CCNA Network Management and Operations Questions

75 of 346 questions · Page 2/5 · Network Management and Operations

76 · MCQ · hard

A network engineer is troubleshooting connectivity issues between two VPCs that are connected via VPC peering. The VPCs are in the same region and have overlapping CIDR blocks. The engineer can ping the private IP of an instance in the peered VPC from an instance in the first VPC. However, traffic on TCP port 443 (HTTPS) fails. Which is the most likely cause?

A. The network ACL in the target subnet is blocking inbound HTTPS traffic
B. The security group of the target instance does not allow inbound HTTPS traffic from the source
C. The VPC peering connection is not in the 'active' state
D. The route tables in both VPCs do not have routes to the peered VPC's CIDR
Answer: B

Security groups are stateful; ICMP may be allowed but HTTPS not.

Why this answer

Option B is correct because the security group of the target instance must allow inbound HTTPS traffic from the source instance's security group or CIDR. Option C is wrong because ICMP works, so the peering connection is active. Option D is wrong because the route tables already have routes to the peering connection.

Option A is wrong because NACLs are stateless and would block ICMP too if misconfigured.

77 · Multi-Select · hard

A company has a global application deployed across multiple AWS regions. The application uses Application Load Balancers (ALBs) and Auto Scaling groups. The network team wants to route traffic to the nearest region based on latency, and also wants to failover to another region if the primary region becomes unhealthy. Which THREE services should be used together to achieve this? (Choose THREE.)

Select 3 answers
A. Amazon CloudFront with origin failover
B. Amazon Route 53 latency-based routing
C. Amazon CloudWatch alarms to detect regional health
D. AWS Lambda to update Route 53 records on failover
E. AWS Global Accelerator
Answers: B, C, D

Routes based on latency.

Why this answer

Options B, C, and D are correct. Route 53 latency-based routing sends users to the region with the lowest latency, CloudWatch alarms can monitor regional health, and Lambda can automate the DNS changes for failover. Option E is wrong because Global Accelerator uses anycast and does not use Route 53 latency routing.

Option A is wrong because CloudFront is for content delivery, not regional failover.

78 · MCQ · easy

A network engineer is troubleshooting high latency to an application hosted in Amazon EC2. The application uses an Application Load Balancer. Which metrics in Amazon CloudWatch should be examined to identify if the load balancer is causing latency?

A. HTTP 5XX Count
B. ActiveConnectionCount
C. TargetResponseTime
D. RequestCount
Answer: C

This metric measures time to respond from targets.

Why this answer

Option C is correct because TargetResponseTime measures the time taken by the target to respond, which directly indicates backend latency. Option D is wrong because RequestCount is a count, not a latency measure. Option B is wrong because ActiveConnectionCount measures concurrent connections.

Option A is wrong because the HTTP 5XX count indicates errors, not latency.

79 · MCQ · medium

A company runs a critical application on EC2 instances in an Auto Scaling group across two Availability Zones in a VPC. The application communicates with an on-premises database over an AWS Direct Connect private VIF. The network team has configured a VPN connection as a backup. Recently, the application experienced intermittent timeouts when accessing the database. The team suspects asymmetric routing because the primary Direct Connect and backup VPN are both active. The network team wants to ensure that all traffic to the on-premises network uses the Direct Connect when it is available, and only fails over to the VPN if Direct Connect goes down. The BGP sessions are configured on both connections. The Direct Connect advertises the on-premises CIDR of 10.0.0.0/16, and the VPN advertises the same CIDR. The team has access to the on-premises router configuration and AWS console. Which action should the team take to resolve the issue?

A. Add a static route in the VPC route table pointing to the Direct Connect virtual interface for the on-premises CIDR.
B. Configure the on-premises router to prepend one or more AS numbers to the routes advertised over the VPN BGP session.
C. Advertise a more specific prefix (e.g., 10.0.0.0/24) over the VPN BGP session to attract traffic.
D. Disable BGP on the VPN connection and use static routes instead.
Answer: B

AS path prepend makes the VPN route less preferred, so Direct Connect is used.

Why this answer

Option B is correct because adjusting BGP attributes so that the Direct Connect path is preferred ensures all traffic uses Direct Connect when it is available. Prepending the AS path on the VPN side makes the VPN path less preferred, so Direct Connect is chosen. Option A is wrong because a static route is not dynamic and could cause issues if Direct Connect fails.

Option D is wrong because removing the VPN BGP session removes redundancy. Option C is wrong because advertising a more specific prefix on the VPN side would make the VPN path more specific and thus preferred, causing the same issue.

80 · MCQ · hard

A company uses AWS CloudFormation to deploy a VPC with public and private subnets. The template includes an Internet Gateway and a NAT Gateway. After deployment, instances in the private subnet cannot access the internet. The network engineer checks the route tables and finds that the private subnet route table has a default route pointing to the NAT Gateway. What is the most likely cause of the issue?

A. The NAT Gateway is deployed in the private subnet instead of the public subnet.
B. The security group attached to the NAT Gateway blocks outbound traffic.
C. The private subnet route table does not have a default route (0.0.0.0/0) to the NAT Gateway.
D. The NAT Gateway is in a private subnet and has no route to the internet gateway.
Answer: A

NAT Gateway must be in a public subnet with a route to IGW to function.

Why this answer

Option A is correct because the NAT Gateway must be in a public subnet with a route to the IGW. Option C is wrong because the default route is present. Option B is wrong because security groups allow outbound traffic by default.

Option D is wrong because the private subnet's default route points to the NAT Gateway, not the IGW.

81 · Multi-Select · medium

A network engineer is troubleshooting connectivity issues between an Amazon EC2 instance in a public subnet and an on-premises server over AWS Direct Connect. The instance can reach the internet but cannot reach the on-premises server. Which TWO actions should the engineer take to diagnose the issue?

Select 2 answers
A. Check the VPC route table to ensure a route exists for the on-premises CIDR pointing to the virtual private gateway
B. Check the VPN connection status to ensure the tunnel is up
C. Check the security group attached to the EC2 instance to ensure it allows inbound traffic from the on-premises CIDR
D. Enable VPC Flow Logs and analyze them for dropped packets
E. Check the network ACLs for the subnet to ensure they allow inbound traffic from on-premises
Answers: A, C

Correct routing is essential.

Why this answer

Options A and C are correct. Checking the route table verifies that the on-premises CIDR points to the virtual private gateway. Checking the security group ensures inbound traffic from on-premises is allowed.

Option E is incorrect because NACLs are stateless and usually allow return traffic if properly configured. Option D is incorrect because flow logs are for logging, not real-time diagnosis. Option B is incorrect because the VPN is not involved.

82 · MCQ · hard

A network engineer is configuring an AWS Site-to-Site VPN with dynamic routing (BGP). The customer gateway device is a Cisco router. The VPN tunnel is established, but BGP is not forming. Which configuration on the Cisco router is most likely missing?

A. The VPN connection's local IP address.
B. The correct IP address for the tunnel interface.
C. The pre-shared key for IKE phase 1.
D. The BGP neighbor statement with the correct Amazon ASN (64512).
Answer: D

ASN mismatch is a common cause of BGP not forming.

Why this answer

Option D is correct. The BGP neighbor must be configured with the correct ASN; a mismatch prevents the session from forming. Option C is wrong because the tunnel is already established, so IKE phase 1 and the pre-shared key are fine.

Option B is wrong because the tunnel interface is up. Option A is wrong because the missing piece is a routing-protocol parameter, not a VPN parameter.

83 · MCQ · easy

A network engineer is troubleshooting intermittent connectivity issues between an on-premises data center and AWS over a Direct Connect connection. The issue occurs only during peak business hours. CloudWatch metrics show increased latency and packet loss at the Direct Connect virtual interface. What is the MOST likely cause?

A. VPN tunnel misconfiguration over Direct Connect
B. Asymmetric routing between on-premises and AWS
C. BGP peering session flapping
D. Insufficient bandwidth on the Direct Connect connection
Answer: D

Congestion during peak hours causes latency and packet loss.

Why this answer

Option D is correct because insufficient bandwidth leads to congestion during peak hours, causing latency and packet loss. Option B is incorrect because asymmetric routing would cause persistent issues, not intermittent ones. Option C is incorrect because BGP peering issues would cause complete loss, not just latency and packet loss.

Option A is incorrect because VPN over Direct Connect is not a common configuration and would not cause these symptoms.

84 · Multi-Select · hard

A company wants to implement a network monitoring solution that provides real-time traffic analysis and anomaly detection. Which THREE AWS services should be used together?

Select 3 answers
A. AWS Config
B. Amazon GuardDuty
C. VPC Flow Logs
D. AWS CloudTrail
E. Amazon CloudWatch
Answers: B, C, E

GuardDuty provides anomaly detection using VPC Flow Logs data.

Why this answer

The correct answers are B, C, and E. VPC Flow Logs capture traffic, CloudWatch provides metrics and alarms, and GuardDuty provides anomaly detection. Option D is wrong because CloudTrail records API calls, not traffic.

Option A is wrong because AWS Config is for configuration tracking.

85 · MCQ · hard

A company has a multi-account AWS environment using AWS Organizations. They want to centralize VPC flow logs from all accounts into a single Amazon S3 bucket in the management account. The management account S3 bucket policy allows the log delivery service to write logs. However, flow logs are failing to deliver from member accounts. What is the most likely reason?

A. Flow logs cannot be delivered cross-account; they must be in the same account
B. The member account's IAM role for flow logs does not have permission to write to the bucket
C. The S3 bucket policy does not include a principal condition for the member account's log delivery service
D. The S3 bucket uses SSE-KMS encryption and the member account does not have access to the KMS key
Answer: C

The bucket policy must allow the log delivery service from the member account.

Why this answer

Option C is correct because the S3 bucket policy must explicitly allow the log delivery service principal (delivery.logs.amazonaws.com) from the member account to write objects. Option A is incorrect because flow logs can be delivered cross-account with proper permissions. Option B is incorrect because the bucket policy is evaluated, not the member account's VPC flow log role.

Option D is incorrect because encryption is not the issue.

86 · Multi-Select · medium

A company is designing a highly available network architecture using AWS Direct Connect. Which TWO actions should be taken to ensure redundancy?

Select 2 answers
A. Create a single private VIF on the Direct Connect connection
B. Set up a VPN connection over the internet as a backup
C. Provision two Direct Connect connections at different locations
D. Use a single Direct Connect connection with multiple VIFs
E. Configure BGP with different ASNs on each connection
Answers: C, E

Two connections at different locations provide physical diversity.

Why this answer

Options C and E are correct because using two separate Direct Connect connections and configuring BGP with different ASNs provides path diversity and failover. Option D is wrong because a single connection is a single point of failure. Option B is wrong because a VPN backup over the same internet connection does not provide true diversity.

Option A is wrong because a single VIF on a single connection offers no redundancy.

87 · MCQ · medium

A company uses AWS Client VPN to provide remote access to its VPC resources. Users report that they can connect to the VPN but cannot reach any resources in the VPC. The VPN endpoint is associated with a subnet in VPC A. The VPC's route table has a route for the Client VPN CIDR (10.200.0.0/16) pointing to the VPN endpoint. The security group assigned to the VPN endpoint allows inbound traffic from the VPN clients. What is the most likely cause of the issue?

A. The Client VPN endpoint's authentication is failing.
B. The VPN endpoint is not associated with the correct subnet.
C. The route table in VPC A does not have a route for the Client VPN CIDR.
D. The security group associated with the VPN endpoint does not allow inbound traffic from the VPN client CIDR.
Answer: D

The security group must allow inbound traffic from the client CIDR (10.200.0.0/16) to reach VPC resources.

Why this answer

The most likely cause is that the security group associated with the VPN endpoint does not allow inbound traffic from the VPN client CIDR (10.200.0.0/16). Even though users can connect to the VPN, the security group acts as a virtual firewall for the endpoint; without an inbound rule permitting traffic from the client CIDR, packets from clients are dropped before they can be routed to VPC resources. The question states that the security group allows inbound traffic from 'the VPN clients' but not specifically from the client CIDR range, which is a common misconfiguration.

Exam trap

The trap here is that candidates assume a successful VPN connection implies all traffic is allowed, but AWS security groups operate independently of the VPN tunnel and must explicitly permit traffic from the client CIDR range.

How to eliminate wrong answers

Option A is wrong because if authentication were failing, users would not be able to connect to the VPN at all; the issue is that they can connect but cannot reach resources. Option B is wrong because the VPN endpoint is already associated with a subnet in VPC A, and the question confirms this association; if it were associated with the wrong subnet, the VPN connection itself would likely fail or be misrouted. Option C is wrong because the question explicitly states that the VPC's route table has a route for the Client VPN CIDR (10.200.0.0/16) pointing to the VPN endpoint, so this is not the issue.

88 · MCQ · medium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect. The network team notices that traffic from an on-premises data center to a VPC is intermittently dropping. CloudWatch metrics show no errors on the Direct Connect virtual interface. What is the most likely cause of the intermittent drops?

A. Latency spikes on the Direct Connect link due to AWS VPN backup path
B. MTU mismatch causing packet fragmentation for jumbo frames
C. BGP keepalive timer mismatch between the on-premises router and the Direct Connect router
D. Asymmetric routing due to missing or incorrect route propagation in Transit Gateway route tables
Answer: D

Asymmetric routing can cause intermittent drops if return traffic takes a different path.

Why this answer

Option D is correct because asymmetric routing can cause packet drops when Transit Gateway does not have a route back to the source. Option C is wrong because a BGP timer mismatch would cause sustained loss. Option B is wrong because an MTU mismatch typically causes packet loss only for large packets.

Option A is wrong because the VPN would not be in the path while Direct Connect is in use.

89 · MCQ · easy

A company wants to centralize VPC flow log management from multiple accounts into a single S3 bucket in the management account. Which combination of AWS services should be used?

A. AWS CloudTrail and Amazon S3
B. AWS Lambda and Amazon S3
C. Amazon Kinesis Data Firehose and Amazon S3
D. AWS Organizations and Amazon S3 bucket policy
Answer: D

Using Organizations, you can set a bucket policy that allows flow logs from member accounts to be delivered to the central bucket.

Why this answer

AWS Organizations with SCP can allow cross-account S3 bucket policies. AWS CloudTrail is not needed for flow logs. Option D is correct.

Options A, B, and C either miss key services or include unnecessary ones.

90 · MCQ · medium

A company has a VPC with public and private subnets. The security team wants to analyze all traffic to and from the internet for security incidents. Which AWS service should be used to capture and analyze this traffic?

A. AWS Shield Advanced
B. AWS Network Firewall
C. AWS WAF
D. VPC Flow Logs
Answer: D

Flow Logs capture IP traffic metadata for analysis.

Why this answer

The correct answer is D because VPC Flow Logs capture IP traffic information for network interfaces, including traffic to and from the internet. Option C is wrong because AWS WAF filters web traffic but does not provide traffic logs. Option A is wrong because AWS Shield Advanced provides DDoS protection, not traffic analysis.

Option B is wrong because AWS Network Firewall provides firewall capabilities but not detailed traffic logs like Flow Logs.

91 · MCQ · medium

A company has a VPC with an Application Load Balancer (ALB) in front of EC2 instances. The security group for the ALB allows inbound HTTP traffic from 0.0.0.0/0. The security group for the EC2 instances allows inbound traffic only from the ALB security group. However, the health checks are failing. What is the most likely cause?

A. The target group is not configured with the correct health check path
B. The ALB is in a private subnet
C. The EC2 security group does not allow inbound traffic from the ALB security group
D. The ALB security group does not allow outbound traffic
Answer: C

Health checks originate from ALB; security group must allow from ALB.

Why this answer

Option C is correct because ALB health checks originate from the ALB's private IP addresses, which are in the VPC CIDR; the instance security group must allow traffic from the ALB security group, not from the internet. Option D is wrong because the ALB security group is correct. Option B is wrong because the ALB subnet is not relevant.

Option A is wrong because the target group configuration is separate.

92 · MCQ · easy

A company uses AWS CloudFormation to manage its network infrastructure. After a recent update, the stack fails to update, with an error indicating that a security group rule conflicts with an existing rule. What is the most likely cause?

A. The CIDR block in the rule is not in the same VPC.
B. The referenced security group was deleted outside of CloudFormation.
C. The stack update exceeded the service quota for security groups.
D. The template attempts to add a security group rule that already exists.
Answer: D

AWS rejects duplicate rules to avoid ambiguity.

Why this answer

Option D is correct because a duplicate security group rule (same protocol, port, and source) causes a conflict. Option A is wrong because that would produce a different error, not a conflict. Option C is wrong because exceeding a quota would not cause a conflict error.

Option B is wrong because security groups are typically referenced by ID, not name.

93 · MCQ · medium

A company wants to centralize logging of VPC Flow Logs from multiple accounts into a single Amazon S3 bucket. The logs must be encrypted at rest using an AWS KMS CMK. What is the recommended approach?

A. Enable encryption on VPC Flow Logs using a KMS key in each account and aggregate logs using AWS Logs cross-account subscription.
B. Create a centralized S3 bucket with default encryption using a KMS CMK and a bucket policy that allows cross-account writes from the source accounts.
C. Create a bucket with SSE-S3 encryption and have each account write flow logs directly.
D. Use a single bucket with a bucket policy that denies access unless encryption headers are present, and use a KMS key shared across accounts.
Answer: B

This ensures encryption and centralized logging.

Why this answer

Option B is correct because a centralized S3 bucket with default encryption using a KMS CMK and a bucket policy that allows cross-account writes is the best practice. Option C is wrong because SSE-S3 does not use a CMK. Option A is wrong because enabling encryption at the flow-log level uses SSE-S3 or CloudWatch Logs encryption, not S3 bucket encryption.

Option D is wrong because bucket policies control access, not encryption.

94 · MCQ · easy

A network engineer needs to monitor the network traffic between EC2 instances in a VPC. Which AWS service should be used to capture IP traffic information?

A. VPC Flow Logs
B. AWS Config
C. AWS CloudTrail
D. Amazon CloudWatch Logs
Answer: A

VPC Flow Logs capture IP traffic information for network interfaces.

Why this answer

Option A is correct because VPC Flow Logs capture IP traffic information for network interfaces. Option D is wrong because CloudWatch Logs can store logs but does not capture network traffic. Option B is wrong because AWS Config tracks resource configuration changes.

Option C is wrong because CloudTrail records API calls.

95 · MCQ · medium

A company has a hybrid network architecture with multiple VPCs connected via a transit gateway and on-premises via Direct Connect. The network team wants to automate the response to a BGP session failure on a Direct Connect virtual interface. Which AWS service can be used to monitor the BGP status and trigger an automated action?

A. AWS Lambda with VPC Flow Logs
B. AWS Systems Manager Automation
C. AWS CloudWatch Events (EventBridge) with Direct Connect BGP metric alarms
D. AWS Config rules
Answer: C

EventBridge can trigger actions based on CloudWatch alarms for BGP status.

Why this answer

Option C is correct because AWS CloudWatch Events (EventBridge) can monitor Direct Connect BGP session status via the `bgp_session_state` metric in the `AWS/DX` namespace. When the BGP session transitions to the `down` state, you can create an EventBridge rule that triggers an automated action, such as invoking a Lambda function or sending an SNS notification, enabling a rapid response to BGP failures without manual intervention.

Exam trap

AWS often tests the misconception that VPC Flow Logs or AWS Config can monitor BGP status, but candidates must remember that BGP is a control-plane protocol and only Direct Connect metrics in CloudWatch provide the BGP session state for automation.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture IP traffic metadata (e.g., source/destination IPs, ports, protocols) and cannot monitor BGP session state, which is a Layer 3 control-plane protocol between routers. Option B is wrong because AWS Systems Manager Automation is designed for operational tasks on EC2 instances and on-premises resources (e.g., patching, configuration), not for reacting to real-time network events like BGP session failures. Option D is wrong because AWS Config rules evaluate resource configurations for compliance (e.g., checking if a Direct Connect virtual interface has the correct VLAN ID) but cannot monitor dynamic BGP session state changes or trigger actions based on metric thresholds.

96 · MCQ · medium

A company has a Direct Connect connection with a private VIF to a VPC. They want to add a second Direct Connect connection for redundancy. The two connections will terminate on different AWS Direct Connect locations. Which configuration will provide the HIGHEST availability?

A. Use the same customer gateway device for both connections
B. Use the same Direct Connect location for both connections
C. Use the same BGP ASN for both connections
D. Use different customer gateway devices and different Direct Connect locations
Answer: D

Physical diversity.

Why this answer

Option D is correct because using two different devices and two different locations provides physical diversity, increasing availability. Option A is incorrect because using the same device introduces a single point of failure. Option B is incorrect because using the same location reduces diversity.

Option C is incorrect because using the same ASN can cause issues but is not the primary availability concern.

97 · MCQ · hard

A company is deploying a hybrid network using AWS Direct Connect and a VPN backup. The Direct Connect connection is established, and BGP is running over the private VIF. The company wants to use the VPN as a backup only when Direct Connect fails. The network engineer configures BGP communities on the Direct Connect VIF to influence route preference. However, during a Direct Connect failure, failover to VPN takes several minutes. What can the engineer do to reduce failover time?

A. Configure AS path prepending on the VPN BGP session to deprioritize it
B. Use static routes instead of BGP for the Direct Connect VIF
C. Enable Bidirectional Forwarding Detection (BFD) on the Direct Connect VIF
D. Decrease the BGP keepalive and hold timers on both the Direct Connect and VPN BGP sessions
Answer: C

BFD provides fast failure detection.

Why this answer

Option C is correct because BFD can detect failures in sub-second time, reducing failover time. Option D is wrong because BGP timers can be adjusted but are typically already low; BFD is faster. Option B is wrong because static routes are less flexible and increase administrative overhead.

Option A is wrong because AS path prepending controls route preference, not failover speed.

98 · MCQ · medium

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The network team notices that traffic from on-premises to the VPC is intermittently dropping. You check the Direct Connect virtual interface status and find it is 'down'. Which AWS service should you use to troubleshoot the physical layer connectivity?

A. Amazon CloudWatch
B. VPC Flow Logs
C. AWS Support
D. AWS Direct Connect console
Answer: D

The console provides LOA-CFA status and physical link information.

Why this answer

The correct answer is D because the AWS Direct Connect troubleshooting guide recommends checking the cross-connect and using the AWS Direct Connect console to view the LOA-CFA status. Option C is wrong because AWS Support is not a service but a support plan. Option A is wrong because CloudWatch metrics show logical metrics, not the physical layer.

Option B is wrong because VPC Flow Logs capture IP traffic logs, not physical connectivity.

99 · MCQ · easy

A network engineer needs to monitor network traffic to an Amazon RDS instance for security analysis. Which AWS service should be used to capture and analyze network traffic?

A. Amazon Inspector
B. VPC Flow Logs
C. VPC Traffic Mirroring
D. AWS CloudTrail
Answer: C

Traffic Mirroring captures and inspects network traffic for analysis.

Why this answer

Option C is correct because VPC Traffic Mirroring allows capturing and inspecting network traffic from an RDS instance. Option D is wrong because AWS CloudTrail records API activity, not network traffic. Option A is wrong because Amazon Inspector is for vulnerability assessment.

Option B is wrong because VPC Flow Logs provide metadata about traffic, not full packet capture.

100 · MCQ · hard

A network engineer is designing a hybrid network with Direct Connect and VPN backup. The company has multiple VPCs connected via Transit Gateway. They want to use BGP to exchange routes. Which BGP feature should be configured to fail over from Direct Connect to VPN if the Direct Connect link goes down?

A. BGP communities
B. Multi-Exit Discriminator (MED)
C. Bidirectional Forwarding Detection (BFD)
D. AS_PATH prepending
Answer: A

AWS uses BGP community tags to set local preference and control route priority.

Why this answer

Option A is correct because BGP communities allow controlling route preference; AWS uses community tags to influence route priority. Option C is wrong because BFD detects failures faster but does not control preference. Option D is wrong because AS_PATH prepending is used to influence inbound routes, not outbound.

Option B is wrong because MED is used to influence inbound routes.

101 · MCQ · hard

A company has a Direct Connect connection with a private VIF attached to a Direct Connect Gateway. The Direct Connect Gateway is associated with a Transit Gateway. The on-premises network advertises a prefix via BGP, but the prefix does not appear in the Transit Gateway route table. What is the most likely cause?

A. Route propagation is not enabled on the Transit Gateway route table.
B. The on-premises router is not sending the BGP community attribute.
C. The Transit Gateway is not associated with the Direct Connect Gateway.
D. The prefix is not included in the allowed prefixes list for the Direct Connect Gateway.
Answer: D

The allowed prefixes list controls which BGP prefixes are accepted.

Why this answer

Option D is correct because the allowed prefixes list on the Direct Connect Gateway filters which prefixes are accepted. Option A is incorrect because route propagation applies to VPC attachments, not Direct Connect. Option C is incorrect because Transit Gateway associations are for attachments, not prefix filtering.

Option B is incorrect because BGP communities are used for tagging, not for prefix acceptance.

102 · Multi-Select · easy

Which TWO services can be used to centrally manage and monitor VPN connections across multiple AWS accounts? (Choose 2.)

Select 2 answers
A. AWS Network Manager
B. AWS Transit Gateway
C. AWS CloudFormation
D. AWS Organizations
E. AWS Direct Connect Gateway
Answers: A, B

Monitors global network across accounts.

Why this answer

AWS Network Manager centrally manages and monitors VPN connections across multiple AWS accounts by providing a global view of your network topology, including on-premises and AWS resources. It integrates with Transit Gateway to monitor VPN tunnel status and performance metrics, enabling cross-account visibility via resource shares.

Exam trap

AWS often tests the misconception that AWS Organizations itself provides network monitoring, but it only handles account governance, not VPN management or monitoring.

103 · MCQ · medium

A company uses a centralized inspection VPC for traffic inspection. All VPCs route traffic to the inspection VPC via Transit Gateway. The security team wants to ensure that all traffic between VPCs is inspected by a network virtual appliance in the inspection VPC. Which Transit Gateway feature should be configured?

A. Transit Gateway flow logs
B. Transit Gateway multicast
C. Transit Gateway route tables
D. Transit Gateway peering
Answer: A

Flow logs can be analyzed to verify that traffic passes through the inspection VPC.

Why this answer

Option A is correct because Transit Gateway flow logs can be used to verify that traffic is flowing as expected. Option D is wrong because Transit Gateway peering is for connecting TGWs, not for inspection. Option C is wrong because Transit Gateway route tables are used for routing decisions, not for ensuring inspection.

Option B is wrong because Transit Gateway multicast is for multicast traffic.

104 · MCQ · medium

A company is experiencing intermittent SSH connection failures to their EC2 instances in a VPC. The instances are in a private subnet with a NAT gateway. The security group allows inbound SSH from the corporate CIDR. The network ACL is set to default allow all. The route table has a route to the NAT gateway for 0.0.0.0/0. What is the most likely cause of the intermittent failures?

A. The network ACL inbound rule is blocking ephemeral ports.
B. The instances are behind a proxy that is not configured.
C. The security group outbound rules are not allowing return traffic.
D. The NAT gateway does not have an Elastic IP associated.
Answer: C

Security groups are stateful, but if outbound rules are restrictive, return traffic may be blocked. However, by default, security groups allow all outbound. The actual cause is likely the NAT gateway's public IP changing or a missing route.

Why this answer

Option C is correct because security groups are stateful, but if the security group does not allow inbound ICMP or the specific ephemeral ports for SSH, connections may fail intermittently due to session tracking issues. However, the more common cause in such scenarios is the NAT gateway's IP address changing if it is not associated with an Elastic IP, or the security group outbound rule not allowing return traffic. Option A is plausible but less likely, as NACLs are stateless and would not cause intermittent issues.

Option D is incorrect because the NAT gateway does not use an Elastic IP if one is not configured. Option B is incorrect because a proxy is not typically needed.

105
Multi-Selectmedium

A company has a VPC with multiple subnets. They want to implement network segmentation such that traffic between subnets is controlled by a centralized firewall. Which three components are required? (Choose THREE.)

Select 3 answers
A.AWS Transit Gateway
B.Route tables in each subnet that route traffic to the Transit Gateway
C.Gateway Load Balancer
D.VPC peering connections
E.NAT Gateway
AnswersA, B, C

Provides transitive routing between VPCs.

Why this answer

Centralized firewall inspection requires a Transit Gateway to route traffic to the firewall VPC, a Gateway Load Balancer to distribute traffic to firewall instances, and appropriate route tables to direct traffic accordingly. VPC peering does not support transitive routing. NAT Gateway is for outbound internet access.

106
Multi-Selectmedium

A company has a VPC with public and private subnets. The private subnets have a route to a NAT gateway. The network team wants to monitor DNS queries from EC2 instances in private subnets to a custom DNS resolver on-premises over a VPN. Which TWO services can capture this traffic?

Select 2 answers
A.Amazon Route 53 Resolver query logs
B.Amazon CloudWatch
C.VPC Flow Logs
D.AWS Network Firewall
E.AWS CloudTrail
AnswersC, D

Flow logs capture all IP traffic, including DNS queries.

Why this answer

Option C is correct because VPC Flow Logs capture all IP traffic, including DNS. Option D is correct because AWS Network Firewall can capture and log DNS traffic. Option A is incorrect because Route 53 Resolver query logs capture queries to Route 53, not to custom resolvers.

Option E is incorrect because CloudTrail logs API calls. Option B is incorrect because CloudWatch does not capture traffic directly.

107
Multi-Selectmedium

A company is designing a multi-account strategy using AWS Organizations. The security team wants to centrally manage VPC Flow Logs from all accounts. Which THREE steps are required to achieve this?

Select 3 answers
A.Set up a VPN connection between the logging account and each member account.
B.Enable VPC Flow Logs in each account, specifying the central S3 bucket as the destination.
C.Create an S3 bucket in the central logging account with a bucket policy that grants write access to the member accounts.
D.Configure the central S3 bucket to use server-side encryption with AWS KMS (SSE-KMS).
E.Create a VPC peering connection between all accounts to allow log delivery.
AnswersB, C, D

Flow logs must be configured to send to the central bucket.

Why this answer

To centralize flow logs, you need a central S3 bucket with appropriate permissions, enable flow logs in each account, and send them to the central bucket. The bucket policy must allow cross-account writes.

108
MCQeasy

A company uses AWS Direct Connect with a private VIF to connect to their VPC. They want to monitor the network latency between their on-premises router and the AWS Direct Connect location. Which AWS service should they use?

A.AWS Direct Connect metrics in CloudWatch
B.AWS X-Ray
C.VPC Flow Logs
D.Amazon CloudWatch Synthetics
AnswerA

Direct Connect publishes metrics like latency to CloudWatch.

Why this answer

Option A is correct because AWS Direct Connect provides CloudWatch metrics including latency and BGP status. Option C is incorrect because VPC Flow Logs capture traffic metadata, not latency. Option D is incorrect because CloudWatch Synthetics monitors endpoint availability, not Direct Connect.

Option B is incorrect because AWS X-Ray traces application requests, not network links.

109
MCQhard

A company is using a centralized egress VPC model with a NAT gateway for outbound traffic from multiple VPCs. The network team notices that some EC2 instances are having connectivity timeouts when accessing the internet. The team has verified the route tables and security groups. Which additional check should be performed to troubleshoot the issue?

A.Check the security group rules for outbound traffic
B.Check the VPC Flow Logs for denied traffic
C.Check the route tables for the internet gateway
D.Check the NAT gateway CloudWatch metrics for error packets and connection counts
AnswerD

High connection counts or error packets indicate resource exhaustion.

Why this answer

Option D is correct because NAT Gateway CloudWatch metrics, specifically `ErrorPortAllocation` and `PacketsDropCount`, directly indicate whether the NAT Gateway is running out of available ports or dropping packets due to connection limits. In a centralized egress model with multiple VPCs, high connection counts can exhaust the NAT Gateway's ephemeral port capacity (65,535 per IP), causing connectivity timeouts even when route tables and security groups are correctly configured.

Exam trap

AWS often tests the misconception that VPC Flow Logs or security group checks are sufficient for diagnosing NAT Gateway issues, when in fact the root cause is often port exhaustion or packet drops at the NAT Gateway itself, which requires CloudWatch metrics to identify.

How to eliminate wrong answers

Option A is wrong because the team has already verified security groups, and outbound rules are typically permissive by default; the issue is at the NAT Gateway level, not the instance's security group. Option B is wrong because VPC Flow Logs capture traffic metadata but do not show NAT Gateway-specific errors like port exhaustion; denied traffic would appear as 'ACCEPT' or 'REJECT' based on security group/NACL rules, not NAT Gateway capacity. Option C is wrong because route tables for the internet gateway are irrelevant in a centralized egress model where traffic is routed through the NAT Gateway in the egress VPC, not directly to an IGW from the spoke VPCs.

110
MCQeasy

A network engineer is troubleshooting SSH connectivity to an EC2 instance in subnet subnet-0abcd1234efgh5678, which is associated with the network ACL shown. The security group allows inbound SSH. Why can't the engineer SSH to the instance?

A.The security group is blocking SSH traffic
B.The network ACL is not associated with the subnet
C.The network ACL has a rule that denies all traffic (rule 300) which overrides the allow rule
D.The network ACL rule 200 denies SSH traffic, overriding rule 100
AnswerB

A NACL must be associated with the subnet to affect traffic.

Why this answer

Option B is correct. Network ACL rules are evaluated in ascending rule-number order, and the first rule that matches the traffic determines the action. In the exhibit, rule 100 allows SSH, so rule 200 (deny SSH) and rule 300 (deny all) are never reached for SSH traffic; a later rule cannot override an earlier match. The inbound rules therefore permit SSH, and the scenario states that the security group allows SSH as well, so the rules shown cannot explain the failure. The most likely cause among the options is that this network ACL is not associated with subnet subnet-0abcd1234efgh5678, so a different ACL is actually in effect.

Note that the exhibit shows inbound entries only. Because network ACLs are stateless, the outbound rules must also allow the return traffic on ephemeral ports (a custom network ACL denies all traffic by default). Restrictive outbound rules could produce the same symptom, but none of the options describes that case.

Option C is incorrect because rule 300 is evaluated after rule 100 and does not override it. Option D is incorrect because rule 200 is never evaluated for traffic already matched by rule 100. Option A is incorrect because the scenario states that the security group allows SSH.

111
Multi-Selecthard

A company is using AWS Global Accelerator to improve performance for a global application. The application uses an Application Load Balancer (ALB) in each region. The network team wants to ensure that traffic is distributed evenly across regions and that failover happens quickly. Which THREE steps should the team take? (Select THREE.)

Select 3 answers
A.Configure multiple endpoint groups, one per region, and set traffic dials to distribute load
B.Enable health checks on each endpoint and set a low threshold for failure detection
C.Set the traffic dial for each endpoint group to a value that reflects the desired distribution
D.Enable client IP address preservation on the Global Accelerator
E.Use Route 53 weighted routing in front of Global Accelerator
AnswersA, B, C

Traffic dials control the percentage of traffic to each region.

Why this answer

Options A, B, and C are correct. A: Multiple endpoint groups with traffic dials allow traffic to be distributed across regions. B: Health checks on endpoints with a low failure threshold ensure quick failover.

C: Adjusting traffic dials fine-tunes the distribution. Option E is wrong because weighted routing is not a Global Accelerator feature; it uses proximity. Option D is wrong because client IP preservation is not related to traffic distribution.

112
MCQmedium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect. The network team wants to monitor BGP session status for all Transit Gateway attachments. Which AWS service should be used?

A.AWS Config
B.VPC Flow Logs
C.AWS Transit Gateway Network Manager
D.Amazon CloudWatch with Transit Gateway metrics
AnswerC

Network Manager provides a central dashboard for monitoring BGP sessions and connectivity.

Why this answer

Option C is correct because Transit Gateway Network Manager provides monitoring of BGP sessions and network topology. Option D is incorrect because CloudWatch can monitor metrics but not BGP session status directly. Option B is incorrect because VPC Flow Logs capture traffic, not routing protocol status.

Option A is incorrect because AWS Config can track configuration changes but not real-time BGP status.

113
MCQhard

A company is using AWS Database Migration Service (DMS) to replicate data from an on-premises Oracle database to an Amazon RDS for Oracle instance. The replication is failing intermittently with connection timeouts. The network connectivity uses a Direct Connect private VIF. What should the network team investigate first?

A.The MTU settings on the on-premises router and the AWS Direct Connect interface.
B.The route table of the VPC to ensure it has a route to the on-premises CIDR via the Direct Connect virtual interface.
C.The VPN connection status as a backup path.
D.The security group of the RDS instance to ensure it allows traffic from the on-premises IP range.
AnswerA

MTU mismatch can cause intermittent connectivity issues, especially with DMS.

Why this answer

Option A is correct because an MTU mismatch between on-premises and AWS can cause packet fragmentation or drops, leading to timeouts. Option D is wrong because security groups do not apply to on-premises traffic. Option B is wrong because routing over the private VIF is point-to-point and does not traverse the internet.

Option C is wrong because a VPN is not used.

114
Multi-Selectmedium

A network engineer must design a solution to monitor and troubleshoot connectivity from an on-premises data center to a VPC over an AWS Direct Connect connection. The solution must provide visibility into BGP routing, packet loss, and latency. Which TWO services or features should the engineer use? (Choose two.)

Select 2 answers
A.Amazon CloudWatch Logs for Direct Connect
B.AWS CloudTrail
C.Amazon CloudWatch metrics for Direct Connect
D.VPC Flow Logs
E.AWS X-Ray
AnswersA, C

Can ingest Direct Connect logs for monitoring.

Why this answer

Amazon CloudWatch metrics for Direct Connect can monitor BGP session state, packet loss, and latency. AWS CloudTrail logs API calls but not network performance. VPC Flow Logs capture IP traffic metadata but not BGP details or latency.

AWS X-Ray is for application tracing. Amazon Inspector is for security assessments.

115
MCQhard

Refer to the exhibit. A company has created a VPC endpoint for S3. However, an EC2 instance in the subnet associated with the route table cannot access S3 via the endpoint. The route table has a route to the endpoint. What is the most likely cause?

A.The endpoint is in 'pending' state
B.The route table is not associated with the subnet
C.Private DNS is not enabled
D.The security group is blocking traffic
AnswerC

Without Private DNS, the instance does not resolve S3 to the endpoint IP.

Why this answer

The correct answer is C because the endpoint policy is set to Allow all, which is fine. However, the PrivateDnsEnabled is false, meaning that DNS resolution for S3 endpoints does not resolve to the endpoint IP. To use the endpoint, either enable Private DNS or use the endpoint-specific DNS name.

Option A is wrong because the endpoint state is 'available'. Option B is wrong because the route table is associated. Option D is wrong because the security group is not specified (empty), but default SG allows all outbound traffic.

116
Multi-Selecteasy

A company has a VPC with public and private subnets. They want to allow instances in the private subnet to download software updates from the internet while blocking inbound internet traffic. Which TWO components are required? (Select TWO.)

Select 2 answers
A.A Virtual Private Gateway.
B.An Internet Gateway attached to the VPC.
C.A VPC Peering connection.
D.A NAT Gateway in a public subnet.
E.A route in the private subnet's route table pointing to the NAT Gateway.
AnswersD, E

NAT Gateway enables outbound internet access.

Why this answer

Option D is correct because a NAT Gateway provides outbound internet access to instances in private subnets. Option E is correct because the private subnet's route table must have a route to the NAT Gateway for internet-bound traffic. Option B is wrong because an Internet Gateway is used for public subnets, not private ones.

Option A is wrong because a Virtual Private Gateway is for VPN connections. Option C is wrong because a VPC Peering connection connects VPCs to each other, not to the internet.

117
MCQhard

A company has a Direct Connect connection with multiple virtual interfaces (VIFs). They want to ensure that traffic from on-premises to a specific VPC uses a specific VIF for security compliance. The VPC is associated with a virtual private gateway. Which configuration ensures this?

A.Configure the on-premises router to use a different BGP ASN for each VIF
B.Use BGP community tags on the Direct Connect gateway to influence routing
C.Assign different IP addresses to each VIF and add static routes
D.Create a separate virtual private gateway for each VIF
AnswerB

BGP communities allow you to tag routes and influence path selection.

Why this answer

To steer traffic to a specific VIF, you can use BGP communities on the Direct Connect gateway, so Option B is correct. Options A, C, and D do not provide the necessary granularity.

118
Multi-Selecthard

A company is designing a multi-region architecture with VPCs connected via VPC peering. They need to ensure high availability and low latency. Which THREE design principles should they follow? (Choose three.)

Select 3 answers
A.Use VPC endpoints for all AWS service access
B.Deploy redundant VPN connections to each region
C.Use a single NAT gateway for all outbound traffic
D.Use AWS Direct Connect for low-latency connectivity
E.Use a transit gateway for inter-region peering
AnswersB, D, E

Ensures high availability.

Why this answer

Options B, D, and E are correct. Using a transit gateway simplifies management and supports transitive routing. Deploying redundant VPN connections ensures failover.

Direct Connect provides consistent low latency. Option C is incorrect because a single NAT gateway is a single point of failure. Option A is incorrect because VPC endpoints are for service access, not inter-region connectivity.

119
MCQmedium

A company's VPC includes a public subnet with a NAT gateway and a private subnet with EC2 instances. The EC2 instances in the private subnet need to access the internet for software updates. The NAT gateway's Elastic IP is associated correctly, and the route tables are configured. However, the EC2 instances cannot reach the internet. What is the most likely cause?

A.The NAT gateway is in the private subnet.
B.The route table for the private subnet is missing a default route pointing to the NAT gateway.
C.The network ACL for the private subnet is blocking outbound traffic.
D.The security group for the EC2 instances does not allow outbound traffic.
AnswerB

This is the most likely cause; without a default route to the NAT gateway, traffic cannot be routed out.

Why this answer

The most common issue is that the route table for the private subnet does not have a default route (0.0.0.0/0) pointing to the NAT gateway. Without this route, traffic from the private subnet cannot be directed to the NAT gateway, and thus cannot reach the internet.

120
MCQmedium

A company is experiencing intermittent connectivity issues between two VPCs connected via a VPC peering connection. The VPCs are in different AWS regions. VPC A has CIDR 10.0.0.0/16 and VPC B has CIDR 10.1.0.0/16. The route tables in both VPCs have been updated to include routes pointing to the peering connection. Security groups and network ACLs are configured to allow all traffic for testing. However, traffic from VPC A to VPC B fails intermittently. Which of the following is the most likely cause of this intermittent failure?

A.The security group rules in VPC A are not allowing inbound traffic from VPC B's CIDR. The security group must reference the VPC B CIDR explicitly.
B.The route tables in both VPCs must include explicit routes for each other's CIDR blocks, but they should also include routes to the internet gateway for proper routing.
C.The VPCs are in different regions, and cross-region VPC peering is not supported. A transit gateway must be used instead.
D.The VPC peering connection does not support transitive routing. If any traffic is being routed through an intermediate device (e.g., a NAT instance or a VPN connection), the peering connection will not forward that traffic.
AnswerD

VPC peering does not support transitive routing, and intermittent failures suggest that some traffic is being sent through an unsupported path.

Why this answer

The intermittent failure is most likely due to VPC peering's lack of transitive routing. If traffic from VPC A to VPC B is routed through an intermediate device (e.g., a NAT instance, VPN connection, or another VPC), the VPC peering connection will not forward that traffic because it does not support transitive routing. This can cause intermittent failures when the intermediate device's route or state changes, even though direct routes and security groups are correctly configured.

Exam trap

The trap here is that candidates assume security groups or route table misconfigurations are the cause, but the real issue is the fundamental non-transitive nature of VPC peering, which AWS tests by describing an intermittent failure that points to a transitive routing dependency.

How to eliminate wrong answers

Option A is wrong because the security groups in VPC A are explicitly configured to allow all traffic for testing, and the issue is intermittent, not a persistent inbound rule mismatch. Option B is wrong because adding routes to an internet gateway is irrelevant for VPC peering traffic; the route tables already have the correct peering routes, and internet gateway routes are for internet-bound traffic, not inter-VPC traffic. Option C is wrong because cross-region VPC peering is fully supported by AWS; the statement that it is not supported is incorrect, and a transit gateway is not required for this scenario.

121
MCQeasy

A network engineer is monitoring network traffic using VPC Flow Logs. The engineer wants to capture traffic that is rejected by security groups and network ACLs. Which flow log format should be used?

A.Default format
B.Flow logs are delivered to CloudWatch Logs with DNS query logs
C.Custom format with 'srcaddr' and 'dstaddr' only
D.Custom format with 'action' field
AnswerD

The action field shows ACCEPT or REJECT.

Why this answer

Option D is correct because the default format includes only the first 20-30 bytes of the packet, not the action field. To capture rejections, the custom format must include 'action'. Option A is incorrect because the default format omits action.

Option C is incorrect because a format with only 'srcaddr' and 'dstaddr' does not include the action field either. Option B is incorrect because DNS query logs are not involved.

122
MCQmedium

A company manages multiple VPCs connected via a transit gateway. Each VPC has a VPN connection to an on-premises data center. The network team wants to monitor the bandwidth utilization on each VPN connection. Which approach is the most efficient?

A.Use Amazon CloudWatch metrics for the VPN tunnels.
B.Enable VPC Flow Logs on each VPC and aggregate them in CloudWatch Logs Insights.
C.Use Transit Gateway Network Manager to view VPN bandwidth.
D.Use AWS Config rules to monitor VPN bandwidth changes.
AnswerA

CloudWatch provides built-in metrics for VPN tunnel throughput.

Why this answer

Option A is correct because CloudWatch metrics for VPN tunnels provide bandwidth utilization. Option B is wrong because VPC Flow Logs are packet-level logs, not metrics. Option D is wrong because AWS Config tracks configuration.

Option C is wrong because Transit Gateway Network Manager provides topology, not bandwidth metrics.

123
MCQhard

A company has a VPC with a public subnet and a private subnet. The private subnet hosts a web application that needs to access an external API over the internet. The private subnet uses a NAT Gateway in the public subnet for outbound internet access. The web application is failing to reach the external API. The engineer has verified the following: the NAT Gateway has an Elastic IP attached, the route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway, the security group for the web application allows outbound HTTPS (TCP 443) to 0.0.0.0/0, the network ACL for the private subnet allows inbound and outbound TCP ephemeral ports (1024-65535) from and to 0.0.0.0/0, and the IAM role attached to the EC2 instance allows outbound HTTPS. The engineer also confirmed that the NAT Gateway is in the public subnet which has a route to an Internet Gateway. Despite all these checks, the web application still cannot reach the external API. What should the engineer do next?

A.Add an inbound rule to the security group for the external API's IP address.
B.Move the NAT Gateway to the private subnet.
C.Verify that the route table is correctly associated with the private subnet.
D.Add a specific route for the external API's IP address to the route table.
AnswerC

Misassociation is a common issue.

Why this answer

Option C is correct because even though the route table has a default route to the NAT Gateway, the subnet association might be incorrect: the route table that was checked might not be the one actually associated with the private subnet. Checking the subnet association ensures that the correct route table is applied.

Option B is incorrect because the NAT Gateway belongs in the public subnet, where it already is. Option D is incorrect because the default route is already present. Option A is incorrect because the security group already allows outbound HTTPS.

124
MCQeasy

A network engineer is configuring a new AWS Direct Connect connection and needs to establish BGP peering with the AWS side. The engineer has received the BGP configuration from the AWS Direct Connect endpoint. Which information is required to complete the BGP configuration on the on-premises router?

A.The AWS Side BGP password and MD5 hash
B.The AWS BGP peer IP address and the BGP ASN
C.The Amazon side routing table and prefix list
D.The Direct Connect virtual interface ID and VLAN ID
AnswerB

These are the key BGP parameters.

Why this answer

B is correct because BGP peering requires the remote peer's IP address and Autonomous System Number (ASN) to establish a TCP connection and exchange routing information. AWS provides these two values in the Direct Connect endpoint configuration, and the on-premises router must use them to configure the BGP neighbor statement. Without both, the BGP session cannot be established.

Exam trap

The trap here is that candidates often confuse Layer 2 parameters (VLAN ID, VIF ID) with Layer 3 BGP requirements, or assume authentication is mandatory, when in fact only the BGP peer IP and ASN are essential to establish the BGP session.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect does not require a BGP password or MD5 hash for basic BGP peering; MD5 authentication is optional and not a mandatory parameter. Option C is wrong because the Amazon side routing table and prefix list are not needed for BGP configuration; routes are learned dynamically via BGP after peering is established. Option D is wrong because the Direct Connect virtual interface ID and VLAN ID are used for Layer 2 configuration (802.1Q tagging) and are not part of the BGP peering configuration on the router.

125
MCQeasy

A network engineer is troubleshooting a Site-to-Site VPN connection between an on-premises network and AWS. The VPN tunnel is up, but traffic is not flowing from the on-premises network to a VPC. The VPC has a virtual private gateway attached, and the route table has a route pointing to the virtual private gateway for the on-premises CIDR (192.168.0.0/16). The on-premises firewall shows that traffic is being sent to the VPN tunnel. What should the engineer check next?

A.Verify that the virtual private gateway is attached to the VPC.
B.Verify that the on-premises route table has a route to the VPC CIDR via the VPN tunnel.
C.Verify that the on-premises firewall is not blocking UDP port 500 for IKE.
D.Verify that the VPN tunnel's pre-shared key matches on both sides.
AnswerB

Without a return route, traffic from on-premises may not reach the VPC.

Why this answer

Since the VPN tunnel is up and the on-premises firewall confirms traffic is being sent to the tunnel, the issue is likely on the on-premises routing side. For traffic to flow from on-premises to the VPC, the on-premises router must have a route pointing to the VPC CIDR via the VPN tunnel interface. Without this route, packets will not be forwarded into the tunnel, even though the tunnel itself is operational.

Exam trap

The trap here is that candidates assume a 'tunnel up' status guarantees traffic flow, but the ANS-C01 exam tests the distinction between control plane (tunnel establishment) and data plane (routing) issues.

How to eliminate wrong answers

Option A is wrong because the virtual private gateway is already attached to the VPC (the route table has a route pointing to it, and the VPN tunnel is up, which requires attachment). Option C is wrong because UDP port 500 (IKE) is used for tunnel establishment, not for data plane traffic; since the tunnel is up, IKE negotiation succeeded. Option D is wrong because a mismatched pre-shared key would prevent the tunnel from coming up; the tunnel is up, so the keys match.

126
MCQeasy

A company has a VPC with multiple EC2 instances that need to access an Amazon S3 bucket. The network team wants to ensure that traffic to S3 stays within the AWS network and does not traverse the internet. The VPC has a VPC endpoint for S3 (Gateway type). The team has created the endpoint and attached the appropriate policy allowing access to the specific S3 bucket. However, EC2 instances in a private subnet cannot access the S3 bucket. The private subnet route table has a default route pointing to a NAT Gateway. Which change should the network team make to allow private instances to access S3 via the endpoint?

A.Modify the VPC endpoint policy to allow all principals.
B.Change the private subnet route table's default route to point to the VPC endpoint.
C.Remove the default route from the private subnet route table.
D.Add a route in the private subnet route table for the S3 prefix list (com.amazonaws.region.s3) pointing to the VPC endpoint.
AnswerD

This ensures S3 traffic uses the endpoint instead of the NAT Gateway.

Why this answer

For a Gateway VPC endpoint to work, the route table associated with the subnet must have a route for the S3 prefix list ID that points to the endpoint. The existing default route to the NAT Gateway would send the traffic toward the internet, not through the endpoint. Option D is correct because adding a route for the S3 prefix list to the endpoint takes precedence over the default route for S3 traffic.

Option B would cause asymmetric routing and potential issues.

127
MCQeasy

A company is using AWS Direct Connect to connect its on-premises data center to AWS. The network team wants to monitor the latency and packet loss on the Direct Connect virtual interfaces. Which AWS service should be used to measure these metrics?

A.AWS Config
B.AWS CloudWatch
C.AWS X-Ray
D.AWS CloudTrail
AnswerB

CloudWatch metrics for Direct Connect include latency and packet loss.

Why this answer

AWS CloudWatch is the correct service because it provides built-in metrics for Direct Connect virtual interfaces, including 'VirtualInterfaceRxNoPacket' and 'VirtualInterfaceTxNoPacket' for packet loss, and you can derive latency by monitoring the 'VirtualInterfaceBpsEgress' and 'VirtualInterfaceBpsIngress' metrics with appropriate alarms. CloudWatch also supports custom metrics and logs that can be used to calculate round-trip time (RTT) by analyzing ping results or using AWS Direct Connect's native health checks. This allows the network team to set up dashboards and alarms for latency and packet loss directly from the Direct Connect metrics.

Exam trap

The trap here is that candidates often confuse AWS CloudWatch with AWS X-Ray, assuming X-Ray can measure network latency because it traces HTTP requests, but X-Ray operates at the application layer and cannot measure Layer 2 or Layer 3 packet loss or latency on a Direct Connect virtual interface.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating, auditing, and assessing the configurations of AWS resources against desired policies, not for monitoring real-time network performance metrics like latency or packet loss. Option C is wrong because AWS X-Ray is designed for tracing and analyzing application-level requests and distributed transactions, not for measuring network-level metrics such as latency or packet loss on Direct Connect virtual interfaces. Option D is wrong because AWS CloudTrail records API activity and user actions for auditing and governance, but it does not capture network performance metrics like latency or packet loss.

128
MCQmedium

A company has a VPC with multiple subnets and an internet gateway. The security team wants to detect and block malicious traffic patterns. Which AWS service should be used to provide intrusion detection and prevention?

A.AWS Network Firewall
B.Network ACLs
C.Security Groups
D.AWS WAF
AnswerA

Network Firewall provides managed intrusion detection and prevention.

Why this answer

The correct answer is A because AWS Network Firewall provides managed intrusion detection and prevention capabilities. Option D is wrong because AWS WAF operates at the web application layer. Option C is wrong because Security Groups provide stateful filtering but not IPS.

Option B is wrong because NACLs are stateless and do not provide intrusion prevention.

129
MCQmedium

A company has deployed a multi-VPC architecture with AWS Transit Gateway. The network team notices that traffic between two VPCs is intermittently dropped. Both VPCs are attached to the same transit gateway. Which action should the network engineer take to troubleshoot the issue?

A.Configure AWS Direct Connect to route traffic between the VPCs.
B.Use Transit Gateway Network Manager to view the network topology.
C.Enable CloudWatch metrics for the transit gateway attachments.
D.Enable VPC Flow Logs on the subnets of the VPCs.
AnswerD

VPC Flow Logs capture detailed traffic data, including dropped packets.

Why this answer

Option D is correct because enabling VPC Flow Logs captures IP traffic information, which helps identify dropped packets. Option C is wrong because CloudWatch metrics do not provide packet-level details. Option B is wrong because Transit Gateway Network Manager provides topology visualization, not packet drops.

Option A is wrong because Direct Connect is unrelated to inter-VPC traffic.

130
MCQmedium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises data centers. The network team notices that traffic between two VPCs is taking an unexpected path through the on-premises network instead of staying within the Transit Gateway. What is the most likely cause?

A.The Transit Gateway route table is not associated with the VPC attachments.
B.The VPC subnet route tables are not pointing to the Transit Gateway as the target.
C.The on-premises network is advertising more specific routes via BGP that override the Transit Gateway routes.
D.VPC peering connections are being used alongside Transit Gateway, creating conflicting routes.
AnswerC

BGP routes from on-premises can be more specific and take precedence, causing traffic to be sent on-premises.

Why this answer

Option C is correct because route propagation from the on-premises network via the VPN or Direct Connect can introduce more specific routes that override the local Transit Gateway routes. Option A is wrong because route tables are attached to the Transit Gateway, not to specific VPC attachments. Option D is wrong because VPC peering is not used with Transit Gateway.

Option B is wrong because subnet associations do not affect Transit Gateway routing.

131
Multi-Selecteasy

A network engineer needs to monitor network performance between an on-premises data center and AWS via Direct Connect. Which TWO metrics should the engineer monitor in Amazon CloudWatch?

Select 2 answers
A.VirtualInterfaceBgpState
B.ConnectionBandwidthUtilization
C.Jitter
D.PacketLoss
E.Latency
AnswersA, B

This metric indicates the BGP session state.

Why this answer

The correct answers are A and B. Direct Connect provides metrics for connection bandwidth utilization and virtual interface BGP state. Option E is wrong because latency is not a standard Direct Connect metric (it is available via other methods).

Option D is wrong because packet loss is not a standard metric. Option C is wrong because jitter is not a standard metric.

132
Multi-Selectmedium

A company is deploying a new application across multiple Availability Zones in a VPC. The application needs to be highly available and must handle traffic from both internal users and external customers. Which TWO options should the network team implement to meet these requirements? (Choose two.)

Select 2 answers
A.Attach an Internet Gateway to the VPC.
B.Use a Network Load Balancer to distribute traffic across AZs.
C.Provision a NAT Gateway in each AZ for outbound connectivity from private subnets.
D.Create a single NAT Gateway in one AZ for outbound traffic.
E.Deploy an Application Load Balancer in each public subnet across multiple AZs.
AnswersC, E

Provides high availability for outbound traffic.

Why this answer

Option E is correct because an ALB can route traffic to targets across multiple AZs, providing high availability. Option C is correct because NAT Gateways in each AZ allow instances in private subnets to initiate outbound traffic to the internet while maintaining high availability. Option D is wrong because a single NAT Gateway in one AZ creates a single point of failure.

Option B is wrong because a Network Load Balancer is for TCP/UDP traffic; the question does not specify protocol requirements, and an ALB is more common for HTTP applications. Option A is wrong because Internet Gateways are highly available by design and the IGW is assumed to be already present, so attaching one is not an action that adds high availability.

133
Multi-Selectmedium

A network engineer is troubleshooting intermittent connectivity issues between an on-premises data center and a VPC over a Direct Connect connection. The engineer reviews the CloudWatch metrics for the virtual interface and sees an increase in 'ConnectionReset' and 'PacketDropRate'. Which TWO actions should the engineer take to resolve the issue? (Choose TWO.)

Select 2 answers
A.Add additional BGP peers to the Direct Connect connection
B.Increase the MTU on the virtual interface to 1500
C.Check the BGP session status and metrics on the virtual interface
D.Increase the bandwidth of the VPN connection as a backup
E.Check the physical layer metrics such as light levels and signal strength
AnswersC, E

BGP issues can cause connection resets.

Why this answer

Options C and E are correct. C: Checking BGP metrics can reveal route flapping. E: Checking physical layer metrics like light levels and signal strength can identify physical issues.

B is wrong because increasing the MTU could cause more drops. A is wrong because adding more BGP peers is not directly relevant. D is wrong because VPN bandwidth does not affect Direct Connect.

134
MCQhard

A company has a hybrid network with multiple VPCs connected via AWS Transit Gateway and an on-premises network via Direct Connect. The network team is planning to migrate a legacy application from on-premises to a new VPC. The application requires low-latency access to an RDS database running in an existing VPC. The team wants to minimize changes to the existing routing. What should the team do to meet these requirements?

A.Attach the new VPC to the existing transit gateway and ensure the transit gateway route tables permit traffic between the new VPC and the RDS VPC.
B.Set up a VPN connection from the new VPC to the on-premises network, and route traffic through on-premises to the RDS VPC.
C.Create a VPC peering connection between the new VPC and the RDS VPC.
D.Migrate the RDS database to the new VPC to keep the application and database in the same VPC.
AnswerA

Correct: Leveraging existing transit gateway minimizes routing changes.

Why this answer

Option A is correct because attaching the new VPC to the existing transit gateway allows immediate connectivity to the RDS VPC without changing existing routes, provided the route tables are configured correctly. Option C is wrong because VPC peering requires route table updates in both VPCs. Option B is wrong because a VPN connection adds complexity and latency.

Option D is wrong because moving the RDS instance changes the database endpoint and may cause downtime.

135
MCQhard

A company has a global application deployed across multiple AWS Regions. The application uses Amazon Route 53 latency-based routing. The network team wants to monitor the health of the application endpoints. They configure Route 53 health checks with fast interval (10 seconds) for each endpoint. After a few days, they notice an increase in costs. Which change will reduce costs while maintaining adequate health monitoring?

A.Disable health checks and rely on Route 53 latency measurements.
B.Change the health check interval to standard (30 seconds).
C.Use CloudWatch alarms instead of Route 53 health checks.
D.Remove health checks for endpoints that are in the same Region.
AnswerB

Standard interval reduces frequency and cost, still adequate for latency-based routing.

Why this answer

Health checks are billed per check. Using a slower interval reduces the number of checks. Standard interval (30 seconds) is sufficient for most cases.

Disabling or removing health checks would reduce functionality, and replacing them with CloudWatch alarms would add cost.

136
MCQmedium

A company is designing a multi-region architecture using AWS Transit Gateway inter-region peering. They need to ensure that traffic between VPCs in different regions can traverse the TGW peering attachment without being inspected by a central security appliance. Which configuration should be used?

A.Create TGW peering attachments and configure the route tables to point to each other's TGW attachment.
B.Route all inter-region traffic through a centralized inspection VPC in one region.
C.Set up a VPN connection between the two TGWs for encrypted traffic.
D.Use VPC peering between the VPCs instead of TGW peering.
AnswerA

This allows direct traffic flow between TGWs, bypassing inspection.

Why this answer

Option A is correct. TGW peering attachments allow traffic to bypass the central inspection VPC if routing is set up to go directly between the TGWs. Option B is wrong because it forces inspection.

Option C is wrong because a VPN is not needed. Option D is wrong because VPC peering does not support transitive routing via TGW.

137
MCQeasy

A network engineer is setting up a site-to-site VPN connection between an on-premises network and AWS. After configuring the customer gateway, virtual private gateway, and VPN tunnel, the tunnel status shows 'DOWN'. Which step should the engineer take FIRST to troubleshoot?

A.Verify that route propagation is enabled on the VPC route table
B.Enable detailed CloudWatch metrics on the VPN connection
C.Test connectivity by pinging an EC2 instance in the VPC
D.Check the on-premises VPN device configuration for mismatched parameters
AnswerD

A configuration mismatch is a common cause.

Why this answer

Option D is correct because the first step is to check the VPN configuration on the on-premises device to ensure it matches the AWS settings. Option B is incorrect because CloudWatch metrics may not show why the tunnel is down. Option C is incorrect because the VPN is down, so connectivity tests will fail.

Option A is incorrect because checking route propagation is secondary.

138
MCQhard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access the internet for software updates. The instance is associated with an Elastic IP address. The route table for the private subnet has a default route (0.0.0.0/0) pointing to a NAT gateway. The NAT gateway is in the public subnet and has an Elastic IP. Despite this, the instance cannot reach the internet. The security groups and NACLs are properly configured. What is the likely cause?

A.The NAT gateway's Elastic IP is not associated with the NAT gateway
B.The NAT gateway is not in a public subnet
C.The private subnet's network ACL is blocking outbound traffic
D.The EC2 instance does not have a route to the internet
AnswerA

If the NAT gateway lacks an Elastic IP, it cannot communicate with the internet.

Why this answer

If an instance has a public IP (Elastic IP) and is in a private subnet, the route to the internet must go through a NAT gateway or Internet Gateway. The private subnet's route table points to NAT, which is correct. However, the NAT gateway itself must have a route to the internet via an Internet Gateway.

Option A is correct. Options B, C, and D are common misconfigurations but not the most likely given the setup.

139
MCQmedium

A network engineer is designing a hybrid network with AWS Direct Connect and a VPN backup. The company has multiple VPCs connected to an AWS Transit Gateway. The on-premises network advertises the same prefixes over both Direct Connect (via private VIF) and VPN (via BGP). The engineer wants to ensure that traffic from the VPCs to on-premises prefers the Direct Connect path. What should the engineer do?

A.Set a higher local preference on the Transit Gateway for Direct Connect routes
B.Decrease the AS path length on the Direct Connect BGP advertisements
C.Configure AS path prepending on the VPN BGP advertisements from on-premises
D.Set a higher MED on the Direct Connect BGP advertisements
AnswerC

Longer AS path makes the VPN route less preferred.

Why this answer

Option C is correct because AS path prepending makes the VPN path appear longer (less preferred) in BGP route selection. Option D is incorrect because MED is only compared between routes from the same AS. Option A is incorrect because local preference is used within a single AS, not across ASes.

Option B is incorrect because decreasing the AS path length would make the path more preferred.

140
MCQmedium

A network engineer is setting up a VPC peering connection between two VPCs (VPC-A and VPC-B) in different AWS accounts. The VPCs are in the same region. After accepting the peering request, instances in VPC-A cannot communicate with instances in VPC-B. What should the engineer check first?

A.The security groups in both VPCs allow traffic from the peer VPC CIDR.
B.The network ACLs in both VPCs allow traffic from the peer VPC CIDR.
C.The route tables in both VPCs have routes to the peer VPC CIDR.
D.The VPC peering connection status is 'active'.
AnswerC

Without routes, traffic cannot traverse the peering connection.

Why this answer

Option C is correct because route tables must be updated with routes to the peer VPC CIDR. Without these routes, traffic is not directed to the peering connection. Option A is incorrect because security groups can be configured to allow cross-account traffic, but they are not the first check.

Option D is incorrect because the peering connection is already accepted. Option B is incorrect because NACLs are not the primary issue; routes are.

141
MCQhard

A network engineer is monitoring a hybrid network with a VPN connection to AWS. The engineer notices periodic packet loss and high latency during peak hours. The VPN tunnel uses static routing. The on-premises bandwidth is 100 Mbps, and the VPN connection is limited to 1.25 Gbps. What is the most likely cause?

A.The VPC route table has a blackhole route for the on-premises CIDR.
B.The on-premises internet connection is saturated.
C.The VPN tunnel is using the incorrect encryption algorithm.
D.The VPN tunnel is exceeding its maximum bandwidth limit.
AnswerB

The 100 Mbps link is likely overwhelmed during peak hours, causing packet loss and high latency.

Why this answer

The VPN connection's bandwidth (1.25 Gbps) is sufficient, but if the on-premises link is only 100 Mbps, any traffic exceeding that will cause congestion and packet loss. The VPN tunnel itself is not the bottleneck.

142
MCQeasy

A network administrator is setting up VPC Flow Logs to monitor traffic to an Amazon RDS instance. The logs are sent to Amazon S3. After enabling Flow Logs, the administrator notices that no logs are being delivered. What is the most likely cause?

A.The VPC Flow Logs are not enabled for the correct VPC
B.The IAM role for Flow Logs does not have permissions to write to S3
C.The RDS instance is in a private subnet
D.The S3 bucket is in a different region
AnswerB

Flow Logs need an IAM role with s3:PutObject permission on the bucket.

Why this answer

Flow Logs require a service-linked role or an IAM role with permissions to publish to S3. If the role is missing or incorrect, logs will not be delivered.

143
MCQeasy

A company has a VPC with a public subnet and a private subnet. The public subnet contains a web server (EC2 instance) that must be accessible from the internet. The private subnet contains a database server (EC2 instance) that should only be accessible from the web server. The web server's security group allows HTTP (80) and HTTPS (443) from 0.0.0.0/0. The database server's security group allows MySQL (3306) from the web server's security group. However, the web server cannot connect to the database server. The network engineer has verified that the web server can reach the internet and that the database server's security group is correctly configured. What is the most likely cause of the connectivity problem?

A.The route table for the private subnet does not have a route to the public subnet.
B.The web server's security group does not allow outbound traffic to the database server.
C.The network ACL associated with the private subnet is blocking inbound MySQL traffic from the web server.
D.The database server does not have a route to the internet gateway.
AnswerC

Correct: A custom NACL can block traffic even if security groups allow it.

Why this answer

Option C is correct because the default network ACL in a VPC allows all inbound and outbound traffic, but if a custom NACL is associated with the private subnet, it may block traffic if not properly configured. Option A is wrong because the route table does not affect traffic within the same VPC. Option B is wrong because security groups are stateful, so outbound traffic is automatically allowed.

Option D is wrong because an internet gateway is not needed for VPC-internal traffic.

144
MCQeasy

A company uses AWS Site-to-Site VPN to connect its on-premises network to AWS. The VPN connection is established, but traffic from on-premises to AWS is not working. The on-premises network team confirms that the on-premises firewall is allowing traffic to the VPC CIDR. What should the network engineer check in AWS to resolve the issue?

A.Verify that the VPN tunnel status is UP.
B.Review the customer gateway configuration for incorrect BGP settings.
C.Ensure the virtual private gateway is attached to the correct VPC.
D.Check the VPC route tables to ensure routes to the on-premises network point to the virtual private gateway.
AnswerD

Missing routes in the VPC route table would prevent inbound traffic from reaching instances.

Why this answer

Option D is correct because even if the VPN tunnel is up and BGP is peering, traffic will not flow unless the VPC route tables have a route pointing to the virtual private gateway (VGW) for the on-premises CIDR. Without this route, the VPC has no path to forward return traffic back to the on-premises network, causing asymmetric routing or blackholing.

Exam trap

The trap here is that candidates assume a tunnel status of UP (Option A) guarantees traffic flow, but AWS explicitly separates tunnel health from routing configuration, and the exam tests this distinction by requiring you to check the VPC route tables for the correct target.

How to eliminate wrong answers

Option A is wrong because a tunnel status of UP only indicates the IPsec tunnel is established; it does not guarantee that routing or traffic forwarding is configured correctly. Option B is wrong because BGP settings on the customer gateway affect dynamic route exchange, but the question states the VPN connection is established, and BGP misconfiguration would typically prevent route propagation, not cause traffic failure if static routes are used. Option C is wrong because if the VGW were attached to the wrong VPC, the VPN connection would not be established at all, as the VGW is a required endpoint for the VPN; the question confirms the VPN is established, so the VGW is correctly attached.

145
MCQeasy

A network engineer is troubleshooting intermittent connectivity issues between an EC2 instance in a VPC and an on-premises data center over a Direct Connect virtual interface. The engineer notices that the BGP session is flapping. Which configuration should the engineer verify first?

A.Verify that the BGP hold timer and keepalive interval are consistent between the on-premises router and the AWS side.
B.Verify that the MTU setting on the Direct Connect virtual interface matches the on-premises router.
C.Verify that the on-premises router is advertising the correct prefix to AWS.
D.Verify that the Direct Connect virtual interface is in the 'available' state.
AnswerA

BGP timer mismatch causes session flapping.

Why this answer

Option A is correct because a BGP timer mismatch is a common cause of BGP session flapping. Option B is wrong because an MTU mismatch typically causes packet loss, not BGP flapping. Option D is wrong because the VIF being in the 'available' state is required for BGP at all, but flapping suggests a configuration issue.

Option C is wrong because prefix advertisement is about route distribution, not BGP session stability.

146
Multi-Selecthard

A company is using AWS Transit Gateway to connect multiple VPCs and Direct Connect. The network team wants to monitor network performance and detect anomalies. Which THREE AWS services should the team use together to achieve this goal? (Select THREE.)

Select 3 answers
A.Amazon CloudWatch
B.AWS Trusted Advisor
C.AWS Network Manager
D.VPC Flow Logs
E.AWS X-Ray
AnswersA, C, D

For log aggregation and metric analysis.

Why this answer

Options A, C, and D are correct. D: VPC Flow Logs capture IP traffic information. A: Amazon CloudWatch can aggregate and analyze logs and metrics.

C: AWS Network Manager provides a global view of Transit Gateway networks and performance metrics. Option E is wrong because AWS X-Ray is for application tracing, not network performance. Option B is wrong because AWS Trusted Advisor provides best practice checks, not real-time monitoring.

147
MCQeasy

A company is using AWS Client VPN to provide remote access to their VPC. Users report that they can connect to the VPN but cannot reach any resources in the VPC. What is the most likely cause?

A.The authorization rules do not include the client's group.
B.The Client VPN endpoint does not have a subnet association.
C.The Client VPN endpoint security group does not allow inbound traffic from the client CIDR.
D.The client's VPN software is not configured with the correct DNS server.
AnswerB

Without a subnet association, traffic cannot be routed to the VPC.

Why this answer

Option B is correct because the subnet associations for the Client VPN endpoint route traffic to the VPC; without a proper subnet association, traffic is not forwarded. Option C is incorrect because the security group for the Client VPN endpoint controls access, but the endpoint can still be reachable. Option A is incorrect; the authorization rules allow specific users/groups, but connectivity issues are likely routing.

Option D is incorrect because the client is already connected.

148
MCQhard

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team notices that traffic between two VPCs is taking a suboptimal path, going through the on-premises network instead of staying within AWS. What is the most likely cause?

A.The Transit Gateway route table has a propagated route from the on-premises network with a longer prefix
B.The VPCs are also peered directly, creating a conflict
C.VPC Flow Logs are enabled, causing latency
D.Security groups are blocking direct traffic between VPCs
AnswerA

More specific routes override default routes, sending traffic on-premises.

Why this answer

Option A is correct because Transit Gateway route propagation from on-premises (VPN or Direct Connect) can advertise more specific routes that override the local VPC routes. Option B is wrong because VPC peering is not used with Transit Gateway. Option D is wrong because security groups do not affect routing.

Option C is wrong because flow logs are for monitoring, not routing decisions.

149
MCQmedium

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network uses BGP to advertise the 10.0.0.0/8 prefix to AWS. The VPC has a route table that includes a route to the Virtual Private Gateway for 10.0.0.0/8. On-premises hosts can ping EC2 instances in the VPC, but EC2 instances cannot ping on-premises hosts. The VPC has an Internet Gateway and a NAT Gateway. The EC2 instances are in private subnets with routes to the NAT Gateway for 0.0.0.0/0. What is the most likely cause?

A.The Direct Connect virtual interface is configured for public VIF instead of private VIF.
B.The EC2 instances' security group outbound rules are blocking ICMP.
C.The VPC route table has a more specific local route (10.0.0.0/16) that overrides the route to the VGW for part of the on-premises CIDR.
D.The on-premises router is not advertising the 10.0.0.0/8 route to AWS.
AnswerC

Because the VPC uses 10.0.0.0/16, any on-premises IP within that range is considered local and not forwarded to the VGW.

Why this answer

For EC2 instances to reach on-premises hosts, the VPC route table must have a route for the on-premises CIDR pointing to the Virtual Private Gateway. The engineer has that route. However, the on-premises hosts are in the 10.0.0.0/8 range, and the VPC also uses 10.0.0.0/16.

The issue is that the VPC route table has a local route for 10.0.0.0/16, which is more specific than the 10.0.0.0/8 route to the VGW. Traffic from EC2 to on-premises hosts within the 10.0.0.0/16 range will be routed locally within the VPC, not through the VGW. The on-premises hosts must be in a different CIDR than the VPC's CIDR, or the VPC must use a different CIDR.

Since the VPC uses 10.0.0.0/16, any on-premises host with an IP in that range will be considered local and won't go through the VGW. The solution is to ensure the VPC CIDR does not overlap with the on-premises CIDR.

150
MCQeasy

A company uses AWS Client VPN to provide remote access to its VPC. Users report slow connection speeds. The CloudWatch metrics show high packet loss on the VPN connections. What is the most likely cause?

A.The client certificate has expired.
B.The Client VPN subnet is too small.
C.MTU mismatch between the client and the VPN endpoint.
D.Route propagation is not enabled in the VPC route table.
AnswerC

MTU mismatch leads to fragmentation and packet loss.

Why this answer

Option C is correct because MTU issues cause fragmentation and packet loss. Option B is incorrect because subnet size does not affect packet loss. Option A is incorrect because client authentication doesn't cause packet loss.

Option D is incorrect because route propagation does not cause packet loss.
