CCNA Network Design Questions

75 of 504 questions · Page 1/7 · Network Design topic

Question 1 · MCQ · hard

Refer to the exhibit. A bucket policy allows access to an S3 bucket. What is the intended effect?

A. Allows requests from any public IP address
B. Allows any request to the bucket
C. Denies all requests because the IP condition uses a private IP range
D. Allows requests only from a VPC with CIDR 10.0.0.0/16

Answer: C

Private IPs are not seen by S3, so the condition never matches.

Why this answer

The bucket policy includes a condition that denies requests unless the source IP is within the private IP range 10.0.0.0/16. Since private IP addresses are not routable over the public internet, any request originating from outside the VPC (i.e., from the internet) will not have a source IP in that range, causing the Deny statement to block the request. This effectively denies all requests because the only allowed IP range is a private CIDR that cannot be the source of a public internet request.

Exam trap

AWS often tests the misconception that a Deny statement with a NotIpAddress condition acts as an Allow for the specified IP range. Candidates forget that the Deny effect overrides any Allow and that private IP ranges cannot be the source of public internet requests, which leads them to incorrectly choose Option D.

How to eliminate wrong answers

Option A is wrong because the policy explicitly denies requests that do not originate from the 10.0.0.0/16 range, so requests from any public IP address are denied, not allowed. Option B is wrong because the policy does not allow any request; it denies requests that do not match the IP condition, and since private IPs cannot be the source of internet requests, all external requests are denied. Option D is wrong because the policy does not allow requests only from a VPC; it uses a Deny effect with a NotIpAddress condition, which means requests from 10.0.0.0/16 are allowed only if they are not blocked by other statements, but the explicit Deny overrides any Allow, and the condition effectively blocks all internet-originated requests, not just those from a specific VPC.

Question 2 · Multi-Select · medium

Which TWO of the following are valid methods to connect multiple VPCs in the same AWS region? (Select TWO.)

A. VPC peering
B. AWS Direct Connect
C. VPC endpoints
D. Site-to-Site VPN
E. Transit gateway

Answers: A, E

Direct connection between two VPCs.

Why this answer

VPC peering (Option A) is a valid method to connect multiple VPCs in the same AWS region. It uses the AWS global network infrastructure to create a one-to-one, private IPv4 or IPv6 routing connection between two VPCs, allowing traffic to flow as if they were on the same network. This is a direct, non-transitive connection that does not require a separate transit hub. Transit gateway (Option E) is the other valid method: it is a regional hub that attaches multiple VPCs and routes traffic between them, so it connects VPCs in the same region without pairwise peering.

Exam trap

The trap here is that candidates often confuse VPC endpoints (which are for service access) with VPC peering or transit gateway, or mistakenly think Direct Connect or Site-to-Site VPN can connect VPCs directly, when they are actually designed for hybrid connectivity.

Question 3 · MCQ · hard

An enterprise is migrating a critical application to AWS. The application requires low latency (under 5 ms) between two EC2 instances that are in different VPCs in the same region. The company also needs to ensure that traffic is encrypted in transit and that the connection is highly available. Which design should be used?

A. Use an AWS Direct Connect connection between the VPCs
B. Configure VPC Peering and use an AWS Transit Gateway with VPN attachments
C. Use VPC endpoints with PrivateLink
D. Establish an AWS Site-to-Site VPN between the VPCs

Answer: B

Correct; VPC Peering provides low latency, and Transit Gateway with VPN adds encryption and high availability.

Why this answer

Option B is correct because AWS Transit Gateway with VPN attachments provides encrypted transit (using IPsec) and high availability (via redundant VPN tunnels) between VPCs in the same region. VPC Peering alone does not encrypt traffic, but when combined with Transit Gateway VPN attachments, it meets the sub-5 ms latency requirement (since both VPCs are in the same region and traffic stays within the AWS backbone). This design also supports the required encryption and high availability without the complexity of Direct Connect or the latency overhead of internet-based VPNs.

Exam trap

The trap here is that candidates assume VPC Peering alone (Option B's first part) is sufficient, but they overlook the encryption requirement; the correct answer combines Transit Gateway with VPN attachments to satisfy both low latency and encryption, while a standalone Site-to-Site VPN (Option D) introduces internet latency that fails the 5 ms requirement.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect is a dedicated physical connection from on-premises to AWS, not between VPCs; it does not inherently encrypt traffic (unless combined with a VPN) and adds unnecessary cost and complexity for inter-VPC connectivity. Option C is wrong because VPC endpoints with PrivateLink are designed for private access to AWS services or third-party services, not for routing traffic between two EC2 instances in different VPCs; they do not provide a general-purpose network path for inter-VPC communication. Option D is wrong because an AWS Site-to-Site VPN between VPCs would route traffic over the public internet, introducing variable latency that likely exceeds the 5 ms requirement, and it lacks the high availability of Transit Gateway with multiple VPN attachments.

Question 4 · MCQ · medium

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The company wants to minimize cost and management overhead. Which solution should be used?

A. Deploy a NAT Gateway in each Availability Zone for high availability.
B. Launch a NAT instance in a public subnet and configure routing.
C. Attach an Internet Gateway to the VPC and add a default route pointing to the IGW in private subnets.
D. Deploy a single NAT Gateway in one public subnet and configure route tables to route 0.0.0.0/0 traffic to it.

Answer: D

A single NAT Gateway provides internet access for all private subnets with minimal cost and management.

Why this answer

Option D is correct because a single NAT Gateway in one AZ provides internet access for all private subnets at low cost. Option A is wrong because using a NAT Gateway per AZ increases cost unnecessarily. Option B is wrong because a NAT instance requires management and is less reliable. Option C is wrong because an Internet Gateway alone does not provide private subnet access; it requires a NAT device.

Question 5 · Multi-Select · hard

A company has a VPC with a CIDR of 10.0.0.0/16. The company needs to add a new subnet for a container cluster that requires at least 2000 IP addresses. Which TWO subnet CIDR blocks meet this requirement? (Choose two.)

A. 10.0.0.0/24
B. 10.0.0.0/25
C. 10.0.0.0/20
D. 10.0.0.0/21
E. 10.0.0.0/26

Answers: C, D

A /20 provides 4096 addresses and a /21 provides 2048, both more than 2000.

Why this answer

Option C (10.0.0.0/20) provides 2^(32-20) = 4096 IP addresses, and option D (10.0.0.0/21) provides 2^(32-21) = 2048 IP addresses. Both meet the requirement of at least 2000 usable IP addresses (after subtracting AWS reserved addresses, each still offers well over 2000).

Exam trap

AWS often tests the misconception that a /24 subnet (256 addresses) is sufficient for 2000 IPs. Candidates also forget to calculate the total number of addresses as 2^(32-prefix) and instead guess from the prefix number alone.

Question 6 · Multi-Select · hard

A company has a Direct Connect connection with a private VIF attached to a virtual private gateway. The VPC has multiple subnets in two Availability Zones. The on-premises network advertises a default route (0.0.0.0/0) via BGP. The company wants all internet-bound traffic from the VPC to go through the on-premises network. Which THREE actions are required to achieve this?

A. Deploy a NAT Gateway in a public subnet.
B. Add a default route pointing to the virtual private gateway in the private subnet route tables.
C. Remove the default route to the internet gateway from the main route table.
D. Attach an internet gateway to the VPC.
E. Enable route propagation on the VPC route tables.

Answers: B, C, E

Ensures private subnet traffic goes through Direct Connect.

Why this answer

Option B is correct because adding a default route (0.0.0.0/0) pointing to the virtual private gateway in the private subnet route tables ensures that all internet-bound traffic from those subnets is forwarded over the Direct Connect private VIF to the on-premises network. This leverages the BGP-advertised default route from the on-premises network, allowing the company to enforce its security and routing policies for internet access. Option C is required because a static default route to the internet gateway would otherwise keep sending internet-bound traffic out through the IGW, and Option E is required so that the default route advertised over BGP by the on-premises network is propagated into the VPC route tables.

Exam trap

AWS often tests the misconception that a NAT Gateway or internet gateway is required for outbound internet traffic, but in this scenario, the on-premises network acts as the internet gateway, so the correct approach is to route traffic over the Direct Connect connection using the virtual private gateway.

Question 7 · MCQ · hard

A company is migrating a legacy application to AWS. The application requires a fixed IP address that must not change. The application will be deployed on Amazon EC2 instances behind an Application Load Balancer. Which solution meets the requirement for a static IP address?

A. Assign an Elastic IP address to the Application Load Balancer.
B. Replace the ALB with a Network Load Balancer and assign an Elastic IP to it.
C. Place the ALB behind AWS Global Accelerator, which provides static IP addresses.
D. Use an Elastic IP address on each EC2 instance and point a CNAME record to the ALB.

Answer: C

Global Accelerator provides two static anycast IPs that route traffic to the ALB.

Why this answer

Option C is correct because AWS Global Accelerator provides two static Anycast IP addresses that serve as fixed entry points for traffic. Traffic is then routed over the AWS global network to the Application Load Balancer, preserving the static IP requirement while still allowing the ALB to handle HTTP/HTTPS traffic. This decouples the static IP from the underlying load balancer, ensuring the IP does not change even if the ALB is replaced or recreated.

Exam trap

The trap here is that candidates assume an Elastic IP can be attached to any AWS resource, but ALBs are DNS-based and cannot accept Elastic IPs, leading them to incorrectly choose Option A or B without considering Global Accelerator.

How to eliminate wrong answers

Option A is wrong because an Elastic IP address cannot be directly assigned to an Application Load Balancer; ALBs are DNS-based and do not support Elastic IP attachments. Option B is wrong because while a Network Load Balancer can have Elastic IPs assigned, it operates at Layer 4 and does not support the HTTP/HTTPS header inspection, path-based routing, or sticky sessions that the legacy application likely requires from an ALB. Option D is wrong because assigning Elastic IPs to individual EC2 instances does not provide a single static IP for the application; traffic would still flow through the ALB's DNS name, and the Elastic IPs on instances are not used when the ALB is the frontend.

Question 8 · MCQ · medium

A company has deployed a multi-tier web application in a single AWS region. The architecture includes a VPC with public and private subnets across two Availability Zones. The web tier uses an Application Load Balancer (ALB) in the public subnets, and the application tier runs on EC2 instances in the private subnets. The database tier uses an Amazon RDS Multi-AZ deployment in the database subnets. The company is experiencing intermittent connectivity issues between the application tier and the database tier. The application logs show connection timeouts. The network engineer has verified that the security groups and network ACLs are correctly configured. The RDS instance is reachable from the application tier via a telnet test from one specific instance, but not consistently from all instances. What is the most likely cause of the intermittent connectivity?

A. The RDS Multi-AZ failover is causing the primary instance to change, and the application is not reconnecting to the new endpoint.
B. The network ACLs on the database subnets are blocking ephemeral ports used by the application.
C. The database subnets are in different Availability Zones than the application subnets, and the route tables in the application subnets do not have routes to the database subnet CIDRs.
D. The security group for the database is allowing traffic only from the application tier's security group, but the application tier instances are using a different security group.

Answer: C

Correct: Missing routes cause intermittent connectivity depending on which AZ the instance is in.

Why this answer

Option C is correct because if the RDS subnet group spans subnets in different AZs, the RDS endpoint may resolve to an IP in a subnet that is not routable from some application subnets due to missing route table entries, so only some instances can connect. Option A is wrong because RDS Multi-AZ does not use a separate IP for failover; the DNS CNAME changes. Option B is wrong because network ACLs are stateless, but if configured correctly they should allow the traffic. Option D is wrong because security groups are stateful and allow return traffic.

Question 9 · MCQ · medium

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to add IPv6 connectivity for their internet-facing applications. The VPC currently has an internet gateway attached. What is the MOST efficient way to enable IPv6?

A. Assign an Amazon-provided IPv6 CIDR block to the VPC and subnets, and update route tables to use an internet gateway for IPv6
B. Create a transit gateway and attach the VPC, then route IPv6 traffic through a VPN
C. Create a NAT Gateway in a public subnet and route IPv6 traffic through it
D. Assign an IPv6 CIDR to the VPC and subnets, and add an egress-only internet gateway

Answer: A

The internet gateway supports both IPv4 and IPv6; route tables can direct IPv6 traffic to it.

Why this answer

Option A is correct because the most efficient way to enable IPv6 for an existing VPC with an internet gateway is to request an Amazon-provided IPv6 CIDR block (a /56 block) for the VPC, assign a /64 IPv6 CIDR to each subnet, and then update the route tables to direct ::/0 traffic to the internet gateway. The internet gateway is a dual-stack resource that inherently supports both IPv4 and IPv6 traffic, so no additional gateway is needed for outbound-only or inbound IPv6 connectivity.

Exam trap

AWS often tests the misconception that an egress-only internet gateway is required for all IPv6 traffic, but the trap here is that an egress-only internet gateway is only for outbound-only scenarios, whereas internet-facing applications need bidirectional IPv6 traffic, which requires a standard internet gateway.

How to eliminate wrong answers

Option B is wrong because a transit gateway is used for inter-VPC or hybrid connectivity, not for enabling IPv6 internet access for a single VPC; routing IPv6 through a VPN would add unnecessary complexity and cost. Option C is wrong because a NAT Gateway only supports IPv4 traffic and cannot forward IPv6 packets; IPv6 traffic must be routed through an internet gateway or an egress-only internet gateway. Option D is wrong because an egress-only internet gateway is designed for outbound-only IPv6 traffic from private subnets and does not allow inbound IPv6 connections, which are required for internet-facing applications.

Question 10 · Multi-Select · medium

A company is designing a Direct Connect solution for high availability. Which TWO actions meet the requirement for diverse physical paths?

A. Provision two Direct Connect connections at the same Direct Connect location.
B. Provision two Direct Connect connections at two different Direct Connect locations.
C. Use a Transit Gateway with attachments to multiple Direct Connect gateways.
D. Provision a single Direct Connect connection and use link aggregation (LAG).
E. Use a single Direct Connect connection with a VPN backup.

Answers: B, C

Different locations ensure physical diversity.

Why this answer

Option B is correct because provisioning two Direct Connect connections at two different Direct Connect locations ensures that the physical paths are geographically diverse, eliminating a single point of failure. Option C is correct because using a Transit Gateway with attachments to multiple Direct Connect gateways allows traffic to be routed over separate connections, providing path diversity even if the connections are at the same location, as long as they are associated with different gateways and virtual interfaces.

Exam trap

The trap here is that candidates often assume that multiple connections at the same Direct Connect location provide diversity, but AWS explicitly requires different locations for physical path diversity, as the same location shares common infrastructure like power and fiber entrance facilities.

Question 11 · MCQ · medium

A company is designing a network for a multi-tier application. The web tier must be accessible from the internet, and the application tier must only be accessible from the web tier. Which architecture should they use?

A. Web servers in private subnets with a NAT Gateway for outbound traffic, and application servers in public subnets
B. Web servers in public subnets with an Internet Gateway, and application servers in private subnets with security groups allowing traffic only from the web tier
C. All servers in a single VPC with VPC Peering to another VPC
D. Web servers and application servers in public subnets, each with their own security group

Answer: B

This follows best practices for multi-tier architectures.

Why this answer

Option B is correct because public subnets for web servers behind an Internet Gateway, with application servers in private subnets that have no direct internet access, is the standard pattern. Option A is wrong because a NAT Gateway is for outbound traffic, not inbound, so web servers in private subnets would not be reachable from the internet. Option C is wrong because VPC Peering is not needed. Option D is wrong because placing application servers in public subnets exposes them.

Question 12 · MCQ · medium

A company has a VPC with public and private subnets in three Availability Zones. They have EC2 instances in private subnets that need to download patches from the internet. The company requires that all outbound traffic to the internet is logged and inspected. Which solution meets these requirements with the highest availability?

A. Launch a NAT instance in one public subnet and configure all private subnet route tables to send 0.0.0.0/0 to the NAT instance.
B. Place a single NAT Gateway in one public subnet and configure all private subnet route tables to send 0.0.0.0/0 to that NAT Gateway.
C. Attach an internet gateway to the VPC and add a route in the private subnet route tables to send 0.0.0.0/0 to the internet gateway.
D. Create a centralized egress VPC with a NAT Gateway in each AZ. Peer the application VPCs to the egress VPC and route 0.0.0.0/0 traffic through a firewall appliance in the egress VPC.

Answer: D

NAT Gateways in each AZ provide high availability, and centralized inspection allows logging.

Why this answer

Option D is correct because it meets the requirements for logging and inspecting all outbound internet traffic by routing it through a centralized firewall appliance in an egress VPC, while also providing high availability through NAT Gateways deployed in each Availability Zone. This architecture ensures that traffic is inspected before reaching the internet, and the use of multiple NAT Gateways eliminates single points of failure, achieving the highest availability compared to single-instance or single-gateway solutions.

Exam trap

The trap here is that candidates often assume a single NAT Gateway or NAT instance provides sufficient availability and inspection, overlooking the requirement for logging and inspection, which necessitates a firewall or inspection appliance, and the need for multi-AZ deployment to achieve high availability.

How to eliminate wrong answers

Option A is wrong because a single NAT instance in one public subnet is a single point of failure and does not provide high availability; additionally, NAT instances do not inherently support traffic logging and inspection without additional configuration, and they are not managed for automatic failover. Option B is wrong because a single NAT Gateway in one Availability Zone is not highly available; if that AZ fails, all private subnets lose internet connectivity, and NAT Gateways do not provide built-in traffic inspection or logging capabilities. Option C is wrong because attaching an internet gateway to the VPC and routing 0.0.0.0/0 from private subnets directly to the internet gateway would bypass any inspection or logging, and private subnets require a NAT device or transit gateway to access the internet through an internet gateway; direct routing would fail because internet gateways do not accept traffic from private IP addresses without source NAT.

Question 13 · Multi-Select · hard

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They have subnets in three Availability Zones. They need to add IPv6 connectivity to the VPC and allow instances in private subnets to initiate outbound IPv6 connections to the internet, but not allow inbound connections from the internet. Which TWO actions must be taken?

A. Create an egress-only internet gateway and add a route for ::/0 to it in the private subnet route tables.
B. Create an internet gateway and add a route for ::/0 to it in the private subnet route tables.
C. Allocate an IPv6 CIDR block to the VPC.
D. Create a NAT gateway in a public subnet.
E. Configure a security group that allows outbound IPv6 traffic.

Answers: A, C

An egress-only internet gateway allows outbound-only IPv6 traffic.

Why this answer

Option C is correct: allocate an IPv6 CIDR block to the VPC and associate it with the subnets. Option A is correct: create an egress-only internet gateway and add a route for ::/0 to it in the private subnet route tables. Option B is incorrect because an internet gateway allows bidirectional IPv6 traffic, which would allow inbound connections. Option D is incorrect because a NAT gateway is for IPv4. Option E is incorrect because a security group provides fine-grained control but does not provide internet connectivity.

Question 14 · MCQ · easy

A company has a VPC with a CIDR block of 172.16.0.0/16. They have a public subnet (172.16.1.0/24) and a private subnet (172.16.2.0/24). They have an internet gateway attached to the public subnet. They launch an EC2 instance in the public subnet with a public IP address. The instance is running a web server on port 80. They also launch an EC2 instance in the private subnet that needs to download updates from the internet. The private subnet does not have a route to the internet. The company wants to provide internet access to the private instance in a secure and cost-effective manner. Which solution should they implement?

A. Create a NAT Gateway in the public subnet and add a route in the private subnet's route table pointing to the NAT Gateway
B. Create a VPC Gateway Endpoint for S3 and configure the private instance to use it
C. Create a forward proxy server in the public subnet and configure the private instance to use it
D. Create a NAT instance in the public subnet and configure the private instance to use it

Answer: A

NAT Gateway provides outbound internet access for private instances.

Why this answer

A NAT Gateway in the public subnet allows instances in the private subnet to initiate outbound connections to the internet (e.g., for downloading updates) while preventing inbound connections from the internet. The private subnet's route table must have a default route (0.0.0.0/0) pointing to the NAT Gateway. This is secure because the NAT Gateway uses Elastic IPs and does not accept unsolicited inbound traffic, and it is cost-effective as it is a managed service with no maintenance overhead.

Exam trap

The trap here is that candidates often confuse a NAT Gateway with a NAT instance or assume a VPC Gateway Endpoint can provide general internet access, but the key distinction is that a NAT Gateway is a managed service for outbound-only internet access, while Gateway Endpoints are specific to AWS services like S3 and DynamoDB.

How to eliminate wrong answers

Option B is wrong because a VPC Gateway Endpoint for S3 only provides private connectivity to Amazon S3, not general internet access; it cannot be used to download updates from arbitrary internet hosts. Option C is wrong because a forward proxy server (e.g., Squid) is a valid but less cost-effective and more complex solution compared to a NAT Gateway; it requires manual configuration, patching, and scaling, and is not the simplest managed solution. Option D is wrong because a NAT instance is a legacy, self-managed EC2 instance that requires manual configuration (e.g., disabling Source/Destination Check), patching, and high-availability setup; it is less reliable and more operationally expensive than a managed NAT Gateway.

Question 15 · MCQ · easy

A company wants to connect its on-premises data center to AWS using a dedicated, private network connection. Which AWS service should be used to establish a 1 Gbps dedicated connection?

A. AWS Direct Connect
B. AWS Transit Gateway
C. VPC Peering
D. AWS Site-to-Site VPN

Answer: A

Direct Connect provides a dedicated private connection.

Why this answer

AWS Direct Connect is the correct service for establishing a dedicated, private network connection from an on-premises data center to AWS. It provides a 1 Gbps (or higher) physical Ethernet link that bypasses the public internet, delivering consistent network performance and reduced bandwidth costs for high-volume data transfer.

Exam trap

AWS often tests the misconception that a VPN can provide a dedicated private connection, but VPNs traverse the public internet and lack the physical isolation and consistent latency of Direct Connect.

How to eliminate wrong answers

Option B is wrong because AWS Transit Gateway is a network transit hub that interconnects VPCs and on-premises networks, but it does not itself provide a physical dedicated connection; it relies on underlying connections like Direct Connect or VPN. Option C is wrong because VPC Peering connects two VPCs within AWS using the AWS global network, but it cannot extend to an on-premises data center. Option D is wrong because AWS Site-to-Site VPN creates an encrypted tunnel over the public internet, which does not offer the dedicated, private, or consistent performance characteristics of a physical dedicated connection.

Question 16 · MCQ · medium

A company is designing a multi-region architecture using AWS Global Accelerator and Application Load Balancers (ALBs) in two AWS Regions. They want to route traffic to the closest healthy endpoint and minimize latency. Which configuration best meets these requirements?

A. Deploy a single ALB in one region and use Route 53 geolocation routing to direct traffic.
B. Use Amazon Route 53 latency-based routing with ALBs in each region.
C. Create a Global Accelerator with endpoint groups in each region, each pointing to the regional ALB.
D. Use an Application Load Balancer in one region and a Network Load Balancer in another with cross-zone load balancing.

Answer: C

Global Accelerator uses anycast IPs to route traffic to the nearest healthy endpoint, with built-in health checks and fast failover.

Why this answer

AWS Global Accelerator uses the Anycast IP address to route traffic to the nearest edge location, then forwards it over the AWS global network to the closest healthy endpoint group. By configuring endpoint groups in each region, each pointing to the regional ALB, Global Accelerator provides both low-latency routing and automatic failover, meeting the requirement for multi-region traffic distribution to the closest healthy endpoint.

Exam trap

AWS often tests the misconception that Route 53 latency-based routing is equivalent to Global Accelerator for multi-region traffic optimization, but candidates must remember that DNS-based routing introduces caching delays and lacks the anycast edge routing and fast health check failover that Global Accelerator provides.

How to eliminate wrong answers

Option A is wrong because deploying a single ALB in one region with Route 53 geolocation routing does not provide multi-region architecture; it forces all traffic to a single region, increasing latency for distant users and creating a single point of failure. Option B is wrong because Route 53 latency-based routing relies on DNS resolution, which introduces caching and TTL delays, and does not provide fast failover or static anycast IPs; it also cannot route traffic based on endpoint health in real-time as efficiently as Global Accelerator. Option D is wrong because using an ALB in one region and a Network Load Balancer in another with cross-zone load balancing does not address multi-region traffic routing or latency optimization; cross-zone load balancing is a feature for distributing traffic within a single region, not between regions.

Question 17 · MCQ · hard

A company is designing a network for a large-scale e-commerce platform that must handle sudden traffic spikes. The architecture uses an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances across multiple Availability Zones. The ALB is internet-facing. To protect against DDoS attacks, which AWS services should be used at the network edge?

A. Subscribe to AWS Shield Advanced and deploy AWS WAF on the ALB.
B. Configure network ACLs to allow only known IP ranges.
C. Enable AWS Shield Standard and configure security groups to block traffic from suspicious sources.
D. Use Amazon Route 53 with DNS-based failover to redirect traffic away from the ALB during an attack.

Answer: A

Shield Advanced provides DDoS protection at the edge, and WAF filters application-layer attacks.

Why this answer

Option A is correct. AWS Shield Advanced provides enhanced protection against DDoS attacks, and AWS WAF can be integrated with the ALB to filter malicious traffic. Option B is wrong because network ACLs are not at the edge; they operate at the subnet level. Option C is wrong because AWS Shield Standard is included automatically but does not provide advanced protection. Option D is wrong because Route 53 is for DNS, not DDoS mitigation at the network edge.

Question 18 · Multi-Select · medium

A company is designing a multi-VPC architecture in a single AWS Region. The company has three VPCs: Production, Development, and Shared Services. They want to enable transitive routing between all VPCs while minimizing operational overhead. Which TWO solutions meet these requirements?

A. Establish VPC peering connections between each pair of VPCs.
B. Configure a VPN connection between each VPC.
C. Use AWS Transit Gateway to connect all VPCs.
D. Configure AWS Direct Connect connections from each VPC to the same on-premises router.
E. Use Transit Gateway with VPN attachments to an on-premises router that performs routing between VPCs.

Answers: C, E

Transit Gateway enables transitive routing between all attached VPCs.

Why this answer

Option C is correct: Transit Gateway provides transitive routing between multiple VPCs and supports a hub-and-spoke architecture. Option E is correct: a centralized VPN to on-premises can provide transitive routing if all VPCs connect to the same VPN via Transit Gateway. Option A is incorrect because VPC peering is not transitive; each pair must be explicitly peered. Option B is incorrect because a VPN connection between two VPCs would require each pair to be connected. Option D is incorrect because Direct Connect alone does not provide transitive routing between VPCs.

Question 19 · MCQ · easy

A company needs to monitor network traffic to and from EC2 instances for security analysis. Which AWS service should they use?

A.AWS CloudTrail
B.Amazon CloudWatch Logs
C.AWS Config
D.VPC Flow Logs
Answer: D

VPC Flow Logs capture IP traffic information.

Why this answer

VPC Flow Logs capture IP traffic information for network interfaces in a VPC, including metadata such as source/destination IPs, ports, protocols, and packet accept/reject decisions. This makes it the correct service for monitoring network traffic to and from EC2 instances for security analysis, as it provides detailed network-level logs without requiring any agent installation on the instances.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (API auditing) with network traffic monitoring, or assume CloudWatch Logs can capture network flows directly, but VPC Flow Logs are the only service that provides raw network traffic metadata at the VPC level.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity and management events (e.g., who launched an EC2 instance), not the actual network traffic flowing through the VPC. Option B is wrong because Amazon CloudWatch Logs is a service for storing and monitoring log files from applications, OS, or AWS services, but it does not natively capture network traffic metadata from EC2 instances. Option C is wrong because AWS Config evaluates resource configurations and compliance rules (e.g., whether a security group is too permissive), but it does not log or monitor network traffic flows.

20
MCQ · hard

A company has a global application that uses Amazon Route 53 for DNS. The application is deployed in us-east-1 and eu-west-1. The company wants to route users to the Region with the lowest latency, but also provide failover if one Region becomes unhealthy. Which Route 53 routing policy should be used?

A.Weighted routing with equal weights
B.Failover routing with primary in us-east-1
C.Latency-based routing with health checks
D.Geoproximity routing
Answer: C

Latency-based routing sends users to the lowest-latency Region; health checks provide the failover.

Why this answer

Option C is correct because latency-based routing with health checks automatically routes to the lowest-latency Region that is healthy. Option D is wrong because geoproximity routing uses location, not latency. Option B is wrong because failover routing does not consider latency.

Option A is wrong because weighted routing does not consider latency or health.

21
MCQ · easy

A company has a VPC with public and private subnets in two Availability Zones. The private subnets need to access the internet for software updates. Which configuration meets this requirement securely?

A.Deploy a NAT Gateway in a public subnet and update the private subnet route tables to point 0.0.0.0/0 to the NAT Gateway.
B.Attach an Internet Gateway to the VPC and add a route to 0.0.0.0/0 in the private subnet route tables pointing to the Internet Gateway.
C.Create a VPC Peering connection to a second VPC that has an Internet Gateway and route all traffic through it.
D.Configure a Virtual Private Gateway and use an AWS Direct Connect connection to the internet.
Answer: A

Correct: NAT Gateway enables outbound internet access for private subnets.

Why this answer

Option A is correct because a NAT Gateway in a public subnet allows private instances to initiate outbound traffic to the internet. Option B is wrong because an Internet Gateway does not allow private instances to reach the internet. Option C is wrong because a VPC Peering connection does not provide internet access.

Option D is wrong because a Virtual Private Gateway is used for VPN connections.

22
Multi-Select · medium

A company is deploying a new application in a VPC. The application consists of EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The ALB must only receive traffic from the company's on-premises network via an AWS Site-to-Site VPN. Which THREE steps should the network engineer take to meet this requirement?

Select 3 answers
A.Place the ALB in a private subnet and use a Transit Gateway.
B.Place the ALB in a public subnet.
C.Configure the network ACL on the ALB's subnet to allow inbound traffic from the on-premises CIDR range.
D.Configure the ALB security group to allow inbound traffic from the on-premises CIDR range.
E.Create a NAT gateway in the public subnet for outbound traffic.
Answers: B, C, D

The ALB needs to be internet-facing to respond to the VPN traffic.

Why this answer

Option B is correct because an Application Load Balancer (ALB) must be placed in a public subnet to be reachable from an on-premises network via an AWS Site-to-Site VPN. The VPN connection terminates on a virtual private gateway or transit gateway, which routes traffic to the VPC, but the ALB itself needs a public subnet with a route to the internet gateway (or virtual private gateway) to accept inbound traffic from the VPN. Without a public subnet, the ALB cannot receive traffic from outside the VPC, including VPN traffic.

Exam trap

AWS often tests the misconception that an ALB in a private subnet can receive traffic from a VPN via a Transit Gateway or NAT gateway, but the ALB must be in a public subnet to have a route to the virtual private gateway for inbound traffic from on-premises.

23
MCQ · medium

A network engineer is troubleshooting an issue where an AWS Lambda function cannot create an Elastic Network Interface (ENI) in a VPC. The function has the IAM policy shown in the exhibit. Which statement explains why the function is failing?

A.The policy denies the ec2:CreateVpc action which is required to create an ENI
B.The policy allows ec2:DescribeInstances which conflicts with ENI creation
C.The policy denies the ec2:CreateNetworkInterface action
D.The policy is missing the ec2:CreateNetworkInterfacePermission action
Answer: D

Lambda requires ec2:CreateNetworkInterfacePermission to create ENIs on behalf of the function; without it, the call fails.

Why this answer

The correct answer is D because creating an Elastic Network Interface (ENI) in a VPC requires the `ec2:CreateNetworkInterfacePermission` action in addition to `ec2:CreateNetworkInterface`. The IAM policy shown in the exhibit explicitly denies `ec2:CreateNetworkInterface`, but even if that denial were removed, the Lambda function would still fail without the permission action, as it is necessary for cross-account or service-linked ENI creation scenarios. AWS Lambda uses this permission to allow the Lambda service to attach the ENI to the VPC on your behalf.

Exam trap

The trap here is that candidates focus on the explicit denial of `ec2:CreateNetworkInterface` in the policy and overlook the separate requirement for `ec2:CreateNetworkInterfacePermission`, which is necessary for Lambda to delegate ENI management to the AWS service.

How to eliminate wrong answers

Option A is wrong because the `ec2:CreateVpc` action is not required to create an ENI; ENIs are created within an existing VPC, and the VPC must already exist. Option B is wrong because allowing `ec2:DescribeInstances` does not conflict with ENI creation; it is a read-only action that does not interfere with resource creation. Option C is wrong because the policy in the exhibit explicitly denies `ec2:CreateNetworkInterface`, but the question asks why the function is failing, and the core missing permission is `ec2:CreateNetworkInterfacePermission`, not just the denial of `CreateNetworkInterface`.

24
MCQ · hard

A company has a hybrid network with multiple VPCs connected via a Transit Gateway. They need to centralize outbound internet traffic through a single VPC. Which architecture should be used?

A.Attach a NAT Gateway to each VPC's private subnets.
B.Attach an Internet Gateway to each VPC and route 0.0.0.0/0 to the IGW.
C.Designate one VPC as an egress VPC with a NAT Gateway and Internet Gateway, and use Transit Gateway route tables to route 0.0.0.0/0 from other VPCs to the egress VPC.
D.Use a VPN connection to an on-premises data center for internet access.
Answer: C

This centralizes outbound traffic through a single VPC.

Why this answer

Option C is correct because an egress VPC with a NAT Gateway and Internet Gateway can centralize outbound traffic via Transit Gateway route tables. Option A is wrong because giving each VPC its own NAT Gateway does not centralize egress. Option D is wrong because a VPN does not provide internet access.

Option B is wrong because an Internet Gateway in each VPC does not centralize egress.

25
MCQ · medium

A company has a VPC with a CIDR block of 10.0.0.0/16. They have two subnets: a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). The public subnet has an internet gateway attached, and the private subnet has a NAT Gateway in the public subnet for outbound internet access. The company is deploying an Amazon RDS for MySQL database in a Multi-AZ configuration. The database should be accessible only from the application servers running in the private subnet. The company wants to ensure that the database is highly available and that failover does not require any changes to the application. Which networking configuration should they use?

A.Place the RDS instances behind an internal Network Load Balancer and configure the application to connect to the NLB's DNS name
B.Create the RDS instance in the public subnet and restrict access using a security group that allows traffic from the private subnet
C.Configure the application to use the IP address of the primary RDS instance and update the application when failover occurs
D.Create a DB subnet group with subnets in two Availability Zones, launch the RDS instance with Multi-AZ enabled, and configure the application to connect to the RDS endpoint DNS name
Answer: D

Multi-AZ provides automatic failover; the DNS endpoint handles the switch.

Why this answer

Option D is correct because creating a DB subnet group with subnets in two Availability Zones and enabling Multi-AZ on the RDS instance ensures automatic failover to a standby in another AZ. The application connects to the RDS endpoint DNS name, which automatically points to the current primary instance, so no application changes are needed during failover. This satisfies the high availability and access requirements while keeping the database in private subnets.

Exam trap

The trap here is that candidates may think an internal NLB is needed for high availability with RDS, but RDS Multi-AZ already handles failover via DNS, making the NLB redundant and incorrect for this scenario.

How to eliminate wrong answers

Option A is wrong because placing RDS instances behind an internal Network Load Balancer is unnecessary and adds complexity; RDS Multi-AZ already provides automatic failover with a DNS endpoint, and NLB does not improve the failover process for RDS. Option B is wrong because creating the RDS instance in the public subnet exposes it to the internet (even with security group restrictions) and violates the requirement that the database be accessible only from the private subnet; also, RDS should not be in a public subnet for production databases. Option C is wrong because configuring the application to use the IP address of the primary RDS instance requires manual updates during failover, which contradicts the requirement that failover does not require any changes to the application.

26
MCQ · easy

A company has an Amazon Route 53 private hosted zone associated with a VPC. The company wants to resolve custom domain names for resources within that VPC. Which configuration is required for EC2 instances in the VPC to resolve these private hosted zone records?

A.Configure a Route 53 Resolver inbound endpoint in the VPC
B.Create a Route 53 Resolver outbound endpoint in the VPC
C.Ensure that the VPC has the enableDnsHostnames and enableDnsSupport attributes set to true
D.Establish a VPC peering connection with the Route 53 hosted zone
Answer: C

These settings enable DNS resolution within the VPC using the Route 53 Resolver, allowing instances to resolve private hosted zone records.

Why this answer

Option C is correct because for EC2 instances in a VPC to resolve records in a Route 53 private hosted zone, the VPC must have both the `enableDnsHostnames` and `enableDnsSupport` attributes set to `true`. These settings enable the VPC's built-in DNS resolver (the Amazon-provided DNS server at the VPC's base CIDR +2 address) to query the private hosted zone and return the custom domain names to instances. Without these attributes, the VPC DNS resolver cannot perform resolution for private hosted zones, even if the zone is associated with the VPC.

Exam trap

The trap here is that candidates often assume a private hosted zone automatically works for all instances in the VPC, overlooking the mandatory VPC DNS attributes (`enableDnsHostnames` and `enableDnsSupport`) that must be enabled for the VPC's DNS resolver to query the private hosted zone.

How to eliminate wrong answers

Option A is wrong because a Route 53 Resolver inbound endpoint is used to allow DNS queries from on-premises networks into a VPC, not to enable EC2 instances within the VPC to resolve private hosted zone records. Option B is wrong because a Route 53 Resolver outbound endpoint is used to forward DNS queries from the VPC to on-premises DNS servers, which is unrelated to resolving private hosted zones within the same VPC. Option D is wrong because VPC peering connections do not automatically enable DNS resolution across peered VPCs; even if peering is established, the private hosted zone must be explicitly associated with the peered VPC, and the VPC's DNS attributes must still be enabled for resolution to work.

27
MCQ · easy

A company is designing a VPC with public and private subnets in two Availability Zones. The private subnets host databases that must be accessible only from the application servers in the public subnets. Which VPC feature should be used to allow the application servers to access the databases while preventing direct internet access to the databases?

A.Create a VPC Peering connection between the public and private subnets.
B.Attach a NAT Gateway in a public subnet and update the route table of the private subnets to point to the NAT Gateway for outbound traffic.
C.Attach an Internet Gateway to the VPC and update the route table of the private subnets to point to the Internet Gateway.
D.Attach a Virtual Private Gateway to the VPC and update the route table of the private subnets.
Answer: B

A NAT Gateway allows private instances to initiate outbound traffic to the internet but blocks inbound traffic from the internet, meeting the security requirement.

Why this answer

Option B is correct because a NAT Gateway allows instances in private subnets to initiate outbound traffic to the internet, but it does not allow inbound traffic from the internet, which aligns with the requirement. Option C is wrong because an Internet Gateway would allow inbound traffic from the internet. Option A is wrong because a VPC Peering connection is used for connecting VPCs.

Option D is wrong because a Virtual Private Gateway is used for VPN connections.

28
Multi-Select · medium

A company is designing a VPC with a CIDR of 10.0.0.0/16. They need to create subnets for a three-tier application (web, application, database) across two Availability Zones. They also need a /20 subnet for a future expansion. Which TWO subnet CIDR allocations are valid and efficient?

Select 2 answers
A.10.0.0.0/20
B.10.0.0.0/18
C.10.0.0.0/16
D.10.0.16.0/20
E.10.0.0.0/28
Answers: A, D

Valid /20 subnet within the VPC.

Why this answer

Option A is correct because 10.0.0.0/20 is a valid subnet within the 10.0.0.0/16 VPC, providing 4096 IP addresses. It is an efficient allocation as it leaves contiguous space for the other required subnets (e.g., /20 for future expansion) without overlapping, and it aligns with the need for subnets across two Availability Zones.

Exam trap

The trap here is that candidates often confuse the VPC CIDR with a subnet CIDR, selecting the entire /16 as a subnet, or they fail to recognize that a /20 subnet like 10.0.16.0/20 is valid and efficient for future expansion, while smaller subnets like /28 are impractical for production workloads.

29
MCQ · easy

A company needs to ensure that all traffic between their VPC and on-premises network is encrypted. Which solution meets this requirement?

A.AWS Direct Connect with a private VIF
B.VPC Peering connection
C.AWS Internet Gateway
D.AWS Site-to-Site VPN
Answer: D

Site-to-Site VPN creates IPsec encrypted tunnels over the internet.

Why this answer

Option D is correct because AWS Site-to-Site VPN uses IPsec tunnels to encrypt traffic. Option A is wrong because Direct Connect does not encrypt by default. Option B is wrong because VPC Peering is for VPC-to-VPC connectivity, not on-premises.

Option C is wrong because an Internet Gateway does not encrypt traffic.

30
MCQ · medium

A financial services company requires that all traffic between two VPCs in the same region be encrypted in transit. The VPCs are in separate AWS accounts and use non-overlapping CIDR blocks. Which solution meets the requirement with the least operational overhead?

A.Set up a VPC peering connection and configure VPN encryption using a virtual private gateway in each VPC.
B.Use VPC endpoints to connect the VPCs via AWS PrivateLink.
C.Attach both VPCs to an AWS Direct Connect connection.
D.Establish a VPC peering connection between the VPCs.
Answer: A

Provides encrypted traffic over VPC peering.

Why this answer

Option A is correct because it combines a VPC peering connection (for private, low-latency connectivity between VPCs in the same region) with VPN encryption via a virtual private gateway in each VPC. This ensures all traffic between the VPCs is encrypted in transit, meeting the compliance requirement with minimal operational overhead, as it leverages existing AWS-managed VPN capabilities without requiring additional third-party appliances or complex routing.

Exam trap

The trap here is that candidates often assume VPC peering alone provides encryption because it uses AWS's private network, but AWS explicitly states that VPC peering traffic is not encrypted; the exam tests whether you know that additional encryption (e.g., VPN) is required for compliance with encryption-in-transit mandates.

How to eliminate wrong answers

Option B is wrong because AWS PrivateLink (VPC endpoints) is designed for accessing services privately within a VPC or across accounts, not for routing general traffic between two entire VPCs; it does not provide a full mesh network connection or encryption of all inter-VPC traffic. Option C is wrong because attaching both VPCs to an AWS Direct Connect connection does not inherently encrypt traffic between the VPCs; Direct Connect provides a private physical connection but encryption (e.g., IPsec) must be explicitly configured, and this setup introduces higher operational overhead and cost compared to a VPC peering plus VPN solution. Option D is wrong because a standard VPC peering connection does not encrypt traffic in transit; it relies on AWS's internal network, which is not encrypted by default, thus failing the encryption requirement.

31
MCQ · hard

A network engineer is troubleshooting connectivity to a VPC endpoint service. The engineer runs the CLI command shown in the exhibit. The output shows two service names. Which statement is correct based on this output?

A.The engineer can create an interface VPC endpoint to the services
B.The services are Gateway VPC endpoints
C.The services are VPC peering connections
D.The services are Gateway Load Balancer endpoint services
Answer: A

Correct; the command returns interface endpoint services, which can be used to create interface VPC endpoints.

Why this answer

The CLI command `aws ec2 describe-vpc-endpoint-services` returns a list of AWS services that support VPC endpoints. The output shows two service names, which are AWS-managed services (e.g., `com.amazonaws.vpce.us-east-1.s3`). These services can be accessed via interface VPC endpoints, which use Elastic Network Interfaces (ENIs) with private IP addresses to route traffic privately within the VPC.

Therefore, the engineer can create an interface VPC endpoint to these services.

Exam trap

AWS often tests the distinction between Gateway VPC endpoints and Interface VPC endpoints, and the trap here is that candidates may assume any service name returned by `describe-vpc-endpoint-services` is a Gateway endpoint, but the command lists all endpoint services, and the correct interpretation depends on the service name format and the type of endpoint supported.

How to eliminate wrong answers

Option B is wrong because Gateway VPC endpoints are used for services like Amazon S3 and DynamoDB, and they are identified by service names starting with `com.amazonaws.<region>.s3` or `com.amazonaws.<region>.dynamodb`, not by the generic service names shown in the output. Option C is wrong because VPC peering connections are not listed by `describe-vpc-endpoint-services`; they are managed via `ec2 describe-vpc-peering-connections` and are not endpoint services. Option D is wrong because Gateway Load Balancer endpoint services are identified by service names that include `com.amazonaws.vpce.<region>.gateway-load-balancer-endpoint`, and the output does not contain such a pattern; also, Gateway Load Balancer endpoints are a type of VPC endpoint service but the question's output does not indicate that.

32
MCQ · easy

A company needs to provide internet access to instances in a private subnet. The instances must not be directly accessible from the internet. Which AWS service should be used?

A.VPC Peering
B.AWS Direct Connect
C.Internet Gateway
D.NAT Gateway
Answer: D

Provides outbound internet access for private instances.

Why this answer

A NAT Gateway enables instances in a private subnet to initiate outbound IPv4 traffic to the internet (e.g., for software updates) while preventing unsolicited inbound connections from the internet. It resides in a public subnet with an Elastic IP and uses source network address translation (SNAT) to translate the private IPs of the instances to the gateway's public IP, ensuring the instances remain inaccessible from the outside.

Exam trap

AWS often tests the misconception that an Internet Gateway can be used in a private subnet by simply not assigning public IPs, but the trap is that an IGW in a private subnet's route table would still allow direct inbound traffic if the instance has a public IP or if the IGW is misconfigured, whereas a NAT Gateway explicitly blocks unsolicited inbound connections by design.

How to eliminate wrong answers

Option A is wrong because VPC Peering connects two VPCs privately using AWS's internal infrastructure and does not provide internet access; it is used for inter-VPC communication, not for outbound internet connectivity. Option B is wrong because AWS Direct Connect establishes a dedicated private network connection from on-premises to AWS, but it does not inherently provide internet access; it bypasses the public internet and requires additional routing or a separate internet gateway for internet-bound traffic. Option C is wrong because an Internet Gateway (IGW) allows both inbound and outbound internet traffic to instances in a public subnet, but it would directly expose instances to the internet if attached to a private subnet, violating the requirement that instances must not be directly accessible from the internet.

33
Multi-Select · medium

A company is designing a network for a high-traffic web application that must be highly available across multiple AWS Regions. The application uses Application Load Balancers (ALBs) in each region. Which TWO actions should be taken to route traffic to the nearest healthy endpoint?

Select 2 answers
A.Use Amazon Route 53 weighted routing
B.Use Amazon Route 53 latency-based routing with health checks
C.Use Amazon Route 53 multi-value answer routing
D.Use AWS Global Accelerator with endpoint groups in each region
E.Use Amazon Route 53 failover routing
Answers: B, D

Latency routing sends traffic to the region with lowest latency, and health checks ensure only healthy ALBs receive traffic.

Why this answer

Route 53 latency-based routing directs traffic to the region with the lowest latency. Health checks ensure traffic is only sent to healthy endpoints. Global Accelerator also provides routing to the nearest healthy endpoint via anycast.

Weighted routing does not consider latency. Failover routing is for active-passive. Multi-value answer routing is for DNS-based load balancing without health check integration with latency.

34
Multi-Select · medium

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to another VPC with CIDR 10.0.0.0/16 via VPC Peering. They encounter an error because of overlapping CIDRs. Which TWO actions can resolve this issue?

Select 2 answers
A.Use a subnet-level peering connection
B.Create a new VPC with a non-overlapping CIDR and peer with that
C.Modify the CIDR of one VPC to a non-overlapping range
D.Use AWS Transit Gateway with separate route tables
E.Use a NAT Gateway to translate IPs
Answers: B, D

A new VPC with a non-overlapping CIDR can be peered.

Why this answer

Option B is correct because creating a new VPC with a non-overlapping CIDR and establishing a VPC peering connection resolves the conflict. VPC peering requires that the CIDR blocks of the two VPCs do not overlap, as overlapping ranges prevent proper route table entries and cause routing ambiguity. By using a non-overlapping CIDR, you enable direct connectivity between the VPCs without IP address conflicts.

Exam trap

The trap here is that candidates often think they can modify a VPC's CIDR after creation or use subnet-level peering, but AWS does not support either, and they may overlook Transit Gateway as a valid solution for overlapping CIDRs.

35
MCQ · medium

An organization has multiple VPCs connected to a common Transit Gateway. The network team wants to centrally manage and enforce routing policies, such as allowing or denying traffic between specific VPCs based on tags. Which AWS feature should be used to implement this requirement?

A.AWS Transit Gateway Network Manager
B.AWS Direct Connect Gateway
C.Amazon Route 53 Resolver
D.VPC Peering with route tables
Answer: A

Correct; Network Manager provides centralized visibility and policy-based management for Transit Gateway.

Why this answer

AWS Transit Gateway Network Manager provides a central dashboard to manage and monitor transit gateways, on-premises networks, and attached VPCs. It supports defining and enforcing routing policies based on tags, enabling the network team to centrally allow or deny traffic between specific VPCs without manually managing individual route tables.

Exam trap

The trap here is that candidates often confuse Transit Gateway Network Manager with basic Transit Gateway route tables, assuming manual route table configuration is sufficient, but the question specifically requires centralized, tag-based policy enforcement which only Network Manager provides.

How to eliminate wrong answers

Option B is wrong because AWS Direct Connect Gateway is used to connect on-premises networks to multiple VPCs via Direct Connect, not for centrally managing routing policies between VPCs based on tags. Option C is wrong because Amazon Route 53 Resolver is a DNS service that resolves domain names across VPCs and on-premises networks, not a routing policy enforcement mechanism. Option D is wrong because VPC Peering with route tables requires manual, point-to-point peering connections and route table updates, lacking centralized policy management and tag-based enforcement across multiple VPCs.

36
MCQ · hard

A company uses AWS Direct Connect with a private VIF to access a VPC. They also have a site-to-site VPN as backup. They notice that during Direct Connect maintenance, the VPN does not take over traffic as expected. All routes are advertised over BGP. What is the most likely reason?

A.The Direct Connect virtual interface is still in the 'available' state even though the physical link is down.
B.The VPN tunnel is using a different BGP ASN than the Direct Connect.
C.The VPN BGP advertisements have a longer AS PATH than the Direct Connect advertisements, making them less preferred.
D.The VPN is configured with a higher local preference than Direct Connect.
Answer: C

BGP prefers the shortest AS PATH, so VPN routes with longer AS PATH are not used when Direct Connect is available. During maintenance, they should become active but may be delayed.

Why this answer

Option C is correct because, if the Direct Connect and VPN BGP advertisements have the same AS PATH length, the route with the lower local preference is preferred. If local preference is the same, the route with the lower MED is preferred. Typically, Direct Connect routes have a higher local preference by default, so when Direct Connect goes down, the VPN routes are available but may have a lower local preference, causing them to be ignored if the Direct Connect routes are still present.

However, the scenario says Direct Connect is down, so the VPN routes should be active. Another common issue is that the VPN BGP session does not come up due to misconfiguration, but the most likely reason is that the VPN's BGP advertisements have a longer AS PATH, making them less preferred. Option B is wrong because the VPN is a backup.

Option A is wrong because Direct Connect is down. Option D is wrong because the VPN is expected to have a longer AS PATH.

37
MCQ · medium

A network engineer needs to create a set of IAM permissions for a DevOps team to monitor network resources. The policy shown in the exhibit is proposed. What critical missing permission is required to allow the team to list and describe VPCs?

A.ec2:DescribeVpcPeeringConnections
B.ec2:DescribeVpcs
C.ec2:DescribeSubnets
D.ec2:CreateVpc
Answer: B

The policy does not include describe for VPCs; it only allows DescribeInstances and DescribeSecurityGroups.

Why this answer

The correct permission to list and describe VPCs is `ec2:DescribeVpcs`. This API call returns information about one or more VPCs, including their CIDR blocks, state, and tags. Without this specific permission, the DevOps team cannot retrieve VPC details, even if they have other EC2 describe permissions.

Exam trap

AWS often tests the distinction between read and write permissions, and the trap here is that candidates confuse `ec2:CreateVpc` (a write action) with the ability to list VPCs, or assume that broader EC2 describe permissions like `ec2:Describe*` are implicitly granted.

How to eliminate wrong answers

Option A is wrong because `ec2:DescribeVpcPeeringConnections` only lists VPC peering connections, not the VPCs themselves. Option C is wrong because `ec2:DescribeSubnets` lists subnets within a VPC, but does not provide VPC-level information. Option D is wrong because `ec2:CreateVpc` is a write action that creates a new VPC, not a read action for listing or describing existing VPCs.

38
MCQ · hard

A company is migrating a legacy on-premises application to AWS. The application requires multicast traffic between instances within a VPC. The network engineer must design a solution that supports multicast without modifying the application. Which AWS service or feature should be used?

A.AWS Transit Gateway with multicast domain.
B.VPC peering connections between all instance subnets.
C.Application Load Balancer with UDP listener.
D.AWS Site-to-Site VPN connections with multicast routing enabled.
Answer: A

Transit Gateway supports multicast domains for forwarding multicast traffic.

Why this answer

AWS Transit Gateway supports multicast through the creation of a multicast domain, which allows multicast traffic to flow between instances in different subnets within the same VPC or across attached VPCs without modifying the application. This is the only native AWS service that provides multicast forwarding, making it the correct choice for this requirement.

Exam trap

The trap here is that candidates often assume VPC peering or VPN can handle multicast because they support general IP routing, but AWS explicitly blocks multicast and broadcast traffic on these connections, making Transit Gateway the only viable option.

How to eliminate wrong answers

Option B is wrong because VPC peering does not support multicast traffic; it only allows unicast traffic between peered VPCs and does not forward broadcast or multicast frames. Option C is wrong because an Application Load Balancer (ALB) operates at Layer 7 and only supports HTTP/HTTPS traffic; it does not have a UDP listener and cannot handle multicast traffic. Option D is wrong because AWS Site-to-Site VPN connections do not support multicast routing; they are designed for unicast IPsec tunnels and cannot forward multicast traffic without additional overlay solutions like GRE tunnels.

39
MCQ · easy

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The company has created a NAT gateway in the public subnet and added a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT gateway. However, the EC2 instance cannot reach the internet. The network engineer verifies that the NAT gateway has an Elastic IP address, the security group and network ACLs allow outbound traffic, and the route table for the public subnet has a route to an internet gateway. What is the most likely cause of the issue?

A. The security group for the EC2 instance does not allow outbound traffic.
B. The route table associated with the NAT gateway's subnet does not have a route to an internet gateway.
C. The route table for the private subnet does not have a route to the NAT gateway.
D. The NAT gateway does not have an Elastic IP address assigned.
Answer: B

The NAT gateway's subnet route table must have a route to IGW.

Why this answer

Option B is correct. A NAT gateway must sit in a public subnet, that is, a subnet whose route table has a route to an internet gateway. The question says the public subnet's route table has that route, but the route table actually associated with the NAT gateway's subnet may not be that table. The most likely cause is therefore that the route table associated with the NAT gateway's subnet lacks a default route to the internet gateway, so the NAT gateway itself has no path out.

Option D is incorrect because the NAT gateway already has an Elastic IP. Option A is incorrect because the security group has been verified to allow outbound traffic. Option C is incorrect because the private subnet's default route to the NAT gateway is already in place.

40
MCQ · easy

A company is designing a VPC with public and private subnets for a three-tier web application. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. Which combination of route tables and security groups achieves this?

A. Public subnet route table: 0.0.0.0/0 -> Internet Gateway. Web SG: allow 0.0.0.0/0 on port 443. App SG: allow from Web SG. DB SG: allow from App SG.
B. Public subnet route table: 0.0.0.0/0 -> NAT Gateway. Web SG: allow 0.0.0.0/0 on port 443. App SG: allow from Web SG. DB SG: allow from App SG.
C. Private subnet route table: 0.0.0.0/0 -> Internet Gateway. Web SG: allow 0.0.0.0/0 on port 443. App SG: allow from Web SG. DB SG: allow from App SG.
D. Public subnet route table: 0.0.0.0/0 -> Internet Gateway. Web SG: allow 0.0.0.0/0 on port 443. App SG: allow from Web SG. DB SG: allow from 0.0.0.0/0 on port 3306.
Answer: A

This follows best practices for tiered security and routing.

Why this answer

Option A is correct because it uses an Internet Gateway (IGW) in the public subnet route table to enable inbound internet traffic to the web tier, and security groups (SGs) are referenced by logical ID (Web SG, App SG, DB SG) to enforce strict, stateful traffic flow: Web SG allows HTTPS from 0.0.0.0/0, App SG allows traffic only from Web SG, and DB SG allows traffic only from App SG. This layered SG approach ensures that each tier can only be reached from the preceding tier, meeting the access requirements without relying on network ACLs or routing.

Exam trap

AWS often tests the distinction between Internet Gateway and NAT Gateway in route tables, and the trap here is that candidates mistakenly associate a NAT Gateway with inbound internet access or place an IGW route in a private subnet, confusing outbound-only connectivity with inbound public access.

How to eliminate wrong answers

Option B is wrong because it specifies a NAT Gateway in the public subnet route table for 0.0.0.0/0; a NAT Gateway is used for outbound internet access from private subnets, not for inbound internet traffic to a public subnet, so the web tier would not be reachable from the internet. Option C is wrong because it places the 0.0.0.0/0 route to an Internet Gateway in the private subnet route table; private subnets must not have a direct IGW route for inbound internet traffic, as this would expose private resources directly to the internet and break the tier isolation. Option D is wrong because the DB SG allows traffic from 0.0.0.0/0 on port 3306 (MySQL), which would permit any internet host to access the database directly, violating the requirement that the database tier must only be accessible from the application tier.
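The four options above can be checked mechanically. The Python below is an added example, not part of the question bank: it models each option's route tables and security groups as constructed data (gateway ids are placeholders) and lints them against the three-tier requirement, flagging the NAT-in-public-subnet, IGW-in-private-subnet and database-open-to-the-internet mistakes.

```python
"""Three-tier security-group and route-table lint (added example, not from the question bank).

Models the four answer options of question 40 as constructed rule sets and
checks the access requirement: web from the internet on 443 only, app only
from the web SG, db only from the app SG. Nothing here calls AWS.
"""

INTERNET = "0.0.0.0/0"


def option_sgs(db_open_to_internet=False):
    """Build the web/app/db SG set shared by options A, B and C (or D if flagged).

    Each SG maps to a list of ingress rules (port, source); the source is
    either a CIDR or the name of another security group.
    """
    db_rules = [(3306, "app-sg")]
    if db_open_to_internet:
        db_rules = [(3306, INTERNET)]  # the option-D mistake
    return {
        "web-sg": [(443, INTERNET)],
        "app-sg": [(8080, "web-sg")],
        "db-sg": db_rules,
    }


def internet_exposed(sgs):
    """Return the SG names with any ingress rule sourced from the whole internet."""
    return sorted(name for name, rules in sgs.items()
                  if any(src == INTERNET for _, src in rules))


def check_design(route_tables, sgs):
    """Return a list of findings; an empty list means the design meets the requirement.

    route_tables: {"public": [(cidr, target)], "private": [(cidr, target)]}
    """
    findings = []
    public_default = dict(route_tables["public"]).get("0.0.0.0/0", "")
    private_default = dict(route_tables["private"]).get("0.0.0.0/0", "")
    if not public_default.startswith("igw-"):
        findings.append("public subnet default route must target an internet gateway")
    if private_default.startswith("igw-"):
        findings.append("private subnet must not route 0.0.0.0/0 to an internet gateway")
    # Tier isolation: the only internet-facing SG is the web tier.
    exposed = internet_exposed(sgs)
    if exposed != ["web-sg"]:
        findings.append(f"internet-exposed SGs should be ['web-sg'], got {exposed}")
    # Each inner tier may only be sourced from the tier directly in front of it.
    expected = {"app-sg": {"web-sg"}, "db-sg": {"app-sg"}}
    for name, allowed in expected.items():
        sources = {src for _, src in sgs[name]}
        if sources != allowed:
            findings.append(f"{name} ingress sources {sorted(sources)} != {sorted(allowed)}")
    return findings


# Constructed route tables; gateway ids are placeholders, not real resources.
IGW = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0example")]
NAT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0example")]

# Options B and C do not state the other subnet's table; the usual choice is assumed.
OPTIONS = {
    "A": ({"public": IGW, "private": NAT}, option_sgs()),
    "B": ({"public": NAT, "private": NAT}, option_sgs()),
    "C": ({"public": IGW, "private": IGW}, option_sgs()),
    "D": ({"public": IGW, "private": NAT}, option_sgs(db_open_to_internet=True)),
}


def passing_options():
    """Return the option letters whose design produces no findings."""
    return [k for k, (rts, sgs) in OPTIONS.items() if not check_design(rts, sgs)]


if __name__ == "__main__":
    for letter, (rts, sgs) in OPTIONS.items():
        print(letter, check_design(rts, sgs) or "ok")
    print("passing:", passing_options())  # ['A']
```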

41
MCQ · easy

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access an Amazon DynamoDB table. The company wants to avoid sending traffic over the internet. A VPC gateway endpoint for DynamoDB is created and attached to the route table of the private subnet. The EC2 instance has an IAM role that grants access to DynamoDB. However, the application running on the instance cannot connect to DynamoDB. The network team confirms that the route table has a route to the DynamoDB prefix list. What is the MOST likely cause?

A. The security group on the EC2 instance blocks outbound traffic to DynamoDB.
B. The IAM role does not include the dynamodb:PutItem action.
C. The route table does not have a route to the DynamoDB prefix list.
D. The VPC does not have DNS resolution enabled, or the endpoint's private DNS option is disabled.
Answer: D

Correct: Without private DNS, the public endpoint is used, which routes over the internet.

Why this answer

Option D is correct because a VPC gateway endpoint for DynamoDB requires DNS resolution to resolve the DynamoDB public hostnames to private IP addresses within the VPC. If DNS resolution is disabled or the endpoint's private DNS option is disabled, the EC2 instance will resolve DynamoDB endpoints to public IPs, causing traffic to attempt internet routing rather than using the gateway endpoint. Since the route table already has the prefix list route, the most likely remaining issue is DNS-related.

Exam trap

AWS often tests the misconception that a route to the prefix list alone is sufficient for gateway endpoint connectivity, ignoring the critical requirement for DNS resolution to redirect traffic through the endpoint.

How to eliminate wrong answers

Option A is wrong because security groups are stateful; outbound traffic to DynamoDB is implicitly allowed by default unless explicitly denied, and the question states the instance has an IAM role granting access, so a missing outbound rule is unlikely to be the primary cause. Option B is wrong because, although the IAM role may lack specific actions like dynamodb:PutItem, the question states the role 'grants access to DynamoDB' and the symptom is a complete inability to connect, not a specific action failure; connectivity issues are network or DNS related, not authorization. Option C is wrong because the network team confirmed the route table has a route to the DynamoDB prefix list, so this option directly contradicts the given information.

42
MCQ · easy

A company is building a serverless application using API Gateway, Lambda, and DynamoDB. The API must be accessible from the internet and be resilient to Regional failures. Which design provides the HIGHEST availability?

A. Deploy in two Regions with API Gateway, Lambda, and DynamoDB global tables. Use Route 53 failover routing with health checks.
B. Deploy API Gateway, Lambda, and DynamoDB in a single Region with multi-AZ.
C. Deploy API Gateway in two Regions behind a Global Accelerator accelerator.
D. Use a single API Gateway with CloudFront distribution in front, and Lambda@Edge for compute.
Answer: A

Active-passive failover across regions provides highest availability.

Why this answer

Option A is correct because deploying the stack in two Regions, with DynamoDB global tables for the data layer and a custom domain using Route 53 failover routing with health checks in front of the two API Gateway deployments, provides Regional failover. Option B is wrong because a single Region is not resilient to a Regional failure. Option D is wrong because CloudFront does not provide active-active for API Gateway across Regions.

Option C is wrong because Global Accelerator does not support API Gateway as an endpoint.

43
MCQ · easy

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. They need to add IPv6 support for their application. What is the simplest way to enable IPv6 communication for instances in the VPC?

A. Assign an Amazon-provided IPv6 CIDR block to the VPC and subnets, and create an Egress-Only Internet Gateway for outbound traffic.
B. Create a VPN connection to an external IPv6 network.
C. Configure a NAT Gateway in a public subnet and assign IPv6 addresses to instances.
D. Use an Internet Gateway with NAT for IPv6 traffic.
Answer: A

Correct: Standard IPv6 enablement.

Why this answer

Option A is correct because assigning an IPv6 CIDR block to the VPC and subnets, and using an Egress-Only Internet Gateway for outbound traffic, is the standard method. Option C is wrong because NAT Gateways are IPv4-only. Option D is wrong because IPv6 does not use NAT.

Option B is wrong because a VPN does not provide IPv6 internet access.

44
MCQ · medium

A company runs a critical web application on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The application experiences intermittent timeouts during peak hours. The network team suspects that the security group or network ACL is misconfigured. They enable VPC Flow Logs and notice that outbound traffic from the ALB to the EC2 instances on port 8080 shows 'ACCEPT' records, but the ALB returns 504 errors. The ALB health check is configured to hit the EC2 instances on port 8080/health. What is the most likely cause of the 504 errors?

A. The network ACL for the private subnet is blocking inbound traffic from the ALB.
B. The security group for the EC2 instances is missing an outbound rule to allow traffic from the ALB.
C. The health check path is incorrectly configured, causing the ALB to mark all targets as unhealthy.
D. The ALB idle timeout is set too low, and the application takes longer to respond.
Answer: D

ALB idle timeout default is 60 seconds; if app response exceeds that, 504 occurs.

Why this answer

Option D is correct. The ALB applies its idle timeout to both the client-side and the target-side connection; if the target takes longer than the idle timeout to respond, the ALB returns a 504. Option A is incorrect because the flow logs show ACCEPT records, so the network ACL is not dropping the traffic.

Option C is incorrect because a failing health check would mark the targets unhealthy continuously, whereas the issue is intermittent. Option B is incorrect because security group rules are stateful, so the return traffic to the ALB is allowed without an explicit outbound rule.

45
MCQ · hard

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. The company wants to use the same Direct Connect connection to access multiple VPCs in the same AWS Region. Which solution should the company implement?

A. Use a public virtual interface and route traffic through the internet.
B. Create a transit virtual interface on the Direct Connect connection and associate it with a Direct Connect gateway.
C. Request a hosted virtual interface from an AWS Direct Connect partner.
D. Create additional private virtual interfaces for each VPC.
Answer: B

Transit VIF enables connectivity to multiple VPCs via Transit Gateway.

Why this answer

Option B is correct because a transit virtual interface (VIF) on a Direct Connect connection can be associated with a Direct Connect gateway, which enables connectivity to multiple VPCs in the same AWS Region. The Direct Connect gateway acts as a hub, allowing the single physical connection to route traffic to multiple VPCs via the transit VIF, without needing separate private VIFs for each VPC.

Exam trap

The trap here is that candidates often assume you need a separate private virtual interface for each VPC, not realizing that a Direct Connect gateway with a transit VIF can aggregate multiple VPCs under a single physical connection, which is a key design pattern tested in the ANS-C01 exam.

How to eliminate wrong answers

Option A is wrong because a public virtual interface is used for accessing public AWS services (e.g., S3, DynamoDB) and routes traffic over the internet, not for private connectivity to VPCs; it does not provide secure, private access to multiple VPCs. Option C is wrong because a hosted virtual interface is provisioned by an AWS Direct Connect partner for a customer to connect to a single VPC or Direct Connect gateway, but it does not inherently solve the requirement of using the same Direct Connect connection to access multiple VPCs; it is typically used when the customer does not own the physical connection. Option D is wrong because creating additional private virtual interfaces for each VPC would require separate VLANs and BGP sessions, but a single Direct Connect connection can support only one private VIF per VPC (or per Direct Connect gateway) and cannot directly attach to multiple VPCs without a Direct Connect gateway; this approach would also exceed the maximum number of private VIFs per connection (typically 50) and is less scalable.

46
MCQ · medium

A company is designing a multi-Region Active-Active architecture with an Application Load Balancer (ALB) in us-east-1 and us-west-2. They want to route users to the nearest healthy endpoint using a custom domain name. Which AWS service should they use to accomplish this with the lowest latency and minimal operational overhead?

A. Use Amazon Route 53 latency-based routing with health checks.
B. Use Amazon Route 53 geolocation routing policy.
C. Use AWS Global Accelerator with endpoint groups in each region.
D. Use Amazon Route 53 weighted routing policy.
Answer: A

Latency-based routing directs traffic to the region with the lowest latency, and health checks ensure availability.

Why this answer

Amazon Route 53 latency-based routing directs user traffic to the AWS region that provides the lowest latency for the end user, based on latency measurements between DNS resolvers and AWS endpoints. Combined with health checks, it automatically routes users away from unhealthy ALBs, meeting the requirement for nearest healthy endpoint with minimal operational overhead since it is a fully managed DNS service with no additional infrastructure to deploy.

Exam trap

AWS often tests the distinction between latency-based routing (which optimizes for actual network performance) and geolocation routing (which optimizes for geographic compliance or content localization), leading candidates to confuse the two when the requirement is 'nearest healthy endpoint' rather than 'route by location.'

How to eliminate wrong answers

Option B is wrong because geolocation routing routes traffic based on the geographic location of the user's IP address, not the lowest latency, which can result in suboptimal routing if the nearest region is not the user's geographic region (e.g., a user in Europe might be routed to us-east-1 instead of a closer region). Option C is wrong because AWS Global Accelerator, while providing low latency via Anycast IPs and endpoint groups, introduces additional operational overhead (managing accelerator, listeners, endpoint groups) and cost compared to Route 53 latency-based routing, which is simpler for this ALB-only scenario. Option D is wrong because weighted routing distributes traffic based on assigned weights, not latency or health, so it cannot dynamically route users to the nearest healthy endpoint.

47
MCQ · medium

Refer to the exhibit. A route table shows routes for a VPC. What is the correct interpretation of this route table?

A. The VPC has CIDR 10.0.0.0/16, an internet gateway, and a VPC peering connection to a VPC with CIDR 192.168.0.0/16
B. The VPC has CIDR 10.0.0.0/16, a NAT gateway, and a VPN connection to 192.168.0.0/16
C. The VPC has CIDR 192.168.0.0/16, an internet gateway, and a VPC peering connection to 10.0.0.0/16
D. The VPC has CIDR 10.0.0.0/16, a virtual private gateway, and a peering connection
Answer: A

Local route indicates VPC CIDR, default route to IGW, and peering route to peer CIDR.

Why this answer

Option A is correct because the route table shows a local route for 10.0.0.0/16, which is the VPC's CIDR, a default route (0.0.0.0/0) pointing to an internet gateway (igw-xxx), and a specific route for 192.168.0.0/16 pointing to a VPC peering connection (pcx-xxx). This configuration allows traffic destined for the peered VPC's CIDR to be routed over the peering connection, while all other internet-bound traffic goes through the internet gateway.

Exam trap

AWS often tests the distinction between internet gateway, NAT gateway, and virtual private gateway in route table entries, and the trap here is confusing the target of the default route (0.0.0.0/0) with the type of gateway used for internet access versus VPN or peering connections.

How to eliminate wrong answers

Option B is wrong because the default route points to an internet gateway, not a NAT gateway; a NAT gateway would be used for outbound-only internet access from private subnets, and the route to 192.168.0.0/16 points to a VPC peering connection, not a VPN connection. Option C is wrong because the VPC's CIDR is 10.0.0.0/16 (as indicated by the local route), not 192.168.0.0/16, and the peering connection is to a VPC with CIDR 192.168.0.0/16, not the other way around. Option D is wrong because the default route points to an internet gateway, not a virtual private gateway, and the route to 192.168.0.0/16 points to a VPC peering connection, not a peering connection to an unspecified target.
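Questions 39 and 47 both come down to reading route tables: the local route gives the VPC CIDR, the target id prefix gives the gateway type, and a NAT gateway only works if its own subnet's table has a default route to an internet gateway. The Python below is an added example, not part of the question bank; it classifies route targets, summarises a table the way question 47's exhibit is interpreted, and checks the two hops question 39 depends on. All route tables, subnet associations and resource ids are constructed placeholders.

```python
"""Route-table interpreter for VPC subnets (added example, not from the question bank).

Constructed data only: route tables, subnet associations and NAT gateway
placement are made up to mirror questions 39 and 47; nothing is read from AWS.
"""

# Map a route target id prefix to the gateway type it represents.
TARGET_KINDS = {
    "igw-": "internet gateway",
    "nat-": "NAT gateway",
    "pcx-": "VPC peering connection",
    "vgw-": "virtual private gateway",
    "tgw-": "transit gateway",
    "vpce-": "VPC endpoint",
}


def classify_target(target):
    """Return the human-readable kind of a route target, or 'unknown'."""
    if target == "local":
        return "local"
    for prefix, kind in TARGET_KINDS.items():
        if target.startswith(prefix):
            return kind
    return "unknown"


def interpret(route_table):
    """Summarise a route table the way question 47 asks for.

    route_table: list of (destination_cidr, target) tuples.
    Returns the VPC CIDR (from the local route), the kind of gateway the
    default route points at, and any destinations reached over peering.
    """
    summary = {"vpc_cidr": None, "default_route": None, "peering_cidrs": []}
    for dest, target in route_table:
        kind = classify_target(target)
        if kind == "local":
            summary["vpc_cidr"] = dest
        elif dest == "0.0.0.0/0":
            summary["default_route"] = kind
        elif kind == "VPC peering connection":
            summary["peering_cidrs"].append(dest)
    return summary


def diagnose_nat_path(tables, subnet_tables, private_subnet, nat_subnet):
    """Check the two hops a private instance needs to reach the internet (question 39).

    tables: {route_table_id: [(cidr, target), ...]}
    subnet_tables: {subnet_id: route_table_id} (the table each subnet is associated with)
    Returns 'ok' when both hops exist, otherwise a short finding.
    """
    private_rt = tables[subnet_tables[private_subnet]]
    nat_rt = tables[subnet_tables[nat_subnet]]
    private_default = next((t for d, t in private_rt if d == "0.0.0.0/0"), "")
    if classify_target(private_default) != "NAT gateway":
        return "private subnet has no default route to a NAT gateway"
    nat_default = next((t for d, t in nat_rt if d == "0.0.0.0/0"), "")
    if classify_target(nat_default) != "internet gateway":
        return "NAT gateway subnet route table has no default route to an internet gateway"
    return "ok"


# Constructed route tables (ids are placeholders, not real AWS resources).
TABLES = {
    "rtb-public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0example")],
    "rtb-private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0example")],
    # A table that lacks the IGW route: the question-39 mistake.
    "rtb-nat-misplaced": [("10.0.0.0/16", "local")],
    # The exhibit from question 47.
    "rtb-q47": [
        ("10.0.0.0/16", "local"),
        ("0.0.0.0/0", "igw-0example"),
        ("192.168.0.0/16", "pcx-0example"),
    ],
}

# Two subnet-to-table associations: a working one and the broken one.
WORKING = {"subnet-private": "rtb-private", "subnet-nat": "rtb-public"}
BROKEN = {"subnet-private": "rtb-private", "subnet-nat": "rtb-nat-misplaced"}

if __name__ == "__main__":
    print(interpret(TABLES["rtb-q47"]))
    print(diagnose_nat_path(TABLES, WORKING, "subnet-private", "subnet-nat"))  # ok
    print(diagnose_nat_path(TABLES, BROKEN, "subnet-private", "subnet-nat"))
```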

48
MCQ · hard

A company has multiple VPCs connected via AWS Transit Gateway. One VPC contains a shared services endpoint (e.g., Amazon S3) using a VPC Gateway Endpoint. How can other VPCs access this endpoint?

A. Create Gateway Endpoints in each VPC that needs access
B. Use AWS PrivateLink to access the S3 endpoint
C. Configure Direct Connect to access the endpoint
D. Create a route in Transit Gateway pointing to the endpoint
Answer: A

Each VPC must have its own Gateway Endpoint for S3.

Why this answer

A VPC Gateway Endpoint is a regional service that uses route table entries to direct traffic to AWS services like S3 or DynamoDB without leaving the AWS network. Since Gateway Endpoints are not transitive across VPCs, each VPC that needs to access the shared S3 endpoint must have its own Gateway Endpoint created in that VPC, with the appropriate route table entries pointing to the endpoint. The Transit Gateway does not propagate Gateway Endpoint routes, so other VPCs cannot reach the endpoint through the Transit Gateway alone.

Exam trap

The trap here is that candidates assume Transit Gateway can route traffic to a Gateway Endpoint in another VPC, but Gateway Endpoints are not transitive and cannot be used as a target in Transit Gateway route tables, requiring each VPC to have its own endpoint.

How to eliminate wrong answers

Option B is wrong because AWS PrivateLink (powered by Network Load Balancers and interface endpoints) is used for accessing services via private IP addresses, but S3 does not support interface endpoints in all regions and Gateway Endpoints are the native, cost-free method for S3 access; PrivateLink would add unnecessary complexity and cost. Option C is wrong because Direct Connect is a dedicated network connection from on-premises to AWS, not a mechanism to share a VPC Gateway Endpoint between VPCs; it does not solve the transitive access problem across VPCs. Option D is wrong because Transit Gateway route tables cannot have a route pointing to a Gateway Endpoint: Gateway Endpoints are not a routable target in Transit Gateway route tables; they are only associated with VPC route tables via prefix lists.

49
Matching · medium

Match each AWS Direct Connect term to its definition.

Logical connection over a Direct Connect link to access AWS services

Bundle of multiple physical connections for higher bandwidth and redundancy

Document authorizing you to connect to an AWS Direct Connect location

Globally available resource to connect multiple VPCs across regions

Layer 2 encryption for Direct Connect connections

Why these pairings

These are key Direct Connect concepts.

50
MCQ · hard

A company has a multi-VPC architecture with VPCs in the same region. They need to ensure that traffic between VPCs never traverses the public internet and is encrypted in transit. Which solution meets these requirements with the lowest operational overhead?

A. Use AWS PrivateLink to connect VPCs via Network Load Balancers.
B. Use AWS Transit Gateway with IPsec VPN attachments between VPCs.
C. Use VPC peering connections between all VPCs.
D. Use AWS Transit Gateway with VPC attachments and enable multicast.
Answer: B

Transit Gateway VPN attachments provide encrypted IPsec tunnels with low operational overhead.

Why this answer

AWS Transit Gateway with IPsec VPN attachments encrypts traffic between VPCs using IPsec tunnels, ensuring data never traverses the public internet. This solution centralizes connectivity and reduces operational overhead compared to managing multiple VPN connections or VPC peering configurations.

Exam trap

The trap here is that candidates often assume VPC peering is sufficient for encrypted traffic, but it only provides private connectivity without encryption, while Transit Gateway with IPsec VPN attachments is the correct way to meet both requirements with minimal operational overhead.

How to eliminate wrong answers

Option A is wrong because AWS PrivateLink uses Network Load Balancers to expose services privately, but it does not encrypt traffic in transit between VPCs by default; encryption would require additional TLS configuration, increasing overhead. Option C is wrong because VPC peering does not provide encryption in transit; traffic between peered VPCs stays within the AWS network but is not encrypted unless you add a separate VPN layer, which adds complexity. Option D is wrong because enabling multicast on Transit Gateway does not provide encryption; multicast is for one-to-many communication, not for securing traffic, and it does not address the encryption requirement.

51
MCQ · medium

A company is designing a highly available architecture for a web application using an Application Load Balancer (ALB) across multiple Availability Zones. The application requires that user sessions are maintained (sticky sessions) and that the ALB can offload SSL/TLS termination. Which configuration should they use?

A. Create a Network Load Balancer with a target group that has stickiness enabled and an SSL listener.
B. Launch EC2 instances as reverse proxy servers in front of the application servers, configure SSL on the reverse proxy, and use an Application Load Balancer to distribute traffic to the reverse proxies.
C. Create a Classic Load Balancer with sticky sessions and SSL termination.
D. Create an Application Load Balancer with a target group that has stickiness enabled and an HTTPS listener that terminates SSL.
Answer: D

ALB supports sticky sessions using duration-based cookies and SSL termination on the listener.

Why this answer

Option D is correct because an Application Load Balancer (ALB) natively supports both sticky sessions (via a generated cookie or application-based cookie) and SSL/TLS termination at the HTTPS listener. This allows the ALB to decrypt traffic before forwarding it to targets over HTTP, reducing backend processing overhead while maintaining session affinity across multiple Availability Zones for high availability.

Exam trap

The trap here is that candidates may confuse the capabilities of a Network Load Balancer (Layer 4) with those of an Application Load Balancer (Layer 7), assuming that NLB supports sticky sessions and SSL termination, or they may overcomplicate the solution by adding reverse proxies when the ALB already provides the required features natively.

How to eliminate wrong answers

Option A is wrong because a Network Load Balancer does not support sticky sessions (stickiness is not available for NLB target groups) and operates at Layer 4, not Layer 7, so it cannot offload SSL/TLS termination in the same way as an ALB. Option B is wrong because introducing EC2 reverse proxy servers adds unnecessary complexity, cost, and a single point of failure; the ALB can directly terminate SSL and handle sticky sessions without additional infrastructure. Option C is wrong because the Classic Load Balancer is a legacy offering that lacks native support for modern features like path-based routing and is not recommended for new architectures; while it can do SSL termination and sticky sessions, it is not the best practice for a highly available ALB-based design.

52
MCQ · medium

A company is designing a multi-Region active-active application using Application Load Balancers (ALBs) behind AWS Global Accelerator. They require that traffic from a specific client IP address is always routed to the same AWS Region for session persistence. Which Global Accelerator feature should be used?

A. Configure health checks on the endpoints.
B. Enable client IP address affinity (sticky sessions).
C. Assign endpoint weights to each ALB.
D. Set traffic dials to 100% for both Regions.
Answer: B

Client IP address affinity ensures requests from a given client IP are consistently routed to the same endpoint.

Why this answer

Option B is correct because Global Accelerator's client IP address affinity (sticky sessions) ensures that traffic from a given client IP is routed to the same endpoint for a set duration. Option A is incorrect because health checks determine endpoint health but do not enforce stickiness. Option D is incorrect because traffic dials control the percentage of traffic sent to each endpoint group but cannot pin a client to one endpoint.

Option C is incorrect because endpoint weights distribute traffic proportionally but do not guarantee stickiness.

53
MCQ · hard

A company is designing a hybrid network using AWS Direct Connect and AWS Site-to-Site VPN as backup. They want to ensure that traffic from on-premises to AWS uses Direct Connect when available and fails over to VPN automatically. Which BGP configuration should be used?

A. Set a higher BGP local preference on the VPN connection.
B. Prepend AS path on the VPN connection to make it less preferred.
C. Use the same BGP attributes for both connections and let ECMP handle load balancing.
D. Set a higher Multi-Exit Discriminator (MED) on the Direct Connect connection.
Answer: B

Longer AS path is less preferred, so Direct Connect will be chosen.

Why this answer

Option B is correct because prepending the AS path on the VPN connection increases the AS path length, making the VPN route less preferred compared to the Direct Connect route. BGP selects the path with the shortest AS path length by default, so the Direct Connect path will be chosen as the primary path. When Direct Connect fails, the VPN route becomes the only available path and traffic automatically fails over.

Exam trap

AWS often tests the misconception that MED is used to influence inbound traffic preference from a single AS, but here the trap is that candidates confuse MED (which is compared only for paths from the same neighboring AS) with AS path prepending, which works across different AS paths and is the correct method for this failover design.

How to eliminate wrong answers

Option A is wrong because setting a higher BGP local preference on the VPN connection would make the VPN route more preferred, which is the opposite of the desired behavior (Direct Connect should be primary). Option C is wrong because using the same BGP attributes for both connections would cause ECMP load balancing, not the desired active/passive failover behavior, and ECMP is not typically used for hybrid network failover scenarios. Option D is wrong because setting a higher Multi-Exit Discriminator (MED) on the Direct Connect connection would make the Direct Connect route less preferred (higher MED is less preferred), which would incorrectly prefer the VPN path over Direct Connect.

54
MCQ · medium

A company is designing a multi-region architecture for disaster recovery. They need to use Route 53 to route traffic to the nearest healthy endpoint. Which routing policy should they use?

A. Failover routing
B. Geolocation routing
C. Latency-based routing without health checks
D. Latency-based routing with health checks
Answer: D

Latency-based routing directs to the region with lowest latency, and health checks ensure only healthy endpoints receive traffic.

Why this answer

Latency-based routing with health checks is the correct choice because it directs traffic to the endpoint with the lowest latency for the user, while health checks ensure that traffic is only sent to healthy endpoints. This combination meets the requirement to route to the nearest healthy endpoint in a multi-region disaster recovery setup, as it dynamically adapts to both network conditions and endpoint availability.

Exam trap

AWS often tests the misconception that latency-based routing inherently considers endpoint health, but without explicit health checks, it will route to an unhealthy endpoint if it has the lowest latency, making health checks mandatory for the 'nearest healthy endpoint' requirement.

How to eliminate wrong answers

Option A is wrong because failover routing sends traffic to a primary endpoint and only switches to a secondary endpoint if the primary fails, which does not consider latency or proximity to the user. Option B is wrong because geolocation routing routes traffic based on the geographic location of the user, not the latency or health of endpoints, and it cannot automatically failover to a different region if the nearest endpoint is unhealthy unless combined with health checks and a failover record. Option C is wrong because latency-based routing without health checks would route to the lowest-latency endpoint even if it is unhealthy, violating the requirement to route only to healthy endpoints.

55
MCQ · medium

A company is designing a Direct Connect solution with two connections to provide high availability. The company has two customer routers, each connected to a separate AWS Direct Connect location. The company uses BGP to advertise the same prefixes from both routers. What is the correct way to configure the BGP attributes to ensure that traffic uses both connections actively?

A. Advertise the same AS path length from both routers.
B. Use AS path prepending on both routers to make the paths equally long.
C. Set a higher local preference on the primary router and lower on the secondary.
D. Advertise a shorter AS path on the primary router and a longer AS path on the secondary router.
Answer: A

Equal AS path length results in equal preference, allowing active-active use.

Why this answer

Option A is correct because advertising the same AS path length from both routers ensures that AWS Direct Connect routers see both paths as equally preferred under the BGP path selection process (which considers AS path length before MED, local preference, and IGP metric). With equal AS path length, traffic will be load-balanced across both Direct Connect connections, actively using both links for inbound traffic from AWS to the customer network.

Exam trap

The trap here is that candidates often confuse AS path prepending as a method to achieve equal path preference, but prepending actually makes a path longer and less preferred, so using it on both routers would still result in equal but artificially inflated AS path lengths, which is unnecessary and not the standard approach for active/active use.

How to eliminate wrong answers

Option B is wrong because AS path prepending artificially lengthens the AS path, making the path less preferred; using it on both routers would still result in equal AS path lengths, but the question asks for active use of both connections, and prepending is typically used to make one path less preferred, not to achieve equal preference. Option C is wrong because setting a higher local preference on the primary router and lower on the secondary would make the primary path preferred, causing traffic to use only the primary connection actively, not both. Option D is wrong because advertising a shorter AS path on the primary router and a longer AS path on the secondary router would make the primary path preferred, again resulting in active use of only one connection, not both.

56
MCQmedium

A company is designing a hybrid network with AWS Direct Connect and a VPN backup. They have two on-premises sites connected via MPLS. They want to ensure that if the Direct Connect fails, traffic automatically fails over to the VPN without manual intervention. Which routing configuration should they use?

A.Configure static routes with equal cost pointing to Direct Connect and VPN
B.Use BGP and set a higher local preference for routes learned via Direct Connect, and enable BGP graceful shutdown on the Direct Connect router
C.Use BGP and advertise the same prefixes with a lower MED on the VPN connection
D.Create a VPC peering connection between the VPC and on-premises network
AnswerB

Higher local preference ensures Direct Connect is preferred; graceful shutdown triggers failover.

Why this answer

Option B is correct because using BGP with a higher local preference for routes learned via Direct Connect ensures that the Direct Connect path is preferred over the VPN backup. If the Direct Connect fails, the BGP session goes down, the routes are withdrawn, and traffic automatically fails over to the VPN without manual intervention. BGP graceful shutdown is not required for failover but can be used to gracefully drain traffic before maintenance.

Exam trap

The trap here is that candidates confuse MED with local preference. MED is sent to a neighbouring AS to influence how that AS sends traffic back to you (it steers inbound traffic), and it is compared by default only between paths received from the same neighbouring AS; a lower MED on the VPN would make AWS prefer the VPN, not treat it as a backup. Local preference is the attribute for choosing the outbound path within your own AS.

How to eliminate wrong answers

Option A is wrong because static routes with equal cost would cause traffic to be load-balanced between Direct Connect and VPN, not provide a clear primary/backup failover; if Direct Connect fails, the static route remains active and may cause black-holing unless a more specific metric or tracking is used. Option C is wrong because advertising the same prefixes with a lower MED on the VPN connection would make the VPN path more preferred (lower MED is more preferred), which is the opposite of the desired primary/backup behavior. Option D is wrong because VPC peering does not support on-premises connectivity; it only connects VPCs within AWS and cannot be used to connect to on-premises networks.

57
Multi-Selecteasy

A company is planning to connect its on-premises data center to AWS using AWS Direct Connect. The company requires high availability and wants to ensure that if one Direct Connect connection fails, traffic automatically fails over to another. Which THREE design elements should be included?

Select 3 answers
A.Provision two Direct Connect connections at different AWS Direct Connect locations.
B.Use a single customer router with multiple connections to both Direct Connect locations.
C.Configure a VPN connection as a backup to Direct Connect.
D.Use BGP to exchange routes between the on-premises routers and AWS.
E.Advertise the same BGP prefixes from both on-premises routers.
AnswersA, D, E

Provides physical diversity.

Why this answer

Option A is correct because provisioning two Direct Connect connections at different AWS Direct Connect locations provides physical diversity: if one location fails, the other connection remains available and there is no single point of failure at the network edge. Options D and E complete the design: BGP on both on-premises routers lets AWS and the customer detect a failed session and withdraw its routes, and advertising the same prefixes from both routers means the surviving path already carries every destination, so traffic converges without manual intervention. Option B is wrong because a single customer router is itself a single point of failure. Option C (a VPN backup) is sound practice, but the answer key selects the three elements that make the two Direct Connect connections fail over to each other.

Exam trap

The trap here is that candidates may think a single router with multiple connections provides sufficient redundancy, but they overlook that the router itself is a single point of failure, which violates high availability principles.

58
MCQeasy

An application running on EC2 instances in a private subnet needs to download patches from the internet. The VPC has an internet gateway and public subnets. Which resource should be used to provide outbound internet access to the instances?

A.VPC gateway endpoint for S3
B.NAT gateway in a public subnet
C.AWS Site-to-Site VPN connection
D.Internet gateway in the private subnet
AnswerB

Provides outbound internet access for private instances.

Why this answer

A NAT gateway in a public subnet provides outbound-only internet access to instances in private subnets by translating their private IP addresses to the NAT gateway's Elastic IP address. This allows the EC2 instances to download patches from the internet while preventing any unsolicited inbound connections from the internet, which is the standard design for secure outbound internet access in a VPC.

Exam trap

AWS often tests the misconception that an internet gateway can be placed in a private subnet or that a VPC endpoint can provide general internet access, but the key trap here is confusing a VPC gateway endpoint (which only works for specific AWS services like S3 and DynamoDB) with a NAT gateway that provides full outbound internet connectivity.

How to eliminate wrong answers

Option A is wrong because a VPC gateway endpoint for S3 only provides private connectivity to Amazon S3, not general internet access for downloading patches from arbitrary internet hosts. Option C is wrong because an AWS Site-to-Site VPN connection connects your VPC to an on-premises network, not to the internet, and does not provide outbound internet access for instances. Option D is wrong because an internet gateway is attached to the VPC, not to a subnet; a subnet is "public" only because its route table sends 0.0.0.0/0 to the internet gateway, and even with that route an instance needs a public or Elastic IP address to use it. Instances that have only private addresses must go through a NAT device in a public subnet.

59
Multi-Selectmedium

A company is using AWS Direct Connect to connect its on-premises data center to a VPC. They want to ensure high availability and failover. Which TWO configurations should they implement? (Select TWO.)

Select 2 answers
A.Configure a Site-to-Site VPN connection as a backup.
B.Create a Direct Connect Gateway and attach multiple VPCs.
C.Use a single Direct Connect connection with two virtual interfaces.
D.Provision a second Direct Connect connection at a different location.
E.Use the same Direct Connect connection with multiple VLANs.
AnswersA, D

Correct: Provides failover over internet.

Why this answer

Options A and D are correct: a second Direct Connect connection at a different Direct Connect location protects against a location-level failure, and a Site-to-Site VPN over the internet keeps connectivity if every Direct Connect path is down. Option B is wrong because a Direct Connect gateway lets one connection reach multiple VPCs and Regions; it adds no redundancy. Option C is wrong because two virtual interfaces on one connection share the same physical link, port and location, so they fail together.

Option E is wrong for the same reason: additional VLANs on one connection are still one connection.

60
MCQhard

A company has a VPC with a CIDR of 10.0.0.0/16. It has two subnets: 10.0.1.0/24 (public) and 10.0.2.0/24 (private). The company wants to use AWS Site-to-Site VPN to connect to an on-premises network with a CIDR of 192.168.0.0/16. The VPN connection uses a virtual private gateway (VGW) attached to the VPC. The on-premises network has a VPN appliance that supports BGP. The company also wants to use static routes for the VPN. Which configuration is required to enable communication between the VPC and on-premises network?

A.Add a route in the on-premises route table for 10.0.0.0/16 pointing to the VPN appliance.
B.Add a route in the VPC route table for 192.168.0.0/16 with target the virtual private gateway.
C.Create a NAT gateway in the public subnet and route traffic through it.
D.Add a route in the VPC route table for 192.168.0.0/16 with target the internet gateway.
AnswerB

This routes traffic from the VPC to the on-premises network via the VPN.

Why this answer

Option B is correct. For a VPN that uses a virtual private gateway with static routing, the route table of every subnet that must reach on-premises needs a route for 192.168.0.0/16 whose target is the virtual private gateway; the VPC's local route covers only 10.0.0.0/16, so without that route packets for on-premises follow the default route or are dropped. The on-premises prefixes are also entered as static routes on the VPN connection itself so the VGW knows which destinations to send into the tunnels; with BGP instead, enabling route propagation on the route table would add the learned routes automatically.

Option A describes routing on the on-premises side; the appliance there must know about 10.0.0.0/16 as well, but that is not the VPC configuration the question asks for. Option C is incorrect because VPN traffic is routed, not translated; a NAT gateway is for outbound internet access from private subnets. Option D is incorrect because the internet gateway does not terminate the VPN; the virtual private gateway does.

61
MCQeasy

A company has multiple VPCs that need to communicate with each other and with an on-premises network. They want to minimize operational overhead and avoid peering mesh complexity. Which AWS service should be used?

A.AWS Transit Gateway.
B.AWS PrivateLink.
C.AWS VPN CloudHub.
D.VPC Peering.
AnswerA

Transit Gateway provides a hub-and-spoke model, simplifying connectivity.

Why this answer

AWS Transit Gateway acts as a central hub to interconnect multiple VPCs and on-premises networks using a single gateway, eliminating the need for a full mesh of VPC peering connections. It simplifies network management by providing transitive routing between all attached networks, which directly addresses the requirement to minimize operational overhead and avoid peering mesh complexity.

Exam trap

The trap here is that candidates often confuse AWS Transit Gateway with VPC Peering, mistakenly thinking that VPC Peering can scale to many VPCs without realizing it requires a full mesh of non-transitive connections, leading to exponential complexity.

How to eliminate wrong answers

Option B is wrong because AWS PrivateLink is designed for private connectivity between VPCs and services (e.g., exposing a service to multiple VPCs) without requiring VPC peering or a transit gateway, but it does not provide transitive routing between multiple VPCs or to on-premises networks. Option C is wrong because AWS VPN CloudHub is a hub-and-spoke VPN topology that connects multiple remote sites to a single VPC, but it does not interconnect multiple VPCs or provide transitive routing between them. Option D is wrong because VPC Peering creates a direct, non-transitive connection between exactly two VPCs, requiring a full mesh of peering connections for multiple VPCs, which increases operational overhead and complexity.

62
MCQhard

A large e-commerce company is designing a network for a new microservices architecture. They have hundreds of microservices running on Amazon ECS with Fargate launch type. The services need to communicate with each other and with external APIs. The company wants to minimize network latency and maximize security. They also need to ensure that traffic between services does not leave the VPC. The network engineer is considering using AWS PrivateLink to allow services to communicate via VPC endpoints. However, they are concerned about the cost of creating an endpoint for each service. Which design should the network engineer recommend?

A.Use a Transit Gateway to connect all services
B.Use AWS App Mesh to enable service-to-service communication within the VPC
C.Assign public IP addresses to the Fargate tasks and use security groups
D.Create a VPC endpoint for each microservice and use PrivateLink
AnswerB

Service Mesh provides secure and low-latency communication without VPC endpoints.

Why this answer

AWS App Mesh provides a service mesh that enables secure, low-latency communication between microservices within the same VPC using Envoy sidecar proxies. It handles service discovery, traffic routing, and encryption (mTLS) without requiring VPC endpoints or public IPs, keeping all traffic within the VPC and minimizing cost. This directly addresses the requirement for hundreds of services to communicate privately and efficiently.

Exam trap

The trap here is that candidates confuse PrivateLink (designed for external service access) with internal service mesh solutions, assuming VPC endpoints are the only way to keep traffic private, while overlooking App Mesh as a cost-effective, VPC-contained alternative for microservice communication.

How to eliminate wrong answers

Option A is wrong because Transit Gateway interconnects VPCs and on-premises networks; it plays no part in service-to-service traffic inside a single VPC and would add cost without any traffic control for microservices. Option C is wrong because public IP addresses on Fargate tasks expose the services to the internet and send service-to-service traffic through the internet gateway, violating the requirement that traffic stay inside the VPC. Option D is wrong because an interface endpoint per microservice would be expensive at scale (each endpoint is billed per hour per Availability Zone plus data processing), and PrivateLink is meant for exposing a service to consumers in other VPCs or accounts, not for traffic between services that already share a VPC.

63
MCQhard

A company has a VPC with a CIDR block of 10.0.0.0/16. They have two subnets: Subnet A (10.0.1.0/24) and Subnet B (10.0.2.0/24). They launch an EC2 instance in Subnet A and assign it a primary private IP address of 10.0.1.50. They then attach a second elastic network interface (ENI) to the instance with a primary private IP of 10.0.2.100. The instance needs to send traffic from the second ENI. However, when the instance sends traffic from the second ENI, it fails. What is the MOST likely cause?

A.The two ENIs are in different subnets, which is not allowed.
B.The instance's operating system routing table does not have a route for the second ENI's subnet.
C.The security group for the second ENI does not allow outbound traffic.
D.The subnet route table does not have a route for the second ENI's IP address.
AnswerB

The OS routing table must have a route to send traffic from the second ENI through its own subnet.

Why this answer

Option B is correct. The ENIs may be in different subnets as long as both subnets are in the instance's Availability Zone, but the guest operating system, not AWS, decides which interface a packet leaves from.

With a single default route via the primary ENI (eth0, 10.0.1.50), a packet sourced from 10.0.2.100 is sent out eth0, and the primary ENI's source/destination check drops it because the source address is not one of that ENI's addresses. The fix is source-based policy routing in the OS: a rule that sends traffic from 10.0.2.100 to a separate routing table whose default route points to Subnet B's router through the second interface (on Linux, an ip rule entry plus a second routing table; Amazon Linux's ec2-net-utils sets this up for secondary ENIs automatically). Option A is incorrect because ENIs in different subnets of the same Availability Zone are allowed.

Option C is incorrect because security groups are stateful and allow all outbound traffic by default, so they do not produce this source-IP dependent failure. Option D is incorrect because the subnet route table already carries a local route for the whole VPC CIDR and does not select which ENI an instance uses.

64
MCQmedium

A company is designing a hybrid network connecting on-premises data centers to AWS via AWS Direct Connect. The company requires high availability with multiple connections. Which design ensures that a failure of a single Direct Connect location does not impact connectivity?

A.Provision a single Direct Connect connection with a large bandwidth.
B.Provision two Direct Connect connections at two different Direct Connect locations.
C.Provision two Direct Connect connections at the same AWS Direct Connect location.
D.Provision one Direct Connect connection and one AWS Site-to-Site VPN as backup.
AnswerB

Connections at different locations provide redundancy against a location failure.

Why this answer

Option B is correct because deploying two Direct Connect connections at two different Direct Connect locations ensures that a single location failure (e.g., power outage, fiber cut, or facility issue) does not affect connectivity. This design provides geographic redundancy, meeting the high availability requirement by eliminating a single point of failure at the Direct Connect location level.

Exam trap

The trap here is that candidates confuse 'multiple connections' with 'location diversity,' assuming two connections at the same location provide sufficient redundancy. AWS recommends connections at different Direct Connect locations (the high and maximum resiliency models of the Direct Connect Resiliency Toolkit) because two connections in one facility share its power, fiber entry and device risk.

How to eliminate wrong answers

Option A is wrong because a single Direct Connect connection, regardless of bandwidth, creates a single point of failure; if the connection or its location fails, all connectivity is lost. Option C is wrong because two connections at the same Direct Connect location share the same facility risk; a location-wide outage (e.g., power or fiber cut) would impact both connections simultaneously, failing the high availability requirement. Option D is wrong because while a Site-to-Site VPN can serve as a backup, it introduces a different failure domain (internet-based) and typically offers lower and less consistent performance; the question specifically requires that a failure of a single Direct Connect location does not impact connectivity, and a VPN backup does not provide redundant Direct Connect location diversity.

65
MCQmedium

A company uses AWS Direct Connect to connect its on-premises network to a VPC. They have a private VIF attached to a virtual private gateway. They want to use AWS Site-to-Site VPN as a backup connection. Which configuration ensures automatic failover?

A.Attach the VPN connection to a separate virtual private gateway and use a transit gateway to combine them.
B.Use static routes on the Direct Connect private VIF and BGP on the VPN connection.
C.Use BGP on both the Direct Connect private VIF and the VPN connection, and advertise the same prefixes with a longer AS path for the VPN.
D.Create a second Direct Connect connection and use equal-cost multipath (ECMP) between the two.
AnswerC

This provides automatic failover via BGP.

Why this answer

Option C is correct because running BGP on both the Direct Connect private VIF and the VPN connection gives AWS two dynamic paths to the same prefixes and lets the customer shape the choice with AS path prepending. Advertising the prefixes with a longer AS path over the VPN makes the Direct Connect path preferred; when the Direct Connect session drops, its routes are withdrawn and traffic moves to the VPN with no manual change. Note that a virtual private gateway already prefers Direct Connect routes over VPN routes for an identical prefix, so the prepend is defence in depth and makes the intent explicit; what actually delivers the failover is the dynamic withdrawal that static routes cannot provide.

Exam trap

AWS often tests the misconception that static routes can provide automatic failover, but static routes lack dynamic withdrawal, so BGP must be used on both connections with AS path prepending to ensure automatic and predictable failover.

How to eliminate wrong answers

Option A is wrong because attaching the VPN to a separate virtual private gateway and using a transit gateway does not provide automatic failover; it introduces additional complexity and does not inherently prioritize one path over the other without BGP path manipulation. Option B is wrong because using static routes on the Direct Connect private VIF and BGP on the VPN prevents automatic failover; static routes do not dynamically withdraw when the Direct Connect link fails, so traffic may blackhole or require manual intervention. Option D is wrong because creating a second Direct Connect connection and using ECMP provides load balancing, not failover, and does not address the requirement for a VPN backup; it also does not ensure automatic failover to a different type of connection.

66
MCQhard

A global company is designing a multi-region architecture with an Active-Passive setup. They want to use Amazon Route 53 to route traffic to the active region and fail over to the passive region during an outage. They need to ensure that the failover is automatic based on health checks. Which routing policy should they use?

A.Weighted routing policy
B.Latency routing policy
C.Geolocation routing policy
D.Failover routing policy
AnswerD

Designed for active-passive failover using health checks.

Why this answer

The Failover routing policy in Amazon Route 53 is specifically designed for active-passive configurations. It allows you to designate one record as primary (active) and another as secondary (passive), and Route 53 automatically routes traffic to the secondary record only when the health check associated with the primary record fails. This meets the requirement for automatic failover based on health checks without manual intervention.

Exam trap

The trap here is that candidates often confuse the Failover routing policy with the Weighted or Latency policies, mistakenly thinking those can also provide automatic failover, but only the Failover policy is designed for active-passive setups with health check-driven automatic failover.

How to eliminate wrong answers

Option A is wrong because the Weighted routing policy distributes traffic across multiple resources based on assigned weights, not for active-passive failover; it does not automatically fail over based on health checks. Option B is wrong because the Latency routing policy routes traffic to the region with the lowest latency for the end user, not to provide failover between an active and passive region. Option C is wrong because the Geolocation routing policy routes traffic based on the geographic location of the user, not for failover; it can be combined with failover but alone does not provide automatic failover based on health checks.

67
MCQmedium

A company has a VPC with a CIDR block of 10.0.0.0/16. The company needs to add a secondary CIDR block for additional subnets. Which CIDR block can be used?

A.10.1.0.0/16
B.172.16.0.0/16
C.192.168.0.0/16
D.10.0.0.0/16
AnswerA

Non-overlapping private IP range.

Why this answer

Option A (10.1.0.0/16) is correct because it is a valid RFC 1918 private IP address range that does not overlap with the existing VPC CIDR block (10.0.0.0/16). AWS allows adding a secondary CIDR block to a VPC as long as it does not conflict with the primary CIDR or any existing secondary CIDR blocks, and 10.1.0.0/16 is a non-overlapping /16 within the 10.0.0.0/8 private range.

Exam trap

The trap is assuming any RFC 1918 range can be added. AWS's CIDR association rules depend on the primary block: when the primary CIDR is in 10.0.0.0/8, a secondary CIDR may come only from 10.0.0.0/8 (non-overlapping), 100.64.0.0/10 or publicly routable space, and ranges in 172.16.0.0/12 and 192.168.0.0/16 are refused. Candidates who only check for overlap will accept Options B and C.

How to eliminate wrong answers

Option B (172.16.0.0/16) is wrong because AWS does not allow a secondary CIDR from 172.16.0.0/12 on a VPC whose primary CIDR is in 10.0.0.0/8; the AssociateVpcCidrBlock call is rejected. Option C (192.168.0.0/16) is wrong for the same reason: 192.168.0.0/16 is not an allowed secondary range for a primary in 10.0.0.0/8. Option D (10.0.0.0/16) is wrong because it is identical to the existing primary CIDR, and a secondary CIDR may not overlap the primary or any existing secondary. Separately, any CIDR you add must not overlap networks the VPC peers with or reaches over VPN or Direct Connect, or those routes become ambiguous.

68
MCQmedium

A company has a VPC with a CIDR block of 10.0.0.0/16. They have three subnets: Subnet A (10.0.1.0/24) in us-east-1a, Subnet B (10.0.2.0/24) in us-east-1b, and Subnet C (10.0.3.0/24) in us-east-1c. The company has deployed a set of EC2 instances in Subnet A that need to access an Amazon S3 bucket. The company wants to ensure that traffic to S3 does not traverse the internet and remains within the AWS network. The VPC has a VPC endpoint for S3 (gateway type) created and associated with the route table for Subnet A. However, the instances are unable to access the S3 bucket. What is the MOST likely cause?

A.The VPC does not have an internet gateway attached.
B.The route table for Subnet A does not have a route for the S3 prefix list pointing to the VPC endpoint.
C.The S3 bucket policy does not allow access from the VPC endpoint.
D.The VPC endpoint is not associated with a security group that allows outbound traffic to S3.
AnswerB

Without this route, traffic from Subnet A to S3 does not use the endpoint.

Why this answer

Option B is correct. A gateway endpoint for S3 is reachable only from subnets whose route table carries a route for the Region's S3 prefix list with the endpoint as target. Associating the endpoint with a route table is what adds that route, so the first checks are that Subnet A really uses that route table and that the prefix-list route is present.

If the route is missing, S3 traffic follows the default route instead, and in a private subnet with no NAT device it goes nowhere. Option A is incorrect because a gateway endpoint needs no internet gateway. Option C is possible in practice (a bucket policy or the endpoint policy can deny the request), but the default endpoint policy allows all access and nothing in the question says the bucket policy restricts access, so it is a less likely cause than the missing route.

Option D is incorrect because gateway endpoints have no network interface and no security group; that applies to interface endpoints. Access through a gateway endpoint is controlled by the route table, the endpoint policy and the bucket policy. Two further checks when this fails in practice: the bucket must be in the same Region as the endpoint, and the instance's security group and subnet NACL must permit outbound HTTPS to the S3 address ranges.
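Questions 60 and 68 both come down to what a VPC route table does with a packet: longest-prefix match over its routes, with prefix-list destinations expanded to concrete CIDRs. The following Python is an added example written for this edit, not code from the question bank or from AWS; the prefix-list ID, its address ranges and the gateway IDs are constructed placeholders (real S3 prefix lists and their contents differ per Region).

```python
from ipaddress import ip_address, ip_network

# Constructed sample prefix list standing in for the Region's S3 list (pl-xxxx).
PREFIX_LISTS = {"pl-s3-example": ["52.216.0.0/15", "3.5.0.0/19"]}


def expand_routes(routes, prefix_lists):
    """Turn (destination, target) pairs into (network, target).

    A prefix-list destination fans out into one entry per CIDR it contains, which
    is how a gateway-endpoint route ends up covering the service's address ranges.
    """
    expanded = []
    for dest, target in routes:
        cidrs = prefix_lists[dest] if dest.startswith("pl-") else [dest]
        expanded.extend((ip_network(c), target) for c in cidrs)
    return expanded


def lookup(routes, dst_ip, prefix_lists=PREFIX_LISTS):
    """Longest-prefix match, as a VPC route table does it. Returns the target or None."""
    addr = ip_address(dst_ip)
    best = None
    for net, target in expand_routes(routes, prefix_lists):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


# Q60/Q68: a private-subnet route table with the on-premises route to the VGW and the
# S3 prefix-list route to the gateway endpoint (constructed IDs).
PRIVATE_RT_OK = [
    ("10.0.0.0/16", "local"),
    ("192.168.0.0/16", "vgw-0example"),
    ("pl-s3-example", "vpce-0example"),
    ("0.0.0.0/0", "nat-0example"),
]
# The two misconfigurations the questions describe: the VGW route or the endpoint
# route is absent. Nothing fails loudly; the traffic just takes the default route.
PRIVATE_RT_NO_VGW = [r for r in PRIVATE_RT_OK if r[1] != "vgw-0example"]
PRIVATE_RT_NO_S3 = [r for r in PRIVATE_RT_OK if r[1] != "vpce-0example"]


if __name__ == "__main__":
    for rt_name, rt in (("ok", PRIVATE_RT_OK), ("no_vgw", PRIVATE_RT_NO_VGW), ("no_s3", PRIVATE_RT_NO_S3)):
        for dst in ("192.168.10.5", "52.216.1.1", "10.0.2.7", "8.8.8.8"):
            print(f"{rt_name:7} {dst:14} -> {lookup(rt, dst)}")
```

The point the lookup makes: when the VGW route is missing, a packet for 192.168.10.5 is not rejected but handed to the NAT gateway, which cannot deliver a private address to the internet, so the connection simply times out; the same silent fallback sends S3 traffic out through NAT when the prefix-list route is absent. Checking the effective route for the destination is therefore the first troubleshooting step in both questions.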

69
MCQeasy

A company wants to provide its employees with secure access to internal applications running on AWS without using a VPN. Which AWS service can be used?

A.AWS Site-to-Site VPN
B.AWS Transit Gateway
C.AWS Client VPN
D.AWS Direct Connect
AnswerC

Client VPN provides secure access for individual users.

Why this answer

AWS Client VPN is a managed, cloud-based VPN solution that allows employees to securely access AWS resources and internal applications from their devices using OpenVPN or IKEv2 protocols, without requiring a traditional site-to-site VPN or dedicated hardware. It provides per-user authentication via Active Directory, SAML, or mutual authentication, making it ideal for remote user access to internal applications without a VPN appliance on-premises.

Exam trap

The trap here is that candidates often confuse AWS Client VPN (a managed remote access VPN for individual users) with AWS Site-to-Site VPN (a site-to-site tunnel between networks), leading them to select Option A because they see 'VPN' in the question but miss the requirement for employee remote access without a VPN appliance.

How to eliminate wrong answers

Option A is wrong because AWS Site-to-Site VPN creates an encrypted tunnel between an on-premises network and AWS VPC, requiring a customer gateway device and static routing or BGP, which does not address individual employee remote access without a VPN. Option B is wrong because AWS Transit Gateway is a network transit hub that interconnects VPCs and on-premises networks, but it does not provide client-based VPN connectivity for individual users; it is a routing construct, not a remote access service. Option D is wrong because AWS Direct Connect provides a dedicated private network connection from on-premises to AWS, but it requires physical cabling, colocation, and a VPN overlay for encryption, and it does not offer per-user remote access without a VPN.

70
MCQhard

A company has a VPC with multiple subnets. They have an Amazon RDS for MySQL database in a private subnet. The application team needs to access the database for maintenance from a bastion host in a public subnet. The security group for the database allows inbound traffic from the security group of the bastion host on port 3306. However, the application team cannot connect. What is the most likely cause?

A.The network ACL on the private subnet is blocking inbound traffic on port 3306.
B.The database does not have a route to the internet.
C.The security group rule for the database is incorrectly configured.
D.The bastion host does not have a route to the database subnet.
AnswerA

Network ACLs are stateless and can block traffic even if security groups allow it.

Why this answer

The most likely cause is that the network ACL (NACL) on the private subnet is blocking inbound traffic on port 3306. Even though the security group on the RDS instance allows traffic from the bastion host's security group, NACLs are stateless and must explicitly allow both directions. A custom NACL denies all traffic until rules are added, so unless there is an inbound rule for TCP 3306 from the bastion's subnet, the SYN is dropped at the subnet boundary. The private subnet's NACL also needs an outbound rule for the return traffic to the bastion's ephemeral ports (TCP 1024-65535), and the public subnet's NACL needs the mirror image (outbound 3306, inbound ephemeral). The default NACL created with a VPC allows everything in both directions, so this symptom points at a custom NACL or an edited default one.

Exam trap

AWS often tests the distinction between stateful security groups and stateless network ACLs, trapping candidates who assume that a security group rule alone is sufficient for connectivity.

How to eliminate wrong answers

Option B is wrong because the database does not need a route to the internet; it only needs a route back to the bastion host within the VPC, which is provided by the VPC's main route table or subnet route table. Option C is wrong because the security group rule is explicitly described as correctly allowing inbound traffic from the bastion host's security group on port 3306, so it is not the cause. Option D is wrong because the bastion host does not need a route to the database subnet; it only needs a route to the VPC's CIDR, which is typically a local route already present in the route table.
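To see why a stateless ACL needs rules in both directions, here is a Python model of NACL evaluation: rules in one direction are tried in ascending rule number, the first match decides, and anything unmatched hits the implicit final deny. This is an added example written for this edit, not code from the question bank; the subnet CIDRs, bastion address and rule numbers are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated in ascending order; the first match decides
    protocol: str    # 'tcp', 'udp', 'icmp' or 'all'
    port_from: int   # ignored when protocol is 'all'
    port_to: int
    cidr: str
    action: str      # 'allow' or 'deny'


def evaluate(rules, protocol, port, remote_ip):
    """Decide one packet in one direction. Unmatched packets hit the implicit deny (*)."""
    for r in sorted(rules, key=lambda rule: rule.number):
        if r.protocol != 'all' and r.protocol != protocol:
            continue
        if r.protocol != 'all' and not (r.port_from <= port <= r.port_to):
            continue
        if ip_address(remote_ip) not in ip_network(r.cidr):
            continue
        return r.action
    return 'deny'


def tcp_session_allowed(inbound, outbound, client_ip, client_port, server_port):
    """A stateless NACL sees the client's SYN (inbound, to server_port) and the server's
    SYN-ACK (outbound, to the client's ephemeral port) as unrelated packets; both need an allow."""
    return (evaluate(inbound, 'tcp', server_port, client_ip) == 'allow'
            and evaluate(outbound, 'tcp', client_port, client_ip) == 'allow')


PUBLIC_SUBNET = "10.0.1.0/24"   # constructed: the bastion host's subnet
BASTION_IP = "10.0.1.25"        # constructed


def broken_private_nacl():
    """Inbound 3306 is allowed, but outbound only permits HTTPS: the reply is dropped."""
    inbound = [NaclRule(100, 'tcp', 3306, 3306, PUBLIC_SUBNET, 'allow')]
    outbound = [NaclRule(100, 'tcp', 443, 443, '0.0.0.0/0', 'allow')]
    return inbound, outbound


def fixed_private_nacl():
    """Adds the outbound ephemeral-port rule that the stateless reverse path needs."""
    inbound, outbound = broken_private_nacl()
    outbound = outbound + [NaclRule(110, 'tcp', 1024, 65535, PUBLIC_SUBNET, 'allow')]
    return inbound, outbound


def missing_inbound_nacl():
    """Outbound is fine but there is no inbound 3306 rule: the SYN never reaches the database."""
    inbound = [NaclRule(100, 'tcp', 22, 22, PUBLIC_SUBNET, 'allow')]
    return inbound, fixed_private_nacl()[1]


if __name__ == "__main__":
    for name, nacl in (("broken", broken_private_nacl()),
                       ("fixed", fixed_private_nacl()),
                       ("no_inbound", missing_inbound_nacl())):
        print(name, tcp_session_allowed(*nacl, BASTION_IP, 49152, 3306))
```

The same check must be run against the public subnet's NACL with the directions swapped (outbound 3306 to the database subnet, inbound from the database on the bastion's ephemeral ports); a connection crosses both subnet boundaries, and either NACL can drop half of it. Because the first matching rule wins, a deny with a lower rule number than the allow also blocks the session, which the model reproduces.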

71
MCQmedium

A company is migrating its on-premises data center to AWS. The migration requires connectivity between the on-premises network and a VPC. The company needs a connection that supports multiple VLANs for separate environments (development, test, production) and provides consistent performance. The company also wants to avoid using the public internet. Which AWS service should be used?

A.AWS Transit Gateway
B.AWS Direct Connect
C.AWS Site-to-Site VPN
D.AWS Client VPN
AnswerB

Direct Connect provides a private connection supporting multiple VLANs for environment isolation.

Why this answer

Option B is correct. AWS Direct Connect provides a private, dedicated connection from on-premises to AWS that does not traverse the public internet, and a single physical connection carries multiple virtual interfaces, each on its own 802.1Q VLAN, so development, test and production can be kept on separate VIFs with consistent, predictable performance.

Option A is incorrect because Transit Gateway is a network transit hub, not a connectivity service; it attaches to Direct Connect or VPN but is not the connection itself. Option C is incorrect because Site-to-Site VPN runs over the public internet and offers no VLAN separation; each environment would need its own tunnel or routing domain. Option D is incorrect because Client VPN is for individual user connections, not site-to-site.

72
MCQeasy

A company has a VPC with a CIDR of 10.0.0.0/16. They need to create a subnet for a new application that requires at least 2000 usable IP addresses. Which subnet size should they choose?

A./24 (256 IPs)
B./22 (1024 IPs)
C./19 (8192 IPs)
D./20 (4096 IPs)
AnswerD

4091 usable, sufficient.

Why this answer

Option D is correct. A /20 subnet provides 4096 total addresses, 4091 usable after the 5 that AWS reserves in every subnet (network address, VPC router, DNS resolver, one reserved for future use, broadcast). For at least 2000 usable addresses, /20 is the smallest of the listed sizes that fits.

Option A (/24) provides 251 usable. Option B (/22) provides 1019 usable, which is not enough. Option C (/19) provides 8187 usable, which would work but wastes address space. A /21 (2043 usable) would also satisfy the requirement; it is simply not among the options.

73
MCQhard

A company has a VPC with a CIDR block of 172.16.0.0/20. They need to create subnets for three tiers: web, application, and database. The web tier must be public and support at least 1000 hosts. The application and database tiers must be private. Which subnet design meets the requirements?

A.Web: 172.16.0.0/22, App: 172.16.4.0/24, DB: 172.16.5.0/24
B.Web: 172.16.0.0/23, App: 172.16.2.0/23, DB: 172.16.4.0/23
C.Web: 172.16.0.0/20, App: 172.16.0.0/20, DB: 172.16.0.0/20
D.Web: 172.16.0.0/24, App: 172.16.1.0/24, DB: 172.16.2.0/24
AnswerA

/22 provides 1019 usable hosts, meeting the 1000 requirement.

Why this answer

Option A is correct because the web tier subnet 172.16.0.0/22 provides 2^(32-22) - 5 = 1024 - 5 = 1019 usable host addresses (AWS reserves 5 IPs per subnet), which meets the requirement of at least 1000 hosts. The application and database subnets use /24 masks, each offering 251 usable hosts, and are private. All subnets fall within the VPC CIDR 172.16.0.0/20 without overlap.

Exam trap

The trap is the host count. Candidates who apply the classic "minus 2" rule instead of AWS's five reserved addresses, or who read a /23's 512 total addresses as usable capacity, may pick a subnet that is too small; others overlook that subnets within a VPC must not overlap, which rules out Option C.

How to eliminate wrong answers

Option B is wrong because the web subnet /23 provides only 512 - 5 = 507 usable addresses, which is insufficient for 1000 hosts. Option C is wrong because it assigns the entire VPC CIDR /20 to all three tiers, causing overlapping subnets, which is invalid in AWS (subnets cannot overlap). Option D is wrong because the web subnet /24 provides only 256 - 5 = 251 usable addresses, far below the 1000-host requirement.
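As an added worked example covering questions 72 and 73 (not code from the original page), the Python below computes AWS usable host counts with the standard ipaddress module, finds the smallest subnet that satisfies a host requirement, and checks a tier plan for containment in the VPC, capacity, and overlap. The embedded plans are the four options of question 73; the tier names and the lookup order are constructed for the example.

```python
from ipaddress import IPv4Network

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED = 5


def usable_hosts(cidr):
    """Usable addresses in an AWS subnet: total minus the five reserved."""
    return IPv4Network(cidr).num_addresses - AWS_RESERVED


def smallest_prefix_for(hosts, vpc_cidr):
    """Longest prefix (smallest subnet) inside vpc_cidr that still yields
    `hosts` usable addresses. AWS allows subnet sizes from /16 to /28."""
    vpc = IPv4Network(vpc_cidr)
    for prefix in range(28, vpc.prefixlen - 1, -1):
        if 2 ** (32 - prefix) - AWS_RESERVED >= hosts:
            return prefix
    raise ValueError(f"{hosts} usable hosts do not fit in {vpc_cidr}")


def validate_plan(vpc_cidr, subnets, min_hosts):
    """Check a tier->CIDR plan against the VPC: containment, capacity, overlap.
    Returns a list of problems; an empty list means the plan is valid."""
    vpc = IPv4Network(vpc_cidr)
    nets = {tier: IPv4Network(cidr) for tier, cidr in subnets.items()}
    problems = []
    for tier, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{tier} {net} lies outside VPC {vpc}")
        need = min_hosts.get(tier, 0)
        have = usable_hosts(str(net))
        if have < need:
            problems.append(f"{tier} {net} has {have} usable hosts, needs {need}")
    tiers = list(nets)
    for i, a in enumerate(tiers):
        for b in tiers[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


# Constructed inputs: the four subnet plans offered in question 73.
VPC_73 = "172.16.0.0/20"
NEEDS_73 = {"web": 1000}
PLANS_73 = {
    "A": {"web": "172.16.0.0/22", "app": "172.16.4.0/24", "db": "172.16.5.0/24"},
    "B": {"web": "172.16.0.0/23", "app": "172.16.2.0/23", "db": "172.16.4.0/23"},
    "C": {"web": "172.16.0.0/20", "app": "172.16.0.0/20", "db": "172.16.0.0/20"},
    "D": {"web": "172.16.0.0/24", "app": "172.16.1.0/24", "db": "172.16.2.0/24"},
}


def valid_options(plans=PLANS_73, vpc=VPC_73, needs=NEEDS_73):
    """Letters of the plans that pass every check."""
    return [letter for letter, plan in plans.items() if not validate_plan(vpc, plan, needs)]


if __name__ == "__main__":
    print("Q72: /20 in 10.0.0.0/16 ->", usable_hosts("10.0.0.0/20"), "usable")
    print("Q72: smallest prefix for 2000 hosts ->", smallest_prefix_for(2000, "10.0.0.0/16"))
    for letter, plan in PLANS_73.items():
        print(f"Q73 option {letter}:", validate_plan(VPC_73, plan, NEEDS_73) or "valid")
```

Running it reports /20 as 4091 usable and /21 as the smallest prefix for 2000 hosts in question 72, and flags option B (too small), C (three overlapping pairs) and D (too small) in question 73, leaving A as the only valid plan. The same checks are worth running before any console change: an overlapping or undersized subnet is rejected by the API, but an oversized one silently eats VPC address space you may later need for peering or a second availability zone.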

74
MCQmedium

A company is designing a hybrid network architecture that connects its on-premises data center to AWS via AWS Direct Connect. The on-premises network uses BGP to advertise routes to AWS. The company wants to ensure that if the Direct Connect connection fails, traffic automatically fails over to a VPN connection. Which configuration ensures this failover behavior?

A.Advertise the on-premises prefixes over Direct Connect with a higher AS path prepend than over the VPN.
B.Advertise the on-premises prefixes over Direct Connect with a specific BGP community to influence path selection.
C.Advertise the on-premises prefixes over Direct Connect with a lower MED value than over the VPN.
D.Advertise the on-premises prefixes over Direct Connect with a higher local preference than over the VPN.
AnswerC

A lower MED on the Direct Connect advertisement makes AWS prefer that path; when it is withdrawn, only the VPN path remains.

Why this answer

Option C is correct because MED (multi-exit discriminator) is the attribute an advertising AS uses to tell a neighbouring AS which of several entry points to prefer, and the lower value wins. Advertising the same prefixes over both paths with a lower MED on Direct Connect makes AWS send return traffic over Direct Connect; when the Direct Connect BGP session drops, those routes are withdrawn and the VPN-learned routes become the only candidates, so failover is automatic. Option A is incorrect because AS path prepending lengthens the AS_PATH, which makes the Direct Connect route less preferred, the opposite of what is wanted; prepending belongs on the VPN advertisement if it is used at all. Option B is incorrect because a community is only a tag; it changes path selection only if the receiving side has a policy that acts on it, and it is not the attribute that expresses relative preference between these two paths.

Option D is incorrect because LOCAL_PREF is a non-transitive attribute that is never sent across an eBGP session. Setting it on the on-premises router influences only that router's own AS; AWS assigns its own value when it receives the route, so both paths tie on it.

Note that for a virtual private gateway AWS already prefers prefixes learned over Direct Connect to the same prefixes learned over a Site-to-Site VPN; BGP attributes such as MED or AS_PATH length decide only between routes of the same type. The question treats both paths as compared on BGP attributes alone.
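As an added worked example (not part of the quiz page), the Python below models the BGP decision process the question relies on, in the generic RFC 4271 order rather than AWS's own route-type priority, and replays options A and C against it. The on-premises AS number 65000, the MED values, and the labels DX and VPN are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    """One candidate BGP path for a prefix, as seen by the router that receives
    the advertisement (the AWS side in the question)."""
    via: str                # label for the entry point, e.g. "DX" or "VPN"
    as_path: tuple          # AS_PATH as received; prepending lengthens it
    med: int = 0            # MULTI_EXIT_DISC, lower wins
    local_pref: int = 100   # assigned by the receiver; never carried across eBGP
    origin: int = 0         # 0 IGP, 1 EGP, 2 INCOMPLETE; lower wins
    ebgp: bool = True       # eBGP-learned beats iBGP-learned


def best_path(paths):
    """Simplified BGP decision process in RFC 4271 order: highest LOCAL_PREF,
    shortest AS_PATH, lowest ORIGIN, lowest MED, eBGP over iBGP. Assumes MED is
    comparable between the candidates (both come from the same neighbouring AS)."""
    if not paths:
        return None
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), p.origin, p.med, not p.ebgp))


ONPREM_AS = 65000   # constructed on-premises ASN


def advertise(via, med, prepend=0):
    """Build the path AWS would see for an on-premises prefix sent over `via`.
    LOCAL_PREF is deliberately not a parameter: whatever the on-premises router
    sets stays inside its own AS, so the receiver applies its own default."""
    return Path(via=via, as_path=(ONPREM_AS,) * (1 + prepend), med=med)


def med_failover():
    """Option C: lower MED on Direct Connect. Returns the chosen entry point with
    both sessions up, then again after the Direct Connect route is withdrawn."""
    dx, vpn = advertise("DX", med=100), advertise("VPN", med=200)
    return best_path([dx, vpn]).via, best_path([vpn]).via


def prepend_on_dx():
    """Option A: prepending on Direct Connect. AS_PATH length is compared before
    MED, so the lower MED on DX never gets a say."""
    dx, vpn = advertise("DX", med=100, prepend=2), advertise("VPN", med=200)
    return best_path([dx, vpn]).via


def prepend_on_vpn():
    """Prepending belongs on the backup path: with VPN prepended, DX wins even
    when both advertisements carry the same MED."""
    dx, vpn = advertise("DX", med=0), advertise("VPN", med=0, prepend=3)
    return best_path([dx, vpn]).via


if __name__ == "__main__":
    print("lower MED on DX:", med_failover())   # ('DX', 'VPN')
    print("prepend on DX:", prepend_on_dx())    # VPN
    print("prepend on VPN:", prepend_on_vpn())  # DX
```

The ordering inside `best_path` is the whole point: a prepend on the primary path loses before MED is even consulted, and a LOCAL_PREF set by the sender never reaches the comparison because the receiver overwrites it.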

75
MCQhard

A company wants to connect multiple VPCs in different AWS accounts to on-premises networks using AWS Transit Gateway. Each VPC must be able to communicate with on-premises resources over AWS Direct Connect. What is the MINIMUM number of Transit Gateway attachments required if the company has 5 VPCs and 2 Direct Connect connections from different locations?

A.6
B.7
C.5
D.8
AnswerB

5 VPC attachments + 2 Direct Connect attachments = 7.

Why this answer

Option B is correct. Each VPC needs its own VPC attachment to the Transit Gateway, so 5 VPCs account for 5 attachments. Direct Connect reaches a Transit Gateway through a Direct Connect gateway: a transit virtual interface (VIF) on each connection terminates on a Direct Connect gateway, and that gateway is associated with the Transit Gateway as one attachment. Counting one Direct Connect gateway attachment per connection gives 5 + 2 = 7.

Option C (5) is wrong because it counts only the VPC attachments and leaves out Direct Connect entirely. Option A (6) is wrong under the question's model because it assumes a single Direct Connect attachment covers both connections. Option D (8) is wrong because it overcounts; nothing in the scenario calls for a third Direct Connect-side attachment.

In practice, both transit VIFs can be associated with a single Direct Connect gateway, which then needs only one Transit Gateway attachment (6 in total); the question's count assumes one Direct Connect gateway per connection.
