismatched IKE or IPsec proposals, and a customer device that never initiates (AWS initiates only when the tunnel's startup action is set to start), are the other common causes to check. Option D is wrong because security groups apply to ENIs inside the VPC, not to the VPN endpoints. Option A is wrong because the virtual private gateway attaches to the VPC; the customer gateway is a separate object that describes the on-premises device.

Option B is wrong because a VPN connection is associated with a virtual private gateway or transit gateway, not with a subnet.

179
MCQ · medium

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. The VPC uses a virtual private gateway (VGW). The on-premises network advertises a route to a specific subnet (10.0.0.0/24) via BGP. However, traffic from the VPC to that subnet is failing. What should the network engineer check first?

A. Verify that the customer gateway device is advertising the subnet route.
B. Verify that the virtual interface is in the 'available' state and the BGP session is established.
C. Verify that the VGW is attached to the VPC.
D. Verify that route propagation is enabled on the VPC's route tables associated with the subnets.
Answer: D

Without route propagation, the BGP routes from Direct Connect are not added to the route tables.

Why this answer

Option D is correct because route propagation from the VGW to the VPC route tables must be enabled for the learned BGP routes to be used. Option C is wrong because the VGW is already the correct attachment. Option B is wrong because the VIF being up doesn't guarantee route propagation.

Option A is wrong because the customer gateway (CGW) is a resource configured on the AWS side; the on-premises router is separate.

180
MCQ · hard

A company is migrating a legacy application to AWS. The application requires multicast communication between instances. The company needs to implement a multicast solution within a VPC. Which AWS service or feature should be used to support multicast?

A. Create a Transit Gateway multicast domain
B. Configure multicast in the VPC's route tables
C. Use AWS Global Accelerator for multicast distribution
D. Set up VPC peering to enable multicast between subnets
Answer: A

Transit Gateway supports multicast groups and can distribute multicast traffic.

Why this answer

Option A is correct because AWS Transit Gateway supports multicast groups. Option B is incorrect because VPC route tables cannot be configured for multicast; the VPC does not natively support it. Option C is incorrect because AWS Global Accelerator is for anycast, not multicast.

Option D is incorrect because VPC peering does not support multicast.

181
MCQ · hard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The company has a NAT gateway in the public subnet. The route table for the private subnet has a route 0.0.0.0/0 pointing to the NAT gateway. However, the EC2 instance cannot reach the internet. Which additional configuration is needed?

A. Assign a public IP address to the EC2 instance.
B. Attach a security group to the NAT gateway allowing outbound traffic.
C. Add a route to the NAT gateway in the private subnet's route table for destination 0.0.0.0/0.
D. Ensure the public subnet's route table has a route 0.0.0.0/0 pointing to an internet gateway.
Answer: D

The NAT gateway needs internet access via the internet gateway.

Why this answer

Option D is correct: the NAT gateway is in the public subnet, so the public subnet's route table must have a route to an internet gateway for the NAT gateway to function. Option C is wrong because the private subnet already has the correct route. Option B is wrong because security groups cannot be attached to a NAT gateway.

Option A is wrong because the instance does not need a public IP; it uses the NAT gateway for outbound traffic.

182
MCQ · easy

A company is deploying a new VPC with public and private subnets. The company wants to ensure that EC2 instances in the private subnet can access the internet for software updates. The instances do not need to be accessible from the internet. The network engineer has created a NAT gateway in the public subnet and added a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT gateway. However, instances in the private subnet cannot reach the internet. The NAT gateway is in the 'available' state. What is the MOST likely cause?

A. The NAT gateway is not in a public subnet.
B. The NAT gateway does not have an Elastic IP address associated.
C. The private subnet's route table does not have a default route to the NAT gateway.
D. The security group of the EC2 instances blocks outbound traffic.
Answer: B

NAT gateway requires an EIP for internet access.

Why this answer

Option B is correct because an Elastic IP must be associated with the NAT gateway for it to work. Option A is incorrect because the NAT gateway is already in a public subnet. Option C is incorrect because the route is present.

Option D is incorrect because security groups do not block outbound traffic to the internet by default.

183
MCQ · easy

A company needs to establish a dedicated, private, high-bandwidth connection between its on-premises data center and AWS. Which AWS service should be used?

A. AWS Direct Connect
B. AWS Transit Gateway
C. AWS Site-to-Site VPN
D. VPC peering
Answer: A

Dedicated private connection.

Why this answer

Option A is correct because AWS Direct Connect provides dedicated private connectivity. Option C is wrong because a VPN uses the public internet. Option B is wrong because Transit Gateway is a network hub, not a connection type.

Option D is wrong because VPC peering connects VPCs, not on-premises networks.

184
MCQ · medium

A company has an AWS Transit Gateway with multiple VPC attachments. They want to centralize outbound internet traffic through a single VPC that has a NAT gateway and an internet gateway. All other VPCs should route internet-bound traffic through this central VPC. What configuration is required?

A. Attach a virtual private gateway to the central VPC and add a static route in the transit gateway route table pointing 0.0.0.0/0 to the virtual private gateway
B. Add a default route in the central VPC's subnet route tables pointing to the internet gateway
C. Create a route table in the central VPC and associate it with the transit gateway attachment
D. Add a route in the transit gateway route table pointing 0.0.0.0/0 to the NAT gateway in the central VPC
Answer: A

The virtual private gateway can route to the NAT gateway via the central VPC's route tables, and the transit gateway propagates the route to other attachments.

Why this answer

Option A is correct because you need to attach a virtual private gateway to the central VPC and add a static route in the transit gateway route table pointing 0.0.0.0/0 to that VGW; the other VPCs then need a default route in their route tables pointing to the transit gateway attachment. Option C is wrong because TGW attachments do not have their own route tables; route tables are associated with the TGW. Option B is wrong because that would send traffic directly to the internet gateway, not through the central VPC.

Option D is wrong because that would route traffic directly to the NAT gateway in the central VPC, but the transit gateway cannot route to a NAT gateway directly; it needs a VGW or a prefix list.

185
MCQ · easy

A company wants to securely connect two VPCs in different AWS regions using AWS infrastructure. Which service should be used?

A. AWS Direct Connect
B. Internet Gateway
C. VPC peering
D. AWS Transit Gateway
Answer: C

VPC peering supports inter-region connections.

Why this answer

Option C is correct because VPC peering supports inter-region peering. Option A is wrong because Direct Connect is for on-premises connectivity, not inter-region. Option D is wrong because Transit Gateway currently does not support inter-region peering natively (requires VPC peering).

Option B is wrong because an Internet Gateway is for internet access.

186
MCQ · hard

A company has a VPC with a CIDR of 10.0.0.0/16. They have two subnets: 10.0.1.0/24 (public) and 10.0.2.0/24 (private). They launch a NAT Gateway in the public subnet and add a route in the private subnet route table: destination 0.0.0.0/0, target nat-gateway-id. An EC2 instance in the private subnet can ping an external server, but cannot connect to it via SSH. The security group allows outbound SSH (port 22), and the NACL allows outbound ephemeral ports. What is the likely cause?

A. The NACL on the private subnet is blocking outbound ephemeral ports.
B. The route table in the private subnet does not have a route to the NAT Gateway.
C. The external server's firewall is blocking traffic from the NAT Gateway's Elastic IP address.
D. The NAT Gateway is not configured to allow SSH traffic.
Answer: C

The external server must allow the NAT Gateway's public IP on port 22.

Why this answer

Option C is correct: the external server's security group or firewall is most likely blocking inbound SSH from the NAT Gateway's public IP. The NAT Gateway uses its Elastic IP for outbound traffic, and the external server must allow that IP. Option D is wrong because the NAT Gateway does not block SSH.

Option A is wrong because the NACL is permissive. Option B is wrong because the route is correct (ping already succeeds through it).

187
MCQ · easy

A company is setting up a VPC with both public and private subnets. The private subnets need outbound internet access for software updates. Which component is required to enable this?

A. A NAT gateway in a public subnet.
B. A VPN connection to an on-premises network that has internet access.
C. A VPC peering connection to a VPC that has internet access.
D. An internet gateway attached to the VPC with a route in the private subnet's route table pointing to the internet gateway.
Answer: A

NAT gateway enables outbound internet for private subnets.

Why this answer

Option A is correct because a NAT gateway in a public subnet provides outbound internet access to instances in private subnets. Option D is wrong because an internet gateway does not provide outbound access for private subnets without a NAT device. Option C is wrong because VPC peering is for connecting VPCs, not internet access.

Option B is wrong because a VPN connection is for site-to-site connectivity, not internet access.

188
Multi-Select · medium

A company is using AWS Transit Gateway to connect multiple VPCs and an on-premises network via Direct Connect. The network team wants to isolate traffic between VPCs while allowing all VPCs to reach the on-premises network. Which TWO configurations should be implemented?

Select 2 answers
A. Attach the Direct Connect virtual interface to a VPN attachment on the Transit Gateway
B. Use a Direct Connect gateway to propagate routes to all VPCs
C. Create separate Transit Gateway route tables for each VPC and associate them with the respective VPC attachments
D. Use a single Transit Gateway route table for all attachments
E. Create VPC peering connections between each VPC
Answers: A, C

Provides on-premises connectivity.

Why this answer

Options A and C are correct because Transit Gateway route tables can be used to isolate traffic, and VPN attachments can be used for segmentation. Option E is wrong because VPC peering is not needed if Transit Gateway is used. Option D is wrong because a single route table would allow all VPCs to communicate.

Option B is wrong because a Direct Connect gateway does not isolate traffic between VPCs.

189
MCQ · hard

A media company runs a latency-sensitive streaming application on Amazon EC2 instances in a VPC. The application sends UDP traffic to multiple on-premises destinations via an AWS Transit Gateway with a VPN attachment. Users report occasional freezing. Network monitoring shows no packet loss on the VPN tunnel, but the application logs show out-of-order packets and high jitter. The company uses a single VPN tunnel with BGP dynamic routing over the public internet. The on-premises router has a 50ms latency to the AWS endpoint. The application requires low jitter and in-order delivery. What should a network engineer do to resolve the issue?

A. Add a second VPN tunnel to the same Transit Gateway to load balance traffic
B. Enable jumbo frames on the VPN tunnel to reduce packet overhead
C. Replace the VPN attachment with an AWS Direct Connect private VIF to provide a consistent path
D. Change the application to use TCP instead of UDP
Answer: C

Direct Connect provides consistent low latency and jitter.

Why this answer

UDP traffic over a single VPN tunnel across the internet can experience jitter and reordering due to variable network conditions. AWS Direct Connect provides a consistent, low-latency path that eliminates internet variability, so Option C is correct. Option A (multiple VPN tunnels) may not resolve jitter inherent to internet transit.

Option D (TCP instead of UDP) changes the application protocol and is not a network solution. Option B (enable jumbo frames) does not address jitter.

190
Multi-Select · hard

A company has a VPC with multiple subnets spanning three Availability Zones. They have deployed an Application Load Balancer (ALB) in the VPC and need to ensure high availability and scalability for a web application. Which of the following are design considerations for implementing the ALB in this environment? (Choose THREE.)

Select 3 answers
A. Enable the ALB in at least two Availability Zones to provide high availability.
B. Remove an Availability Zone from the ALB if the targets in that AZ are unhealthy.
C. Configure the ALB to use subnets that span multiple Availability Zones.
D. Use VPC peering to connect the ALB to subnets in other VPCs.
E. Enable cross-zone load balancing to evenly distribute traffic across all targets.
Answers: A, B, E

ALB must have targets in multiple AZs to be highly available.

Why this answer

Option A is correct because AWS requires an Application Load Balancer to be enabled in at least two Availability Zones to achieve high availability. If one AZ fails, the ALB can continue routing traffic to healthy targets in the remaining AZs, ensuring fault tolerance and compliance with the ALB's regional service model.

Exam trap

AWS often tests the misconception that subnets can span multiple Availability Zones or that VPC peering can directly integrate an ALB with subnets in another VPC, but both are architecturally invalid in AWS.

191
MCQ · hard

A company has a multi-tier application deployed in a VPC. The web tier consists of an internet-facing Application Load Balancer (ALB) in public subnets, and EC2 instances in private subnets. The application tier runs on EC2 instances in separate private subnets, and the database tier uses an Amazon RDS for MySQL instance in private subnets. The application tier needs to connect to the database on port 3306. The security group for the RDS instance (sg-database) has an inbound rule allowing TCP 3306 from the security group of the application tier (sg-app). The application tier instances can connect to the database, but the web tier instances cannot. The web tier instances should not have direct database access. What is the most likely reason for the web tier's inability to connect to the database?

A. The network ACL for the database subnet is blocking inbound traffic from the web tier subnets.
B. The security group of the RDS instance does not have an inbound rule allowing traffic from the web tier's security group.
C. The RDS instance is in a public subnet and requires a NAT Gateway for communication.
D. The route table for the web tier subnets does not have a route to the database subnets.
Answer: B

The rule only allows traffic from sg-app, not from the web tier's security group.

Why this answer

Option B is correct: the security group rule on sg-database allows traffic only from sg-app. Since the web tier instances belong to a different security group, their traffic is not allowed.

Option A is wrong because NACLs are stateless and, if they were blocking, the application tier would also be affected. Option C is wrong because the database is in a private subnet and does not need a NAT Gateway. Option D is wrong because the route table is not relevant to security group rules.

192
MCQ · easy

A company has an AWS Site-to-Site VPN connection between their on-premises network and a VPC. The VPN tunnel status shows 'UP'. However, instances in the VPC cannot ping an on-premises server at 192.168.1.10. Which step should be taken to troubleshoot?

A. Verify that the internet gateway is attached to the VPC
B. Verify that the VPC route table has a route to the on-premises network via the virtual private gateway
C. Verify that the security group for the instances allows outbound ICMP
D. Verify that the VPN tunnel is up on both ends
Answer: B

Without this route, traffic from the VPC to on-premises is dropped.

Why this answer

Option B is correct because the VPC route table must have a route for the on-premises CIDR pointing to the virtual private gateway (or transit gateway). Option D is wrong because the tunnel is already up. Option C is wrong because security groups are stateful and usually allow outbound ping.

Option A is wrong because the VPN connection uses the virtual private gateway, not the internet gateway.

193
MCQ · hard

Refer to the exhibit. A Lambda function is attached to a VPC using the network interface eni-1234567890abcdef0. The Lambda function needs to send traffic to an on-premises server via a Direct Connect connection. The traffic is failing. Which setting on the network interface is most likely causing the issue?

A. The network interface is in a subnet that does not have a route to the Direct Connect.
B. The network interface has two private IP addresses.
C. The SourceDestCheck flag is enabled, which prevents the Lambda function from sending traffic that it is not the source or destination of.
D. The security group attached to the network interface may be blocking outbound traffic.
Answer: C

Lambda functions that forward traffic need to disable source/destination check.

Why this answer

The SourceDestCheck flag is set to true by default. For Lambda functions that are not the source or destination of traffic (for example, when acting as a NAT or forwarding traffic), this check must be disabled; with it enabled, forwarded packets are dropped, which makes Option C the cause.

Option B (multiple IPs) is not an issue; Option D (security group) could be, but the exhibit doesn't show rules; Option A (subnet) is not the direct cause.

194
MCQ · hard

Refer to the exhibit. A VPN connection is established between an on-premises network (10.0.0.0/16) and an AWS VPC (172.16.0.0/16). The on-premises network can ping the VPC's private IP addresses, but the VPC cannot ping the on-premises network's IP addresses. The VPC route table has a route to 10.0.0.0/16 pointing to the VGW. What is the MOST likely cause?

A. The VPN tunnels are not both in UP state
B. The VPN acceleration is disabled, causing high latency
C. The VPN connection is configured with static routes only and BGP is not used
D. The on-premises network does not have a route to the VPC CIDR (172.16.0.0/16) pointing to the customer gateway
Answer: D

Without a return route, traffic from the VPC reaches on-premises but replies are dropped.

Why this answer

Option D is correct. The VPN connection has a static route for 10.0.0.0/16, but the remote network CIDR is 0.0.0.0/0, which may cause routing issues; the main issue, however, is that while the VPC has a route to 10.0.0.0/16, the on-premises network may not have a route back to the VPC's CIDR (172.16.0.0/16). Option A is incorrect because the tunnels are up.

Option C is incorrect because static routes are configured. Option B is incorrect because acceleration is optional.

195
Multi-Select · hard

A company is troubleshooting connectivity issues between two VPCs that are peered using an inter-region VPC peering connection. The VPCs have the following CIDR blocks: VPC A (10.0.0.0/16) and VPC B (10.1.0.0/16). Which THREE of the following are possible reasons for the connectivity failure?

Select 3 answers
A. The VPC CIDR blocks overlap.
B. The VPC peering connection is in a 'pending-acceptance' state.
C. The route tables in each VPC do not have routes pointing to the peer VPC's CIDR.
D. The network ACLs in VPC A are blocking inbound traffic from VPC B's CIDR.
E. The security group rules in VPC A do not allow inbound traffic from VPC B's CIDR.
Answers: C, D, E

Without routes, traffic will not be forwarded to the peering connection.

Why this answer

For VPC peering, route tables must have routes to the peer VPC, security groups must allow the traffic, and network ACLs must allow the traffic, so Options C, D and E are all possible causes. Option A is wrong because 10.0.0.0/16 and 10.1.0.0/16 do not overlap. Option B is wrong because the peering connection is in the 'active' state by default after acceptance.

196
MCQ · hard

An organization is using AWS Direct Connect with a private VIF to connect to a VPC. They want to extend connectivity to multiple VPCs in the same region without creating multiple private VIFs. Which solution should they implement?

A. Create VPC peering connections from the VPC with the Direct Connect VIF to the other VPCs.
B. Create a Direct Connect gateway and associate it with a Transit Gateway that is attached to the VPCs.
C. Provision separate private VIFs for each VPC.
D. Use a Transit VIF to connect directly to a Transit Gateway.
Answer: B

A Direct Connect gateway can be associated with multiple virtual private gateways or a Transit Gateway to connect to multiple VPCs.

Why this answer

Option B is correct because a Direct Connect gateway allows a single private VIF to connect to multiple VPCs via a Transit Gateway or virtual private gateways. Option D is incorrect because a Transit VIF is for transit gateways, but the Direct Connect gateway is the key. Option A is incorrect because VPC peering does not use Direct Connect.

Option C is incorrect because multiple VIFs would be needed without a Direct Connect gateway.

197
MCQ · easy

A company is deploying a new web application on AWS. They need to distribute incoming HTTPS traffic across multiple EC2 instances in different Availability Zones. Which AWS service should they use?

A. Amazon Route 53
B. Amazon CloudFront
C. Application Load Balancer (ALB)
D. Network Load Balancer (NLB)
Answer: C

ALB operates at Layer 7, can terminate HTTPS, and distributes traffic across instances in multiple AZs.

Why this answer

The correct answer is C because an Application Load Balancer (ALB) operates at Layer 7, can route HTTPS traffic based on content, and supports cross-zone load balancing. Option D (NLB) operates at Layer 4 and does not support native HTTPS termination. Option B (CloudFront) is a CDN, not a regional load balancer.

Option A (Route 53) is a DNS service.

198
MCQ · easy

A company has a VPC with both IPv4 and IPv6 CIDRs. They need to allow outbound IPv6 traffic from private subnets to the internet. What should they use?

A. An internet gateway attached to the VPC.
B. A customer-managed prefix list.
C. A NAT gateway in a public subnet.
D. An egress-only internet gateway.
Answer: D

Designed for outbound-only IPv6 traffic from private subnets.

Why this answer

Option D is correct because an egress-only internet gateway allows outbound IPv6 traffic from private subnets while preventing inbound traffic. Option C is wrong because a NAT gateway is for IPv4 only. Option A is wrong because an internet gateway allows inbound traffic.

Option B is wrong because a prefix list is a set of route targets, not a device.

199
MCQ · easy

A company wants to deploy a web application on EC2 instances behind an Application Load Balancer (ALB). The application must support sticky sessions (session affinity). What configuration is required on the ALB?

A. Enable stickiness on the target group and specify a cookie duration
B. Use path-based routing
C. Configure health checks on the target group
D. Enable proxy protocol v2
Answer: A

Stickiness (session affinity) ensures the same client is routed to the same target.

Why this answer

Option A is correct because enabling stickiness on the ALB target group with a cookie duration ensures requests from the same client are sent to the same target. Option D (proxy protocol v2) is for client IP preservation. Option C is for health checks.

Option B is for path-based routing.

200
Multi-Select · medium

A company is deploying a web application that will be accessed over the internet. They want to use an Application Load Balancer (ALB) to distribute traffic across EC2 instances in multiple Availability Zones. Which TWO configurations are required to make the ALB internet-facing? (Choose TWO.)

Select 2 answers
A. Configure a security group that allows inbound traffic from 0.0.0.0/0.
B. Assign an Elastic IP address to the ALB.
C. Associate the ALB with private subnets only.
D. Associate the ALB with public subnets that have a route to an Internet Gateway.
E. Select 'Internet-facing' as the scheme when creating the ALB.
Answers: D, E

Required for internet-facing ALB.

Why this answer

Options D and E are correct: an internet-facing ALB must be in public subnets (with a route to an Internet Gateway) and be created with the internet-facing scheme, which gives it a public DNS name. Option B is wrong because the ALB does not need its own public IP; it uses the public subnets. Option C is wrong because an internet-facing ALB must be in public subnets, not private ones.

Option A is wrong because security groups do not make the ALB internet-facing.

201
Multi-Select · hard

A company is migrating its on-premises data center to AWS using Direct Connect and a VPN connection as backup. The company has multiple VPCs connected via a Transit Gateway. They want to ensure high availability for the Direct Connect connection. Which TWO actions should be taken? (Choose TWO.)

Select 2 answers
A. Replace the VPN backup with a second Direct Connect connection
B. Enable jumbo frames on the Direct Connect connection
C. Use a single Direct Connect connection but with higher bandwidth
D. Configure BGP with multiple virtual interfaces on the Direct Connect connections
E. Provision a second Direct Connect connection at a different location
Answers: D, E

BGP allows dynamic failover between virtual interfaces.

Why this answer

Options D and E are correct. Option E: a second Direct Connect connection at a different location provides physical redundancy. Option D: using BGP with multiple virtual interfaces allows active-active or active-passive failover.

Option A is incorrect because the VPN connection is already in place as a backup; for Direct Connect high availability you need redundant Direct Connect connections, not a replacement for the backup. Option C is incorrect because increasing bandwidth does not provide redundancy, and a single Direct Connect location is a single point of failure; you need two separate locations.

202
MCQ · hard

A network engineer is reviewing VPC Flow Logs for a VPC. The logs show that traffic from 10.0.1.5 to 10.0.2.10 on port 443 is being accepted and rejected intermittently. Both instances are in the same VPC. What is the most likely cause?

A. The security group on the destination instance is configured to allow inbound HTTPS but deny outbound traffic.
B. The network ACL is blocking traffic.
C. The route table is misconfigured.
D. The source instance's security group is denying outbound traffic.
Answer: A

Security groups are stateful; if outbound is denied, return traffic is rejected.

Why this answer

Option A is correct because a security group that allows inbound HTTPS but denies outbound can cause intermittent rejects if the return traffic is blocked. NACLs are stateless and would block consistently. Options B and D are less likely.

203
MCQ · medium

A company has an S3 bucket with the bucket policy shown. The VPC endpoint ID is correct. However, an EC2 instance in a private subnet in the same VPC cannot download objects from the bucket. What is a possible reason?

A. The EC2 instance does not have a route to the VPC endpoint
B. The bucket policy does not allow s3:ListBucket
C. The EC2 instance is accessing S3 via a NAT Gateway instead of the VPC endpoint
D. The VPC endpoint security group is blocking traffic
Answer: C

The policy only allows requests coming through the VPC endpoint; requests via the NAT Gateway are denied.

Why this answer

The bucket policy allows access only via the specified VPC endpoint. If the EC2 instance reaches S3 through a NAT Gateway or internet gateway, the request does not arrive through that VPC endpoint, and access is denied. The instance should use the VPC endpoint.

204
MCQ · medium

A global company wants to connect multiple VPCs across different AWS Regions using a hub-and-spoke model. The hub VPC contains shared services such as Active Directory and DNS. Which AWS service provides the most scalable and maintainable solution for this architecture?

A. AWS VPN CloudHub to interconnect all VPCs.
B. AWS Direct Connect gateway with virtual interfaces to each VPC.
C. VPC peering between each spoke VPC and the hub VPC.
D. AWS Transit Gateway with inter-Region peering attachments.
Answer: D

Transit Gateway provides a scalable hub-and-spoke architecture and supports inter-Region peering.

Why this answer

Option D is correct because AWS Transit Gateway is designed for hub-and-spoke connectivity across many VPCs and Regions, providing scalability and centralized management. Option C is wrong because VPC peering is point-to-point and does not scale well for many VPCs. Option A is wrong because VPN CloudHub is for VPN-based connectivity, not VPC-to-VPC.

Option B is wrong because a Direct Connect gateway is for connecting Direct Connect to multiple VPCs, not for VPC-to-VPC connectivity.

205
MCQ · hard

A network engineer is troubleshooting high latency on a Direct Connect connection. The engineer notices that the BGP session is flapping intermittently. The connection is a 1 Gbps dedicated connection with a single private VIF. The router configuration uses default BGP timers. What is the most likely cause of the flapping?

A. The MTU size is set to 9001 (jumbo frames) on the Direct Connect interface.
B. The link experiences occasional packet loss causing BGP hold timer expiration.
C. The BGP authentication key is mismatched between the customer router and AWS.
D. The Multi-Exit Discriminator (MED) value is set too high on the customer router.
Answer: B

Packet loss can cause keepalive messages to be lost, leading to hold timer expiry and BGP session reset.

Why this answer

Option B is correct because BGP hold timers (default 90 seconds) may cause the session to drop if the link has high latency or occasional packet loss. Increasing the hold timer can prevent flapping. Option A is wrong because jumbo frames are unrelated to BGP flapping.

Option C is wrong because BGP authentication errors would cause persistent failures, not intermittent flaps. Option D is wrong because the MED attribute is used for inbound traffic engineering, not session stability.

206
MCQ · easy

A company is deploying a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is internet-facing and uses a public subnet. The EC2 instances are in private subnets. The application needs to be accessible from the internet. The security group for the ALB allows inbound HTTP and HTTPS from 0.0.0.0/0. The security group for the EC2 instances allows inbound traffic from the ALB's security group. The route tables for the private subnets have a default route to a NAT gateway. Users report that they cannot access the application. The ALB target group shows the instances as unhealthy. What is the MOST likely cause?

A. The security group for the EC2 instances does not allow inbound traffic from the ALB's security group on the health check port.
B. The ALB is deployed in a private subnet instead of a public subnet.
C. The ALB does not have an associated internet gateway route.
D. The NAT gateway is not correctly routing traffic from the instances to the internet.
Answer: A

Health checks fail if the security group blocks the traffic.

Why this answer

Option A is correct because the security group for the EC2 instances must allow health check traffic from the ALB on the health check port. Option B is incorrect because the ALB is in a public subnet. Option C is incorrect because the ALB is already in a public subnet and needs no additional internet gateway route.

Option D is incorrect because the NAT gateway only handles outbound traffic from the instances.

207
MCQ · easy

A company wants to connect its on-premises data center to AWS using AWS Direct Connect. The company requires a dedicated 1 Gbps connection with low latency and high bandwidth for mission-critical workloads. Which type of Direct Connect interface should be used?

A. AWS Transit VIF
B. VPN Connection
C. Hosted Connection
D. Dedicated Connection
Answer: D

A dedicated connection provides a physical port dedicated to the customer.

Why this answer

Option D is correct because a dedicated connection provides a physical Ethernet link dedicated to the customer. Option A is incorrect because a virtual interface is configured on top of a dedicated connection, not in place of it. Options B and C are incorrect: a VPN connection is not Direct Connect, and a hosted connection does not provide a dedicated physical port.

208
MCQ · medium

A financial services company has a VPC with a public subnet and a private subnet. EC2 instances in the private subnet need to download patches from the internet. The company has a NAT gateway in the public subnet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT gateway. However, instances cannot reach the internet. The NAT gateway is in an 'available' state and has an Elastic IP attached. The security group for the NAT gateway allows all outbound traffic. What is the most likely cause of the issue?

A. The security group for the NAT gateway is blocking inbound traffic from private instances
B. The NAT gateway is not provisioned with sufficient bandwidth
C. The NAT gateway does not have an IAM role to access the internet
D. The route table for the public subnet does not have a default route (0.0.0.0/0) pointing to an internet gateway
Answer: D

The NAT gateway needs an internet gateway route to forward traffic.

Why this answer

Option D is correct: the most common cause is that the route table for the public subnet (where the NAT gateway resides) does not have a default route to an internet gateway. The NAT gateway needs a route to the internet gateway to forward traffic. Option C is wrong because a NAT gateway does not require an IAM role.

Option A is wrong because the security group is stated to be correct. Option B is wrong because the NAT gateway is in the 'available' state and has an EIP, so it is not provisioned incorrectly.

209
MCQ · easy

A company is deploying a VPC with IPv6 support. The VPC has a CIDR block of 10.0.0.0/16 and an assigned IPv6 CIDR block of 2600:1f16:xxxx:xxxx::/56. The company wants EC2 instances in a public subnet to be able to communicate with the internet using IPv6. Which configuration is necessary?

A. Attach a NAT gateway to the VPC and add a route for ::/0 to the NAT gateway in the public subnet route table.
B. Attach an internet gateway to the VPC and add a route for 0.0.0.0/0 to the internet gateway in the public subnet route table.
C. Set up a NAT64 translation service to convert IPv6 requests to IPv4.
D. Attach an egress-only internet gateway to the VPC and add a route for ::/0 to the egress-only internet gateway in the public subnet route table.
Answer: D

Provides outbound-only IPv6 internet access.

Why this answer

Option D is correct because an egress-only internet gateway allows outbound IPv6 traffic from EC2 instances while preventing inbound connections, similar to a NAT gateway for IPv4. Option B is wrong because an internet gateway with a 0.0.0.0/0 route covers IPv4 only. Option C is wrong because NAT64 translates IPv6 to IPv4, which is not required here.

Option A is wrong because a NAT gateway is for IPv4 only.

210
MCQ · medium

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to download patches from the internet. The company has a NAT gateway in a public subnet. The EC2 instance can connect to other instances in the VPC but cannot reach the internet. What is the most likely cause?

A. The security group of the EC2 instance blocks outbound HTTPS traffic.
B. The NAT gateway does not have an Elastic IP address.
C. The network ACL of the private subnet blocks inbound traffic from the NAT gateway.
D. The route table in the private subnet does not have a default route to the NAT gateway.
Answer: D

A missing default route prevents internet access.

Why this answer

Option D is correct because the route table associated with the private subnet must have a default route (0.0.0.0/0) pointing to the NAT gateway. Option B is incorrect because the NAT gateway itself does not require a public IP for outbound traffic (though it needs one for inbound). Option A is incorrect because security group rules are stateful and allow outbound traffic.

Option C is incorrect because the NACL must allow outbound traffic, but the missing route is the primary issue.

211
MCQ · medium

A company has deployed a web application behind an Application Load Balancer (ALB) in a VPC with public and private subnets. The ALB is in public subnets, and the web servers are in private subnets. Clients report intermittent connection errors. Investigation shows that the ALB is marking targets as unhealthy. What is the MOST likely cause?

A. The network ACL for the private subnets is blocking inbound traffic from the ALB.
B. The security group for the web servers does not allow inbound traffic from the internet.
C. The ALB is deployed in private subnets and cannot reach the internet.
D. The health check is configured to use the public IP address of the targets, but the targets are in private subnets without public IPs.
Answer: D

Health checks must target the private IP of the instances; using public IPs will fail.

Why this answer

If the ALB health checks are configured to use the public IP of the targets, the private subnet instances will not respond because they do not have public IPs. Option B is wrong because the web servers' security group should allow traffic from the ALB, not from the internet. Option C is wrong because the ALB is in public subnets.

Option A is wrong because the relevant access control here is the security group on the instance side, not the subnet network ACL.

212
MCQ · hard

A company is implementing a hybrid network architecture with AWS Direct Connect and a VPN backup. The company has two Direct Connect connections from different providers terminating at two AWS Direct Connect locations, each connecting to a separate AWS Transit Gateway in the same region. The VPCs are attached to both transit gateways. The company needs to ensure that traffic from on-premises to VPCs uses the primary Direct Connect connection when available and fails over to the secondary Direct Connect connection, then to the VPN. How should the company configure routing to achieve this?

A. Configure BGP AS_PATH prepending on the secondary Direct Connect and VPN connections to make them less preferred than the primary Direct Connect.
B. Disable route propagation from the VPN to the transit gateway route tables, and rely on the Direct Connect connections only.
C. Configure equal-cost multipath (ECMP) routing across all three connections to load balance traffic.
D. Use static routes in the transit gateway route tables with higher metric values for the secondary Direct Connect and VPN.
Answer: A

AS_PATH prepending influences BGP best path selection.

Why this answer

Option A is correct because adjusting BGP attributes such as AS_PATH prepending on the secondary Direct Connect and VPN connections influences path selection, with the VPN carrying the longest AS_PATH so it is chosen last. Option D is wrong because static routes cannot be used with Direct Connect; BGP is required. Option B is wrong because disabling route propagation on the VPN would not affect the Direct Connect failover order.

Option C is wrong because equal-cost multipath (ECMP) would load balance across the paths rather than provide failover priority.

213
MCQ · medium

A company is deploying a multi-VPC architecture with connectivity requirements. The network team needs to establish private connectivity between VPCs in the same AWS account and region, using services that can scale to 100 Gbps throughput. Which solution meets these requirements?

A. Use AWS PrivateLink with Network Load Balancers to connect VPCs
B. Deploy AWS Client VPN and configure routes between VPCs
C. Create an AWS Transit Gateway and attach all VPCs to it
D. Configure VPC peering connections between each pair of VPCs
Answer: C

Transit Gateway provides scalable connectivity up to 100 Gbps per attachment.

Why this answer

Option C is correct because Transit Gateway supports up to 100 Gbps per attachment and provides centralized connectivity between multiple VPCs. Option D is wrong because VPC peering does not scale to 100 Gbps and is a point-to-point connection. Option A is wrong because AWS PrivateLink is for accessing services across VPCs, not for general VPC-to-VPC connectivity.

Option B is wrong because Client VPN is for remote access, not VPC-to-VPC connectivity.

214
MCQ · medium

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. The on-premises network team reports that they can ping the VPC's private IP addresses, but they cannot reach an internet-facing application hosted on an EC2 instance in a public subnet. The EC2 instance has a public IP and a security group allowing HTTP/HTTPS from 0.0.0.0/0. What is the most likely cause?

A. The route table in the public subnet does not have a default route to an internet gateway.
B. The security group is blocking traffic from the on-premises IP range.
C. The BGP session is not exchanging routes for the public IP range.
D. The private VIF does not route traffic to public IP addresses; the on-premises traffic to the public IP must traverse the internet.
Answer: D

A private VIF only carries traffic destined to private IP addresses in the VPC. Traffic to public IPs must go over the internet.

Why this answer

Option D is correct because the private VIF only routes the VPC's private IP addresses; traffic from on-premises to the public IP of the EC2 instance will not go over the private VIF and must go over the internet. Option B is incorrect because the security group allows all inbound HTTP/HTTPS.

Option A is incorrect because the route table can have a default route to an internet gateway. Option C is incorrect because BGP is used for prefix exchange and would not block traffic to public IPs.

215
MCQ · easy

A company is designing a VPC with public and private subnets. They want EC2 instances in private subnets to be able to access the internet for software updates. Which AWS service should they use?

A. AWS Direct Connect
B. Internet Gateway (IGW)
C. VPC Peering connection
D. NAT Gateway
Answer: D

A NAT Gateway enables outbound internet access for instances in private subnets.

Why this answer

Option D is correct because a NAT Gateway allows instances in private subnets to initiate outbound traffic to the internet while preventing inbound traffic from the internet. Option B (Internet Gateway) is for public subnets. Option C (VPC Peering) is for connecting VPCs.

Option A (Direct Connect) is a dedicated connection to on-premises.

216
MCQ · medium

A company has a VPN connection between an on-premises network and AWS using two tunnels for redundancy. The BGP sessions are established, but traffic is only flowing through one tunnel. The engineer wants to ensure both tunnels are actively used. What should be configured?

A. Enable load balancing on the VPN connection in the AWS console.
B. Configure static routes for the second tunnel.
C. Assign different BGP ASNs to each tunnel.
D. Advertise the same BGP prefixes over both tunnels from the on-premises router.
Answer: D

This allows AWS to load balance traffic across both tunnels.

Why this answer

Option D is correct because BGP supports load balancing when the same prefixes are advertised over both tunnels. AWS VPN supports active/active mode if the customer gateway device is configured to advertise the same BGP routes over both tunnels. Option B is incorrect because static routes do not provide automatic failover.

Option C is incorrect because different ASNs would break BGP. Option A is incorrect because the VPN connection itself does not have a load balancing setting.

217
Multi-Select · easy

A network engineer needs to monitor network traffic in a VPC. Which TWO AWS services can capture and analyze VPC flow logs?

Select 2 answers
A. Amazon GuardDuty
B. Amazon S3
C. VPC Traffic Mirroring
D. Amazon CloudWatch Logs
E. AWS Config
Answers: B, D

Flow logs can be delivered to S3 and to CloudWatch Logs.

Why this answer

Amazon S3 is a correct destination for VPC Flow Logs because you can publish flow log data directly to an S3 bucket, where it can be stored, queried with Amazon Athena, or processed by other analytics tools. Amazon CloudWatch Logs is also a correct destination, allowing you to publish flow logs to a log group for real-time monitoring, metric filters, and integration with CloudWatch alarms or third-party solutions via subscription filters.

Exam trap

AWS often tests the misconception that VPC Traffic Mirroring is a type of flow log, but it is a separate feature for capturing full packet payloads, not the aggregated metadata logs that VPC Flow Logs provide.

218
Multi-Select · easy

A company is designing a hybrid network using AWS Direct Connect. Which TWO of the following are required to establish a private virtual interface (VIF) to a single VPC?

Select 2 answers
A. A Direct Connect Gateway to connect to the VPC.
B. A VLAN ID for the virtual interface.
C. A public IP address for the AWS side of the BGP session.
D. A BGP session with the AWS Direct Connect endpoint using public IPs.
E. A BGP session to exchange routing information.
Answers: B, E

A VLAN ID is required to tag the traffic.

Why this answer

A private VIF requires a VLAN ID and a BGP session. Option A is optional for a single VPC (a Direct Connect gateway is required for a transit VIF); Options C and D describe a public VIF, whose BGP session uses public IPs.

219
Multi-Select · hard

A company is deploying a global application and wants to use AWS Global Accelerator to improve performance. The application runs behind an Application Load Balancer (ALB) in us-east-1. Which THREE components are part of a Global Accelerator deployment?

Select 3 answers
A. Route 53 hosted zones
B. Endpoint groups
C. AWS edge locations
D. Lambda@Edge functions
E. Two static anycast IP addresses
Answers: B, C, E

Endpoint groups define endpoints and traffic distribution.

Why this answer

Options B, C, and E are correct. Option E is correct because Global Accelerator uses two static anycast IP addresses. Option C is correct because it uses AWS edge locations.

Option B is correct because endpoint groups are a core component. Option D is wrong because Lambda@Edge is for CloudFront. Option A is wrong because Route 53 is DNS, not part of Global Accelerator.

220
MCQ · hard

Refer to the exhibit. A subnet is created in VPC vpc-abcde but no explicit route table association is set. What is the default route for internet-bound traffic from this subnet?

A. Traffic is dropped because no explicit association is set.
B. Traffic goes through the Internet Gateway.
C. Traffic goes through the NAT Gateway nat-67890.
D. Traffic is dropped because no Internet Gateway is present.
Answer: C

The main route table has a route to the NAT Gateway.

Why this answer

Option C is correct because the subnet inherits the main route table (rtb-12345), which has a 0.0.0.0/0 route to a NAT Gateway. Option A is wrong because a subnet with no explicit association uses the main route table; traffic is not dropped. Option B is wrong because an Internet Gateway is not present.

Option D is wrong because the main route table's local route handles VPC-internal traffic and its 0.0.0.0/0 route to the NAT Gateway handles internet-bound traffic.

221
MCQ · medium

An organization needs to securely connect its on-premises data center to multiple VPCs in different AWS Regions. The on-premises network uses BGP. Which AWS service should be used to simplify routing and provide a single point of attachment for the on-premises router?

A. Direct Connect gateway with a private VIF.
B. AWS Transit Gateway with inter-Region peering attachments.
C. VPC Peering connections between each VPC and the on-premises network.
D. AWS Client VPN endpoint.
Answer: B

A centralized hub with BGP and multi-Region support.

Why this answer

Option B is correct because Transit Gateway provides a hub for multi-VPC and on-premises connectivity with BGP support. Option C is wrong because VPC peering is point-to-point, not a hub. Option A is wrong because a Direct Connect gateway doesn't connect multiple Regions natively.

Option D is wrong because Client VPN is for individual users.

222
MCQ · medium

A company is implementing a network architecture for a critical application that requires ultra-low latency between two Amazon EC2 instances. The instances are launched in two different Availability Zones within the same AWS Region. The network engineer needs to ensure that traffic between the instances uses the lowest latency path possible. The instances are placed in a cluster placement group. The application uses TCP. The engineer has configured the security groups to allow all traffic between the instances. However, latency is higher than expected. What should the engineer do to reduce latency?

A. Configure the instances to use their private IP addresses instead of public IPs for communication.
B. Enable Elastic Network Adapter (ENA) and enhanced networking on both instances.
C. Move the instances to the same subnet within the same Availability Zone.
D. Set up a VPC peering connection between the subnets in the two Availability Zones.
Answer: B

ENA reduces latency by offloading network processing.

Why this answer

Option B is correct because Elastic Network Adapter (ENA) with enhanced networking provides lower latency and higher throughput. Option C is incorrect because a cluster placement group is already in use. Option A is incorrect because using private IPs keeps traffic within the AWS network, but ENA has the greater impact on latency.

Option D is incorrect because VPC peering does not help; the instances are in the same VPC.

223
Multi-Select · hard

A company is using AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. The network engineer needs to ensure that traffic between VPC A and VPC B follows a specific path through a Network Virtual Appliance (NVA) in VPC C. Which TWO actions should the engineer take?

Select 2 answers
A. Associate VPC A's and VPC B's route tables with a different Transit Gateway route table that has a default route pointing to the VPC C attachment.
B. Add a static route in the Transit Gateway route table for VPC A's CIDR pointing to the VPC B attachment with a blackhole.
C. Enable route propagation for VPC A and VPC B attachments in the same Transit Gateway route table.
D. Add a specific route for VPC B's CIDR in the Transit Gateway route table used by VPC A, pointing to the VPC C attachment.
E. Create a VPC peering connection between VPC A and VPC B.
Answers: B, D

This prevents VPC A from directly reaching VPC B via the Transit Gateway.

Why this answer

Option B is correct because adding a static route in the Transit Gateway route table for VPC A's CIDR pointing to the VPC B attachment with a blackhole forces traffic destined to VPC B to be dropped at the Transit Gateway, preventing direct routing. Option D is correct because adding a specific route for VPC B's CIDR in the Transit Gateway route table used by VPC A, pointing to the VPC C attachment, ensures traffic from VPC A to VPC B is forwarded through the NVA in VPC C, enforcing the desired inspection path.

Exam trap

The trap here is that candidates often think enabling route propagation (Option C) is sufficient for traffic inspection, but it actually allows direct routing between VPCs, bypassing the NVA, unless specific static routes are added to override the propagated routes.

224
MCQ · medium

An engineer is reviewing VPC Flow Logs for connectivity issues between two EC2 instances (10.0.1.5 and 10.0.2.10) on TCP port 443. The first log entry shows ACCEPT, the second shows REJECT. What is the most likely cause of the REJECT?

A. The destination instance has an incorrect network interface configuration.
B. The network ACL is blocking the traffic due to an incorrect inbound rule.
C. The route table for the subnet does not have a route to the destination.
D. A security group rule is blocking the return traffic.
Answer: D

Security groups are stateful, and if the return traffic does not match a tracked session or an allowed outbound rule, it can be rejected.

Why this answer

Option D is correct because a REJECT indicates that the packet was dropped by a security group or NACL. Since the first packet was accepted, a stateful security group may be blocking the return traffic if the session is not tracked. Option C is incorrect because a REJECT is not caused by routing; a missing route produces no flow log entry for that path.

Option B is incorrect because the log shows the initial traffic was accepted. Option A is incorrect because Flow Logs do not indicate interface configuration issues.

225
MCQ · hard

A company has a VPC (10.0.0.0/16) with two subnets: public (10.0.1.0/24) and private (10.0.2.0/24). They have an Application Load Balancer (ALB) in the public subnet that distributes traffic to EC2 instances in the private subnet. The ALB is internet-facing and has a security group that allows inbound HTTP/S from 0.0.0.0/0. The EC2 instances have a security group that allows inbound HTTP from the ALB's security group. Users report that they can access the application, but the application is slow and sometimes times out. The network engineer checks CloudWatch metrics and sees that the ALB's target response time is high. The engineer suspects that the EC2 instances are overwhelmed. Which action should the engineer take to improve performance?

A. Add a NAT gateway in the public subnet to reduce latency.
B. Replace the ALB with a Network Load Balancer to reduce overhead.
C. Increase the size of the EC2 instances in the private subnet.
D. Add EC2 instances in another Availability Zone and register them with the ALB.
Answer: D

Distributing load across AZs improves performance and availability.

Why this answer

Option D is correct because adding targets in multiple Availability Zones increases capacity and fault tolerance. Option C is incorrect because increasing the instance size may help but is not the best practice for high availability. Option A is incorrect because a NAT gateway is for outbound internet access.

Option B is incorrect because an NLB does not offload processing from the instances.
