CCNA Network Design Questions

75 of 504 questions · Page 3/7 · Network Design topic · Answers revealed

151
Multi-Select · medium

A company has a VPC with an internet gateway and a NAT Gateway. The private subnet route table has a default route to the NAT Gateway. The company wants to enable instances in the private subnet to access an S3 bucket in the same region without traversing the internet. Which TWO actions should the company take?

Select 2 answers
A. Remove the default route to the NAT Gateway from the private subnet route table.
B. Add a route to the S3 prefix list via the gateway endpoint in the private subnet route table.
C. Create a gateway VPC endpoint for S3.
D. Add a route to the S3 prefix list via the NAT Gateway in the private subnet route table.
E. Create an interface VPC endpoint for S3.
Answers: B, C

A gateway endpoint keeps S3 traffic on the AWS network, so access stays private.

Why this answer

Option B is correct because adding a route to the S3 prefix list via the gateway endpoint directs traffic destined for S3 through the VPC endpoint, keeping it within the AWS network. Option C is correct because a gateway VPC endpoint for S3 provides a private, scalable connection to S3 without requiring internet access or a NAT Gateway. Together, these actions allow private subnet instances to access S3 privately and efficiently.

Exam trap

The trap here is that candidates often confuse gateway endpoints with interface endpoints, incorrectly assuming S3 requires an interface endpoint, or they think the NAT Gateway must be removed entirely, when in fact the NAT Gateway should remain for other outbound traffic and only the S3-specific route needs to be added via the gateway endpoint.

152
MCQ · easy

A company wants to securely connect two VPCs in the same region. The VPCs must be able to communicate using private IP addresses, and connectivity should be highly available. Which solution meets these requirements?

A. Set up a VPN connection between the two VPCs using virtual private gateways.
B. Create an inter-region VPC peering connection.
C. Create a VPC peering connection between the two VPCs.
D. Use an AWS Transit Gateway to connect the two VPCs.
Answer: C

VPC peering provides low-latency, private connectivity between VPCs in the same region.

Why this answer

Option C is correct because a VPC peering connection allows two VPCs in the same region to communicate using private IPv4 or IPv6 addresses as if they were on the same network, with no single point of failure. It is highly available by design since traffic flows directly between the VPCs using the AWS global network infrastructure, without any intermediate devices or bandwidth limits.

Exam trap

AWS often tests the misconception that a VPN connection is required for private IP communication between VPCs, but VPC peering provides direct, private, and highly available connectivity without the overhead of VPN tunnels.

How to eliminate wrong answers

Option A is wrong because a VPN connection between two VPCs using virtual private gateways introduces a single point of failure (the VPN tunnel endpoints) unless multiple tunnels are configured, and it adds complexity and latency compared to a native VPC peering solution. Option B is wrong because an inter-region VPC peering connection is used for VPCs in different AWS regions, not for VPCs in the same region, and the question specifies same-region connectivity. Option D is wrong because while an AWS Transit Gateway can connect two VPCs, it introduces an additional cost and a central hub that, although highly available, is unnecessary for a simple two-VPC scenario and adds complexity beyond the requirements.

153
Multi-Select · medium

A company wants to design a multi-region active-active architecture with Amazon Route 53 latency-based routing and failover using health checks. Which TWO configurations are necessary? (Choose two.)

Select 2 answers
A. Use geolocation routing to direct users to the nearest region
B. Assign a weight to each record for traffic distribution
C. Configure a latency alias record for each region's resource
D. Create a health check for each resource and associate it with the record
E. Set the failover record type to 'Active-Active'
Answers: C, D

Latency-based routing uses latency alias records.

Why this answer

Option C is correct because latency-based routing in Route 53 uses alias records to route traffic based on the lowest latency for the end user. Configuring a latency alias record for each regional resource (e.g., an Application Load Balancer) allows Route 53 to respond with the IP of the resource that provides the best latency. Option D is correct because health checks must be associated with each latency record to enable failover; if a resource fails its health check, Route 53 removes it from the pool of healthy endpoints, ensuring traffic is only routed to healthy regions.

Exam trap

The trap here is that candidates often confuse latency-based routing with geolocation routing, or incorrectly assume that a failover record type must be explicitly set to 'Active-Active', when in fact the active-active behavior is achieved by combining latency-based routing with health checks, not by a specific record type.

154
MCQ · medium

A company is designing a hybrid network architecture using AWS Direct Connect. They have a single Direct Connect connection with a private virtual interface (VIF) to a VPC in us-east-1. The on-premises network uses BGP to advertise a prefix (10.0.0.0/8) to AWS. The VPC has a CIDR of 10.1.0.0/16. The company wants to add a second VPC (10.2.0.0/16) in the same region and allow on-premises to communicate with both VPCs. They plan to use a Transit Gateway to connect the VPCs and the Direct Connect gateway. The Direct Connect gateway is associated with the Transit Gateway. The on-premises router is advertising 10.0.0.0/8. After configuration, the on-premises network can communicate with 10.1.0.0/16 but not with 10.2.0.0/16. The network engineer verifies that the Transit Gateway route table has routes for both VPC attachments and that the Direct Connect gateway is associated with the Transit Gateway. What is the MOST likely issue?

A. The Direct Connect gateway is not associated with the Transit Gateway route table that contains the 10.2.0.0/16 route
B. The Transit Gateway route table does not have a route for 10.2.0.0/16
C. The private virtual interface is not configured to support multiple VPCs
D. The on-premises router is not advertising the 10.2.0.0/16 prefix
Answer: A

If the Direct Connect gateway attachment is in a different route table, it won't propagate the VPC CIDR to on-premises.

Why this answer

When using a Direct Connect gateway with a Transit Gateway, the Direct Connect gateway propagates routes to the Transit Gateway. The Transit Gateway route table must have a route for the on-premises prefix (10.0.0.0/8) pointing to the Direct Connect gateway attachment. Also, the Transit Gateway must propagate the VPC CIDRs to the Direct Connect gateway so that on-premises can learn them.

The issue is likely that the 10.2.0.0/16 route is not being propagated to the Direct Connect gateway. This can happen if the Transit Gateway route table does not have the VPC attachment associated or if the route propagation is disabled for that VPC attachment. The engineer verified routes in the Transit Gateway route table, so the issue might be that the Direct Connect gateway is not receiving the route for 10.2.0.0/16.

Typically, the Transit Gateway automatically propagates routes from attachments to the Direct Connect gateway if the route table is associated. However, if the VPC attachment is not associated with the same route table as the Direct Connect gateway attachment, propagation may not happen. The most likely fix is to ensure that both VPC attachments and the Direct Connect gateway attachment are in the same Transit Gateway route table.

155
Multi-Select · medium

A company is designing a network for a multi-account AWS environment using AWS Organizations. They need to centralize network management and enable VPC connectivity across accounts. Which THREE services should they consider? (Choose THREE.)

Select 3 answers
A. AWS Resource Access Manager
B. AWS CloudFormation StackSets
C. VPC Peering
D. AWS Direct Connect
E. AWS Transit Gateway
Answers: A, B, E

RAM shares a Transit Gateway and other resources across accounts.

Why this answer

AWS Resource Access Manager (RAM) is correct because it enables you to share centrally managed resources, such as Transit Gateways and VPC subnets, across multiple AWS accounts within an AWS Organization. This eliminates the need to create duplicate resources in each account and allows for centralized network management without requiring cross-account IAM roles or complex peering configurations.

Exam trap

The trap here is that candidates often select VPC Peering because it is a familiar, simple connectivity option, but they overlook that it lacks transitive routing and centralized management, making it unsuitable for a multi-account architecture where AWS Transit Gateway is the correct scalable solution.

156
MCQ · medium

A company is designing a hybrid network with AWS Direct Connect and AWS Site-to-Site VPN as backup. The primary Direct Connect connection uses a private VIF to a VPC. If the Direct Connect fails, traffic should automatically fail over to the VPN connection. What is the MOST reliable way to achieve this failover?

A. Use BGP on Direct Connect and static routes on the VPN connection, with a higher metric for the VPN static route.
B. Configure static routes on the customer gateway device with a lower metric for the Direct Connect interface.
C. Use BGP on both connections and prepend AS paths on the Direct Connect routes to make them less preferred.
D. Use BGP on both connections and set a lower local preference on the Direct Connect routes.
Answer: C

AS path prepending makes Direct Connect routes less preferred, so VPN routes are used when Direct Connect is up. When Direct Connect fails, BGP sessions drop, and VPN routes become available automatically.

Why this answer

Option C is correct because using BGP on both connections allows you to influence route selection via AS path prepending. By prepending the AS path on the Direct Connect routes, you make them appear less preferred compared to the VPN routes, ensuring that under normal conditions traffic uses Direct Connect. When Direct Connect fails, the BGP session drops, the routes are withdrawn, and traffic automatically fails over to the VPN without any manual intervention or reliance on static metrics.

Exam trap

The trap here is that candidates often confuse local preference (which influences inbound traffic from BGP peers) with AS path prepending (which influences outbound route selection from the perspective of the BGP router), or they assume static metrics provide reliable failover without considering that static routes do not dynamically withdraw on link failure.

How to eliminate wrong answers

Option A is wrong because mixing BGP on Direct Connect with static routes on the VPN creates an asymmetric routing control plane; static routes cannot dynamically react to Direct Connect failure, and a higher metric on the static route would actually make the VPN less preferred, not a backup. Option B is wrong because configuring static routes on the customer gateway device with a lower metric for Direct Connect does not provide dynamic failover; if the Direct Connect link fails, the static route remains in the routing table until manually removed or a connectivity check fails, leading to blackholing. Option D is wrong because setting a lower local preference on Direct Connect routes would make them less preferred than VPN routes, causing traffic to use the VPN as the primary path, which is the opposite of the desired design where Direct Connect is primary.

157
MCQ · easy

A company wants to connect an Amazon RDS for SQL Server database instance in a VPC to an on-premises application. The connection must be encrypted in transit and should traverse the AWS backbone network. Which solution meets these requirements?

A. Set up an AWS Client VPN endpoint and connect the on-premises application
B. Create a VPC endpoint for RDS and connect on-premises to the endpoint
C. Establish an AWS Site-to-Site VPN connection over AWS Direct Connect
D. Configure ClassicLink to connect the on-premises network to the VPC
Answer: C

A VPN over Direct Connect provides encrypted IPsec tunnels over the private AWS backbone.

Why this answer

Option C is correct because an AWS Site-to-Site VPN over Direct Connect provides encrypted connectivity over the AWS backbone. Option A is wrong because Client VPN is for individual devices, not site-to-site. Option B is wrong because RDS does not support VPC endpoints.

Option D is wrong because ClassicLink is legacy and does not encrypt traffic.

158
MCQ · easy

A company needs to resolve DNS names within a VPC using a custom domain. Which AWS service should be used?

A. Elastic Load Balancing
B. Amazon CloudFront
C. Amazon Route 53 Resolver
D. AWS WAF
Answer: C

Route 53 Resolver provides DNS resolution inside the VPC.

Why this answer

Amazon Route 53 Resolver provides recursive DNS resolution for VPCs and supports custom domain names via inbound and outbound endpoints. It integrates with on-premises DNS through conditional forwarding, enabling resolution of custom private domains within the VPC without exposing them to the internet.

Exam trap

AWS often tests the misconception that Route 53 public hosted zones or CloudFront can resolve custom VPC DNS names, but only Route 53 Resolver with private hosted zones or forwarding rules handles custom domain resolution within a VPC.

How to eliminate wrong answers

Option A is wrong because Elastic Load Balancing is a traffic distribution service for load balancing incoming requests, not a DNS resolution service; it does not resolve custom domain names within a VPC. Option B is wrong because Amazon CloudFront is a content delivery network (CDN) that caches and delivers content at edge locations, not a DNS resolver for VPC internal name resolution. Option D is wrong because AWS WAF is a web application firewall that protects against common web exploits, not a DNS service; it cannot resolve custom domain names.

159
MCQ · hard

A company has a VPC with public and private subnets in two Availability Zones. The private subnets host EC2 instances that need to access the internet for software updates but must not be accessible from the internet. Which combination of resources meets these requirements with the least operational overhead?

A. A VPC endpoint for Amazon S3 in each private subnet
B. A NAT Gateway in each public subnet, with a route in the private route tables pointing to the NAT Gateway
C. A NAT instance in each public subnet, with a route in the private route tables pointing to the NAT instance
D. An Internet Gateway attached to the VPC with a route in the private route tables pointing to the Internet Gateway
Answer: B

NAT Gateway is managed and provides outbound internet access.

Why this answer

A NAT Gateway in a public subnet provides outbound internet access for private instances while preventing inbound access. Option B is correct. Option C (NAT instance) requires management.

Option A (VPC endpoint) is for specific AWS services, not general internet. Option D (Internet Gateway directly) would make instances publicly accessible.

160
MCQ · easy

A company needs to connect its on-premises data center to AWS using a dedicated, low-latency connection. Which AWS service should be used?

A. AWS Direct Connect
B. AWS Transit Gateway
C. AWS Site-to-Site VPN
D. VPC Peering
Answer: A

Direct Connect provides a dedicated, low-latency connection from on-premises to AWS.

Why this answer

AWS Direct Connect is the correct choice because it provides a dedicated, private, low-latency network connection from an on-premises data center directly to AWS, bypassing the public internet. This service uses industry-standard 802.1Q VLANs to create virtual interfaces, ensuring consistent performance and reduced latency for mission-critical workloads.

Exam trap

The trap here is that candidates often confuse AWS Site-to-Site VPN as a dedicated connection, but it is encrypted over the public internet and does not guarantee low latency or dedicated bandwidth, unlike Direct Connect.

How to eliminate wrong answers

Option B is wrong because AWS Transit Gateway is a network transit hub that interconnects VPCs and on-premises networks, but it does not itself provide a dedicated physical connection; it relies on underlying connectivity like Direct Connect or VPN. Option C is wrong because AWS Site-to-Site VPN uses the public internet with IPSec tunnels, introducing variable latency and potential bandwidth constraints, which does not meet the requirement for a dedicated, low-latency connection. Option D is wrong because VPC Peering connects only VPCs within AWS and cannot extend to an on-premises data center; it is not designed for hybrid connectivity.

161
MCQ · easy

A company has a VPC with a public subnet and a private subnet. The private subnet instances need to access an S3 bucket. Which configuration provides the most secure and efficient access without traversing the internet?

A. Establish a VPN connection to on-premises and route to S3 from there.
B. Use a NAT Gateway in the public subnet to route traffic to S3.
C. Create a VPC Gateway Endpoint for Amazon S3 and associate it with the private subnet route table.
D. Configure a proxy server in the public subnet.
Answer: C

Gateway Endpoint provides private, secure access to S3 without internet.

Why this answer

Option C is correct because a VPC Gateway Endpoint for Amazon S3 allows instances in a private subnet to access S3 directly over the AWS network without traversing the internet, using a route table entry that targets the endpoint's prefix list. This provides the most secure and efficient access by keeping traffic within the AWS backbone, avoiding NAT Gateway costs and internet exposure.

Exam trap

AWS often tests the misconception that a NAT Gateway is required for private subnet internet access, but the trap here is that S3 can be accessed privately via a Gateway Endpoint without any internet gateway or NAT, making options like B and D seem plausible but incorrect.

How to eliminate wrong answers

Option A is wrong because routing traffic to S3 via a VPN connection to on-premises adds unnecessary latency, complexity, and cost, and still requires internet traversal from on-premises to S3 unless the on-premises network also has a direct connection like Direct Connect. Option B is wrong because a NAT Gateway in the public subnet forces traffic to traverse the internet to reach S3, which is less secure (exposes traffic to internet routing) and less efficient (adds NAT processing and potential bandwidth costs) compared to a Gateway Endpoint. Option D is wrong because a proxy server in the public subnet introduces a single point of failure, additional management overhead, and still requires traffic to go through the internet or NAT, defeating the purpose of secure and efficient private access.
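Questions 151 and 161 both turn on how a private subnet route table chooses between the default route to the NAT Gateway and the more specific S3 prefix-list route to the gateway endpoint. The following is an added example, not part of the question bank, that simulates that longest-prefix-match decision. The prefix-list CIDRs, the NAT Gateway ID and the endpoint ID are constructed placeholders, not real AWS values.

```python
import ipaddress

# Constructed sample CIDRs standing in for the entries of the S3 managed prefix
# list; AWS resolves the real entries from the prefix-list ID named in the route.
S3_PREFIX_LIST = ["198.51.100.0/24", "203.0.113.0/24"]

# Placeholder resource IDs (assumed, not taken from the page).
NAT_GATEWAY = "nat-0example"
S3_ENDPOINT = "vpce-0example"


def build_private_route_table(vpc_cidr="10.0.0.0/16"):
    """Private subnet route table after both correct actions are applied:
    the default route to the NAT Gateway is kept for general egress, and the
    S3 prefixes are routed to the gateway endpoint."""
    table = [(vpc_cidr, "local"), ("0.0.0.0/0", NAT_GATEWAY)]
    table += [(prefix, S3_ENDPOINT) for prefix in S3_PREFIX_LIST]
    return table


def next_hop(route_table, destination):
    """Longest-prefix match, which is how a VPC route table selects a target:
    the most specific matching route wins regardless of its position."""
    addr = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for prefix, target in route_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_flows(route_table, destinations):
    """Map each destination to its next hop, making the split between S3
    traffic (endpoint) and other internet traffic (NAT Gateway) visible."""
    return {dst: next_hop(route_table, dst) for dst in destinations}


if __name__ == "__main__":
    table = build_private_route_table()
    # Constructed destinations: an address inside the sample S3 prefix list,
    # an unrelated internet host, and an address inside the VPC.
    for dst, hop in classify_flows(table, ["198.51.100.7", "192.0.2.10", "10.0.5.9"]).items():
        print(f"{dst:>15} -> {hop}")
```

Because the endpoint routes are more specific than 0.0.0.0/0, S3-bound packets never reach the NAT Gateway while everything else still does, which is why removing the default route (option A in question 151) is unnecessary.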

162
MCQ · easy

A company has an application that requires fixed IP addresses for whitelisting by third-party partners. The application is hosted on an Application Load Balancer (ALB) in a VPC. Which solution provides static IP addresses for the ALB?

A. Place an AWS Global Accelerator in front of the ALB.
B. Use Amazon CloudFront with the ALB as origin.
C. Assign an Elastic IP to the ALB.
D. Replace the ALB with a Network Load Balancer (NLB).
Answer: A

Global Accelerator provides static IPs for ALB.

Why this answer

AWS Global Accelerator provides two static IP addresses that act as fixed entry points for traffic. By placing it in front of an Application Load Balancer (ALB), you can whitelist these static IPs with third-party partners while the ALB itself remains dynamic. Global Accelerator uses the AWS global network to route traffic to the ALB, preserving the ALB's native HTTP/HTTPS features.

Exam trap

The trap here is that candidates assume CloudFront provides static IPs (it does not — it uses a shared, dynamic IP range) or that an ALB can be assigned an Elastic IP (only NLBs support Elastic IP assignment), leading them to choose B or C instead of Global Accelerator.

How to eliminate wrong answers

Option B is wrong because Amazon CloudFront does not guarantee static IP addresses; its IP ranges change over time and are published as a list, not fixed for whitelisting. Option C is wrong because an Application Load Balancer (ALB) does not support Elastic IP assignment — Elastic IPs are only available for Network Load Balancers (NLBs) or EC2 instances. Option D is wrong because replacing the ALB with an NLB would lose HTTP/HTTPS-specific features (e.g., path-based routing, host-based routing, and WebSocket support) that the application likely requires.

163
MCQ · medium

A company has a VPC with a CIDR of 10.0.0.0/16. It has six subnets: three public (10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24) and three private (10.0.4.0/24, 10.0.5.0/24, 10.0.6.0/24). The company wants to launch an RDS instance in a private subnet. Which subnet should the RDS instance be placed in to maximize high availability and follow best practices?

A. Place the RDS instance in a public subnet and use security groups to restrict access.
B. Place the RDS instance in all three private subnets to maximize availability.
C. Place the RDS instance in two private subnets that are in different Availability Zones.
D. Place the RDS instance in a single private subnet with a large CIDR for future scaling.
Answer: C

This allows Multi-AZ deployment for high availability.

Why this answer

RDS requires two subnets in different AZs for Multi-AZ deployments. The private subnets 10.0.4.0/24, 10.0.5.0/24, and 10.0.6.0/24 are in three different AZs (assuming each subnet is in a different AZ). Option C is correct because it uses two private subnets in different AZs.

Option A is incorrect because public subnets expose the database. Option D is incorrect because a single subnet does not provide high availability. Option B is incorrect because RDS does not require all of the private subnets.

164
MCQ · hard

A company is migrating a legacy on-premises application to AWS. The application uses a large number of short-lived TCP connections and requires low latency. The network team is considering using either a Network Load Balancer (NLB) or a Gateway Load Balancer (GWLB). Which of the following is a key advantage of using NLB over GWLB for this use case?

A. NLB can forward traffic to third-party virtual appliances.
B. NLB can handle higher throughput than GWLB.
C. NLB preserves the client source IP, while GWLB does not by default.
D. NLB supports TLS termination, while GWLB does not.
Answer: C

NLB preserves source IP; GWLB uses GENEVE encapsulation and hides original source IP.

Why this answer

For an application using a large number of short-lived TCP connections requiring low latency, NLB is the optimal choice because it operates at Layer 4 and preserves the client source IP address by default, which is critical for applications that need to log or process the original client IP. GWLB, by design, uses GENEVE encapsulation (UDP port 6081) to tunnel traffic to backend appliances, which replaces the client source IP with the NLB's private IP unless explicit configuration (e.g., proxy protocol) is used. This makes NLB the better fit for preserving source IP without additional overhead.

Exam trap

The trap here is that candidates often confuse GWLB's transparent inline appliance support with NLB's source IP preservation, assuming that GWLB also preserves source IP by default, when in fact it uses GENEVE encapsulation that obscures the original client IP unless additional configuration is applied.

How to eliminate wrong answers

Option A is wrong because forwarding traffic to third-party virtual appliances is a key feature of Gateway Load Balancer (GWLB), not NLB; NLB targets EC2 instances, IP addresses, or Lambda functions, not transparent inline appliances. Option B is wrong because both NLB and GWLB can handle extremely high throughput (up to millions of packets per second), and neither has a documented throughput advantage over the other in AWS documentation; throughput is limited by the underlying instance types and scaling policies, not the load balancer type. Option D is wrong because NLB does not support TLS termination natively; it can offload TLS to targets using TLS listeners, but it does not terminate TLS itself—that is a feature of Application Load Balancer (ALB), not NLB.

165
Multi-Select · hard

Which THREE of the following are valid considerations when designing a multi-Region active-active application using AWS Global Accelerator?

Select 3 answers
A. Global Accelerator supports sticky sessions (session affinity) based on client IP.
B. You can assign different weights to endpoints in different Regions to control traffic distribution.
C. Global Accelerator performs health checks on endpoints and routes traffic only to healthy endpoints.
D. Global Accelerator can preserve the client IP address when using Network Load Balancer as an endpoint.
E. Global Accelerator provides a set of static IP addresses that are unique to each Region.
Answers: B, C, D

Weights allow traffic splitting across endpoints.

Why this answer

Option B is correct because AWS Global Accelerator allows you to assign different weights to endpoints in different Regions, enabling granular control over traffic distribution for active-active architectures. This is achieved through endpoint group weights, where you can adjust the proportion of traffic sent to each Regional endpoint group, supporting scenarios like gradual rollouts or load balancing across Regions.

Exam trap

AWS often tests the misconception that Global Accelerator provides per-Region unique static IPs, but the trap here is that the static IPs are global anycast addresses, not Regional, and candidates may confuse sticky sessions with Global Accelerator's lack of session affinity.

166
MCQ · easy

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They have two subnets: a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). They launch an EC2 instance in the private subnet that needs to download software updates from the internet. The company configures a NAT gateway in the public subnet and adds a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT gateway. The NAT gateway is assigned an Elastic IP address. However, the EC2 instance cannot reach the internet. The security group for the EC2 instance allows all outbound traffic. What is the MOST likely cause?

A. The NAT gateway is not associated with a security group that allows outbound traffic.
B. The NAT gateway's Elastic IP address is not properly allocated.
C. The public subnet's route table does not have a route to an internet gateway.
D. The private subnet's route table does not have a route to the NAT gateway.
Answer: C

Without a route to an internet gateway, the NAT gateway cannot send traffic to the internet.

Why this answer

Option C is correct. The public subnet must have a route to an internet gateway for the NAT gateway to work. The NAT gateway resides in the public subnet, but if that subnet's route table does not have a route to an internet gateway, the NAT gateway cannot forward traffic to the internet.

Option A is incorrect because the NAT gateway does not need a security group. Option D is incorrect because the private subnet's route table already has a route to the NAT gateway. Option B is incorrect because the Elastic IP is needed for the NAT gateway, and if it is attached, it is not the cause.

167
MCQ · easy

A company has a VPC with public and private subnets. The private subnets need internet access for updates, but must not be directly reachable from the internet. Which AWS service should be used?

B. Internet gateway
C. VPN connection
D. VPC endpoint
Answer: A

A NAT gateway enables outbound internet access for private subnets.

Why this answer

A NAT gateway enables instances in a private subnet to initiate outbound IPv4 traffic to the internet (e.g., for software updates) while preventing unsolicited inbound connections from the internet. It resides in a public subnet with an Elastic IP and uses the internet gateway for outbound traffic, but it does not allow inbound traffic to reach the private instances directly.

Exam trap

AWS often tests the misconception that an internet gateway can be used for private subnets by adding a default route to it, but the trap here is that an internet gateway alone does not provide outbound-only access—it allows inbound traffic unless explicitly blocked by a network ACL, which still exposes the subnet to direct inbound connections.

How to eliminate wrong answers

Option B is wrong because an internet gateway allows bidirectional traffic between the VPC and the internet, which would make private subnets directly reachable from the internet if attached to their route table. Option C is wrong because a VPN connection provides encrypted connectivity to an on-premises network, not direct internet access for updates. Option D is wrong because a VPC endpoint provides private connectivity to AWS services (e.g., S3, DynamoDB) without traversing the internet, but it does not provide general internet access for updates.

168
Multi-Select · hard

A company is designing a network architecture for a multi-account AWS environment using AWS Transit Gateway. They need to meet the following requirements: (1) Centralized inspection of traffic between VPCs using a firewall appliance. (2) Isolated development environments that cannot communicate with each other but can access the internet via a centralized NAT gateway. (3) Compliance with PCI DSS for production workloads, requiring encryption in transit between VPCs. Which TWO actions should they take?

Select 2 answers
A. Use VPC Peering for all inter-VPC communication
B. Create a dedicated inspection VPC with a firewall appliance and attach it to the Transit Gateway. Use Transit Gateway route tables to route traffic from all VPCs through the inspection VPC.
C. Use AWS Site-to-Site VPN between each VPC and a central VPN hub
D. Create separate Transit Gateway route tables for production and development environments. For development VPCs, add a static route for 0.0.0.0/0 pointing to a NAT Gateway in a shared services VPC.
E. Use AWS Client VPN to connect development VPCs to the production VPC
Answers: B, D

An inspection VPC attached to the Transit Gateway provides centralized inspection.

Why this answer

Option B is correct because it enables centralized traffic inspection by attaching a dedicated inspection VPC with a firewall appliance to the Transit Gateway and using separate route tables to force all inter-VPC traffic through that inspection VPC. This design meets the requirement for centralized inspection without requiring complex peering or VPN configurations.

Exam trap

The trap here is that candidates often assume VPC Peering or VPNs are simpler solutions for multi-VPC connectivity, but they fail to recognize that Transit Gateway is specifically designed for transitive routing and centralized inspection at scale, and that separate route tables are essential for isolating development environments while sharing a common NAT gateway.

169
MCQ · easy

A company has a VPC with two subnets: subnet A (10.0.1.0/24) and subnet B (10.0.2.0/24). An EC2 instance in subnet A needs to communicate with an EC2 instance in subnet B. The instances are in the same VPC. What is the default behavior?

A. Communication is not allowed by default; a VPC peering connection is required
B. Communication is allowed only if they are in the same subnet
C. Communication is allowed only if a transit gateway is attached
D. Communication is allowed by default because they are in the same VPC
Answer: D

Instances in the same VPC can communicate by default.

Why this answer

By default, instances within the same VPC can communicate with each other regardless of subnet, as long as security groups and network ACLs allow traffic. No additional configuration is needed.

170
Multi-Select · hard

A company has a VPC with CIDR 10.0.0.0/16 and two subnets: 10.0.1.0/24 (public) and 10.0.2.0/24 (private). The company wants to add a new subnet for a third tier. Which of the following are valid subnet CIDRs that can be added? (Select TWO.)

Select 2 answers
A. 10.0.1.128/25
B. 10.0.3.0/24
C. 10.0.0.0/24
D. 10.1.0.0/16
E. 10.0.2.64/26
Answers: B, C

This is within the VPC CIDR and does not overlap with existing subnets.

Why this answer

Option B (10.0.3.0/24) is correct because it falls within the VPC CIDR 10.0.0.0/16 and does not overlap with the existing subnets (10.0.1.0/24 and 10.0.2.0/24). The /24 prefix length matches the existing subnet structure, and the third octet (3) is outside the range of the first two subnets, ensuring no IP address conflict.

Exam trap

AWS often tests the misconception that a subnet can be a subset of an existing subnet (e.g., 10.0.1.128/25 within 10.0.1.0/24), but AWS explicitly prohibits overlapping CIDR blocks within a VPC.

171
MCQ · medium

A company has a VPC with public and private subnets in two Availability Zones. The private subnets host EC2 instances that need to access the internet for software updates. The company must ensure that traffic from the private instances uses a single, predictable public IP address. What is the MOST cost-effective solution?

A. Attach an Internet Gateway to the VPC and update the private subnet route table with a default route to the Internet Gateway.
B. Create a Transit Gateway with a VPC attachment and route traffic through a central egress VPC.
C. Deploy a NAT Gateway in a public subnet in one Availability Zone, and route private subnet traffic to it.
D. Launch a NAT instance in a public subnet and configure source/destination check.
Answer: C

Correct: A single NAT Gateway provides outbound internet with a predictable IP, and is cost-effective.

Why this answer

Option C is correct because a NAT Gateway in a public subnet provides outbound-only internet access for private instances, and it uses a single Elastic IP address, ensuring a predictable public IP. This is the most cost-effective managed solution, as NAT Gateways are highly available within an Availability Zone and require no manual instance management.

Exam trap

The trap here is that candidates may choose Option D (NAT instance) thinking it is cheaper, but they overlook the operational overhead and the fact that a NAT Gateway is fully managed and more cost-effective when factoring in maintenance and availability.

How to eliminate wrong answers

Option A is wrong because attaching an Internet Gateway to the VPC and adding a default route to it in private subnets would allow direct outbound traffic, but private instances lack public IPs, so traffic would be dropped; this configuration also bypasses NAT, exposing private instances to inbound traffic. Option B is wrong because a Transit Gateway with a central egress VPC introduces unnecessary complexity and cost (Transit Gateway hourly charges and cross-AZ data transfer) for a simple outbound-only requirement that can be met with a single NAT Gateway. Option D is wrong because a NAT instance requires manual management (e.g., patching, scaling, failover) and source/destination check must be disabled for it to forward traffic, but it is less cost-effective than a NAT Gateway when considering operational overhead and potential downtime.

172
MCQ · hard

A company is migrating its on-premises data center to AWS. As part of the migration, they need to establish connectivity between their on-premises network (10.0.0.0/8) and multiple VPCs in a single region. They are using AWS Transit Gateway with a Direct Connect gateway. They have two Direct Connect connections, each with a private virtual interface (VIF) to the Direct Connect gateway. The on-premises routers are configured with BGP and are advertising 10.0.0.0/8. The Transit Gateway has three VPC attachments: VPC1 (10.1.0.0/16), VPC2 (10.2.0.0/16), and VPC3 (10.3.0.0/16). All VPC attachments are in the same Transit Gateway route table, which also includes the Direct Connect gateway attachment. Initially, all VPCs can communicate with on-premises. After a maintenance window, the network team adds a new on-premises subnet (10.4.0.0/16) and updates the BGP advertisement to include 10.4.0.0/16. However, after the change, instances in VPC3 can no longer reach on-premises resources in any subnet, while VPC1 and VPC2 can still communicate with all on-premises subnets including the new one. The network engineer checks the Transit Gateway route table and sees that the route for 10.0.0.0/8 is present, pointing to the Direct Connect gateway attachment. What is the MOST likely cause of the issue?

A. The VPC3 subnet route tables have a static route for 10.0.0.0/8 that points to a non-existent or unavailable target
B. The BGP advertisement for 10.4.0.0/16 exceeded the allowed prefix limit on the Direct Connect gateway
C. The Direct Connect gateway is not propagating routes to the Transit Gateway for VPC3
D. The Transit Gateway route table has a route for 10.4.0.0/16 that is blackholed
Answer: A

A more specific static route in the VPC route table can override the Transit Gateway route, causing a blackhole.

Why this answer

The symptom is confined to VPC3, so the cause is almost certainly specific to VPC3 rather than to the shared path. The Transit Gateway route table holds the 10.0.0.0/8 route pointing at the Direct Connect gateway attachment, so every attached VPC should reach on-premises through it, and VPC1 and VPC2 confirm that the shared path still works after the change.

The options that would break the shared path can be ruled out. If the BGP advertisement for 10.4.0.0/16 had exceeded a prefix limit on the Direct Connect gateway, the BGP session would drop and all three VPCs would lose on-premises connectivity (Option B). If the Direct Connect gateway were not propagating routes to the Transit Gateway, the 10.0.0.0/8 route would not be present in the Transit Gateway route table, and propagation is not per-VPC in any case (Option C). A blackholed route for 10.4.0.0/16 in the Transit Gateway route table would affect only that one subnet, and it would affect every VPC, not just VPC3 (Option D).

That leaves the VPC3 subnet route tables. A manually added static route there for 10.0.0.0/8 (or a more specific on-premises prefix) that points at a target which no longer exists or is unavailable, such as a removed network interface or a VPN connection that is no longer active, takes precedence over the Transit Gateway path for that VPC only and drops the traffic. This matches Option A.

173
MCQ · easy

A company wants to allow their employees to securely access resources in a VPC from their home offices. Which AWS service should they use?

A. AWS Client VPN
B. AWS Direct Connect
C. AWS Site-to-Site VPN
D. Amazon CloudFront
Answer: A

Client VPN provides secure remote access for individual users.

Why this answer

AWS Client VPN is a managed, cloud-based VPN service that allows individual users to securely access AWS resources from remote locations, such as home offices, using a VPN client installed on their device. It supports OpenVPN-based connections and integrates with Active Directory for user authentication, making it ideal for remote employee access to a VPC without requiring dedicated hardware or complex site-to-site configurations.

Exam trap

AWS often tests the distinction between user-based VPN (Client VPN) and network-based VPN (Site-to-Site VPN), where candidates mistakenly choose Site-to-Site VPN for remote employees because they overlook the requirement for individual client software and user authentication.

How to eliminate wrong answers

Option B (AWS Direct Connect) is wrong because it provides a dedicated, private network connection from an on-premises data center to AWS, which is designed for high-bandwidth, consistent throughput and is not suitable for individual home office users due to high cost and physical installation requirements. Option C (AWS Site-to-Site VPN) is wrong because it creates a persistent VPN tunnel between an on-premises network (e.g., a corporate office with a router) and a VPC, requiring a customer gateway device and static routing, which is impractical for individual remote employees without a fixed network infrastructure. Option D (Amazon CloudFront) is wrong because it is a content delivery network (CDN) that caches and delivers static and dynamic content at edge locations, not a VPN service for secure network access to VPC resources.

174
MCQ · hard

A company has a VPC with multiple subnets. The security team requires that all outbound traffic from the VPC to the internet must traverse a centralized inspection appliance for traffic inspection. Which architecture should be used?

A. Use VPC Peering between all VPCs
B. Configure a NAT Gateway in each Availability Zone
C. Use Transit Gateway with VPC attached and route traffic through a shared services VPC containing the inspection appliance
D. Use AWS Direct Connect to route traffic on-premises
Answer: C

Transit Gateway enables routing traffic through an inspection VPC.

Why this answer

Option C is correct because a Transit Gateway with a shared services VPC architecture allows centralized inspection of all outbound internet traffic. By attaching the VPCs to a Transit Gateway and routing traffic through a shared services VPC that hosts the inspection appliance (e.g., a firewall or proxy), you can enforce security policies. The Transit Gateway acts as a hub, enabling transitive routing between VPCs while directing internet-bound traffic to the inspection appliance before it reaches an internet gateway or NAT gateway.

Exam trap

AWS often tests the misconception that VPC Peering or NAT Gateway can provide centralized inspection, but they lack the transitive routing and traffic forwarding capabilities required for a hub-and-spoke inspection model.

How to eliminate wrong answers

Option A is wrong because VPC Peering does not support transitive routing; traffic between peered VPCs cannot be routed through a centralized inspection appliance in another VPC without complex and unscalable full-mesh peering. Option B is wrong because a NAT Gateway only provides outbound internet connectivity with source NAT and does not support traffic inspection; it cannot forward traffic to an inspection appliance for deep packet inspection. Option D is wrong because AWS Direct Connect is used for private connectivity to on-premises networks, not for routing outbound internet traffic through an inspection appliance; it does not inherently provide internet access or traffic inspection capabilities.

175
MCQ · easy

A company wants to connect two VPCs in the same AWS region using a hub-and-spoke model. Which AWS service should be used to route traffic between the VPCs through a central inspection VPC?

A. AWS Direct Connect
B. AWS Transit Gateway
C. AWS VPN CloudHub
D. VPC Peering
Answer: B

Transit Gateway enables hub-and-spoke connectivity with centralized routing and inspection.

Why this answer

Option B is correct because AWS Transit Gateway provides a hub-and-spoke model for connecting multiple VPCs, with centralized routing and inspection capabilities. Option D is wrong because VPC Peering does not allow transitive routing; each peering connection is a one-to-one relationship. Option A is wrong because AWS Direct Connect is for on-premises connectivity, not VPC-to-VPC.

Option C is wrong because AWS VPN CloudHub is for connecting multiple VPN connections.

176
Multi-Select · hard

A company is designing a global network with multiple VPCs connected via AWS Transit Gateway. The company wants to route traffic between VPCs through a centralized inspection VPC that hosts firewalls. Which configurations are required? (Choose THREE.)

Select 3 answers
A. Configure a default route (0.0.0.0/0) in the Transit Gateway route table pointing to the inspection VPC attachment.
B. Create VPC endpoints for the inspection services.
C. Add static routes in the Transit Gateway route tables for VPC attachments.
D. Propagate VPC attachment routes to a dedicated route table.
E. Establish VPC peering connections between each VPC and the inspection VPC.
Answers: A, C, D

Directs all inter-VPC traffic to inspection VPC.

Why this answer

Option A is correct because configuring a default route (0.0.0.0/0) in the Transit Gateway route table pointing to the inspection VPC attachment forces all inter-VPC traffic that does not match a more specific route to be sent to the inspection VPC for firewall inspection. This is a common pattern for centralized inspection, where the inspection VPC acts as a next hop for all traffic between VPCs.

Exam trap

AWS often tests the misconception that VPC peering can be used for transitive routing or that VPC endpoints can replace Transit Gateway for inter-VPC traffic inspection, but neither supports the required centralized inspection pattern.

177
MCQ · hard

Refer to the exhibit. An EC2 instance launched in subnet-1a is unable to access the internet. Which is the most likely cause?

A. The route table rtb-main does not have a default route to the internet gateway.
B. The VPC does not have DNS hostnames enabled.
C. Subnet-1a does not assign public IP addresses automatically.
D. Subnet-1a is not associated with any route table.
Answer: C

MapPublicIpOnLaunch is false, so instances lack public IPs.

Why this answer

Option C is correct. Subnet-1a is associated with route table rtb-main which has a default route to an internet gateway, but the subnet does not have MapPublicIpOnLaunch set to true (it is false). For a subnet to have internet access via an internet gateway, instances must have public IP addresses.

Option A is wrong because the route table has a default route to the internet gateway. Option D is wrong because the subnet is associated with route table rtb-main. Option B is wrong because the VPC has DNS hostnames enabled, and that setting does not affect internet access in any case.

178
MCQ · easy

A company has a VPC with a CIDR block of 10.0.0.0/16. The company needs to peer with another VPC that has a CIDR block of 10.0.0.0/16. What should the network engineer do to enable connectivity between the two VPCs?

A. Use an AWS Transit Gateway with Network Address Translation (NAT) to resolve overlapping CIDRs.
B. Use an internet gateway to route traffic between the VPCs.
C. Create a VPC peering connection and add routes in both route tables.
D. Create a VPC peering connection and use a network address translation (NAT) device.
Answer: A

Transit Gateway can support overlapping CIDRs with NAT.

Why this answer

Option A is correct because when two VPCs have overlapping CIDR blocks (both 10.0.0.0/16), a standard VPC peering connection cannot be established due to route table conflicts. An AWS Transit Gateway can be used with Network Address Translation (NAT) to translate the overlapping IP addresses, enabling connectivity between the VPCs by allowing traffic to be routed through the Transit Gateway with NAT applied to resolve the address conflict.

Exam trap

The trap here is that candidates assume VPC peering can always be established and then fixed with NAT, but AWS VPC peering explicitly requires non-overlapping CIDR blocks at the time of creation, making peering impossible regardless of later NAT configuration.

How to eliminate wrong answers

Option B is wrong because an internet gateway is designed to enable communication between a VPC and the internet, not between two VPCs; it cannot route traffic directly between VPCs. Option C is wrong because VPC peering requires non-overlapping CIDR blocks to add routes in both route tables; with identical 10.0.0.0/16 CIDRs, the routes would conflict, making peering impossible. Option D is wrong because a VPC peering connection cannot be created with overlapping CIDRs in the first place, so adding a NAT device after peering is not feasible; the peering request itself would fail due to the CIDR conflict.

179
Multi-Select · medium

A company is designing a hybrid network using AWS Direct Connect. They have a VPC with a CIDR of 10.0.0.0/16 and an on-premises network with CIDR 10.0.0.0/8. The company needs to ensure that traffic from the VPC to the on-premises network uses the Direct Connect connection and that traffic does not traverse the internet. Which TWO actions are required? (Choose TWO.)

Select 2 answers
A. Attach the VPC to an AWS Transit Gateway
B. Create a private virtual interface (VIF) on the Direct Connect connection
C. Configure static routes or BGP to advertise the on-premises CIDR to the VPC
D. Create a public virtual interface (VIF) on the Direct Connect connection
E. Create a Direct Connect Gateway to connect the VPC to the on-premises network
Answers: B, C

Private VIF allows connectivity to the VPC via the Virtual Private Gateway.

Why this answer

Options B and C are correct. Option B is correct because a private VIF is required for private IP communication with the VPC. Option C is correct because static routes or BGP advertise the on-premises CIDR over the VIF.

Option D is wrong because a public VIF is for internet-routable IPs. Option E is wrong because a Direct Connect Gateway is not required for a single VPC. Option A is wrong because a Transit Gateway is not required.

180
MCQ · hard

A company has a Direct Connect connection with two private virtual interfaces (VIFs) to two different VPCs in the same AWS Region. The company wants to use AWS Transit Gateway to simplify connectivity between these VPCs and their on-premises network. Which steps are required to integrate the existing Direct Connect connection with Transit Gateway?

A. Set up a VPN connection over the Direct Connect link and attach the VPN to the Transit Gateway.
B. Attach the existing private VIFs directly to the Transit Gateway.
C. Create a new private VIF on the Direct Connect connection and attach it to the Transit Gateway.
D. Create a Direct Connect gateway, associate the existing VIFs, and attach the Direct Connect gateway to the Transit Gateway.
Answer: D

This is the correct integration path.

Why this answer

Option D is correct because AWS Direct Connect private VIFs cannot be attached directly to a Transit Gateway. Instead, you must create a Direct Connect Gateway, associate the existing private VIFs with it, and then attach the Direct Connect Gateway to the Transit Gateway. This architecture allows the Transit Gateway to route traffic between the on-premises network (via the Direct Connect connection) and the attached VPCs, while also enabling inter-VPC routing through the Transit Gateway.

Exam trap

The trap here is that candidates assume private VIFs can be attached directly to a Transit Gateway, similar to how they attach to VPCs, but AWS requires the intermediate Direct Connect Gateway to mediate between the Layer 2 VIF and the Layer 3 Transit Gateway routing domain.

How to eliminate wrong answers

Option A is wrong because setting up a VPN over Direct Connect adds unnecessary complexity and overhead; Transit Gateway natively supports Direct Connect Gateway integration without requiring a VPN. Option B is wrong because private VIFs cannot be attached directly to a Transit Gateway; they must be associated with a Direct Connect Gateway first. Option C is wrong because creating a new private VIF is unnecessary; the existing VIFs can be reused by associating them with a Direct Connect Gateway, and a single Direct Connect Gateway can handle multiple VIFs for the same Transit Gateway.

181
MCQ · medium

A company is designing a hybrid network architecture that connects an on-premises data center to AWS via AWS Direct Connect. The on-premises network uses BGP to advertise routes to AWS. The company wants to ensure that the on-premises network can reach all VPCs in the AWS account using a single Direct Connect virtual interface. Which solution should the architect use?

A. Create a Direct Connect gateway and associate all VPCs directly.
B. Create a transit gateway and a Direct Connect gateway. Attach the VPCs to the transit gateway and associate the transit gateway with the Direct Connect gateway.
C. Create VPC peering connections between all VPCs and the on-premises network.
D. Create a virtual private gateway and attach all VPCs to it.
Answer: B

This setup allows multiple VPCs to communicate over a single Direct Connect virtual interface.

Why this answer

Option B is correct because a transit gateway acts as a central hub for VPC-to-VPC and on-premises connectivity, and when associated with a Direct Connect gateway via a transit virtual interface, it allows a single Direct Connect connection to reach multiple VPCs. The Direct Connect gateway terminates the BGP session from on-premises and forwards traffic to the transit gateway, which then routes to the attached VPCs. This design scales to many VPCs without requiring multiple virtual interfaces or complex peering.

Exam trap

The trap here is that candidates often assume a Direct Connect gateway can directly connect to multiple VPCs, but it requires a transit gateway to enable multi-VPC connectivity, as the Direct Connect gateway alone only supports a single VPC via a virtual private gateway.

How to eliminate wrong answers

Option A is wrong because a Direct Connect gateway can only be associated with a single virtual private gateway or transit gateway per association, not directly with multiple VPCs; it requires an intermediate gateway to route traffic to multiple VPCs. Option C is wrong because VPC peering does not support transitive routing and requires a full mesh of peering connections between all VPCs and the on-premises network, which is not feasible for a single Direct Connect virtual interface. Option D is wrong because a virtual private gateway can only be attached to a single VPC, so it cannot provide connectivity to all VPCs in the account via one Direct Connect virtual interface.

182
Multi-Select · easy

A company is designing a VPC architecture for a web application that must be highly available across multiple Availability Zones. Which TWO components should be deployed in at least two Availability Zones to meet this requirement?

Select 2 answers
A. Transit Gateway
B. Internet Gateway
D. Application Load Balancer (with subnets in multiple AZs)
E. VPN connection
Answers: C, D

NAT Gateway is deployed in a specific AZ; multiple AZs needed for HA.

Why this answer

Options C and D are correct. NAT Gateways are AZ-specific, so deploying one in each of multiple AZs ensures availability if one AZ fails. Application Load Balancers are regional services, but they must be configured with subnets in multiple AZs.

Option B is wrong because an Internet Gateway is a horizontally scaled, redundant service per VPC, not per AZ. Option E is wrong because a VPN connection is per VPC, not per AZ. Option A is wrong because a Transit Gateway is a regional service.

183
Multi-Select · hard

Which TWO actions can be taken to reduce the attack surface of a VPC's public subnets? (Choose 2.)

Select 2 answers
A. Allow all inbound traffic from the internet to the public subnets
B. Place web servers in private subnets and use a load balancer in a public subnet
C. Use a single subnet for all application tiers
D. Use security groups to restrict inbound traffic to only necessary ports and IPs
E. Disable ICMP traffic on the network ACL
Answers: B, D

Reduces direct exposure of web servers.

Why this answer

Option B is correct because placing web servers in private subnets and using a load balancer in a public subnet reduces the attack surface by ensuring that the web servers have no direct internet-facing IP addresses. The load balancer acts as a single point of ingress, allowing security groups to tightly control traffic from the load balancer to the web servers, while the public subnet only exposes the load balancer's endpoints. This architecture follows AWS best practices for a multi-tier application, minimizing the number of resources directly accessible from the internet.

Exam trap

AWS often tests the misconception that disabling ICMP or using network ACLs alone is sufficient to reduce attack surface, when in fact the primary reduction comes from architectural changes like moving instances to private subnets and using a load balancer, combined with security group restrictions.

184
MCQ · medium

A company is deploying a web application in a VPC with public and private subnets. The web servers in public subnets must be protected from direct internet access, but they need to receive traffic from an Application Load Balancer (ALB). Which architecture should be used?

A. Internet-facing ALB in public subnets with web servers also in public subnets
B. Internal Network Load Balancer in private subnets with web servers
C. Internet-facing ALB in public subnets, and internal ALB in private subnets pointing to web servers
D. Amazon CloudFront with origin pointing to web servers in public subnets
Answer: C

This allows traffic to flow through the internet-facing ALB to the internal ALB, keeping web servers private.

Why this answer

Option C is correct because it uses an internet-facing ALB in public subnets to receive traffic from the internet, then forwards it to an internal ALB in private subnets, which distributes traffic to web servers in private subnets. This ensures the web servers are not directly accessible from the internet, meeting the security requirement while still allowing traffic from the ALB. The internal ALB uses private IP addresses, keeping the web servers isolated from direct internet access.

Exam trap

The trap here is that candidates often assume an internet-facing ALB alone can protect servers in public subnets, but the key requirement is that servers must not be directly accessible from the internet, which necessitates placing them in private subnets and using an internal ALB for internal routing.

How to eliminate wrong answers

Option A is wrong because placing web servers in public subnets with an internet-facing ALB still allows direct internet access to the servers if security groups are misconfigured, and the requirement explicitly states servers must be protected from direct internet access. Option B is wrong because an internal Network Load Balancer cannot receive traffic from the internet; it only routes traffic within the VPC, so it cannot serve as the entry point for external users. Option D is wrong because Amazon CloudFront with an origin pointing to web servers in public subnets still exposes the servers directly to the internet (via the origin), and CloudFront does not inherently protect the servers from direct access unless additional measures like VPC origins or WAF are used, which are not specified.

185
MCQ · medium

A company wants to monitor network traffic in their VPC for troubleshooting and security analysis. They need to capture IP traffic information, including source/destination IPs, ports, and protocol, but not the packet payload. Which AWS service should be used?

A. Amazon CloudWatch Logs.
B. AWS Network Firewall.
C. VPC Flow Logs.
D. AWS Traffic Mirroring.
Answer: C

VPC Flow Logs capture metadata without payload.

Why this answer

VPC Flow Logs capture metadata about IP traffic in a VPC, including source/destination IPs, ports, protocol, and packet counts, but never the payload. This meets the requirement for troubleshooting and security analysis without the overhead or privacy concerns of full packet capture.

Exam trap

The trap here is that candidates confuse VPC Flow Logs (metadata only) with AWS Traffic Mirroring (full packet capture), assuming both provide payload data, but the question explicitly excludes payload capture.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Logs is a service for storing, monitoring, and accessing log files from AWS resources, not for capturing network traffic metadata directly from the VPC. Option B is wrong because AWS Network Firewall is a managed firewall service that filters traffic based on rules, but it does not natively log flow-level metadata like source/destination IPs and ports without additional configuration. Option D is wrong because AWS Traffic Mirroring copies entire packets (including payload) from network interfaces for deep packet inspection, which exceeds the requirement to capture only metadata and not payload.

186
MCQ · medium

A company has a VPC with an application load balancer (ALB) in public subnets and web servers in private subnets. The web servers must be accessible only from the ALB. What is the most secure and efficient configuration?

A. Configure the web server security group to allow inbound HTTP from 0.0.0.0/0.
B. Configure the web server security group to allow inbound HTTP from the ALB's security group.
C. Configure the web server security group to allow inbound HTTP from the ALB's private IP addresses.
D. Configure the web server security group to allow inbound HTTP from the VPC CIDR.
Answer: B

Correct: Only ALB traffic is allowed.

Why this answer

Option B is correct because an ALB has its own security group, and using that security group ID as the source in the web server security group restricts inbound HTTP to traffic from the ALB only. Option D is wrong because it allows traffic from anywhere in the VPC. Option A is wrong because it allows traffic from any source on port 80.

Option C is wrong because it restricts access to a specific IP range that may not represent the ALB.

187
MCQ · easy

A company has a VPC with public and private subnets. They launch an Amazon RDS for MySQL DB instance in a private subnet. The DB instance needs to be accessible from an on-premises application that connects via an AWS Site-to-Site VPN. What is the MOST secure way to allow the on-premises application to connect to the DB instance?

A. Assign a public IP address to the DB instance and restrict access using a security group.
B. Place the DB instance in a private subnet and use a NAT gateway to allow inbound traffic.
C. Place the DB instance in a public subnet and configure a network ACL to allow traffic from the on-premises CIDR.
D. Place the DB instance in a private subnet and configure a security group to allow inbound traffic from the on-premises CIDR.
Answer: D

Private subnet with security group provides granular, stateful firewall control without internet exposure.

Why this answer

Option D is correct. The most secure approach is to place the RDS instance in a private subnet with a security group that only allows inbound traffic from the on-premises network's CIDR range. Since the connection comes over the VPN (a private network), there is no need to expose the database to the internet.

Option A is incorrect because making the DB instance publicly accessible is a security risk. Option C is incorrect because a network ACL is stateless and less granular than a security group; allowing traffic to the whole DB subnet is also overly permissive. Option B is incorrect because a NAT gateway is for outbound traffic, not inbound.

188
MCQ · hard

A company is designing a global application that will use Amazon CloudFront to serve content from an Application Load Balancer (ALB) in us-east-1. They want to restrict access to the ALB so that it only accepts traffic from CloudFront. Additionally, they want to ensure that if someone bypasses CloudFront and directly accesses the ALB, the request is denied. Which solution should they implement?

A.Use CloudFront Origin Access Control (OAC) to restrict access to the ALB.
B.Configure the ALB security group to allow inbound traffic only from the CloudFront IP address ranges published in the AWS IP address ranges JSON file.
C.Use AWS WAF on the ALB with a rule that allows traffic only from CloudFront IP ranges.
D.Configure CloudFront to add a custom HTTP header (e.g., X-Origin-Verify) to requests forwarded to the ALB. Configure the ALB to only forward requests that contain that specific header to the target group.
AnswerD

This ensures that only requests from CloudFront with the correct header are accepted, preventing direct access.

Why this answer

Option D is correct because it uses a custom HTTP header (e.g., X-Origin-Verify) that CloudFront adds to requests forwarded to the ALB, and the ALB is configured to only forward requests containing that specific header to the target group. This ensures that any request not originating from CloudFront (i.e., direct access to the ALB) lacks the header and is denied, providing a secure and scalable method to restrict access without relying on static IP lists.

Exam trap

AWS often tests the misconception that CloudFront Origin Access Control (OAC) or IP-based restrictions (security groups or WAF) are sufficient for ALB origins. OAC does not support ALB origins, and the CloudFront IP ranges are shared by every CloudFront customer, so an IP allow list still admits requests from any other distribution that someone points at the ALB; the secret custom header is what ties requests to your own distribution, and it is the reliable method for non-S3 origins.

How to eliminate wrong answers

Option A is wrong because OAC signs requests with AWS Signature Version 4 for origins that validate such signatures, such as S3; an ALB does not validate SigV4 signatures, so OAC cannot restrict access to it. Option B is wrong because the ranges in the JSON file change over time and must be kept in sync (the managed prefix list com.amazonaws.global.cloudfront.origin-facing removes that burden), and because those addresses are shared by all CloudFront distributions, so an IP allow list still accepts traffic from any other customer's distribution that is pointed at the ALB. Option C is wrong for the same reason: a WAF IP set restricts the source network, not the distribution, and needs the same maintenance. In practice the header check and the prefix-list restriction are complementary: the prefix list stops direct internet access to the ALB, the secret header stops access through someone else's distribution. Treat the header value as a secret: generate it randomly, keep it in a secrets store rather than in templates, and rotate it by accepting the old and new values at the ALB while the CloudFront origin configuration is updated.
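The listener-rule check behind option D, written out as an added example (not code from the page or from AWS): a model of an ALB listener whose http-header rule forwards requests carrying the expected X-Origin-Verify value and whose default action is a fixed 403, plus the two-phase rotation that keeps CloudFront and the ALB in agreement while the secret changes. The header name, secret values, target-group name and sample requests are all constructed for the example; a real ALB matches header values as strings with optional wildcards, whereas this model uses exact, constant-time comparison.

```python
"""Origin verification at the ALB, as in option D of question 188.

Added example, not code from the page or from AWS: a model of the ALB listener
that CloudFront forwards to. A listener rule with an http-header condition on
X-Origin-Verify forwards matching requests to the web target group; the default
action returns a fixed 403, so anything that reaches the ALB directly is
refused. Header name, secrets, target group and requests are constructed.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field

HEADER = "X-Origin-Verify"  # constructed name; any non-standard header works


@dataclass
class Rule:
    priority: int
    header_name: str
    accepted_values: list[str]  # more than one value only during rotation
    target_group: str


@dataclass
class Listener:
    rules: list[Rule] = field(default_factory=list)
    default_action: tuple[str, object] = ("fixed-response", 403)

    def evaluate(self, headers: dict[str, str]) -> tuple[str, object]:
        """Apply rules in priority order; fall through to the default action."""
        # HTTP header names are case-insensitive, so normalise before lookup.
        lowered = {k.lower(): v for k, v in headers.items()}
        for rule in sorted(self.rules, key=lambda r: r.priority):
            presented = lowered.get(rule.header_name.lower())
            if presented is None:
                continue
            # compare_digest avoids leaking the secret through timing differences.
            if any(hmac.compare_digest(presented.encode(), v.encode())
                   for v in rule.accepted_values):
                return ("forward", rule.target_group)
        return self.default_action


def new_secret() -> str:
    """A random header value; keep it in a secrets store, never in templates."""
    return secrets.token_hex(32)


def make_listener(accepted_values: list[str]) -> Listener:
    """Listener with one origin-verify rule and a deny-by-default action."""
    return Listener(rules=[Rule(10, HEADER, accepted_values, "tg-web")])


def rotate(old: str, new: str) -> tuple[Listener, Listener]:
    """Two-phase rotation so CloudFront and the ALB never disagree:
    phase 1 accepts both values while the CloudFront origin header is updated,
    phase 2 drops the old value once every edge forwards the new one."""
    return make_listener([old, new]), make_listener([new])
```

The same shape is what you configure for real: a listener rule with an http-header condition on the secret header forwarding to the target group, and a default action of fixed-response 403 rather than a forward, so that a request that bypasses CloudFront never reaches the targets.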

189
MCQhard

A company has a global application deployed across multiple AWS Regions. They use an Amazon Route 53 latency-based routing policy to direct users to the closest region. Recently, users in Asia are experiencing high latency even though traffic is being directed to the nearest region. The network team reviews the latency measurements and notices that the Route 53 latency values are based on the region where the resources are hosted, but the actual application performance is poor. What is the most likely cause?

A.The Route 53 health checks are failing, causing traffic to be routed to a different region.
B.The company has not enabled DNSSEC, causing additional DNS resolution time.
C.The application in the Asian region is overloaded, causing increased response times.
D.The Route 53 latency routing policy is not using anycast, causing suboptimal routing.
AnswerC

Latency routing only optimizes network path; application slowdown still causes high latency.

Why this answer

Option C is correct. Route 53 latency-based routing chooses the region with the lowest measured network latency between the resolver's location and the AWS Region; it does not measure how quickly the application answers. If the application in the Asian region is overloaded, users are still sent there, because the network path is the shortest, and they experience slow responses. A Route 53 health check on the application endpoint, or load balancer target health checks, is what would catch an unresponsive application and shift traffic.

Option A is incorrect because the question states that traffic is reaching the nearest region, so no failover has occurred; failover would also move users farther away rather than explain slowness in the nearest region. Option B is incorrect because DNSSEC adds signature validation to name resolution, a small one-time cost that is unrelated to application response time. Option D is incorrect because Route 53 already answers DNS from an anycast edge network, and anycast affects where DNS queries are answered, not the data path between the user and the application.

190
MCQmedium

A network engineer is troubleshooting connectivity between a VPC (10.0.0.0/16) and a peered VPC (10.1.0.0/16). The route table shown is associated with subnet-aaa. An EC2 instance in subnet-aaa cannot reach an instance in the peered VPC. What is the issue?

A.The route to the peered VPC's CIDR is missing
B.The route table does not have a route to an Internet Gateway
C.The route table is not associated with the correct subnet
D.The VPC peering connection is not in the 'active' state
AnswerD

If the peering connection is pending or rejected, traffic will not flow even though the route exists.

Why this answer

Option D is correct because a VPC peering connection must be in the 'active' state for traffic to flow between the VPCs. If the peering connection is in any other state (e.g., 'pending-acceptance', 'expired', 'failed', or 'deleted'), the route to the peered VPC's CIDR will be considered a black hole, and the EC2 instance in subnet-aaa will be unable to reach the instance in the peered VPC. The route table shown includes a route for 10.1.0.0/16 pointing to the peering connection, but the connection's state must be verified as 'active' for the route to be effective.

Exam trap

AWS often tests the misconception that simply adding a route to the peered VPC's CIDR in the route table is sufficient for connectivity, but the trap here is that the VPC peering connection must be in the 'active' state; otherwise, the route is a black hole and traffic will not flow.

How to eliminate wrong answers

Option A is wrong because the route table shown includes a route for 10.1.0.0/16 with the peering connection as the target, so the route to the peered VPC's CIDR is present, not missing. Option B is wrong because an Internet Gateway route is irrelevant for VPC peering traffic; the EC2 instance is trying to reach a private IP in the peered VPC, not the internet, and the route table does not need an IGW route for this communication. Option C is wrong because the question states the route table is associated with subnet-aaa, and the EC2 instance is in subnet-aaa, so the association is correct; the issue lies elsewhere.

191
Multi-Selecthard

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The company wants to centralize internet egress for all VPCs through a single VPC that has a NAT Gateway and an internet gateway. Which TWO configurations are required to achieve this?

Select 2 answers
A.In the egress VPC, add a route for 0.0.0.0/0 to the Transit Gateway.
B.Create a VPN connection between each VPC and the Transit Gateway.
C.In the egress VPC, add a route for 0.0.0.0/0 to the internet gateway in the route table of the subnet containing the NAT Gateway.
D.In each non-egress VPC, add a route for 0.0.0.0/0 to the Transit Gateway.
E.In each non-egress VPC, delete the local route.
AnswersC, D

This allows the NAT Gateway to reach the internet via the internet gateway.

Why this answer

To centralize internet egress, the NAT Gateway lives in the egress VPC. Each non-egress VPC sends 0.0.0.0/0 to the Transit Gateway; the Transit Gateway route table sends 0.0.0.0/0 to the egress VPC attachment; inside the egress VPC, the attachment subnet's route table sends 0.0.0.0/0 to the NAT Gateway, and the NAT Gateway's subnet sends 0.0.0.0/0 to the internet gateway. Return traffic needs routes too: the egress VPC's route tables must send the spoke CIDRs (for example a 10.0.0.0/8 summary) back to the Transit Gateway, or replies are sent toward the internet gateway and dropped.

Option C is correct because the egress VPC's NAT subnet needs a default route to the internet gateway. Option D is correct because every other VPC needs a default route to the Transit Gateway. Option A is incorrect because pointing the egress VPC's default route at the Transit Gateway would send internet-bound traffic back to the Transit Gateway in a loop instead of out through the NAT Gateway. Option B is incorrect because VPCs join a Transit Gateway through VPC attachments; VPN attachments are for on-premises networks. Option E is incorrect because the local route cannot be deleted, and removing it would break traffic inside each VPC.

192
Multi-Selecthard

A company has a VPC with a public subnet and a private subnet. The private subnet hosts Amazon RDS instances. The security team wants to ensure that the RDS instances are not accessible from the internet. Which TWO actions should be taken?

Select 2 answers
A.Disable the 'Publicly accessible' option for the RDS instances.
B.Create a network ACL that denies all inbound traffic from 0.0.0.0/0.
C.Remove the route to an internet gateway from the private subnet's route table.
D.Ensure that the RDS instances are launched in a private subnet without a public IP address.
E.Configure the security group for the RDS instances to deny all inbound traffic.
AnswersC, D

Without a route to an internet gateway, traffic cannot reach the internet.

Why this answer

Options C and D are correct because together they remove the network path: with no internet gateway route in the subnet's route table and no public IP on the instance, nothing on the internet can reach it. Option E is wrong because security groups have no deny rules (they are allow-only), and an empty inbound rule set would also block the application tier that legitimately needs the database. Option B is wrong because a network ACL denying all inbound traffic from 0.0.0.0/0 blocks every source, including the application subnet, and adds nothing that the missing route does not already provide.

Option A is not one of the VPC-level actions the question asks for; the 'Publicly accessible' flag is an RDS attribute. Leave it disabled in practice as well, since a publicly accessible instance in a subnet with an internet gateway route would receive a public address.

193
Multi-Selectmedium

A company is designing a network for a three-tier web application that must be highly available across multiple Availability Zones. The application uses an Application Load Balancer (ALB) for the web tier, EC2 instances for the application tier, and an Amazon RDS Multi-AZ database for the database tier. Which TWO design choices improve availability and fault tolerance?

Select 2 answers
A.Launch all EC2 instances in a single Availability Zone to reduce network latency.
B.Configure Amazon RDS Multi-AZ with a standby instance in a different Availability Zone.
C.Use a single NAT gateway in one Availability Zone for all outbound traffic.
D.Deploy the ALB across at least two Availability Zones.
E.Use VPC Gateway Endpoints for S3 to avoid NAT gateway costs.
AnswersB, D

Provides automatic failover.

Why this answer

Option B is correct because Amazon RDS Multi-AZ maintains a synchronous standby replica in a different Availability Zone and fails over to it automatically, repointing the instance endpoint, if the primary instance or its AZ fails; the database tier stays available without manual intervention. Option D is correct because an ALB spans the Availability Zones you enable for it and keeps routing to healthy targets in the remaining AZs when one is lost; with the application instances spread across the same AZs, there is no single-AZ dependency in the web or application tier.

Option A concentrates every instance in one AZ, making that AZ a single point of failure. Option C does the same for outbound traffic: if the NAT gateway's AZ fails, private subnets in the other AZs lose internet access. Option E is a cost and privacy measure, not an availability one.

Exam trap

AWS often tests the misconception that a single NAT gateway is sufficient for high availability, but the trap here is that a single NAT gateway is a single point of failure unless paired with a second NAT gateway in another AZ and route tables that direct traffic to the healthy gateway.

194
Multi-Selecthard

A company has a VPC with CIDR 10.0.0.0/16. They have two subnets: subnet A (10.0.1.0/24) and subnet B (10.0.2.0/24). An EC2 instance in subnet A needs to communicate with an RDS database in subnet B. Both subnets have network ACLs that allow all inbound and outbound traffic. However, the instance cannot connect to the database. Which TWO configuration changes could solve this issue? (Choose TWO.)

Select 2 answers
A.Attach an Internet Gateway to the VPC.
B.Ensure that the route tables associated with both subnets have a local route for the VPC CIDR.
C.Create a VPC peering connection between the subnets.
D.Modify the security group for the RDS database to allow inbound traffic from the EC2 instance's security group on port 3306.
E.Add a NAT Gateway in a public subnet and route traffic through it.
AnswersB, D

Local route is needed for intra-VPC communication.

Why this answer

Option D is the change that almost always fixes this case: a security group is allow-only and stateful, so the database's group must have an inbound rule for port 3306 whose source is the EC2 instance's security group (or its CIDR); permissive network ACLs change nothing about that. Option B is the routing counterpart: traffic between subnets of one VPC relies on the local route for 10.0.0.0/16. That route is created automatically in every route table, main or custom, and cannot be deleted, but its target can be replaced by a network interface or Gateway Load Balancer endpoint for traffic inspection; confirm that the tables for subnets A and B still carry a local route that actually delivers traffic between the two subnets.

Option A is wrong because internet access is irrelevant to private-IP traffic within a VPC. Option C is wrong because peering connects separate VPCs; subnets in the same VPC are already connected by the local route. Option E is wrong because a NAT gateway serves outbound internet traffic, not subnet-to-subnet traffic.

Exam trap

AWS often tests the misconception that network ACLs alone control all traffic flow, but candidates forget that security groups must also allow inbound traffic, and that route tables must have a local route for intra-VPC communication.

195
MCQhard

A network engineer is troubleshooting a VPN connection between an on-premises network (172.16.0.0/16) and an AWS VPC (10.0.0.0/16). The VPN status is 'available' but traffic is not passing. The engineer runs the command shown in the exhibit. What is the most likely cause of the issue?

A.The VPN tunnels are not in 'UP' state.
B.The VPC route table does not have a route for 172.16.0.0/16 pointing to the virtual private gateway.
C.The tunnel inside CIDRs overlap with the VPC CIDR.
D.The BGP session is not established.
AnswerB

Without this route, VPC traffic to on-premises is dropped.

Why this answer

A VPN connection whose state is 'available' has been provisioned; that state does not by itself say whether the tunnels are up. Tunnel state is reported separately (the VgwTelemetry status of each tunnel in the DescribeVpnConnections output), and for a BGP-based VPN a tunnel reports UP only once its BGP session is established. With both tunnels UP, which is what the exhibit is assumed to show, the remaining reason for traffic to fail is routing: the VPC route table has no route for 172.16.0.0/16 pointing to the virtual private gateway, so instances never send on-premises traffic toward the VPN. The fix is a static route to the virtual private gateway or, for a BGP VPN, enabling route propagation from the gateway on the subnet route tables. Check the on-premises side as well: the customer gateway needs a route for 10.0.0.0/16 into the tunnel, and security groups and network ACLs must admit the traffic.

Exam trap

The trap here is that candidates see 'available' status and assume all components are working, but they overlook the critical requirement of a route in the VPC route table pointing to the virtual private gateway for the on-premises CIDR.

How to eliminate wrong answers

Option A is ruled out by the tunnel telemetry in the exhibit showing both tunnels UP, not by the connection state; a VPN connection stays 'available' even while both tunnels are DOWN, so the state alone never rules this out. Option C is wrong because tunnel inside CIDRs are link-local /30 blocks from 169.254.0.0/16 and cannot overlap 10.0.0.0/16; an invalid inside CIDR would prevent the tunnel from coming up at all rather than leave tunnels UP with no traffic. Option D is wrong because a BGP-based tunnel is reported UP only with its BGP session established, so UP telemetry rules out a BGP failure; if the VPN uses static routing, there is no BGP session to fail.

196
MCQeasy

A company needs to connect its on-premises data center to a VPC in AWS using a dedicated, private, and high-bandwidth connection. Which AWS service should be used?

A.AWS Client VPN
B.VPC Peering
C.AWS Site-to-Site VPN
D.AWS Direct Connect
AnswerD

Dedicated private connection.

Why this answer

AWS Direct Connect is the correct choice because it provides a dedicated, private, high-bandwidth network connection from an on-premises data center to AWS, with consistent latency and throughput, unlike VPN-based solutions that traverse the public internet. Note that Direct Connect is private but not encrypted by default; where encryption in transit is required, use MACsec on supported dedicated connections or run a Site-to-Site VPN over the Direct Connect link.

Exam trap

The trap here is that candidates often confuse AWS Site-to-Site VPN with a dedicated connection, overlooking that it still relies on the public internet and lacks the private, consistent bandwidth guarantees of Direct Connect.

How to eliminate wrong answers

Option A is wrong because AWS Client VPN is a managed remote access VPN service for individual clients (e.g., laptops) to connect to AWS or on-premises networks, not a dedicated high-bandwidth connection between a data center and a VPC. Option B is wrong because VPC Peering connects two VPCs within AWS, not an on-premises data center to a VPC, and it does not provide a dedicated physical connection. Option C is wrong because AWS Site-to-Site VPN creates an encrypted tunnel over the public internet, which does not offer the dedicated, private, or consistent high-bandwidth characteristics required; it is subject to internet variability and latency.

197
MCQhard

An IAM policy attached to a user allows creating and deleting VPCs and subnets only in us-east-1. The user attempts to create a VPC in eu-west-1. What will happen?

A.The API call will be denied with an authorization error.
B.The VPC will be created but the user will receive a warning.
C.The user can create the VPC because the condition is not applicable to VPC creation.
D.The VPC will be created successfully because the policy allows ec2:CreateVpc.
AnswerA

The condition fails, so IAM denies the action.

Why this answer

Option A is correct. The Allow statement carries a condition on aws:RequestedRegion (StringEquals us-east-1). For a request made in eu-west-1 the condition is not satisfied, so the statement does not apply; with no other statement granting ec2:CreateVpc, the request falls to IAM's implicit deny and the EC2 API returns an UnauthorizedOperation error. Option B is wrong because IAM produces only an allow or a deny; there is no warning outcome. Option C is wrong because aws:RequestedRegion is a global condition key populated for every regional API call, ec2:CreateVpc included. Option D is wrong because an Allow whose condition fails grants nothing; the action name appearing in the policy is not enough on its own.
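The evaluation behind that answer, as an added example (not code from the page or from AWS): a reduced model of the IAM decision logic, with explicit Deny beating Allow and a request that matches no applicable Allow falling to implicit deny, supporting Action wildcards and the StringEquals / StringNotEquals operators on aws:RequestedRegion. The two policy documents and the request contexts are constructed for the example; Resource matching and the remaining condition operators are deliberately left out.

```python
"""IAM evaluation of the region-scoped policy in question 197.

Added example, not code from the page or from AWS: a reduced model of the IAM
decision (explicit Deny > Allow > implicit deny) with Action wildcards and the
StringEquals / StringNotEquals operators on aws:RequestedRegion. Policies and
request contexts below are constructed; Resource matching is not modelled.
"""
from __future__ import annotations

import fnmatch

# Constructed: the policy described in the question, region-scoped by condition.
REGION_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:CreateVpc", "ec2:DeleteVpc",
                       "ec2:CreateSubnet", "ec2:DeleteSubnet"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},
        }
    ],
}

# Constructed: the same intent written as a guardrail, where a broad Allow is
# paired with an explicit Deny for every region other than us-east-1.
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1"]}},
        },
    ],
}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action: str) -> bool:
    # IAM action names match case-insensitively and support '*' and '?'.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """True when every operator/key pair in the block is satisfied by ctx.
    A key absent from the request context never satisfies StringEquals,
    and (as in IAM) does satisfy StringNotEquals."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            wanted = _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in wanted:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in wanted:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate(policy: dict, action: str, ctx: dict) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not _action_matches(st["Action"], action):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue  # an unsatisfied condition makes the statement not apply
        if st["Effect"] == "Deny":
            return "ExplicitDeny"  # nothing can override an explicit deny
        decision = "Allow"
    return decision
```

The second policy shows why region guardrails are usually written as an explicit Deny (typically in a service control policy): an Allow with a region condition only fails to grant, so another policy could still permit the action elsewhere, whereas the Deny holds regardless of what other policies allow.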

198
MCQmedium

A company is designing a network for a multi-tier application. The web tier must be accessible from the internet, the application tier must be accessible only from the web tier, and the database tier must be accessible only from the application tier. Which architecture meets these requirements?

A.Place each tier in a separate subnet and use network ACLs to allow traffic between tiers
B.Place each tier in a separate subnet and use security groups to allow traffic between tiers
C.Place all tiers in the same subnet and use security groups to control traffic
D.Place all tiers in a public subnet and use a NAT gateway for the application and database tiers
AnswerB

This provides isolation and granular control using security groups.

Why this answer

Option B is correct: each tier in its own subnets, with security groups chained by reference. The web tier's group allows 80/443 from the internet (or only from the load balancer's group), the application tier's group allows its port only from the web tier's group, and the database tier's group allows the database port only from the application tier's group. Because the rules reference security groups rather than addresses, scaling a tier in or out needs no rule changes. Option A is wrong because network ACLs are stateless, evaluated in rule-number order, match on CIDRs rather than instance identity, and cannot express 'only from the web tier' once tiers share address space. Option C is wrong because one subnet removes subnet-level controls (route tables, network ACLs) and the separation of public from private routing.

Option D is wrong because it puts every tier, including the database, in a public subnet; a NAT gateway provides outbound access and does nothing to limit who can reach an instance.
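A path trace that ties together the forwarding decisions in questions 190, 191, 194 and this one, as an added example (not code from the page or from AWS): subnet route tables resolved by longest-prefix match, a peering target that only carries traffic when the connection is active, a Transit Gateway target resolved through the TGW route table to an attachment whose subnet route table is consulted next, a NAT gateway handing the packet to its own subnet's route table, and finally a destination security group that admits the connection only if an inbound rule matches the port and the source by security-group reference or CIDR. All IDs, CIDRs, tables and security-group rules are constructed for the example; the spoke VPC is 10.0.0.0/16, the peer 10.1.0.0/16 and the egress VPC 10.9.0.0/16.

```python
"""Tracing a packet through VPC, peering and Transit Gateway route tables and
then through security groups (questions 190, 191, 194 and 198).

Added example, not code from the page or from AWS. Routing is longest-prefix
match per table; security groups are allow-only and stateful, so only the
forward direction is checked. Every ID, CIDR and rule below is constructed.
"""
from __future__ import annotations

import ipaddress

Net = ipaddress.IPv4Network

# Constructed topology: spoke VPC A (10.0.0.0/16) with a pending peering to
# VPC B (10.1.0.0/16), and an egress VPC (10.9.0.0/16) reached over tgw-1.
SUBNET_ROUTES = {
    "subnet-a":   {"10.0.0.0/16": "local", "10.1.0.0/16": "pcx-1", "0.0.0.0/0": "tgw-1"},
    "subnet-b":   {"10.0.0.0/16": "local"},                                  # RDS subnet, VPC A
    "subnet-egr": {"10.9.0.0/16": "local", "0.0.0.0/0": "nat-1", "10.0.0.0/8": "tgw-1"},
    "subnet-nat": {"10.9.0.0/16": "local", "0.0.0.0/0": "igw-1", "10.0.0.0/8": "tgw-1"},
}
PEERING_STATE = {"pcx-1": "pending-acceptance"}
TGW_ROUTES = {"0.0.0.0/0": "tgw-attach-egress", "10.0.0.0/16": "tgw-attach-a"}
ATTACHMENT_SUBNET = {"tgw-attach-egress": "subnet-egr", "tgw-attach-a": "subnet-a"}
NAT_SUBNET = {"nat-1": "subnet-nat"}


def lookup(routes: dict[str, str], dst: str) -> str | None:
    """Longest-prefix match over one route table; None when nothing matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in routes.items():
        net = Net(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(src_subnet: str, dst: str, subnet_routes=SUBNET_ROUTES) -> list[str]:
    """Hops taken from src_subnet toward dst, ending in a verdict:
    delivered, internet, blackhole, no-route, unknown-target or loop."""
    hops, subnet = [src_subnet], src_subnet
    for _ in range(8):  # bound the walk in case of a routing loop
        target = lookup(subnet_routes[subnet], dst)
        if target is None:
            return hops + ["no-route"]
        hops.append(target)
        if target == "local":
            return hops + ["delivered"]
        if target.startswith("igw-"):
            return hops + ["internet"]
        if target.startswith("pcx-"):
            ok = PEERING_STATE.get(target) == "active"
            return hops + ["delivered" if ok else "blackhole"]
        if target.startswith("tgw-"):
            attachment = lookup(TGW_ROUTES, dst)
            if attachment is None:
                return hops + ["blackhole"]
            hops.append(attachment)
            subnet = ATTACHMENT_SUBNET[attachment]
        elif target.startswith("nat-"):
            subnet = NAT_SUBNET[target]
        else:
            return hops + ["unknown-target"]
    return hops + ["loop"]


# Constructed security groups: the three-tier chain of question 198, with the
# database group of question 194 (MySQL on 3306 from the app tier only).
SG_RULES = {
    "sg-web": [{"ports": (443, 443), "cidr": "0.0.0.0/0"}],
    "sg-app": [{"ports": (8080, 8080), "source_sg": "sg-web"}],
    "sg-db":  [{"ports": (3306, 3306), "source_sg": "sg-app"}],
}


def sg_allows(dst_sg: str, port: int, src_sg: str | None = None,
              src_ip: str | None = None) -> bool:
    """Security groups are allow-only: admit iff some inbound rule matches."""
    for rule in SG_RULES[dst_sg]:
        low, high = rule["ports"]
        if not low <= port <= high:
            continue
        if "source_sg" in rule and rule["source_sg"] == src_sg:
            return True
        if "cidr" in rule and src_ip and ipaddress.ip_address(src_ip) in Net(rule["cidr"]):
            return True
    return False


def reachable(src_subnet: str, src_sg: str, src_ip: str,
              dst_ip: str, dst_sg: str, port: int) -> bool:
    """Routing and the destination security group must both allow the flow."""
    return (trace(src_subnet, dst_ip)[-1] == "delivered"
            and sg_allows(dst_sg, port, src_sg, src_ip))
```

Tracing the return path from the NAT subnet back to a spoke address is the check most often skipped in centralized-egress designs: drop the 10.0.0.0/8 route from subnet-nat and the reply leaves toward the internet gateway instead of the Transit Gateway.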

199
MCQhard

A company is deploying a VPC with a public and private subnet in each of three Availability Zones. They need to provide internet access to instances in the private subnets while ensuring that all outbound traffic is logged and that traffic to a particular on-premises CIDR (10.0.0.0/8) is routed via an AWS Direct Connect Virtual Private Gateway. The company has a VPN connection as a backup. Which design should they use?

A.Create a centralized egress VPC with NAT Gateways in each AZ. Peer the application VPCs to the egress VPC. Configure route tables in the application VPCs to send 0.0.0.0/0 to the egress VPC and 10.0.0.0/8 to the Direct Connect Virtual Private Gateway.
B.Place a NAT Gateway in each AZ in the application VPC. Configure route tables to send 0.0.0.0/0 to the NAT Gateway. Use a VPN connection for on-premises traffic.
C.Use a Transit Gateway to connect all VPCs and on-premises. Attach a NAT Gateway in one AZ to the Transit Gateway. Configure route tables to send 0.0.0.0/0 to the NAT Gateway and 10.0.0.0/8 to the Direct Connect Virtual Private Gateway.
D.Create a NAT instance in each private subnet and configure each instance's route table to send 0.0.0.0/0 to the NAT instance. For on-premises traffic, use a VPC peering connection to an on-premises network.
AnswerA

This design centralizes egress traffic, uses managed NAT Gateways, and allows logging. Route tables direct on-premises traffic through DX.

Why this answer

Option A is the intended answer: NAT Gateways in each AZ of a dedicated egress VPC avoid a single-AZ dependency, give one place to capture VPC Flow Logs (or insert an inspection appliance) for all outbound traffic, and the application route tables separate internet-bound traffic (0.0.0.0/0 toward the egress path) from on-premises traffic (10.0.0.0/8 to the virtual private gateway, where Direct Connect is preferred and the Site-to-Site VPN on the same gateway serves as backup). One caveat for real deployments: VPC peering does not support edge-to-edge routing, so a peered VPC cannot reach the internet through a NAT gateway or internet gateway in the egress VPC. The same centralized-egress design is built in practice with a Transit Gateway (spoke route tables send 0.0.0.0/0 to the TGW, and the TGW route table sends it to the egress VPC attachment), which is why option C's wording, attaching a NAT Gateway directly to the Transit Gateway, is the distractor rather than the Transit Gateway itself.

Exam trap

The trap here is that candidates often assume NAT Gateways must be placed in the same VPC as the private subnets, overlooking the centralized egress VPC pattern that enables logging and centralized control, and they may incorrectly think a Transit Gateway can directly attach a NAT Gateway.

How to eliminate wrong answers

Option B is wrong because it places NAT Gateways in the application VPC, which does not provide centralized logging of all outbound traffic, and it uses a VPN connection for on-premises traffic instead of routing 10.0.0.0/8 via Direct Connect as required. Option C is wrong because attaching a NAT Gateway to a Transit Gateway is not a supported configuration; NAT Gateways cannot be attached to Transit Gateways, and this design would not log all outbound traffic. Option D is wrong because it uses NAT instances instead of NAT Gateways, which are less reliable and do not provide the same level of logging, and it uses VPC peering for on-premises traffic, which is not a valid connection method for on-premises networks (Direct Connect or VPN are required).

200
MCQhard

A company has created a VPC Interface Endpoint for Amazon ECR (Docker registry API) as shown in the exhibit. However, an EC2 instance in the same VPC is unable to authenticate with the ECR registry using the private DNS name. What is the most likely cause?

A.Private DNS is not enabled for the endpoint
B.The endpoint service name is incorrect; it should be com.amazonaws.us-east-1.ecr.api
C.The endpoint is not in the 'available' state
D.The endpoint type should be Gateway, not Interface
AnswerA

When PrivateDnsEnabled is false, the private DNS name for the service is not automatically resolved to the endpoint's IPs, causing authentication failures.

Why this answer

The most likely cause is that private DNS is not enabled for the interface endpoint. With private DNS enabled, AWS creates a Route 53 private hosted zone for the service's default DNS name (here *.dkr.ecr.us-east-1.amazonaws.com) in the VPC, so that name resolves to the endpoint's elastic network interface addresses. Without it, the instance resolves the name to the service's public addresses, and from a subnet with no internet path the connection never completes. Enabling private DNS requires the VPC's enableDnsSupport and enableDnsHostnames attributes to be true. A complete private image pull also needs an ecr.api interface endpoint (used by GetAuthorizationToken, which produces the registry credential) and an S3 gateway endpoint, because ECR serves image layers from S3.

Exam trap

The trap here is that candidates often confuse the endpoint service name for ECR (dkr vs. api) or assume a Gateway endpoint can be used for ECR, but the core issue is the Private DNS toggle, which is a subtle but critical setting for Interface endpoints.

How to eliminate wrong answers

Option B is wrong because the endpoint service name for ECR Docker registry API is com.amazonaws.us-east-1.ecr.dkr, not com.amazonaws.us-east-1.ecr.api (the latter is for the ECR API, not the registry). Option C is wrong because if the endpoint were not in the 'available' state, it would not be functional at all, but the question states the endpoint is created as shown, implying it is available; the issue is DNS resolution, not endpoint state. Option D is wrong because ECR requires an Interface endpoint (powered by AWS PrivateLink) for private connectivity to the Docker registry API; a Gateway endpoint is only used for services like S3 and DynamoDB, not for ECR.

201
MCQmedium

A company is designing a network architecture for a two-tier web application. The web tier runs on EC2 instances behind an Application Load Balancer (ALB) in public subnets. The application tier runs on EC2 instances in private subnets. The application tier needs to access an Amazon RDS for PostgreSQL database in the same private subnets. The company requires that all traffic between the ALB and web tier, as well as between web tier and application tier, remain within the AWS network and not traverse the internet. The current design uses an Internet Gateway (IGW) for public subnet internet access and a NAT Gateway for private subnet outbound internet access. The web tier instances have a default route to the IGW, and the application tier instances have a default route to the NAT Gateway. The security groups are configured correctly. However, the application tier cannot connect to the RDS database. What is the MOST likely cause?

A.The application tier instances are using the RDS public DNS name instead of the private DNS name
B.The RDS database is in a different VPC
C.The ALB is not configured to forward traffic to the web tier
D.The NAT Gateway is not configured with the correct route to the RDS subnet
AnswerA

If the application connects to a public address for the database, the traffic leaves through the NAT Gateway and reaches RDS with the NAT Gateway's Elastic IP as its source, which the database security group does not allow.

Why this answer

The RDS instance and the application tier share the same private subnets and VPC, so they can talk over private IP addresses through the local route; neither the NAT Gateway nor the IGW is on that path, and internet access is not at issue.

A single RDS endpoint name resolves to the instance's private IP when queried through the VPC resolver, and to a public IP only from outside the VPC and only when the instance is marked publicly accessible. If the application has a hard-coded public address, or resolves the name through an external resolver that returns the public address, the connection goes out through the NAT Gateway and arrives at RDS with the NAT Gateway's Elastic IP as its source; a security group that correctly allows only the application tier's security group then drops it. Using the endpoint name resolved inside the VPC (or the private IP) keeps the traffic on the local route, where the security-group reference matches.

Option B is wrong because the question places the database in the same private subnets. Option C is wrong because the ALB-to-web-tier path is unrelated to the application-to-database path. Option D is wrong because a NAT Gateway has no route table of its own and is never on the path between two private subnets in the same VPC.

202
MCQeasy

A solutions architect needs to design a VPC with both IPv4 and IPv6 support. The VPC will have public and private subnets. Resources in private subnets need outbound IPv6 access to the internet. Which combination of resources should be used?

A.Internet gateway for public subnets and VPC gateway endpoints for private subnets
B.Internet gateway for public subnets and NAT gateway for private subnets
C.Internet gateway for both public and private subnets using route tables
D.Internet gateway for public subnets and egress-only internet gateway for private subnets
AnswerD

Egress-only internet gateway provides IPv6 outbound access for private subnets.

Why this answer

Option D is correct because an egress-only internet gateway (EIGW) is the managed gateway for outbound-only IPv6: instances in private subnets with IPv6 addresses can initiate connections to the internet, but the EIGW is stateful and rejects connections initiated from the internet. The internet gateway continues to serve the public subnets for both IPv4 and IPv6. A NAT gateway does not fill this role for IPv6: it translates private IPv4 addresses (and, with NAT64, lets IPv6-only workloads reach IPv4 destinations) but does not forward IPv6 traffic to IPv6 destinations.

Exam trap

AWS often tests the misconception that a NAT gateway can handle IPv6 traffic, but NAT gateways are IPv4-only; the trap here is confusing the IPv4 outbound solution (NAT gateway) with the IPv6 outbound solution (egress-only internet gateway), or assuming an internet gateway can be used in private subnets with route restrictions.

How to eliminate wrong answers

Option A is wrong because VPC gateway endpoints (S3 and DynamoDB) provide private paths to those two services only, not general outbound internet access. Option B is wrong because a NAT gateway is the IPv4 outbound solution; it does not carry IPv6-to-IPv6 traffic. Option C is wrong because an internet gateway route in a private subnet's table, combined with the globally routable IPv6 addresses those instances hold, makes them directly reachable from the internet (IPv6 has no NAT-style hiding), which defeats the purpose of a private subnet.

203
Drag & Dropmedium

Arrange the steps to configure an AWS Transit Gateway with attachments to multiple VPCs:

Why this order

First create the transit gateway, then create a VPC attachment for each VPC (choosing one subnet per Availability Zone the attachment should serve), associate each attachment with a transit gateway route table and enable propagation (or add static routes) so the transit gateway knows each VPC's CIDR, update the VPC route tables to send the other VPCs' CIDRs to the transit gateway, and finally test connectivity end to end, including security groups at the destination.

204
MCQeasy

A company has a VPC with a CIDR of 10.0.0.0/16. They want to connect this VPC to a second VPC with CIDR 10.1.0.0/16 using VPC Peering. The VPCs are in the same account and Region. What is the minimum number of route table entries needed in each VPC to enable full bidirectional communication?

A.Two routes in each VPC's route table: one for the local CIDR and one for the peer CIDR
B.No routes are needed because VPC Peering automatically enables communication
C.One route in each VPC's route table
D.One route in only one VPC's route table
AnswerC

Each VPC needs a route to the peer VPC's CIDR via the peering connection.

Why this answer

Option C is correct because each VPC needs exactly one additional route: the peer VPC's CIDR with the peering connection as target (10.1.0.0/16 via the peering connection in the first VPC, 10.0.0.0/16 via it in the second). Option A is wrong because the local route for a VPC's own CIDR is created automatically in every route table and never has to be added. Option B is wrong because a peering connection carries no traffic until routes point at it. Option D is wrong because a route in only one VPC lets requests go out but gives the peer no route for the replies, so the connection never completes.

205
MCQeasy

A company is designing a VPC with public and private subnets. The private subnets need to access the internet for software updates but must not be directly accessible from the internet. Which AWS service should be used to provide internet access to instances in the private subnets?

A.Internet gateway
B.NAT gateway
C.VPC endpoint
D.Transit gateway
AnswerB

NAT gateway provides outbound-only internet access for private subnets.

Why this answer

Option B is correct because a NAT gateway allows instances in private subnets to initiate outbound connections to the internet and, being stateful, returns only the replies to those connections; it never accepts connections initiated from the internet. Option A is wrong because an internet gateway is for public subnets and allows inbound connections to instances with public addresses. Option C is wrong because a VPC endpoint gives private access to AWS services, not to the internet.

Option D is wrong because a transit gateway connects VPCs and on-premises networks; it provides no internet access by itself.

206
MCQmedium

A company is deploying a multi-tier web application in a VPC. The architecture includes an internet-facing Application Load Balancer (ALB) in public subnets, a fleet of EC2 instances in private subnets, and an Amazon RDS database in a separate private subnet. The security team requires that the web application logs be stored in an Amazon S3 bucket for compliance. The EC2 instances have an instance profile that grants write access to the S3 bucket. The EC2 instances are in a private subnet that does not have a route to the internet. The company wants to ensure that the EC2 instances can upload logs to the S3 bucket without traversing the internet. Which solution should they implement?

A.Create a VPC Gateway Endpoint for S3 and add a route in the private subnet's route table pointing to the endpoint
B.Create a VPC Interface Endpoint for S3
C.Deploy a forward proxy server in a public subnet and configure the EC2 instances to use it
D.Attach a NAT Gateway to the private subnet and configure a route to the NAT Gateway
AnswerA

Gateway Endpoint provides private access to S3 without internet.

Why this answer

A VPC Gateway Endpoint for S3 gives EC2 instances in private subnets a path to S3 over the AWS network without traversing the internet. Associating the private subnet's route table with the endpoint adds a route for the region's S3 prefix list to the endpoint, and the instance profile supplies the credentials, so uploads need no NAT Gateway or internet route. Two hardening steps belong with this design: an endpoint policy that limits the endpoint to the log bucket, and a bucket policy that allows writes only when aws:sourceVpce is that endpoint, so the credentials cannot be used from outside the VPC.

Exam trap

The trap here is that candidates often confuse VPC Gateway Endpoints with Interface Endpoints, assuming Interface Endpoints are always required for private access, but Gateway Endpoints are the correct, cost-effective choice for S3 and DynamoDB from private subnets without internet.

How to eliminate wrong answers

Option B is wrong because a VPC Interface Endpoint for S3 is not the optimal choice; it uses private IPs and requires additional costs and complexity, while a Gateway Endpoint is simpler, free, and designed specifically for S3 and DynamoDB access from private subnets. Option C is wrong because deploying a forward proxy server in a public subnet would force traffic through an internet gateway, violating the requirement to avoid traversing the internet, and adds unnecessary latency and management overhead. Option D is wrong because attaching a NAT Gateway to the private subnet would route traffic to the internet, which contradicts the requirement to keep traffic off the internet, and NAT Gateways are not designed for private S3 access without internet egress.

207 · Multi-Select · medium

Which TWO statements about AWS Transit Gateway are correct? (Choose two.)

Select 2 answers
A. It provides internet access for attached VPCs
B. It supports transitive routing between attached VPCs
C. It can be shared across AWS accounts using AWS Resource Access Manager
D. It can replace AWS Direct Connect for on-premises connectivity
E. It only supports VPN attachments
Answers: B, C

Transit Gateway allows VPCs to communicate through it.

Why this answer

Options B and C are correct. Transit Gateway supports transitive routing between attachments. It can be shared across accounts using AWS Resource Access Manager (RAM).

Option A is wrong because Transit Gateway does not provide internet access for attached VPCs. Option D is wrong because it does not replace Direct Connect. Option E is wrong because it supports both IPsec VPN and Direct Connect attachments.

208 · MCQ · easy

A company needs to provide internet access to instances in a private subnet while preventing inbound connections from the internet. Which AWS service should be used?

A. NAT Gateway
B. Internet Gateway
C. AWS Direct Connect
D. VPC Endpoint
Answer: A

Provides outbound only.

Why this answer

A NAT Gateway enables instances in a private subnet to initiate outbound IPv4 traffic to the internet (e.g., for software updates) while preventing any unsolicited inbound connections from the internet. It achieves this by translating the private source IP addresses of the instances to the NAT Gateway's Elastic IP address, and by default it does not allow inbound traffic unless an explicit inbound rule is added to the associated route table, which is not recommended for this use case.

Exam trap

AWS often tests the misconception that an Internet Gateway can be used in a private subnet with restrictive security groups or network ACLs, but the trap is that an Internet Gateway inherently allows bidirectional traffic and cannot prevent unsolicited inbound connections at the gateway level, whereas a NAT Gateway is specifically designed for outbound-only internet access.

How to eliminate wrong answers

Option B (Internet Gateway) is wrong because an Internet Gateway allows both outbound and inbound traffic from the internet; attaching it to a private subnet would expose instances to unsolicited inbound connections, violating the requirement. Option C (AWS Direct Connect) is wrong because it establishes a dedicated private network connection from on-premises to AWS, not internet access, and does not inherently provide internet connectivity or block inbound internet traffic. Option D (VPC Endpoint) is wrong because it provides private connectivity to AWS services (e.g., S3, DynamoDB) over the AWS network without traversing the internet, but it does not provide general internet access for instances.

209 · Multi-Select · medium

A company is designing a network for a multi-tier application that must meet compliance requirements. The architecture includes a VPC with public, private, and database subnets. Which TWO actions should be taken to ensure the database subnets are not directly accessible from the internet? (Select TWO.)

Select 2 answers
A. Attach an Internet Gateway to the database subnets.
B. Create a NAT Gateway in the database subnets.
C. Associate a security group that denies inbound traffic from 0.0.0.0/0.
D. Configure a network ACL on the database subnets to deny inbound traffic from 0.0.0.0/0.
E. Place the database subnets in private subnets.
Answers: D, E

Correct: Network ACLs can deny inbound traffic.

Why this answer

Options D and E are correct because a public subnet must not be used for databases, and a network ACL on the database subnets can deny inbound traffic from 0.0.0.0/0. Option B is wrong because a NAT Gateway in the database subnets would still allow outbound but not inbound traffic; in any case, placing a NAT Gateway in a database subnet is not best practice. Option C is wrong because security groups are stateful and allow return traffic; a deny rule in a network ACL is needed.

Option A is wrong because an Internet Gateway attached to the database subnets would expose them to the internet.

210 · MCQ · easy

A company is planning to connect multiple VPCs in different AWS accounts using AWS Transit Gateway. The VPCs must be able to communicate with each other, but the company wants to centralize egress traffic to the internet through a single VPC that has a NAT gateway. Which configuration meets these requirements?

A. Attach all VPCs to a Transit Gateway, create a central egress VPC with a NAT gateway, and configure Transit Gateway route tables to send default traffic to the central VPC.
B. Use AWS Site-to-Site VPN to connect the VPCs and route traffic through a central VPN endpoint.
C. Use VPC peering to connect all VPCs and configure a NAT gateway in one VPC.
D. Attach each VPC to a Transit Gateway and configure a NAT gateway in each VPC.
Answer: A

Centralizes internet egress while allowing VPC-to-VPC communication.

Why this answer

Option A is correct because AWS Transit Gateway allows you to attach multiple VPCs from different accounts and centrally manage routing. By configuring the Transit Gateway route tables to send default traffic (0.0.0.0/0) to a central egress VPC that contains a NAT gateway, all other VPCs can route internet-bound traffic through that single NAT gateway, centralizing egress while maintaining inter-VPC communication.

Exam trap

The trap here is that candidates often confuse VPC peering with Transit Gateway, assuming VPC peering supports transitive routing (which it does not), or they think placing a NAT gateway in each VPC is acceptable, missing the explicit requirement for centralized egress.

How to eliminate wrong answers

Option B is wrong because AWS Site-to-Site VPN is designed for connecting on-premises networks to AWS, not for inter-VPC connectivity, and it would introduce unnecessary complexity, latency, and bandwidth limitations. Option C is wrong because VPC peering does not support transitive routing; to connect all VPCs in a mesh, you would need a full mesh of peering connections, which does not scale and still requires manual route table entries in each VPC to direct traffic to the central NAT gateway. Option D is wrong because configuring a NAT gateway in each VPC defeats the requirement to centralize egress traffic; each VPC would have its own independent internet egress, not a single centralized point.

211 · MCQ · easy

A company wants to use AWS Direct Connect to connect their on-premises network to a VPC. They have two Direct Connect locations and want high availability. What is the minimum number of Direct Connect virtual interfaces needed?

A. One public VIF and one private VIF
B. Four private VIFs
C. Two private VIFs
D. One private VIF
Answer: C

Two VIFs, each on a separate Direct Connect connection, provide high availability.

Why this answer

Option C is correct because, for high availability, you need at least two connections, each with its own virtual interface (VIF). Option D is wrong because a single VIF is a single point of failure. Option A is wrong because you need at least two private VIFs, one for each connection.

Option B is wrong because four is more than necessary.

212 · MCQ · medium

A network engineer is troubleshooting a Direct Connect private VIF. The VIF is in 'available' state but traffic is not flowing to the VPC. The VGW is attached to the VPC. What is the most likely cause?

A. The VPC route table lacks a route to the on-premises network pointing to the VGW.
B. The route filter prefix for the VPC CIDR is misconfigured.
C. BGP is not established between the on-premises router and the VGW.
D. The VIF state is not 'available'.
Answer: A

Without this route, traffic cannot be forwarded.

Why this answer

When a Direct Connect private VIF is in the 'available' state, the physical and logical layer 2 connectivity is established, and BGP sessions are typically up. However, traffic still cannot flow to the VPC unless the VPC route table contains a route that directs traffic destined for the on-premises network to the Virtual Private Gateway (VGW). Without this route, the VPC has no path to send traffic over the Direct Connect connection, even though the VIF and BGP are operational.

Exam trap

The trap here is that candidates assume an 'available' VIF and established BGP automatically mean traffic flows, but they overlook the critical requirement of a VPC route table entry pointing to the VGW as the next hop.

How to eliminate wrong answers

Option B is wrong because route filter prefixes control which BGP routes are advertised or accepted, but they do not prevent traffic flow if the VPC route table already has a static route pointing to the VGW; the question states the VIF is available and BGP is likely established, so a misconfigured route filter would affect route propagation, not the immediate lack of a route in the VPC. Option C is wrong because if BGP were not established, the VIF would typically show a 'down' or 'pending' BGP status, but the VIF is 'available' and the issue is traffic not flowing, implying BGP is up. Option D is wrong because the VIF state is explicitly stated as 'available', which means the physical and logical layer 2 connectivity is functioning correctly.

213 · MCQ · hard

Refer to the exhibit. A network engineer has this IAM policy attached to their user. They attempt to create a VPC peering connection between VPC A (in account 123456789012) and VPC B (in account 210987654321). The request fails. Which additional permission is required?

A. The ec2:CreateVpcPeeringConnection action is not allowed on the accepter VPC.
B. The policy must include a condition that the accepter VPC owner is the target account.
C. The user needs ec2:ModifyVpcPeeringConnectionOptions permission.
D. The user needs ec2:CreateVpcEndpoint permission.
Answer: B

Without a condition, the peering request may be denied if the accepter account is not specified.

Why this answer

Option B is correct because when creating a VPC peering connection across AWS accounts, the requester's IAM policy must include a condition that explicitly allows the action only when the accepter VPC owner is the target account. Without this condition, the ec2:CreateVpcPeeringConnection action will fail because the policy lacks the necessary cross-account authorization context. The condition key aws:SourceAccount or ec2:AccepterVpcOwnerId must be used to restrict the action to the specific accepter account.

Exam trap

Cisco often tests the misconception that the ec2:CreateVpcPeeringConnection action alone is sufficient for cross-account peering, but the trap is that the IAM policy must include a condition to specify the accepter account ID, otherwise the request fails due to missing authorization context.

How to eliminate wrong answers

Option A is wrong because the ec2:CreateVpcPeeringConnection action is allowed on the requester VPC, not the accepter VPC; the accepter VPC is specified as a parameter, and the action itself is performed on the requester side. Option C is wrong because ec2:ModifyVpcPeeringConnectionOptions is used to update DNS resolution or other peering options after the connection is established, not to create the peering connection itself. Option D is wrong because ec2:CreateVpcEndpoint is unrelated to VPC peering; it is used to create VPC endpoints for AWS services like S3 or DynamoDB.

214 · MCQ · hard

Refer to the exhibit. An AWS administrator is troubleshooting an issue where an EC2 instance cannot access an S3 bucket using an instance profile. The instance profile is associated with an IAM role that has the above trust policy. The S3 bucket policy allows s3:GetObject only for the role's ARN. What is the most likely cause of the access failure?

A. The VPC does not have an S3 VPC endpoint
B. The instance profile is not attached to the EC2 instance
C. The S3 bucket policy does not allow s3:ListBucket
D. The trust policy does not allow the S3 service to assume the role
Answer: B

Without the instance profile, the EC2 instance cannot assume the role.

Why this answer

The instance profile must be attached to the EC2 instance for the IAM role's credentials to be available to the instance. Without this attachment, the EC2 instance cannot assume the role or use its permissions to access the S3 bucket, even if the trust policy and bucket policy are correctly configured.

Exam trap

The trap here is that candidates often overlook the instance profile attachment step and instead focus on policy misconfigurations, assuming the trust policy or bucket policy is the issue when the real problem is the missing link between the instance and the role.

How to eliminate wrong answers

Option A is wrong because an S3 VPC endpoint is not required for EC2 instances to access S3 via an instance profile; it is only needed for private connectivity without traversing the internet. Option C is wrong because the s3:GetObject permission is sufficient to read an object; s3:ListBucket is only required for listing objects, not for a direct GetObject request. Option D is wrong because the trust policy in the exhibit allows the EC2 service (not S3) to assume the role, which is correct for an instance profile; the S3 service does not need to assume the role.

215 · MCQ · medium

A company is setting up a new AWS Direct Connect connection. They have provisioned a 1 Gbps dedicated connection. They need to create a private virtual interface (VIF) to connect to their VPC. The VIF has been created and is in the 'available' state, but the BGP session is not coming up. What is the most likely cause?

A. The BGP hold timer is set too high on the customer router.
B. The VLAN ID assigned to the VIF is already in use on another VIF.
C. The BGP authentication key does not match between the customer router and AWS.
D. The Direct Connect interface is in the 'down' state.
Answer: C

If BGP MD5 authentication is configured, both sides must have the same key, or the session will not establish.

Why this answer

Option C is correct because the BGP authentication key must match on both sides. Option B is wrong because the VLAN ID must be unique per VIF, but a conflict does not prevent BGP from coming up. Option A is wrong because the BGP timer can be adjusted but does not prevent session establishment.

Option D is wrong because the interface state is already 'available'.

216 · MCQ · medium

A company has an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The ALB is configured with a target group that has a health check path of /health. Some instances are failing health checks and being marked unhealthy, but the application logs show the instances are healthy. What is the most likely cause?

A. The health check path is incorrect
B. The target group's slow start duration is too long
C. The security group for the instances does not allow inbound traffic from the ALB's security group on the health check port
D. The ALB's stickiness is preventing health checks
Answer: C

The ALB's health checks must be allowed by the instance security group.

Why this answer

The health check is failing because the security group for the instances does not allow traffic from the ALB, so Option C is correct. Option A (health check path) is wrong because the path is working as configured.

Option B (slow start) is wrong because slow start does not cause health check failures. Option D (stickiness) is wrong because stickiness does not affect health checks.

217 · MCQ · medium

A company has a VPC with a CIDR block of 10.0.0.0/16. It needs to create a secondary CIDR block for additional subnets that must not overlap with the existing CIDR. Which CIDR block should be used?

A. 172.16.0.0/16
B. 10.0.0.0/16
C. 10.0.0.0/8
D. 10.1.0.0/16
Answer: D

This does not overlap and is a valid private CIDR.

Why this answer

VPC secondary CIDR blocks must not overlap with the primary CIDR. Option D (10.1.0.0/16) is in the 10.0.0.0/8 range but does not overlap with 10.0.0.0/16. Option C overlaps, because 10.0.0.0/8 includes 10.0.0.0/16.

Option B overlaps because it is the same block as the primary 10.0.0.0/16. Option A (172.16.0.0/16) is a valid private range that does not overlap, but it is not in the 10.0.0.0/8 range; a VPC can use any private CIDR as a secondary block, but the question implies a non-overlapping block from the same range, so Option D is correct because it is common practice to use a different /16 within 10.0.0.0/8.

218 · MCQ · medium

Refer to the exhibit. A VPN connection has two tunnels. Which statement is correct about this VPN configuration?

A. The VPN uses BGP dynamic routing
B. The VPN provides high availability with two tunnels
C. The tunnel inside CIDRs are /24 networks
D. Both tunnels use the same inside CIDR
Answer: B

Two tunnels provide redundancy.

Why this answer

The exhibit shows a VPN connection with two tunnels, which is the standard design for AWS Site-to-Site VPN to provide high availability. Each tunnel is on a separate device and path, so if one tunnel fails, traffic automatically fails over to the other tunnel. This ensures that the VPN connection remains operational even during maintenance or failure of a single tunnel.

Exam trap

AWS often tests the misconception that two tunnels in a VPN connection are for load balancing, but in AWS Site-to-Site VPN, they are strictly for high availability (active/standby or active/active with BGP), not for aggregating bandwidth.

How to eliminate wrong answers

Option A is wrong because the VPN configuration shown does not indicate BGP dynamic routing; the tunnels could be using static routing or BGP, but the exhibit alone does not confirm BGP. Option C is wrong because the tunnel inside CIDRs are not necessarily /24 networks; AWS VPN tunnels use /30 or /31 networks for the inside IP addresses. Option D is wrong because both tunnels use different inside CIDRs (e.g., 169.254.10.0/30 and 169.254.11.0/30) to avoid IP overlap and allow independent routing.

219 · MCQ · easy

Based on the output, which of the following is true?

A. The Direct Connect Gateway uses ASN 64512
B. The Direct Connect Gateway is in a 'deleted' state
C. The Direct Connect Gateway is a virtual private gateway
D. The Direct Connect Gateway is owned by a different account
Answer: A

The amazonSideAsn is set to 64512.

Why this answer

Option A is correct because the output shows a Direct Connect Gateway with an Amazon-side ASN of 64512. Option B is wrong because the state is 'available'. Option C is wrong because the ID starts with 'dxgw'.

Option D is wrong because ownerAccount is present.

220 · Multi-Select · hard

A company is setting up a Site-to-Site VPN connection between their on-premises network and AWS. Which THREE components are required for a VPN connection?

Select 3 answers
A. VPN Tunnel
B. Transit Gateway
C. Internet Gateway
D. Virtual Private Gateway
E. Customer Gateway
Answers: A, D, E

Encrypted connection.

Why this answer

A VPN tunnel is a required component for an AWS Site-to-Site VPN connection because it provides the encrypted, secure communication channel between the on-premises customer gateway and the AWS virtual private gateway. Each VPN connection consists of two tunnels for high availability, each using IPsec (IKEv1 or IKEv2) to encrypt traffic. Without at least one VPN tunnel, no encrypted data can traverse the VPN connection.

Exam trap

AWS often tests the misconception that a Transit Gateway is a required component for a Site-to-Site VPN, but the correct required components are only the VPN Tunnel, Virtual Private Gateway, and Customer Gateway.

221 · MCQ · easy

A company has an on-premises data center connected to AWS via a Site-to-Site VPN. The VPN connection uses BGP for dynamic routing. The company wants to add an additional VPN tunnel for redundancy. What must be configured?

A. Create a second virtual private gateway and attach it to the VPC.
B. Add a transit gateway to replace the virtual private gateway.
C. Create a second VPN connection to a second customer gateway device.
D. Configure static routes instead of BGP.
Answer: C

Provides redundant tunnels.

Why this answer

Option C is correct because to add an additional VPN tunnel for redundancy, you must create a second VPN connection that uses a second customer gateway device. This provides a second BGP session and a separate tunnel, ensuring failover if the primary tunnel or customer gateway fails. The existing virtual private gateway can support multiple VPN connections, so no replacement or additional VGW is needed.

Exam trap

The trap here is that candidates assume you need a second virtual private gateway for redundancy, but AWS allows multiple VPN connections to the same VGW, so the correct approach is to add a second VPN connection with a separate customer gateway device.

How to eliminate wrong answers

Option A is wrong because a single VPC can only have one virtual private gateway attached at a time; you cannot attach a second VGW to the same VPC. Option B is wrong because replacing the VGW with a transit gateway is unnecessary for simply adding a redundant VPN tunnel; a transit gateway is used for complex multi-VPC or hybrid network topologies, not for basic VPN redundancy. Option D is wrong because switching from BGP to static routes would eliminate the dynamic failover and route propagation benefits that BGP provides, which is counterproductive for redundancy.

222 · MCQ · easy

A company has a VPC peering connection between VPC A (10.0.0.0/16) and VPC B (10.1.0.0/16). They have added routes in both route tables. However, instances in VPC A cannot ping instances in VPC B. The security groups and network ACLs allow ICMP. What is the most likely cause?

A. The security groups in VPC B do not allow inbound ICMP from VPC A CIDR
B. The route tables in VPC A do not have a route to VPC B CIDR pointing to the peering connection
C. The VPC peering connection is not in the 'active' state
D. The instances are in different Availability Zones
Answer: B

Without a specific route to the peered VPC CIDR, traffic will not be sent over the peering connection.

Why this answer

VPC peering does not support transitive routing. If VPC A tries to reach VPC B via a CIDR that is not directly peered, traffic will not be forwarded. The route tables must have specific routes for the peered VPC CIDR.

The issue likely is that the route tables are missing the route to the peer, or the route is pointing to an incorrect target.

223 · Multi-Select · hard

A company is designing a hybrid network using AWS Direct Connect. They have a VPC with CIDR 10.0.0.0/16 and an on-premises network with CIDR 192.168.0.0/16. They want to establish a Direct Connect private virtual interface with a virtual private gateway. Which THREE steps are required to complete the connectivity? (Choose three.)

Select 3 answers
A. Create a Transit Gateway and attach the VPC to it.
B. Create a virtual private gateway and attach it to the VPC.
C. Update the VPC route table to add a route for the on-premises CIDR pointing to the virtual private gateway.
D. Configure a private virtual interface on the Direct Connect connection, associating it with the virtual private gateway.
E. Create a customer gateway object in the AWS account.
Answers: B, C, D

The virtual private gateway is the AWS side endpoint for the Direct Connect private virtual interface.

Why this answer

Option B is correct because a virtual private gateway (VGW) is the required AWS-side endpoint for a Direct Connect private virtual interface (VIF) to terminate on a single VPC. The VGW must be created and attached to the VPC before the private VIF can be associated with it, enabling private connectivity between the on-premises network and the VPC.

Exam trap

The trap here is that candidates confuse the customer gateway object (used for VPN) with the virtual private gateway (used for Direct Connect), leading them to incorrectly select Option E as a required step.

224 · MCQ · easy

A company is designing a VPC with a public subnet for a web server and a private subnet for a database. The web server needs to download patches from the internet. The database should not have direct internet access. Which architecture meets these requirements?

A. Place the web server in the public subnet with an Internet Gateway, and the database in the private subnet without any internet access.
B. Place both instances in the public subnet and use security groups to restrict inbound access to the database.
C. Place the web server in the public subnet with an Internet Gateway, and the database in the private subnet with a route to a NAT Gateway in the public subnet for outbound access only.
D. Place the web server in the private subnet with a NAT Gateway, and the database in the public subnet with an Internet Gateway.
Answer: C

Web server gets internet via IGW; database can initiate outbound traffic via NAT Gateway without being directly reachable.

Why this answer

Option B is correct. A NAT Gateway in the public subnet allows the web server (in the same public subnet) to access the internet via its public IP or via the NAT Gateway if it's actually in a private subnet. However, the web server is in a public subnet, so it can have a public IP and access the internet directly.

The database in the private subnet can use the NAT Gateway for outbound access if needed, but the question says database should not have direct internet access, so it should not have a public IP. Option A is wrong because an Internet Gateway alone does not provide outbound access for private instances. Option C is wrong because a VPN is not needed.

Option D is wrong because a NAT Instance is not recommended; NAT Gateway is managed.

225 · MCQ · easy

A company wants to ensure that traffic between EC2 instances in the same VPC but different subnets is encrypted. Which solution should be used?

A. Use security groups to allow traffic.
B. Use VPC Peering.
C. Use network ACLs to allow traffic.
D. Use IPsec VPN between the instances.
Answer: D

IPsec provides encryption for traffic between instances.

Why this answer

Option D is correct because an IPsec VPN between the instances provides encryption. Option A is wrong because security groups do not encrypt traffic. Option C is wrong because network ACLs do not encrypt traffic.

Option B is wrong because VPC Peering does not encrypt traffic.
