CCNA Network Design Questions

75 of 504 questions · Page 4/7 · Network Design topic · Answers revealed

226
MCQ · hard

A company is designing a network for a real-time trading application that requires extremely low latency (sub-millisecond) between two EC2 instances located in the same AWS region. The instances are in different Availability Zones. The trading application uses a proprietary protocol over TCP. The company wants to minimize latency as much as possible. They are considering using a placement group. Which type of placement group should they use, and what network optimization should they apply?

A. Use a spread placement group and enable dedicated tenancy
B. Use a partition placement group and enable EBS-optimized instances
C. Use a cluster placement group for both instances and enable enhanced networking (SR-IOV)
D. Use a cluster placement group but launch instances in different Availability Zones
Answer: C

Cluster placement group provides low latency; enhanced networking reduces overhead.

Why this answer

A cluster placement group is the only placement group type that provides low-latency, high-bandwidth network performance by placing instances in a single Availability Zone within the same rack. Enhanced networking using SR-IOV (Single Root I/O Virtualization) bypasses the hypervisor's network stack, reducing per-packet processing latency and jitter, which is critical for sub-millisecond trading traffic over TCP.

Exam trap

AWS often tests the misconception that a cluster placement group can span multiple Availability Zones, but in reality, it is confined to a single AZ to guarantee low-latency physical proximity.

How to eliminate wrong answers

Option A is wrong because spread placement groups spread instances across distinct hardware to reduce failure risk, which increases network distance and latency, and dedicated tenancy does not improve network performance. Option B is wrong because partition placement groups isolate instances across logical partitions for large distributed workloads, not for low latency, and EBS-optimized instances improve storage throughput, not network latency. Option D is wrong because a cluster placement group requires all instances to be in the same Availability Zone to achieve low latency; placing instances in different Availability Zones negates the benefit and introduces cross-AZ latency.

227
MCQ · easy

A company wants to connect its VPC to an on-premises data center using AWS Direct Connect. The company has two Direct Connect locations in the same AWS region. For high availability, they plan to establish two separate connections. Which configuration ensures that if one connection fails, traffic automatically fails over to the other?

A. Establish one Direct Connect connection and one AWS Site-to-Site VPN connection as backup.
B. Establish two Direct Connect connections from the same Direct Connect location to the same VPC.
C. Establish two Direct Connect connections from different Direct Connect locations to the same VPC, each with a private VIF attached to the same virtual private gateway.
D. Establish a single Direct Connect connection with two virtual interfaces (VIFs) to the same VPC.
Answer: C

Different locations provide physical diversity; BGP routing handles failover automatically.

Why this answer

Option C is correct. Two Direct Connect connections from different locations to the same VPC, each with a private VIF attached to the same virtual private gateway, give physical diversity; BGP with AS path prepending on one path makes it less preferred, so traffic moves to the other path automatically when the preferred one fails. Option D is wrong because a single connection cannot provide failover, however many VIFs it carries.

Option B is wrong because two connections to the same DX location are not fully diverse. Option A is wrong because a VPN backup is not required; two DX connections can provide HA.

228
MCQ · easy

A company is designing a network for a new VPC. They want to ensure that the VPC can connect to an on-premises data center via a site-to-site VPN. The on-premises network uses a CIDR block of 10.0.0.0/8. The VPC will use a CIDR block of 10.0.0.0/16. The network engineer is concerned about overlapping IP addresses. What is the best way to avoid IP address overlap?

A. Use the same CIDR block and rely on NAT
B. Use a different RFC 1918 CIDR block for the VPC
C. Use a smaller subnet within the same 10.0.0.0/8 range
D. Use a public IP range for the VPC
Answer: B

A different RFC 1918 block avoids the overlap entirely.

Why this answer

Option B is correct because using a different RFC 1918 CIDR block (e.g., 172.16.0.0/12 or 192.168.0.0/16) for the VPC completely avoids IP address overlap with the on-premises 10.0.0.0/8 network. Overlapping CIDR blocks (both using 10.0.0.0/8) would prevent successful route propagation and cause asymmetric routing or connectivity failures in the site-to-site VPN. NAT can mitigate overlap but adds complexity and is not the 'best' design choice when a non-overlapping private range is available.

Exam trap

AWS often tests the misconception that NAT can always solve IP overlap issues, but the best practice is to design non-overlapping private IP spaces from the start to avoid complexity and routing failures.

How to eliminate wrong answers

Option A is wrong because using the same CIDR block (10.0.0.0/16 within 10.0.0.0/8) creates an overlap that NAT alone cannot fully resolve for bidirectional traffic without complex rules and potential performance issues; it is not the best architectural practice. Option C is wrong because using a smaller subnet within the same 10.0.0.0/8 range still overlaps with the on-premises network, as the on-premises CIDR encompasses the entire 10.0.0.0/8 space, leading to routing conflicts. Option D is wrong because using a public IP range for the VPC violates RFC 1918 private addressing best practices, is not routable over a VPN without additional NAT or BGP complexities, and can cause conflicts with internet-bound traffic.

229
Multi-Select · hard

Which THREE factors should be considered when designing a VPC for a multi-tier application that requires high availability and security? (Choose three.)

Select 3 answers
A. Provision subnets in at least two Availability Zones
B. Assign public IP addresses to all instances for direct access
C. Use separate subnets for web, application, and database tiers
D. Use a single Availability Zone to reduce latency
E. Use NAT Gateways in public subnets for outbound internet access from private subnets
Answers: A, C, E

Provides high availability in case of AZ failure.

Why this answer

Option A is correct because deploying subnets across at least two Availability Zones (AZs) ensures high availability by eliminating a single point of failure. If one AZ experiences an outage, the application can continue serving traffic from the other AZ. This is a foundational principle for building fault-tolerant architectures in AWS.

Exam trap

AWS often tests the misconception that high availability can be achieved within a single Availability Zone by using redundant components, but the correct approach requires at least two AZs to survive an AZ-level failure.

230
Multi-Select · hard

A company has a VPC with a public subnet and a private subnet. The private subnet needs to access an S3 bucket for backups. Which TWO actions are required to provide private connectivity to S3 without using a NAT Gateway?

Select 2 answers
A. Create a NAT Gateway in the public subnet.
B. Create a VPC Gateway Endpoint for S3.
C. Add a route for the S3 prefix list in the private subnet route table pointing to the gateway endpoint.
D. Create a VPC Interface Endpoint for S3.
E. Create a VPC Peering connection to an S3 VPC.
Answers: B, C

Gateway Endpoint provides private S3 access.

Why this answer

Options B and C are correct. A VPC Gateway Endpoint for S3 (B) provides private access to S3, and the private subnet's route table must carry a route for the S3 prefix list pointing to that gateway endpoint (C) so that S3-bound traffic is sent through it.

Option A is wrong because the question rules out a NAT Gateway. Option D is wrong because a VPC Interface Endpoint is for other services, not S3. Option E is wrong because a VPC Peering connection is not needed.

231
MCQ · hard

A company has a VPC with public and private subnets in three Availability Zones. They have an Application Load Balancer (ALB) in the public subnets and a fleet of EC2 instances in the private subnets. The ALB needs to send traffic to the instances on port 443. What is the most secure way to configure the security groups?

A. ALB SG: inbound from 0.0.0.0/0 on all ports. Instance SG: inbound from ALB SG on all ports.
B. ALB SG: inbound from 0.0.0.0/0 on port 443. Instance SG: inbound from 0.0.0.0/0 on port 443.
C. ALB SG: inbound from 0.0.0.0/0 on port 443. Instance SG: inbound from ALB SG on port 443.
D. ALB SG: inbound from 0.0.0.0/0 on port 443. Instance SG: inbound from ALB SG on all ports.
Answer: C

Only allows HTTPS from ALB SG to instances.

Why this answer

Option C is correct because it follows the principle of least privilege by restricting the ALB security group to only allow inbound traffic on port 443 from the internet (0.0.0.0/0) and the instance security group to only allow inbound traffic on port 443 from the ALB security group. This ensures that only the ALB can communicate with the instances on the required port, preventing direct access from other sources and reducing the attack surface.

Exam trap

The trap here is that candidates often assume that allowing traffic from 0.0.0.0/0 to the instances is acceptable because the instances are in private subnets, but security groups are stateful and do not consider subnet routing; they evaluate traffic based on the source IP, so a rule allowing 0.0.0.0/0 would permit direct internet traffic if the instances had a route to an internet gateway.

How to eliminate wrong answers

Option A is wrong because it allows inbound traffic to the ALB on all ports from the internet, which is overly permissive and violates security best practices. Option B is wrong because it allows inbound traffic to the instances directly from 0.0.0.0/0 on port 443, bypassing the ALB and exposing the instances to the internet, which is insecure. Option D is wrong because it allows inbound traffic to the instances from the ALB security group on all ports, which is unnecessary and violates the principle of least privilege since only port 443 is required.

232
Multi-Select · medium

A company is deploying a containerized application on Amazon ECS using the Fargate launch type. The application requires outbound internet access to download updates, but the company does not want to assign public IP addresses to the tasks. Which TWO actions should the company take to provide internet access to the tasks? (Choose two.)

Select 2 answers
A. Configure a security group that allows outbound traffic to 0.0.0.0/0
B. Launch the tasks in private subnets that do not have a route to an Internet Gateway
C. Create a NAT gateway in a public subnet and update the route tables for the task subnets to route 0.0.0.0/0 traffic to the NAT gateway
D. Launch the tasks in public subnets with auto-assign public IP enabled
E. Create a VPC Gateway Endpoint for Amazon ECR
Answers: B, C

Private subnets ensure no public IPs are assigned; outbound traffic goes through the NAT gateway.

Why this answer

Option B is correct because tasks in private subnets without a route to an Internet Gateway cannot directly access the internet, which is the desired behavior to avoid public IP addresses. Option C is correct because a NAT gateway in a public subnet provides outbound internet access for tasks in private subnets by translating their private IP addresses to the NAT gateway's public IP, allowing them to reach the internet without assigning public IPs to the tasks.

Exam trap

AWS often tests the misconception that a security group rule allowing outbound traffic to 0.0.0.0/0 alone is sufficient for internet access, when in fact the subnet's route table must direct traffic to a NAT gateway or Internet Gateway.

233
MCQ · hard

A company is designing a VPC with a CIDR block of 10.0.0.0/16. The VPC will host multiple environments (dev, test, prod) and requires subnets in three Availability Zones. The network engineer must allocate subnets efficiently while reserving at least 25% of the address space for future growth. What is the minimum subnet size that should be used for each environment?

A. /20
B. /18
C. /22
D. /21
Answer: A

Provides 4094 addresses per subnet, fits within the reserved space and allows growth.

Why this answer

Option A is correct. The total /16 has 65536 addresses. Reserving 25% leaves 49152 addresses for use.

With 3 environments × 3 AZs = 9 subnets, each subnet gets 5461 addresses on average. A /19 subnet provides 8191 addresses per subnet, totaling 9×8191=73719, which exceeds the available 49152. A /20 provides 4095 addresses per subnet (9×4095=36855), which is within the available 49152 and allows efficient use.

The smallest subnet that fits the requirement is /20. Option B (/18) is too large, Option D (/21) provides too few addresses per subnet, and Option C (/22) is also insufficient.

234
Multi-Select · hard

Which THREE of the following are benefits of using AWS Global Accelerator over Amazon CloudFront for a global application that uses TCP traffic? (Select THREE.)

Select 3 answers
A. Provides content caching at edge locations.
B. Provides static IP addresses that act as a fixed entry point.
C. Supports TCP and UDP traffic.
D. Can be used with Application Load Balancers as endpoints.
E. Automatically integrates with AWS WAF and AWS Shield Advanced.
Answers: B, C, D

Global Accelerator provides anycast IPs.

Why this answer

AWS Global Accelerator provides static IP addresses that act as a fixed entry point for your application, which is a key benefit over Amazon CloudFront. CloudFront uses dynamic, regional edge IP addresses that can change, whereas Global Accelerator offers two static anycast IP addresses that remain constant, simplifying DNS management and firewall whitelisting for TCP-based global applications.

Exam trap

The trap here is that candidates often confuse AWS Global Accelerator with CloudFront, assuming both provide caching and similar features, but Global Accelerator focuses on network performance optimization for TCP/UDP traffic without caching, while CloudFront is a CDN that caches content and primarily supports HTTP/HTTPS.

235
MCQ · hard

A company is deploying a multi-tier application in a VPC. The web tier is in public subnets, and the application tier is in private subnets. The application tier needs to communicate with an on-premises database via an AWS Direct Connect connection. The company wants to minimize latency and maximize throughput. Which design should they use?

A. Place the application tier instances in a private subnet in the same VPC as the web tier. Attach a virtual private gateway to the VPC and connect it to the on-premises network via a Direct Connect private virtual interface.
B. Place the application tier in a private subnet and use a NAT Gateway to route traffic to the on-premises network.
C. Place the application tier in a separate VPC and peer it to the web tier VPC. Use a Direct Connect connection attached to the web tier VPC.
D. Place the application tier in a separate VPC and use a VPN connection over the internet to connect to on-premises.
Answer: A

This provides low-latency, high-throughput connectivity directly between the application tier and on-premises.

Why this answer

Option A is correct because a Direct Connect private virtual interface (VIF) connected to a virtual private gateway (VGW) provides a dedicated, low-latency, high-throughput connection from the VPC to on-premises. The application tier in the private subnet can route traffic directly to the on-premises database via the VGW without traversing the internet or a NAT device, minimizing latency and maximizing throughput.

Exam trap

AWS often tests the misconception that a NAT Gateway or VPN can provide equivalent performance to Direct Connect, but the trap here is that NAT Gateways are for internet egress only and VPNs introduce internet-based latency, whereas a private VIF offers dedicated, consistent performance.

How to eliminate wrong answers

Option B is wrong because a NAT Gateway is used for outbound internet traffic from private subnets, not for routing to on-premises networks over Direct Connect; it would add unnecessary latency and does not leverage the private VIF. Option C is wrong because placing the application tier in a separate VPC and peering it to the web tier VPC introduces an extra hop (VPC peering) and requires the Direct Connect to be attached to the web tier VPC, which forces traffic to traverse the peering connection, increasing latency and complexity. Option D is wrong because a VPN connection over the internet introduces variable latency, potential throughput bottlenecks, and security risks compared to a dedicated Direct Connect private VIF, failing to minimize latency and maximize throughput.

236
MCQ · easy

A company needs to connect two VPCs in the same AWS account and region. They want to use private IP addresses and avoid any single point of failure. Which solution should they use?

A. AWS Transit Gateway
B. VPC peering connection
C. Internet Gateway and public IPs
D. AWS Site-to-Site VPN between the VPCs
Answer: B

VPC peering is simple, uses private IPs, and has no single point of failure as it is a direct connection.

Why this answer

VPC peering allows direct connectivity between two VPCs using private IPs and has no single point of failure. Transit Gateway also works but adds cost and complexity. VPN is not needed within the same region. An Internet Gateway would expose traffic to the internet.

237
MCQ · hard

A company is designing a network for a multi-account AWS environment using AWS Organizations. They need to establish a central inspection VPC for traffic inspection using a Gateway Load Balancer (GWLB). Traffic from all other VPCs should be routed through the inspection VPC before reaching the internet or on-premises. Which architecture should be used?

A. Use VPC Peering to connect all VPCs to the inspection VPC and configure routes to the GWLB.
B. Use AWS Direct Connect Gateway to connect all VPCs and route traffic through the inspection VPC.
C. Use AWS Transit Gateway with a centralized inspection VPC that hosts a GWLB. Configure route tables on the Transit Gateway to send traffic to the GWLB endpoint.
D. Use AWS Network Firewall in each VPC and route traffic to it.
Answer: C

Transit Gateway allows transitive routing and can force traffic through the inspection VPC.

Why this answer

Option C is correct because AWS Transit Gateway enables centralized routing between multiple VPCs, and when combined with a Gateway Load Balancer (GWLB) in an inspection VPC, it allows traffic from all other VPCs to be forwarded to the GWLB for inspection before reaching the internet or on-premises. Transit Gateway route tables can be configured with static routes pointing to the GWLB endpoint (using Gateway Load Balancer Endpoint service), ensuring all inter-VPC and egress traffic is steered through the inspection VPC. This architecture scales efficiently across many VPCs in an AWS Organizations multi-account setup without requiring complex peering or direct connections.

Exam trap

The trap here is that candidates often confuse VPC Peering's lack of transitive routing with the ability to create a hub-and-spoke model, leading them to select Option A, but AWS explicitly states that VPC Peering does not support transitive routing, making Transit Gateway the only viable option for centralized inspection across multiple VPCs.

How to eliminate wrong answers

Option A is wrong because VPC Peering does not support transitive routing; each peering connection is a one-to-one relationship, so traffic from one VPC cannot be routed through a central inspection VPC to another VPC or to the internet without explicit peering between every pair, making it unscalable and unable to enforce centralized inspection. Option B is wrong because AWS Direct Connect Gateway is used to connect on-premises networks to multiple VPCs via Direct Connect, but it does not provide routing between VPCs themselves or support forwarding traffic through a central inspection VPC; it lacks the transitive routing capability needed for this multi-VPC inspection pattern. Option D is wrong because AWS Network Firewall in each VPC would require deploying and managing separate firewall instances per VPC, which defeats the requirement for a central inspection VPC and does not provide a single point of traffic inspection across all VPCs; it also adds operational overhead and does not leverage the GWLB for centralized traffic steering.

238
Multi-Select · easy

A company is designing a VPC with public and private subnets. The company needs to provide internet access to instances in the private subnets. Which TWO components are required? (Choose TWO.)

Select 2 answers
A. Internet Gateway attached to the VPC
B. Transit Gateway
C. NAT Gateway in a public subnet
D. VPC Gateway Endpoint for S3
E. Virtual Private Gateway
Answers: A, C

An IGW is needed for the public subnet, and the NAT Gateway reaches the internet through it.

Why this answer

An Internet Gateway (IGW) is required to provide a target in the VPC route tables for internet-bound traffic. For instances in private subnets, a NAT Gateway placed in a public subnet translates their private IP addresses to the public IP of the NAT Gateway, allowing outbound internet access while preventing unsolicited inbound connections. The private subnet's route table must point 0.0.0.0/0 to the NAT Gateway, and the public subnet's route table must point 0.0.0.0/0 to the IGW.

Exam trap

The trap here is that candidates often think a NAT Gateway alone is sufficient, forgetting that an Internet Gateway must be attached to the VPC and the public subnet's route table must point to it for the NAT Gateway to reach the internet.

239
Multi-Select · hard

A company wants to connect its on-premises data center to AWS using AWS Direct Connect and wants to use the same connection to access multiple VPCs in the same AWS region. The company also needs to maintain private IP connectivity between the VPCs. Which THREE components should the company use to meet these requirements? (Choose three.)

Select 3 answers
A. Transit Gateway VPC attachments
B. VPC peering connections between each VPC
C. AWS Site-to-Site VPN connection
D. AWS Direct Connect gateway
E. AWS Transit Gateway
Answers: A, D, E

Each VPC must be attached to the Transit Gateway to enable connectivity through the Transit Gateway.

Why this answer

Transit Gateway VPC attachments allow multiple VPCs to connect to a central transit gateway, enabling private IP connectivity between them. When combined with an AWS Direct Connect gateway, the on-premises data center can use a single Direct Connect connection to reach all attached VPCs via the transit gateway, meeting both requirements efficiently.

Exam trap

The trap here is that candidates often confuse VPC peering with transit gateway, assuming peering can provide transitive routing or work with a single Direct Connect connection, but AWS explicitly requires a transit gateway for hub-and-spoke connectivity with Direct Connect.

240
MCQ · medium

A company is designing a network for a three-tier web application in AWS. The web tier must be accessible from the internet, but the application and database tiers must be private. The company wants to use a single AWS Region and ensure high availability across multiple Availability Zones. What is the MOST cost-effective network design that meets these requirements?

A. Place web servers in public subnets across three AZs. Place application and database servers in private subnets across three AZs. Use a NAT Gateway in each AZ for outbound traffic.
B. Place web servers in public subnets across three AZs. Place application and database servers in private subnets across three AZs. Use NAT instances in each AZ behind an Auto Scaling group.
C. Place web servers in public subnets and application/database servers in private subnets in one AZ. Use a single NAT Gateway in the public subnet for outbound traffic.
D. Place all tiers in public subnets and use security groups to restrict inbound traffic to the web tier only.
Answer: A

Highly available and cost-effective managed service.

Why this answer

Option A is correct because it places web servers in public subnets across three Availability Zones (AZs) for internet-facing access and high availability, while application and database servers reside in private subnets across three AZs for isolation. A NAT Gateway in each AZ provides cost-effective outbound internet connectivity for private instances without exposing them to inbound traffic, and using one NAT Gateway per AZ avoids cross-AZ data transfer charges, which would increase costs if a single NAT Gateway were shared across AZs.

Exam trap

AWS often tests the misconception that a single NAT Gateway is more cost-effective than multiple, but the trap is that cross-AZ data transfer costs from using a single NAT Gateway in a multi-AZ setup can exceed the cost of deploying one NAT Gateway per AZ, making the per-AZ design more cost-effective overall.

How to eliminate wrong answers

Option B is wrong because NAT instances behind an Auto Scaling group introduce management overhead, potential single points of failure during scaling events, and higher operational cost compared to managed NAT Gateways, making it less cost-effective. Option C is wrong because deploying all tiers in a single AZ violates the high availability requirement across multiple Availability Zones, as a single AZ failure would take down the entire application. Option D is wrong because placing all tiers in public subnets exposes application and database servers to the internet, violating the requirement that they remain private, even with security group restrictions, as security groups do not prevent all potential attack vectors like direct IP spoofing or misconfigurations.

241
MCQ · medium

A company has multiple VPCs in the same AWS region that need to communicate with each other. The network team wants to minimize the number of connections and simplify management. The solution must support transitive routing between all VPCs. Which AWS service should be used?

A. VPC Peering
B. AWS Direct Connect Gateway
C. AWS Transit Gateway
D. VPC Endpoints
Answer: C

Transit Gateway provides transitive routing and simplifies connections.

Why this answer

AWS Transit Gateway (TGW) is a network transit hub that enables transitive routing between multiple VPCs and on-premises networks through a single gateway. It uses a hub-and-spoke architecture, which inherently supports transitive routing (e.g., VPC A can reach VPC C via the TGW without requiring direct peering between A and C). This minimizes the number of connections (N VPCs require only N attachments instead of N*(N-1)/2 VPC peering connections) and simplifies management with a central routing table.

Exam trap

The trap here is that candidates often confuse VPC Peering's lack of transitive routing with the ability to route through a central VPC (e.g., using a third-party appliance), but AWS explicitly prohibits transitive routing through VPC peering, making Transit Gateway the only native service that supports transitive routing between multiple VPCs.

How to eliminate wrong answers

Option A is wrong because VPC Peering does not support transitive routing; traffic cannot flow from VPC A to VPC C through a peering connection with VPC B, as peering is a one-to-one, non-transitive relationship. Option B is wrong because AWS Direct Connect Gateway is designed to connect on-premises networks to multiple VPCs via Direct Connect, but it does not provide transitive routing between VPCs themselves; it only facilitates connectivity between on-premises and VPCs. Option D is wrong because VPC Endpoints (Gateway or Interface endpoints) provide private connectivity to AWS services (e.g., S3, DynamoDB) from within a VPC, not inter-VPC routing or transitive connectivity between VPCs.

242
Multi-Select · easy

A company is deploying a web application in a VPC. They need to ensure that the web servers can be accessed from the internet and that traffic is encrypted. Which TWO services should they use?

Select 2 answers
A. AWS WAF
B. Application Load Balancer (ALB)
D. AWS Certificate Manager (ACM)
E. Amazon CloudFront
Answers: B, D

ALB can terminate SSL/TLS and route traffic to targets.

Why this answer

Options B and D are correct. An Application Load Balancer (ALB) terminates HTTPS and distributes traffic to the web servers, and AWS Certificate Manager (ACM) provides the SSL/TLS certificate the ALB listener uses.

Option A is wrong because AWS WAF is a web application firewall, not an encryption service. Option E is wrong because CloudFront could be used, but the question asks for two services and ALB+ACM is the standard combination. Option C is wrong because a NAT Gateway is for outbound traffic.

243
MCQ · medium

A company is designing a network for a three-tier web application. The web tier must be able to scale out and in automatically based on CPU utilization. The database tier must be highly available and use Multi-AZ deployment. Which combination of AWS services should the architect use?

A. Network Load Balancer, Auto Scaling group, Amazon RDS Multi-AZ
B. Application Load Balancer, Auto Scaling group, Amazon DynamoDB
C. Application Load Balancer, Auto Scaling group, Amazon RDS Multi-AZ
D. Classic Load Balancer, Auto Scaling group, Amazon RDS Single-AZ
Answer: C

ALB handles HTTP/HTTPS traffic, Auto Scaling adjusts capacity, and RDS Multi-AZ provides HA.

Why this answer

Option C is correct because an Application Load Balancer (ALB) operates at Layer 7, which is ideal for distributing HTTP/HTTPS traffic to a web tier that scales out and in automatically via an Auto Scaling group based on CPU utilization. Amazon RDS Multi-AZ provides synchronous standby replication across Availability Zones, ensuring high availability for the database tier by automatically failing over to the standby in case of an outage.

Exam trap

AWS often tests the misconception that a Network Load Balancer is suitable for all web applications, but the trap here is that the web tier requires Layer 7 features (like HTTP header inspection) for proper scaling and routing, which only the Application Load Balancer provides.

How to eliminate wrong answers

Option A is wrong because a Network Load Balancer (NLB) operates at Layer 4 and is not optimized for HTTP/HTTPS traffic inspection or path-based routing, which is typically required for a three-tier web application; it also lacks native integration with Auto Scaling group health checks for web tier scaling. Option B is wrong because Amazon DynamoDB is a NoSQL database, not a relational database, and does not support Multi-AZ deployment in the same way as RDS; it also does not meet the requirement for a highly available database tier using Multi-AZ deployment. Option D is wrong because Amazon RDS Single-AZ does not provide high availability, as it lacks automatic failover to a standby instance in a different Availability Zone, and the Classic Load Balancer is a legacy option that does not support advanced Layer 7 features like host-based or path-based routing.

244
Multi-Select · easy

A company is designing a high-availability architecture for an application that will be deployed across multiple Availability Zones. Which THREE components are recommended for this design? (Choose three.)

Select 3 answers
A. One EC2 instance in each AZ
B. Application Load Balancer across multiple AZs
C. NAT Gateway in each AZ
D. Auto Scaling group with instances in multiple AZs
E. Single NAT Gateway in one AZ
Answers: B, C, D

Distributes traffic across AZs.

Why this answer

An Application Load Balancer (ALB) distributes incoming traffic across multiple targets in different Availability Zones (AZs). By enabling cross-zone load balancing, the ALB can route requests to healthy instances in any AZ, ensuring that if one AZ fails, traffic is automatically redirected to instances in the remaining AZs. This is a foundational component for high availability because it eliminates a single point of failure at the traffic distribution layer.

Exam trap

AWS often tests the misconception that a single NAT Gateway is sufficient for high availability, but in a multi-AZ architecture, you must deploy a NAT Gateway in each AZ to maintain outbound connectivity during an AZ failure.

245
MCQeasy

A company wants to connect its on-premises data center to AWS using AWS Direct Connect with a public VIF to access Amazon S3. The on-premises network team reports that they can ping the Direct Connect public VIF IP but cannot access S3. The VPC has a private subnet with an S3 VPC endpoint. What is the most likely reason for the failure?

A.Direct Connect does not support access to Amazon S3; you must use VPN.
B.The S3 endpoint is configured in the VPC, but the on-premises traffic is not using the endpoint.
C.The on-premises network is not routing traffic to S3 through the Direct Connect public VIF; instead, it is attempting to use the internet.
D.A security group is blocking traffic from the on-premises network to S3.
AnswerC

Public VIF requires proper routing; if not configured, traffic goes over internet.

Why this answer

Option C is correct. Over a public virtual interface, AWS advertises its public IP prefixes for the Region (including the ranges used by Amazon S3) to the on-premises router through BGP, and the on-premises side must accept those prefixes and prefer them over its default route. A successful ping to the VIF peer address shows only that the Layer 3 link is up; if the BGP session is down, the advertised prefixes are filtered, or a default route still wins, S3 traffic is steered to the internet path instead of Direct Connect, which does not meet the design and fails if that path is not open.

Option A is incorrect because a public VIF exists precisely to reach AWS public services such as S3; a VPN is not required. Option B is incorrect because a gateway VPC endpoint serves only traffic that originates inside the VPC and is routed by that VPC's route tables; on-premises traffic arriving over a public VIF never uses it, so it is irrelevant to this path rather than the cause. Option D is incorrect because security groups attach to network interfaces inside a VPC; they do not sit between an on-premises network and S3's public endpoints.

246
MCQeasy

A company is designing a hybrid network where an Amazon VPC is connected to an on-premises data center via AWS Direct Connect and a VPN backup. They have a VPC with CIDR 10.0.0.0/16 and on-premises CIDR 192.168.0.0/16. They want to ensure that all traffic between the VPC and on-premises uses the Direct Connect connection when it is available, and automatically fails over to the VPN if Direct Connect fails. What should they do?

A.Create a virtual private gateway with a Direct Connect private virtual interface. Additionally, create a separate VPN connection directly to the VPC. Set longer AS path for the Direct Connect routes.
B.Create a virtual private gateway and establish both a Direct Connect private virtual interface and a VPN connection. Use BGP with equal AS path lengths to enable ECMP.
C.Create a virtual private gateway and attach a Direct Connect private virtual interface. For failover, add a static route in the VPC route table pointing to the VPN connection.
D.Create a virtual private gateway attached to the VPC. Establish a Direct Connect private virtual interface and a VPN connection to the virtual private gateway. Configure BGP on both connections and use a shorter AS path for the Direct Connect routes.
AnswerD

The shorter AS path makes Direct Connect preferred, and BGP provides automatic failover.

Why this answer

Option D is correct because it terminates both the Direct Connect private virtual interface and the VPN connection on the same virtual private gateway (VGW) and runs BGP on both. The on-premises router prepends its ASN to the prefixes it advertises over the VPN, so the Direct Connect advertisements carry the shorter AS path and win best-path selection for the same prefixes while Direct Connect is up. If Direct Connect fails, its BGP session drops and its routes are withdrawn, leaving the VPN routes (with the longer AS path) as the only path, which gives automatic failover without anyone touching a route table. On the AWS side the VGW already prefers routes learned over Direct Connect to routes learned over a VPN for the same prefix, so the prepending chiefly steers the on-premises router's outbound choice.

Exam trap

AWS often tests the misconception that you can simply attach a Direct Connect private virtual interface to a VGW and then add a static route for failover, but this ignores the need for BGP-based dynamic failover and the risk of route conflicts or black-holing when both paths are active.

How to eliminate wrong answers

Option A is wrong because setting a longer AS path for Direct Connect routes would make them less preferred, causing traffic to use the VPN instead of Direct Connect when both are available. Option B is wrong because using equal AS path lengths with ECMP would load-balance traffic across both connections, not prioritize Direct Connect as the primary path. Option C is wrong because adding a static route in the VPC route table for failover does not provide automatic failover; the static route would be active simultaneously, potentially causing asymmetric routing or black-holing, and it lacks BGP-based dynamic failover detection.

247
MCQeasy

A company is designing a multi-VPC architecture in the same region. The VPCs need to communicate with each other using private IP addresses. The company must minimize cost and operational overhead. Which solution should the company use?

A.Set up AWS Site-to-Site VPN connections between each VPC.
B.Use ClassicLink to connect the VPCs.
C.Create VPC peering connections between each pair of VPCs.
D.Create a Transit Gateway and attach all VPCs.
AnswerC

VPC peering is simple, low-cost, and uses private IPs.

Why this answer

Option C is correct because VPC peering connections provide direct, private IP connectivity between VPCs using the AWS global network, with no bandwidth bottlenecks or single points of failure. It is the most cost-effective solution for a small number of VPCs (e.g., fewer than 10) as there are no hourly charges for the peering connection itself—only data transfer costs. This minimizes operational overhead compared to managing VPN tunnels or a Transit Gateway, as peering is a simple, one-to-one relationship that does not require additional appliances or complex routing policies.

Exam trap

The trap here is that candidates often choose Transit Gateway (Option D) because it is a modern, centralized solution, but they overlook the specific constraint of minimizing cost and operational overhead for a small number of VPCs, where VPC peering is simpler and cheaper.

How to eliminate wrong answers

Option A is wrong because AWS Site-to-Site VPN connections require a virtual private gateway on each VPC and incur hourly charges per VPN connection, plus data transfer costs, making them more expensive and operationally complex than VPC peering for intra-Region VPC communication. Option B is wrong because ClassicLink was a legacy feature that only let EC2-Classic instances communicate with a VPC over private IPs; it never connected VPCs to each other and was retired together with the EC2-Classic platform. Option D is wrong because while a Transit Gateway simplifies routing for many VPCs, it incurs an hourly attachment fee per VPC and data processing charges, which is unnecessary overhead for a small number of VPCs that can be directly peered at lower cost.

248
MCQhard

A company is deploying a critical application that requires low latency between EC2 instances in the same AWS region but across multiple Availability Zones. The instances are part of an Auto Scaling group behind a Network Load Balancer. Which network design provides the lowest latency while maintaining high availability?

A.Use a cluster placement group across two Availability Zones.
B.Do not use a placement group; enable Enhanced Networking (ENA) on all instances.
C.Use a spread placement group across two Availability Zones.
D.Use a partition placement group across two Availability Zones.
AnswerB

Only a cluster placement group lowers latency, and it is confined to a single AZ; once multi-AZ high availability is required, Enhanced Networking is the optimization that still applies on every instance.

Why this answer

Option B is correct. Of the three placement group strategies, only cluster reduces latency between instances, and a cluster placement group must sit in a single Availability Zone, so Option A describes something that cannot be created. Spread and partition placement groups can span Availability Zones within a Region, but they exist to isolate instances from shared hardware failures (spread puts each instance on a distinct rack; partition keeps groups of instances on separate sets of racks), which adds physical separation and does nothing to reduce latency. With the Auto Scaling group spread across AZs for availability, the cross-AZ hop is unavoidable, and the optimization left is to enable Enhanced Networking (ENA) on every instance: it bypasses the hypervisor's network stack and lowers per-packet latency and jitter on each instance regardless of which AZ it is in.

Option C is wrong because a spread placement group optimizes for failure isolation, not latency. Option D is wrong because a partition placement group serves large distributed workloads such as HDFS or Kafka, not latency-sensitive traffic.

249
MCQhard

A company is using AWS Direct Connect to connect its on-premises data center to AWS. The company has a single hosted virtual interface (VIF) with a private VIF to a VPC. The network team notices that traffic from on-premises to AWS is asymmetric—some packets go through the Direct Connect while others use a VPN backup. The team wants all traffic to use Direct Connect when available. What should they do?

A.Disable AS_PATH prepending on the Direct Connect BGP session.
B.Convert the private VIF to a public VIF.
C.Remove the VPN connection to force all traffic through Direct Connect.
D.Advertise more specific prefixes (e.g., /24) over Direct Connect and less specific (e.g., /16) over VPN.
AnswerD

Correct: More specific BGP routes are preferred, so Direct Connect will be used when available.

Why this answer

Option D is correct because BGP route selection prefers more specific prefixes (longest prefix match) over less specific ones. By advertising a more specific prefix (e.g., /24) over Direct Connect and a less specific prefix (e.g., /16) over the VPN, the on-premises router will prefer the Direct Connect path for the more specific route, ensuring all traffic uses Direct Connect when available. This leverages BGP's prefix-length-based path selection without requiring removal of the VPN backup.

Exam trap

The trap here is that candidates reach for AS_PATH prepending or for removing the VPN, but a router compares BGP attributes only between paths to the same prefix; the forwarding lookup is longest prefix match, so a more specific prefix learned over Direct Connect is used ahead of a covering prefix learned over the VPN no matter what attributes the VPN route carries. Advertising the specific prefixes over Direct Connect and only the summary over the VPN is therefore a reliable way to enforce the primary path.

How to eliminate wrong answers

Option A is wrong because disabling AS_PATH prepending on the Direct Connect BGP session would make the Direct Connect path appear shorter (lower AS_PATH length), but it does not address the root cause of asymmetric routing if the VPN is advertising a more specific prefix or if the on-premises router is using a different metric. Option B is wrong because converting a private VIF to a public VIF would change the connectivity type from private (VPC access) to public (AWS public services), which is unrelated to fixing asymmetric routing between on-premises and a VPC. Option C is wrong because removing the VPN connection eliminates the backup path entirely, which violates the requirement to have a backup available and does not solve the routing preference issue—it forces traffic through Direct Connect but removes redundancy.
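The two route-selection rules that questions 246 and 249 turn on, as an added illustration that is not part of the original question set: a small Python model of the on-premises router's BGP table, with best-path selection among routes to the same prefix (LOCAL_PREF first, then shortest AS_PATH) and longest-prefix-match forwarding across prefixes. The sample routes, the ASN 64512 and the next-hop labels "dx" and "vpn" are constructed for the example, not taken from the page. The AWS side behaves the same way in outline: a virtual private gateway also applies longest prefix match first and, for identical prefixes, prefers Direct Connect-learned routes over VPN-learned ones.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    """One BGP path as received by the on-premises router (constructed example)."""
    prefix: str          # e.g. "10.0.1.0/24"
    next_hop: str        # "dx" or "vpn" in this model
    as_path: tuple       # AS numbers as received, prepends included
    local_pref: int = 100


def best_path(candidates: List[Route]) -> Route:
    """BGP best-path selection reduced to the two steps that matter here:
    highest LOCAL_PREF wins, then the shortest AS_PATH wins."""
    return min(candidates, key=lambda r: (-r.local_pref, len(r.as_path)))


def build_fib(rib: List[Route]) -> Dict[str, Route]:
    """Attributes are compared only among routes to the *same* prefix; one winner per prefix."""
    by_prefix: Dict[str, List[Route]] = {}
    for r in rib:
        by_prefix.setdefault(r.prefix, []).append(r)
    return {p: best_path(paths) for p, paths in by_prefix.items()}


def lookup(fib: Dict[str, Route], dst: str) -> Optional[Route]:
    """Forwarding lookup is longest prefix match: the most specific prefix that
    contains dst is used before any BGP attribute is consulted."""
    addr = ipaddress.ip_address(dst)
    matches = [r for p, r in fib.items() if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


def select_next_hop(rib: List[Route], dst: str) -> Optional[str]:
    route = lookup(build_fib(rib), dst)
    return route.next_hop if route else None


def without(rib: List[Route], next_hop: str) -> List[Route]:
    """Simulate a link failure: its BGP session drops and its routes are withdrawn."""
    return [r for r in rib if r.next_hop != next_hop]


AWS_ASN = 64512  # constructed: the ASN the virtual private gateway peers with

# Question 246: the same prefix on both paths, VPN advertisements prepended twice.
EQUAL_PREFIX_RIB = [
    Route("10.0.0.0/16", "dx", (AWS_ASN,)),
    Route("10.0.0.0/16", "vpn", (AWS_ASN, AWS_ASN, AWS_ASN)),
]

# Question 249: a more specific prefix over Direct Connect, the summary over VPN.
# The VPN path even has the shorter AS_PATH here; it still loses for 10.0.1.0/24.
SPECIFIC_PREFIX_RIB = [
    Route("10.0.1.0/24", "dx", (AWS_ASN, AWS_ASN, AWS_ASN)),
    Route("10.0.0.0/16", "vpn", (AWS_ASN,)),
]

if __name__ == "__main__":
    print("equal prefixes, both up:", select_next_hop(EQUAL_PREFIX_RIB, "10.0.5.9"))
    print("equal prefixes, DX down:", select_next_hop(without(EQUAL_PREFIX_RIB, "dx"), "10.0.5.9"))
    print("specific /24 over DX:   ", select_next_hop(SPECIFIC_PREFIX_RIB, "10.0.1.50"))
    print("host outside the /24:   ", select_next_hop(SPECIFIC_PREFIX_RIB, "10.0.9.1"))
    print("specific /24, DX down:  ", select_next_hop(without(SPECIFIC_PREFIX_RIB, "dx"), "10.0.1.50"))
```

The fourth lookup shows the pitfall of the question 249 approach: a host that no specific Direct Connect prefix covers is forwarded over the VPN even while Direct Connect is healthy, so every range actually in use must be advertised as a specific prefix over Direct Connect, with the summary kept only as the VPN fallback.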

250
Multi-Selecteasy

A company has an AWS Transit Gateway with multiple VPC attachments. They need to inspect traffic between VPCs using a third-party firewall appliance. Which THREE steps are necessary?

Select 3 answers
A.Create a VPC peering connection between the VPCs to allow traffic flow
B.Deploy a Gateway Load Balancer (GWLB) in the firewall VPC and register the firewall instances as targets
C.Configure Transit Gateway route tables to route traffic between VPCs through the firewall VPC
D.Configure a NAT Gateway in each VPC to route traffic through the firewall
E.Attach a VPC containing the firewall appliance to the Transit Gateway
AnswersB, C, E

A Gateway Load Balancer in the inspection VPC, reached through Gateway Load Balancer endpoints, hands traffic to the firewall instances transparently.

Why this answer

To inspect traffic, the firewall must be placed in the forwarding path. The VPC that hosts the firewall appliances is attached to the Transit Gateway like any other VPC (Option E).

Transit Gateway route tables are then configured so that traffic between the spoke VPCs is sent to the inspection VPC attachment instead of directly to the destination VPC (Option C). Inside the inspection VPC, a Gateway Load Balancer with the firewall instances registered as targets (Option B) receives traffic through Gateway Load Balancer endpoints and tunnels it (GENEVE) to a healthy appliance without either VPC being aware of it. Enable appliance mode on the inspection VPC's Transit Gateway attachment so that both directions of a flow reach the same Availability Zone and therefore the same appliance. A VPC peering connection between the spokes (Option A) would bypass the Transit Gateway and the firewall entirely.

A NAT Gateway (Option D) provides outbound internet access for private subnets; it cannot steer east-west traffic through an appliance.

251
MCQeasy

A company is deploying a web application on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The application must be accessible from the internet. Which component must be attached to the VPC to allow internet traffic to reach the ALB?

A.NAT gateway
B.Virtual private gateway
C.Internet gateway
D.Transit gateway
AnswerC

An internet gateway is required for internet traffic to reach resources in a VPC.

Why this answer

Option C is correct. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between the VPC and the internet. An internet-facing ALB must be placed in public subnets, that is, subnets whose route table sends 0.0.0.0/0 to the internet gateway.

Option A is incorrect because a NAT gateway only lets instances in private subnets initiate outbound connections; it does not accept inbound connections from the internet. Option B is incorrect because a virtual private gateway terminates Site-to-Site VPN and Direct Connect private virtual interface connections. Option D is incorrect because a transit gateway connects multiple VPCs and on-premises networks.

252
Multi-Selectmedium

A company is designing a network architecture for a critical application that requires high availability across multiple AWS regions. The application uses an Application Load Balancer (ALB) in each region. Which TWO services can provide global routing and failover between the two ALBs?

Select 2 answers
A.Amazon Route 53 with failover routing and health checks
B.AWS WAF
C.Network Load Balancer (NLB)
D.Amazon CloudFront
E.AWS Global Accelerator
AnswersA, E

Route 53 can route traffic to the primary region and failover to the secondary based on health checks.

Why this answer

Options A and E are correct. Amazon Route 53 failover routing with health checks answers DNS queries with the healthy Region's ALB and switches to the other Region when the primary fails its checks. AWS Global Accelerator fronts both ALBs with two static anycast IP addresses and steers each connection over the AWS global network to the nearest healthy Regional endpoint, with failover that does not depend on DNS caching.

Option B is wrong because AWS WAF is a web application firewall that filters requests; it does not route them. Option C is wrong because a Network Load Balancer is a Regional service and cannot balance across Regions. Option D is wrong because Amazon CloudFront is a content delivery network; an origin group can fail over between two origins for one distribution, but it is a cache in front of the application rather than a global traffic-routing service for the ALBs themselves.

253
MCQhard

A company has a VPC with a CIDR block of 10.0.0.0/16. They need to add a new CIDR block 10.1.0.0/16 to accommodate more subnets. The VPC already has multiple subnets and route tables. What is the impact of adding this secondary CIDR?

A.The secondary CIDR will be automatically advertised to all route tables.
B.Existing subnets and route tables remain unchanged; new subnets can be created in the new CIDR.
C.The VPC will experience a brief outage while the new CIDR is being associated.
D.Existing subnets will automatically be extended to include IPs from the new CIDR.
AnswerB

Secondary CIDRs do not affect existing resources.

Why this answer

Adding a secondary CIDR block to an existing VPC is non-disruptive. Existing subnets and their route-table associations are unchanged because the secondary block is additional address space, not a modification of the primary block. New subnets are carved from the new block (and land in the main route table until you associate them with another one), and the VPC adds a local route for the new block to every route table in the VPC so that resources in the two blocks can reach each other.

Exam trap

AWS often tests the misconception that a secondary CIDR automatically extends existing subnets or is propagated everywhere the VPC is reachable from; subnets stay tied to their original block, and peered VPCs (and any route you maintain by hand toward the VPC) need their routes updated for the new range.

How to eliminate wrong answers

Option A is wrong because, beyond the local route the VPC adds to its own route tables, the new block is not advertised to anything else automatically: route tables in peered VPCs and any static routes pointing at the VPC must be updated to cover the new range. Option C is wrong because associating a CIDR block causes no outage or disruption to existing resources. Option D is wrong because existing subnets are never extended; they stay tied to the block they were created in, and new subnets must be created in the new range.

254
MCQeasy

A company needs to resolve DNS names for their EC2 instances using custom domain names like "app.example.com". Which AWS service should they use?

A.AWS Cloud Map
B.AWS Directory Service
C.Amazon Route 53
D.Amazon Cognito
AnswerC

Managed DNS service.

Why this answer

Amazon Route 53 is a scalable DNS web service that can resolve custom domain names like 'app.example.com' to EC2 instance IP addresses through A or AAAA records (alias records target AWS resources such as load balancers and CloudFront distributions, not individual instances). It supports private hosted zones associated with VPCs, so internal resources resolve by name without being exposed to the internet, and its health checks can remove unhealthy instance addresses from answers.

Exam trap

The trap here is that candidates confuse AWS Cloud Map's service discovery capabilities with DNS resolution, but Cloud Map is designed for dynamic service endpoints (e.g., ECS tasks) and does not natively resolve arbitrary custom domain names like 'app.example.com' without Route 53.

How to eliminate wrong answers

Option A is wrong because AWS Cloud Map is a service for service discovery that manages dynamic resource mappings (e.g., for microservices), not a DNS resolver for custom domain names; it relies on Route 53 for DNS resolution. Option B is wrong because AWS Directory Service provides managed Microsoft Active Directory or LDAP-based directory services for authentication and authorization, not DNS resolution for custom domain names. Option D is wrong because Amazon Cognito is an identity and access management service for user sign-up, sign-in, and federation, not a DNS service.

255
MCQeasy

A company wants to use Amazon Route 53 to resolve DNS queries for a domain they own. They want to ensure that DNS queries are answered quickly and that there is no single point of failure. Which configuration should they use?

A.Deploy Route 53 in multiple AWS Regions.
B.Create a hosted zone and let Route 53 automatically handle the DNS resolution.
C.Create multiple hosted zones in separate AWS accounts.
D.Create a single hosted zone and assign it to one Route 53 name server.
AnswerB

Route 53 is inherently highly available.

Why this answer

Option B is correct because when you create a hosted zone in Route 53, AWS automatically assigns it four authoritative name servers (the NS records of the zone), drawn from four different top-level domains and served from globally redundant locations. This design inherently provides high availability and low-latency DNS resolution without any additional configuration, as Route 53 uses anycast routing to direct each query to the nearest healthy name server.

Exam trap

The trap here is that candidates may think Route 53 is a regional service like EC2 or RDS, leading them to choose Option A, or they may mistakenly believe that creating multiple hosted zones or accounts increases redundancy, when in fact a single hosted zone with its four automatically assigned name servers already provides full fault tolerance and low latency.

How to eliminate wrong answers

Option A is wrong because Route 53 is a global service, not a Regional one; there is nothing to deploy per Region, as the service already answers from edge locations worldwide via anycast. Option C is wrong because creating multiple hosted zones in separate AWS accounts does not improve DNS resolution speed or fault tolerance; each zone would be authoritative for the same domain with its own name server set, so the result is administrative complexity and records that drift out of sync. Option D is wrong because a hosted zone is always assigned four Route 53 name servers, not one; relying on a single name server would create a single point of failure and violate DNS operational practice (RFC 2182 calls for at least two authoritative servers in different locations).

256
MCQmedium

A company has a VPC with a CIDR block of 10.0.0.0/16. They have two subnets: subnet-A (10.0.1.0/24) and subnet-B (10.0.2.0/24). An EC2 instance in subnet-A needs to communicate with an RDS database in subnet-B. Both subnets are in the same Availability Zone. What is the most efficient way to enable this communication?

A.Create a Transit Gateway and attach both subnets to it.
B.Place a NAT Gateway in subnet-A and configure route tables accordingly.
C.No additional configuration is required. The instance and database can communicate within the same VPC.
D.Create a VPC Peering connection between the two subnets.
AnswerC

VPC internal routing allows communication between subnets in the same VPC.

Why this answer

Option C is correct. Every route table in a VPC carries a local route for the VPC CIDR (10.0.0.0/16 here), so subnet-A and subnet-B can reach each other with no additional routing; the only things that can block the traffic are the database's security group (it must allow the instance's security group or subnet on the database port) and the network ACLs. Option D is wrong because VPC peering connects two VPCs, not two subnets of one VPC.

Option B is wrong because a NAT Gateway provides outbound internet access from private subnets. Option A is wrong because a Transit Gateway connects multiple VPCs or on-premises networks; it adds nothing inside a single VPC.

257
MCQmedium

A company wants to connect multiple VPCs across different AWS Regions using AWS Transit Gateway. Which feature allows the VPCs to communicate with each other using private IP addresses without creating peering connections?

A.AWS Direct Connect gateway
B.AWS PrivateLink
C.Transit Gateway inter-Region peering
D.VPC Peering
AnswerC

Transit Gateway supports inter-Region peering for transitive routing between VPCs across Regions.

Why this answer

Transit Gateway inter-Region peering allows VPCs in different AWS Regions to communicate using private IP addresses through a central Transit Gateway, without requiring individual VPC peering connections. This feature uses the AWS global network to route traffic between peered Transit Gateways, enabling cross-region connectivity with a hub-and-spoke architecture.

Exam trap

The trap here is that candidates may confuse Transit Gateway inter-Region peering with VPC Peering, assuming VPC Peering is the only way to connect VPCs across regions, but Transit Gateway provides a scalable, centralized alternative without the need for full-mesh peering.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect gateway is used to connect on-premises networks to AWS via Direct Connect, not to connect VPCs across regions. Option B is wrong because AWS PrivateLink enables private connectivity to services via Network Load Balancers and interface VPC endpoints, but it does not provide routing between multiple VPCs. Option D is wrong because VPC Peering requires creating individual peering connections between each pair of VPCs, which does not scale and does not use a central Transit Gateway.

258
MCQhard

A company is deploying a critical application across three AWS Regions using an active-active architecture with Amazon Route 53 latency-based routing. Each region has an Application Load Balancer (ALB) as the endpoint. The application health checks are configured to check the /health endpoint every 10 seconds. During a regional failure, some users experience timeouts while others are redirected correctly. What is the most likely cause?

A.Route 53 health checkers take multiple intervals to detect failure, and timeouts occur before failover completes.
B.The ALB health check is misconfigured and returns a non-200 status code during normal operation.
C.The TTL on the Route 53 record is set too low, causing stale DNS responses.
D.Users have cached DNS records from the failed region, and Route 53 does not return healthy endpoints.
AnswerA

With the 10-second interval and the default failure threshold of 3 consecutive failures, Route 53 needs about 30 seconds to declare the endpoint unhealthy; queries answered in that window still return the failed Region.

Why this answer

Route 53 health checkers operate from multiple global locations and evaluate the /health endpoint every 10 seconds. However, to declare an endpoint unhealthy, Route 53 requires a configurable number of consecutive failures (default is 3), meaning it can take 30 seconds or more before the DNS record is updated to remove the failed region. During this detection window, some users whose DNS queries are answered by Route 53 before the failure is fully propagated may receive the IP of the failing ALB, leading to timeouts, while others who query after the failover complete successfully.

Exam trap

AWS often tests the misconception that Route 53 instantly fails over when an endpoint becomes unhealthy, but the trap here is that health check detection requires multiple consecutive failures (default 3) before the endpoint is removed from DNS responses, causing a delay that leads to intermittent timeouts for some users.

How to eliminate wrong answers

Option B is wrong because a misconfigured ALB health check returning a non-200 status during normal operation would cause Route 53 to mark the endpoint as unhealthy continuously, not just during a regional failure, and would not explain why some users experience timeouts while others do not. Option C is wrong because a low TTL on the Route 53 record actually reduces the time DNS responses are cached, which would help failover happen faster, not cause stale responses or timeouts. Option D is wrong because Route 53 latency-based routing does not return unhealthy endpoints; once a health check fails, Route 53 stops including that region's IP in responses, so cached DNS records from the failed region are not served by Route 53—the issue is that the health check failure detection itself takes multiple intervals, not that Route 53 returns unhealthy endpoints.

259
MCQmedium

A company has a VPC with public and private subnets. The private subnets need outbound internet access for software updates. The company wants to ensure that traffic from private subnets uses a single, highly available IP address for outbound traffic. Which solution meets these requirements?

A.Deploy a single EC2 instance configured as a NAT instance in a public subnet.
B.Configure a fleet of proxy servers in an Auto Scaling group with a Network Load Balancer.
C.Create a NAT gateway in a public subnet and route traffic from private subnets to it.
D.Use a VPC endpoint for Amazon S3 to access software updates.
AnswerC

NAT gateway is managed, highly available, and provides a single Elastic IP.

Why this answer

Option C is correct because a NAT gateway is a managed service that is redundant within its Availability Zone and sends all outbound traffic from a single Elastic IP address (deploy one per AZ if you also need resilience to an AZ failure, each with its own address). Option A is incorrect because a single NAT instance is a single point of failure that you must patch, size and monitor yourself. Option D is incorrect because a gateway endpoint for S3 reaches only S3, not the general internet from which the updates may be fetched.

Option B is incorrect because a proxy fleet behind a Network Load Balancer adds operational complexity and, with several proxies, presents several source IP addresses rather than one.

260
Multi-Selecteasy

Which TWO of the following are required to establish an AWS Site-to-Site VPN connection? (Select TWO.)

Select 2 answers
A.Direct Connect gateway
B.Virtual private gateway
C.Customer gateway
D.Transit gateway
E.VPN connection
AnswersB, C

AWS-side endpoint for the VPN.

Why this answer

A virtual private gateway (VGW) is required as the AWS-side endpoint for the VPN tunnel; it anchors the encrypted IPsec session and routes traffic from the VPC to the on-premises network. The customer gateway (CGW) represents the on-premises VPN device in AWS, providing the public IP and BGP ASN (for dynamic routing) or static route configuration needed to establish the tunnel. Both are mandatory components of an AWS Site-to-Site VPN connection.

Exam trap

AWS often tests the misconception that a transit gateway is required for Site-to-Site VPN, but it is only needed when connecting multiple VPCs or using advanced routing features; a simple VPN to a single VPC only needs a VGW and CGW.

261
MCQeasy

A company has an existing VPC with a public subnet and a private subnet. The company launches an EC2 instance in the private subnet. The instance needs to access an S3 bucket to download software updates. The company does not want the instance to have a public IP address. The company creates a VPC endpoint for S3 (Gateway type) in the VPC, and associates it with the private subnet route table by adding a route for the S3 prefix list. However, the instance still cannot access the S3 bucket. The security group for the instance allows all outbound traffic. The network ACL for the private subnet allows all inbound and outbound traffic. What is the MOST likely reason for the connectivity failure?

A.The network ACL is blocking the traffic
B.The security group does not allow outbound HTTPS traffic
C.The VPC endpoint policy does not grant access to the S3 bucket
D.The instance does not have a route to the internet
AnswerC

Correct; the endpoint policy may be restrictive.

Why this answer

The most likely reason is that the VPC endpoint policy does not grant access to the S3 bucket. Even though the gateway endpoint exists and the private subnet's route table sends the S3 prefix list to it, the endpoint policy decides which buckets and actions may pass through the endpoint. The policy AWS attaches by default allows everything, so the failure mode here is a customised policy that names other buckets or actions but not this one: requests to the bucket are then denied at the endpoint and the download fails. (A bucket policy that restricts access to a different source VPC, or a bucket in another Region, since gateway endpoints are Regional, would produce the same symptom; neither is among the options.)

The security group and network ACL are already permissive, and internet access is not required because the Gateway endpoint uses AWS's private network.

Exam trap

AWS often tests the misconception that a Gateway VPC Endpoint automatically grants access to all S3 buckets once the route is added, ignoring that the endpoint policy must explicitly allow the desired S3 actions and resources.

How to eliminate wrong answers

Option A is wrong because the network ACL for the private subnet allows all inbound and outbound traffic, so it is not blocking anything. Option B is wrong because the security group allows all outbound traffic (including HTTPS), so outbound HTTPS is permitted. Option D is wrong because the instance does not need a route to the internet; a Gateway VPC Endpoint for S3 provides connectivity to S3 over the AWS private network without requiring internet access.
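How an endpoint policy decides whether the download in question 261 goes through, as an added example that is not part of the original page: a small Python evaluator for the statement logic IAM applies to a gateway endpoint policy (a matching explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny), run against a permissive default-style policy, a restrictive policy that names only an approved bucket, and the same restrictive policy after the updates bucket is added. The bucket names, ARNs and policies are constructed for the example. The evaluator simplifies deliberately: Principal and Condition are treated as satisfied, and NotAction/NotResource are not handled.

```python
import re
from typing import Any, Dict, List

Json = Dict[str, Any]


def _as_list(value: Any) -> List[Any]:
    """IAM allows a single string where a list is expected; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if case_insensitive else 0
    return re.match(regex, value, flags) is not None


def endpoint_policy_allows(policy: Json, action: str, resource: str) -> bool:
    """Evaluate the endpoint policy for one request: an explicit Deny that matches
    wins outright, otherwise any matching Allow grants access, otherwise the
    request is implicitly denied. Action names compare case-insensitively,
    resource ARNs case-sensitively, as IAM does."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        action_hit = any(_wildcard_match(p, action, True) for p in _as_list(stmt.get("Action")))
        resource_hit = any(_wildcard_match(p, resource, False) for p in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def with_bucket(policy: Json, bucket: str) -> Json:
    """Return a copy of the policy that additionally allows read access to `bucket`."""
    extra = {
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }
    return {**policy, "Statement": _as_list(policy.get("Statement")) + [extra]}


# Constructed policies and ARNs (not from the page). The policy AWS attaches to a
# new gateway endpoint allows everything; the restrictive one names a single bucket.
DEFAULT_POLICY: Json = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}

RESTRICTIVE_POLICY: Json = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::approved-bucket", "arn:aws:s3:::approved-bucket/*"],
    }],
}

UPDATES_OBJECT = "arn:aws:s3:::updates-bucket/agent/latest.tar.gz"  # constructed

if __name__ == "__main__":
    for name, pol in [("default", DEFAULT_POLICY), ("restrictive", RESTRICTIVE_POLICY),
                      ("restrictive+updates", with_bucket(RESTRICTIVE_POLICY, "updates-bucket"))]:
        print(f"{name:22s} GetObject on updates bucket:",
              endpoint_policy_allows(pol, "s3:GetObject", UPDATES_OBJECT))
```

The order of checks matters for troubleshooting: fix the endpoint policy first, then confirm the bucket policy does not deny the request on its own (for example with an `aws:SourceVpce` condition naming a different endpoint), since both documents must allow the call.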

262
MCQmedium

A company is designing a multi-region architecture with VPCs in us-east-1 and eu-west-1. The company needs low-latency connectivity between the VPCs and wants to avoid traffic over the public internet. The VPCs have overlapping CIDR blocks (10.0.0.0/16). Which solution should the network engineer recommend?

A.Set up an AWS Transit Gateway in each region and connect them via a VPN attachment.
B.Use a Direct Connect connection between the regions.
C.Use VPC peering between the two VPCs.
D.Place all resources in a single VPC with multiple Availability Zones.
AnswerA

Transit Gateway keeps the traffic on the AWS backbone and its route tables can keep the overlapping blocks apart; VPC peering is refused outright for overlapping CIDRs.

Why this answer

Option A is the intended answer: a Transit Gateway in each Region, connected to each other, keeps the traffic on the AWS global network (the link between the two gateways is encrypted and never touches the public internet), and each VPC attaches to its Regional gateway. In production that inter-gateway link is an inter-Region peering attachment; the option's wording describes it as a VPN attachment. Overlapping CIDR blocks are the deciding constraint: VPC peering cannot be created between VPCs whose CIDRs overlap, whereas a Transit Gateway lets you keep the two 10.0.0.0/16 attachments in separate route tables so their routes do not collide. Note for practitioners that identical ranges still cannot be routed to each other directly by any service; in practice a private NAT gateway or AWS PrivateLink is used to translate addresses or expose the specific services that must be reached across the overlap.

Exam trap

The trap here is that candidates assume VPC peering is always the simplest solution, but they overlook the hard rule that VPC peering cannot be created between VPCs with overlapping CIDR blocks, which leaves the Transit Gateway design as the viable option among those offered.

How to eliminate wrong answers

Option B is wrong because Direct Connect is a dedicated connection from on-premises to AWS, not between AWS regions; it does not provide inter-region VPC connectivity. Option C is wrong because VPC peering requires non-overlapping CIDR blocks; with overlapping 10.0.0.0/16 CIDRs, peering is impossible as it would cause routing conflicts and AWS explicitly prohibits peering with overlapping ranges. Option D is wrong because the requirement is for a multi-region architecture, and placing all resources in a single VPC with multiple Availability Zones only provides high availability within one region, not cross-region connectivity.
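The address-space checks behind questions 253 and 262, as an added example that is not part of the original page: a Python script that tells whether two VPCs can be peered at all (no CIDR block of one may overlap any block of the other, primary or secondary) and lists the problems a proposed secondary CIDR would run into before you try to associate it. The CIDR values are constructed for the example; the size limit of /16 to /28 and the no-overlap rules are AWS's, but the full list of restrictions on secondary CIDRs is longer than what this script checks.

```python
import ipaddress
from typing import Iterable, List, Sequence, Tuple


def _nets(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def overlapping_pairs(cidrs_a: Iterable[str], cidrs_b: Iterable[str]) -> List[Tuple[str, str]]:
    """Every pair of blocks, one from each VPC, that share at least one address."""
    return [(str(a), str(b)) for a in _nets(cidrs_a) for b in _nets(cidrs_b) if a.overlaps(b)]


def can_peer(cidrs_a: Iterable[str], cidrs_b: Iterable[str]) -> bool:
    """VPC peering is refused when any CIDR block of one VPC overlaps any block of the
    other, so this is the go/no-go check for the question 262 scenario."""
    return not overlapping_pairs(cidrs_a, cidrs_b)


def secondary_cidr_problems(existing: Sequence[str], candidate: str,
                            peer_cidrs: Sequence[str] = ()) -> List[str]:
    """Reasons a proposed secondary CIDR would be rejected or cause routing trouble
    (question 253): malformed or host bits set, block size outside /16../28, overlap
    with the VPC's own blocks, overlap with a peered VPC's blocks (the peer's route
    table could no longer hold an unambiguous route to this VPC)."""
    problems: List[str] = []
    try:
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"{candidate}: {exc}"]
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"{candidate}: VPC CIDR blocks must be between /16 and /28")
    for other in _nets(existing):
        if net.overlaps(other):
            problems.append(f"{candidate} overlaps this VPC's existing block {other}")
    for other in _nets(peer_cidrs):
        if net.overlaps(other):
            problems.append(f"{candidate} overlaps peered VPC block {other}")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the question 262 pair, then the question 253 VPC.
    print("us-east-1 vs eu-west-1 peerable:", can_peer(["10.0.0.0/16"], ["10.0.0.0/16"]))
    print("overlaps:", overlapping_pairs(["10.0.0.0/16"], ["10.0.0.0/16"]))
    for cand in ["10.1.0.0/16", "10.0.128.0/17", "10.2.0.0/15", "10.1.0.5/16"]:
        print(cand, "->", secondary_cidr_problems(["10.0.0.0/16"], cand, peer_cidrs=["10.1.0.0/24"]) or "ok")
```

Run the overlap check against every peered VPC and every on-premises range the VPC exchanges routes with, not just the VPC's own blocks: an overlap that slips through becomes an ambiguous route on the far side rather than an error at creation time.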

263
MCQhard

A company is designing a multi-region active-active architecture using Application Load Balancers (ALBs) and AWS Global Accelerator. The application must have the lowest possible latency for global users. Which design meets these requirements?

A.Use AWS Global Accelerator with endpoints in both regions and configure traffic dials to distribute traffic.
B.Use Amazon CloudFront with multiple origins pointing to each ALB.
C.Use Amazon Route 53 with latency routing policy to route users to the closest ALB.
D.Use AWS Global Accelerator with a single endpoint in one region and failover to the other region.
AnswerA

Global Accelerator provides anycast IPs and can distribute traffic across multiple regions with traffic dials.

Why this answer

AWS Global Accelerator uses anycast static IP addresses to bring traffic onto the AWS global network at the nearest edge and route it to the optimal endpoint based on health, geographic proximity and the configured traffic dials. With endpoint groups in both regions and the traffic dials open, users are sent to the nearest healthy endpoint and both regions serve traffic at once, which is what an active-active, lowest-latency design requires.

Exam trap

The trap here is that candidates often confuse DNS-based routing (Route 53 latency routing) with anycast-based routing (Global Accelerator), not realizing that DNS caching and propagation delays prevent true real-time, lowest-latency routing for active-active architectures.

How to eliminate wrong answers

Option B is wrong because Amazon CloudFront is a content delivery network (CDN) optimized for caching static and dynamic content at edge locations, not for accelerating TCP/UDP traffic to ALBs with active-active multi-region load balancing; it adds an extra hop and does not provide the same low-latency, anycast-based routing for non-HTTP(S) workloads. Option C is wrong because Amazon Route 53 latency routing policy operates at the DNS level, which introduces DNS caching and propagation delays, and cannot route traffic based on real-time network conditions or provide fast failover for active-active architectures; it also does not offer static IP addresses. Option D is wrong because using a single endpoint in one region with failover to the other region creates an active-passive architecture, not active-active, which means users are always routed to the primary region unless it fails, increasing latency for users far from that region and failing to meet the requirement for lowest possible latency for global users.

264
MCQmedium

A company is deploying a new application in a VPC that uses a single Availability Zone. The application consists of an Application Load Balancer (ALB) in a public subnet and EC2 instances in a private subnet. The EC2 instances need to send logs to an Amazon S3 bucket. The company has created a VPC gateway endpoint for S3 and associated it with the route table for the private subnet. The EC2 instances have an instance profile that grants access to the S3 bucket. However, the log delivery fails. The network team has verified that the route table for the private subnet includes a route to the S3 prefix list via the gateway endpoint. What is the MOST likely cause of the failure?

A.The route table does not have a route to the S3 prefix list.
B.The VPC endpoint is not configured with private DNS.
C.The security group on the EC2 instances does not allow outbound traffic to the S3 prefix list.
D.The VPC endpoint policy does not allow the PutObject action on the S3 bucket.
AnswerD

Correct: Endpoint policy must allow the action.

Why this answer

The most likely cause is that the VPC endpoint policy does not allow the PutObject action on the S3 bucket. Even though the route table has a route to the S3 prefix list via the gateway endpoint and the EC2 instance profile grants access, the endpoint policy acts as an additional layer of authorization. If the endpoint policy does not explicitly allow the s3:PutObject action for the target bucket, requests will be denied, causing the log delivery to fail.

Exam trap

The trap here is that candidates often assume that if routing is correct and the instance has IAM permissions, the request will succeed, overlooking that the VPC endpoint policy is a separate authorization layer that must explicitly allow the action.

How to eliminate wrong answers

Option A is wrong because the network team has already verified that the route table includes a route to the S3 prefix list via the gateway endpoint, so routing is correct. Option B is wrong because private DNS is a property of interface endpoints (which have private IP addresses inside the VPC); gateway endpoints are route-table targets and have no private DNS setting. Option C is wrong in this scenario because security groups allow all outbound traffic by default and nothing in the question says the outbound rules were restricted; note, however, that security groups are still evaluated for traffic that leaves through a gateway endpoint, so in a locked-down environment an outbound HTTPS rule referencing the S3 managed prefix list is required, and a missing one would produce the same symptom.
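The two-layer authorization that makes D the answer, as an added example that is not part of the question bank: a minimal IAM-style evaluator that checks the instance role's identity policy and the endpoint policy separately and only lets the request through when both allow it. It implements only the subset of IAM semantics the scenario needs (Effect, Action and Resource with `*` wildcards, explicit Deny wins); Principal and Condition are ignored. The bucket name `example-app-logs` and the three policy documents are constructed for the example.

```python
"""Added example: why a PutObject through an S3 gateway endpoint needs both the
instance role policy AND the endpoint policy to allow it. Simplified IAM
evaluation: Effect/Action/Resource with '*' and '?' wildcards, explicit Deny
wins, implicit deny otherwise. Principal and Condition are not modelled.
"""
import fnmatch
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action and resource matching is case-insensitive with '*' / '?' wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement", [])):
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"            # an explicit deny ends evaluation
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def request_allowed(identity_policy, endpoint_policy, action, resource):
    """A request via a VPC endpoint succeeds only if every layer allows it."""
    return all(evaluate(p, action, resource) == "Allow"
               for p in (identity_policy, endpoint_policy))


# Instance profile policy (constructed): the role may write logs to the bucket.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetBucketLocation"],
    "Resource": ["arn:aws:s3:::example-app-logs", "arn:aws:s3:::example-app-logs/*"]
  }]
}""")

# Endpoint policy (constructed) that was narrowed to read-only: PutObject fails.
READ_ONLY_ENDPOINT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": "arn:aws:s3:::example-app-logs/*"
  }]
}""")

# Fixed endpoint policy (constructed): still scoped to the one bucket, allows the write.
FIXED_ENDPOINT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-app-logs", "arn:aws:s3:::example-app-logs/*"]
  }]
}""")

LOG_OBJECT = "arn:aws:s3:::example-app-logs/2024/app.log"

if __name__ == "__main__":
    for name, ep in (("read-only", READ_ONLY_ENDPOINT_POLICY), ("fixed", FIXED_ENDPOINT_POLICY)):
        ok = request_allowed(IDENTITY_POLICY, ep, "s3:PutObject", LOG_OBJECT)
        print(f"PutObject via {name} endpoint policy: {'ALLOWED' if ok else 'DENIED'}")
```

The fixed endpoint policy still names only the one bucket, which is the point of an endpoint policy: it bounds what any principal in the VPC can reach through the endpoint, so widening it to `"Action": "*"` to make the error go away is the wrong fix.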

265
MCQmedium

A company is designing a multi-region application with Amazon RDS for MySQL as the primary database. The application requires read-after-write consistency across regions. Which design should the company choose to meet this requirement?

A.Use Amazon RDS with cross-Region replication enabled using MySQL binary log
B.Use Amazon RDS Multi-AZ deployments in each region with read replicas
C.Use Amazon Aurora Global Database with cluster endpoints in each region
D.Use Amazon RDS with synchronous replication across regions
AnswerC

Aurora Global Database replicates at the storage layer over dedicated infrastructure with typical lag under 1 second; read-after-write for a session in a secondary region comes from write forwarding with the read-consistency level set to SESSION or GLOBAL.

Why this answer

Amazon Aurora Global Database is the correct choice because each secondary region gets its own cluster endpoints: writes are forwarded to the primary region and reads are served locally, while storage-layer replication keeps secondaries typically less than 1 second behind. Note that this replication is still asynchronous; what gives a secondary-region session read-after-write semantics is write forwarding with `aurora_replica_read_consistency` set to SESSION (the session sees its own forwarded writes) or GLOBAL (reads wait until the secondary has caught up with the primary). Standard RDS cross-Region read replicas rely on MySQL binary log replication, which offers no such guarantee and can lag significantly.

Exam trap

AWS often tests the misconception that standard RDS cross-Region replication (Option A) can provide read-after-write consistency, but the trap is that MySQL binary log replication is inherently asynchronous and cannot guarantee global consistency, whereas Aurora Global Database's storage-level replication is designed specifically for this purpose.

How to eliminate wrong answers

Option A is wrong because cross-Region replication using MySQL binary log is asynchronous and can introduce significant replication lag, making it impossible to guarantee read-after-write consistency across regions. Option B is wrong because Multi-AZ deployments provide high availability within a single region only and do not support cross-Region read replicas for global consistency; read replicas in other regions would still be asynchronous. Option D is wrong because Amazon RDS does not support synchronous replication across regions; synchronous replication would require a custom solution and would introduce unacceptable latency over inter-region distances.

266
Multi-Selecthard

A company is designing a network for a critical application that requires an SLA of 99.99% availability. The application runs on EC2 instances in an Auto Scaling group across three Availability Zones. The company needs to ensure that the network design meets the SLA. Which THREE components should the company include? (Choose THREE.)

Select 3 answers
A.A single AWS Direct Connect connection for all inbound traffic.
B.A NAT gateway in each Availability Zone for outbound internet access.
C.A single AWS Site-to-Site VPN connection for administrative access.
D.VPC endpoints for AWS services used by the application.
E.An Application Load Balancer (ALB) configured to route traffic to instances in all three Availability Zones.
AnswersB, D, E

NAT gateways per AZ eliminate single point of failure.

Why this answer

Options B, D, and E are correct. E: An Application Load Balancer with targets in all three Availability Zones keeps serving if one AZ fails. B: A NAT gateway in each AZ, with each private subnet routing to the NAT gateway in its own AZ, removes the single outbound point of failure (and the cross-AZ dependency) that one shared NAT gateway would create. D: VPC endpoints keep calls to AWS services off the internet path, so they do not depend on the NAT gateways at all. Option A is incorrect because a single Direct Connect connection is a single point of failure. Option C is incorrect because a single Site-to-Site VPN connection is not highly available on its own.

267
Multi-Selecthard

A company has a multi-account AWS environment using AWS Organizations. The network team wants to centralize VPC traffic inspection using a Transit Gateway and a firewall appliance in a central account. Which THREE steps are required to implement this design? (Choose THREE.)

Select 3 answers
A.Create a VPC peering connection between each spoke VPC and the central VPC.
B.Create a Transit Gateway in the central account and attach the central VPC.
C.Accept the Transit Gateway share in each spoke account and attach their VPCs.
D.Deploy a firewall appliance in each spoke VPC.
E.Use AWS Resource Access Manager to share the Transit Gateway with spoke accounts.
AnswersB, C, E

Transit Gateway is the hub.

Why this answer

Option B is correct because a Transit Gateway (TGW) in the central account acts as the hub for VPC traffic inspection. Attaching the central VPC (which contains the firewall appliance) to the TGW allows all inter-VPC traffic to be routed through the central inspection VPC, with no VPC peering and no per-spoke firewalls. Option E is required because a Transit Gateway belongs to one account: AWS Resource Access Manager shares it with the spoke accounts (or with the whole organization). Option C follows from that: each spoke account accepts the share and creates a VPC attachment for its own VPC. Completing the design also needs Transit Gateway route tables: the spoke attachments get a default route to the inspection VPC attachment, and appliance mode is enabled on that attachment so both directions of a flow reach the same appliance. Option A is wrong because peering is not transitive, and Option D defeats the purpose of centralizing inspection.

Exam trap

AWS often tests the misconception that VPC peering can be used for transitive routing in a hub-and-spoke model, but the trap here is that VPC peering does not support transitive routing, so a Transit Gateway is required for centralized inspection across multiple VPCs.

268
MCQmedium

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. It needs to connect to an on-premises data center over AWS Direct Connect. The on-premises network uses the 10.0.0.0/8 address space. The company cannot change the on-premises addressing. Which solution will allow connectivity without overlapping IP addresses?

A.Use VPC peering between the existing VPC and a new VPC with a non-overlapping CIDR, then route traffic through the new VPC.
B.Create a new VPC with a non-overlapping CIDR such as 172.16.0.0/16 and migrate resources.
C.Assign IPv6 CIDR to the existing VPC, use IPv6 for all resources, and connect over Direct Connect using IPv6.
D.Use AWS Transit Gateway with a Network Address Translation (NAT) attachment to translate the VPC CIDR.
AnswerC

IPv6 addresses do not overlap with the on-premises IPv4 space, providing unique addressing.

Why this answer

Option C is correct because assigning an IPv6 CIDR to the existing VPC and using IPv6 for the resources avoids the IPv4 overlap with the on-premises 10.0.0.0/8 network entirely: IPv6 and IPv4 prefixes are different address families and can never collide. AWS Direct Connect supports both IPv4 and IPv6, so a private virtual interface can carry an IPv6 BGP session and route IPv6 traffic between the VPC and on-premises, bypassing the conflicting IPv4 space. The on-premises routers and hosts the VPC talks to must have IPv6 addresses too, since the VPC's IPv6 traffic cannot reach IPv4-only destinations.

Exam trap

The trap here is that candidates assume Direct Connect only works with IPv4 or that overlapping IPv4 addresses can be resolved with NAT or Transit Gateway, but the exam tests the understanding that IPv6 is a clean way to avoid IPv4 overlap without changing the existing VPC CIDR.

How to eliminate wrong answers

Option A is wrong because VPC peering does not change addresses: the existing VPC still uses 10.0.0.0/16, which sits inside the on-premises 10.0.0.0/8, so the new VPC could not route between the two sides. Option B is wrong in the question's terms because migrating resources to a new VPC with a non-overlapping CIDR (e.g., 172.16.0.0/16) is a valid long-term fix but changes the existing VPC's addressing and is disruptive; the question asks for connectivity without that change. Option D is wrong because AWS Transit Gateway has no 'NAT attachment' and does not itself perform address translation; NAT would have to be done by a NAT gateway, a NAT instance or an appliance placed behind the Transit Gateway.
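The overlap checks behind this question and question 262 (two VPCs that both use 10.0.0.0/16), as an added example that is not part of the question bank: a pre-flight check for a peering or hybrid design that reports which address ranges collide, using only the standard-library `ipaddress` module. The CIDRs are the ones from the two questions; the VPC names and the IPv6 /56 prefix are constructed for the example.

```python
"""Added example: pre-flight overlap check for VPC peering / Direct Connect
designs. Uses only the standard library. Names and the IPv6 prefix are
constructed; the IPv4 ranges are the ones from questions 262 and 268.
"""
import ipaddress


def overlaps(cidr_a, cidr_b):
    """True when two prefixes share any address. Different IP versions never overlap."""
    a = ipaddress.ip_network(cidr_a, strict=True)
    b = ipaddress.ip_network(cidr_b, strict=True)
    if a.version != b.version:
        return False
    return a.overlaps(b)


def conflicting_pairs(networks):
    """Return every pair of named networks that overlap.

    networks: dict of name -> CIDR string. Every pair is checked, because one
    overlap is enough to make two sides unroutable: longest-prefix match has
    no way to choose between two attachments that present the same prefix.
    """
    names = sorted(networks)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if overlaps(networks[x], networks[y])]


def routable_with(on_prem, vpc_cidrs):
    """Of the given VPC prefixes, return those that can be routed against on_prem."""
    return [c for c in vpc_cidrs if not overlaps(on_prem, c)]


if __name__ == "__main__":
    # Question 262: two VPCs with the identical 10.0.0.0/16 can never be peered.
    print(conflicting_pairs({"vpc-us-east-1": "10.0.0.0/16",
                             "vpc-eu-west-1": "10.0.0.0/16"}))
    # Question 268: on-premises owns all of 10/8, so 10.0.0.0/16 is swallowed by it,
    # while 172.16.0.0/16 and an IPv6 prefix (constructed) remain routable.
    print(routable_with("10.0.0.0/8",
                        ["10.0.0.0/16", "172.16.0.0/16", "2600:1f18:1234:5600::/56"]))
```

`strict=True` makes `ip_network` reject a prefix with host bits set (for example `10.0.1.0/16`), which is the same validation AWS applies when a CIDR is entered for a VPC or a route, so a typo surfaces here rather than as a confusing console error later.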

269
Multi-Selecthard

A company is designing a network architecture for a multi-tier web application. The application includes a public-facing Application Load Balancer (ALB) in a public subnet, web servers in private subnets, and an Amazon RDS database in a private subnet. The company requires that the database is not directly accessible from the application servers except through specific ports, and that traffic between the web servers and the database is encrypted. Which TWO actions should the company take to meet these requirements? (Choose two.)

Select 2 answers
A.Place the RDS database in a public subnet with a security group that allows only the web servers' IP addresses
B.Establish a VPC peering connection between the web servers' VPC and the RDS VPC
C.Enable SSL/TLS encryption for connections between the web servers and the RDS database
D.Configure a security group on the RDS instance that allows inbound traffic from the web servers' security group on the database port
E.Use a network ACL to restrict inbound traffic to the RDS subnet to only the web server's IP range
AnswersC, D

SSL/TLS encrypts data in transit, meeting the encryption requirement.

Why this answer

Option C is correct because enabling SSL/TLS for connections between the web servers and the RDS database encrypts data in transit, meeting the encryption requirement. Enabling TLS on the server is not the same as requiring it: unless the engine is told to insist, a client can still open a clear-text session, so set `require_secure_transport=ON` (MySQL/MariaDB) or `rds.force_ssl=1` (PostgreSQL) in the DB parameter group so that unencrypted connections are rejected. Option D is correct because a security group on the RDS instance that allows inbound traffic from the web servers' security group on the database port is a stateful, instance-level rule that restricts direct access to the web tier alone, without exposing the database in a public subnet and without brittle IP-based rules that break when instances are replaced by Auto Scaling.

Exam trap

AWS often tests the distinction between security groups (stateful, instance-level) and network ACLs (stateless, subnet-level), and candidates mistakenly choose network ACLs for fine-grained access control when security groups are the correct choice for allowing traffic based on source security group IDs.

270
Multi-Selecteasy

A company is designing a VPC for a web application that requires high availability. The application will be deployed across multiple Availability Zones. Which THREE components are essential for a highly available network design? (Choose THREE.)

Select 3 answers
A.Subnets in at least two Availability Zones
B.A single VPN connection to on-premises
C.A NAT gateway in each Availability Zone
D.VPC peering with a backup VPC
E.An internet gateway attached to the VPC
AnswersA, C, E

Provides AZ redundancy.

Why this answer

Option A is correct: subnets in at least two AZs let the application survive an AZ failure. Option E is correct: an internet gateway is what gives the VPC internet connectivity. Option C is correct: a NAT gateway in each AZ keeps outbound access for the private subnets even if one AZ fails.

Option B is wrong because a single VPN connection is a single point of failure. Option D is wrong because VPC peering connects VPCs; it adds nothing to availability within a VPC.

271
MCQmedium

A company is designing a hybrid network architecture that connects multiple VPCs in different AWS regions to an on-premises data center. The company wants to minimize the number of VPN tunnels and reduce management overhead. Which AWS service should be used to simplify this design?

A.AWS Transit Gateway with VPN attachments
B.AWS Direct Connect with multiple virtual interfaces
C.AWS VPN CloudHub
D.VPC peering between each VPC and the on-premises network
AnswerA

Transit Gateway provides a central hub that can connect multiple VPCs and on-premises networks via VPN, reducing the number of connections and simplifying management.

Why this answer

AWS Transit Gateway with VPN attachments is correct because it acts as a central hub: the VPCs attach to it and the on-premises data center reaches all of them over a single Site-to-Site VPN attachment instead of one VPN per VPC. A Transit Gateway is regional, so the multi-region version of this design is one Transit Gateway per region joined by Transit Gateway peering, with the VPN terminating on one of them and routes carried across the peering; that keeps the tunnel count at a single Site-to-Site VPN connection (two tunnels) and gives one place to manage routing.

Exam trap

The trap here is that candidates often confuse VPC peering as a viable option for on-premises connectivity, not realizing that VPC peering only works between VPCs and cannot extend to an on-premises network, leading them to overlook the centralized hub-and-spoke model of Transit Gateway.

How to eliminate wrong answers

Option B is wrong because AWS Direct Connect with multiple virtual interfaces does not inherently reduce the number of VPN tunnels; it still requires separate VPN connections or complex routing for multi-region VPC connectivity, and does not provide a centralized hub for inter-VPC and on-premises traffic. Option C is wrong because AWS VPN CloudHub is designed for connecting multiple on-premises sites to AWS via VPN, but it does not natively support inter-VPC connectivity across different regions without additional configuration and still requires multiple VPN tunnels for each VPC. Option D is wrong because VPC peering between each VPC and the on-premises network is not supported; VPC peering only connects VPCs within AWS and cannot directly connect to an on-premises data center, requiring additional VPN or Direct Connect attachments for each VPC, which increases management overhead.

272
MCQhard

A company has a VPC with multiple subnets and an AWS Transit Gateway. They have a requirement to inspect traffic between subnets using a third-party firewall appliance that is deployed in a centralized inspection VPC. The firewall appliance must process all traffic between the VPC subnets, including traffic between subnets in the same Availability Zone. Which routing configuration achieves this?

A.Create a VPC route table that routes all traffic (0.0.0.0/0) to the Transit Gateway.
B.Create a VPC route table that routes the VPC CIDR to the Transit Gateway and associate it with each subnet.
C.Use the main route table and add a route for the VPC CIDR to the Transit Gateway.
D.Associate each subnet with a custom route table that has a route for the VPC CIDR to the Transit Gateway.
AnswerB

This forces all traffic destined for other subnets to go to the Transit Gateway for inspection.

Why this answer

Option B is the answer key's choice: a route table that sends the VPC's own CIDR to the Transit Gateway, associated with every subnet, is meant to pull east-west traffic out of the VPC and through the inspection VPC. Option D describes the same configuration (a custom route table per subnet with the VPC CIDR pointed at the Transit Gateway), so the distinction the question draws is between B/D and the other two.

Option A is incorrect because 0.0.0.0/0 is less specific than the implicit local route for the VPC CIDR, so intra-VPC traffic never leaves the VPC. Option C is incorrect because the main route table also carries that local route, and a Transit Gateway route cannot override it. A practitioner caveat: AWS rejects a route whose destination equals the local route's CIDR, and routes more specific than the local route are only accepted with a NAT gateway, a network interface or a Gateway Load Balancer endpoint as target, not a Transit Gateway. Real intra-VPC inspection therefore uses per-subnet route tables with the other subnets' CIDRs pointed at a Gateway Load Balancer endpoint, while the Transit Gateway handles inspection of traffic between VPCs.

273
Multi-Selectmedium

A company is designing a hybrid network using AWS Direct Connect. They need to ensure high availability and failover. Which THREE components should be deployed to meet these requirements?

Select 3 answers
A.A single AWS Direct Connect connection.
B.Two Customer Gateways (CGWs).
C.Two Virtual Private Gateways (VGWs).
D.Two AWS Direct Connect connections.
E.An AWS Site-to-Site VPN connection as backup.
AnswersB, C, D

Two CGWs provide on-premises redundancy.

Why this answer

Options B, C, and D are correct per the key. D: two Direct Connect connections, ideally at different Direct Connect locations, remove the single-circuit failure. B: two customer gateways terminate the circuits on separate on-premises routers. C: the key counts two virtual private gateways as redundant AWS-side termination.

Option A is wrong because a single connection is a single point of failure. Option E is wrong in the key's reading because the second Direct Connect connection already provides the backup path. Two caveats for practice: a VPC can have only one virtual private gateway attached, so both connections normally terminate on the same virtual private gateway (or on a Direct Connect gateway), and AWS's own resiliency guidance does recommend a Site-to-Site VPN as a low-cost backup where a second circuit is not available.

274
Drag & Dropmedium

Arrange the steps to configure VPC Flow Logs for a VPC and publish logs to CloudWatch Logs:


Why this order

First create the CloudWatch Logs log group, then the IAM role that VPC Flow Logs assumes (trust policy for the `vpc-flow-logs.amazonaws.com` service principal, with permission for `logs:CreateLogStream` and `logs:PutLogEvents` on that group), then create the flow log on the VPC pointing at the log group and the role, then verify that log streams appear (one per network interface), then analyze the records, for example with CloudWatch Logs Insights.
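What the last step looks like once records are flowing, as an added example that is not part of the question bank: a parser for VPC Flow Log records in the default (version 2, 14-field, space-separated) format, with two detections a security engineer typically runs over them: repeated REJECTs from one source, and ACCEPTed flows to ports that should not be open. The log lines in `SAMPLE_LOG` are constructed for the example (documentation address ranges, made-up ENI and account IDs).

```python
"""Added example: parse default-format VPC Flow Log records and run two simple
detections over them. SAMPLE_LOG is constructed; the field order is the
default version-2 format.
"""
from collections import Counter

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.25 51234 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.25 51235 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.25 51236 3389 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.0.7 10.0.1.25 40001 443 6 20 5000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.25 40002 3306 6 10 2000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Yield one dict per record; NODATA/SKIPDATA records carry no addresses and are dropped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                       # a custom log format needs its own field list
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        yield rec


def rejected_by_source(records, threshold=2):
    """Sources with at least `threshold` REJECTed flows: the classic probe/scan signal."""
    counts = Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")
    return {src: n for src, n in counts.items() if n >= threshold}


def accepted_on_unexpected_ports(records, allowed_ports):
    """ACCEPTed flows to destination ports outside the allow-list, as (src, dst, port) tuples."""
    return sorted({(r["srcaddr"], r["dstaddr"], r["dstport"])
                   for r in records
                   if r["action"] == "ACCEPT" and r["dstport"] not in allowed_ports})


if __name__ == "__main__":
    recs = list(parse_flow_log(SAMPLE_LOG))
    print("repeated rejects:", rejected_by_source(recs))
    print("unexpected accepts:", accepted_on_unexpected_ports(recs, {443}))
```

The second detection is the more important one in a VPC review: a REJECT proves the security group or network ACL did its job, whereas an ACCEPT on 3306 from an address outside the VPC means a rule is wider than intended and should be traced back to the security group that allowed it.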

275
Multi-Selecteasy

A company is deploying a VPC with public and private subnets. They need to provide internet access to instances in the private subnets for software updates. Which THREE components are required to achieve this?

Select 3 answers
A.Route table in the private subnet with a default route pointing to the NAT Gateway
B.AWS Site-to-Site VPN connection
C.NAT Gateway in a public subnet
D.Internet Gateway attached to the VPC
E.AWS Direct Connect connection
AnswersA, C, D

The route table must direct traffic to the NAT Gateway for internet access.

Why this answer

Options A, C, and D are correct: a NAT gateway in a public subnet (C), an internet gateway attached to the VPC (D) so that the public subnet, and with it the NAT gateway, has a path to the internet, and a route table for the private subnet whose default route points at the NAT gateway (A). Option B is wrong because a Site-to-Site VPN connection is for on-premises connectivity, not internet access.

Option E is wrong because a Direct Connect connection is likewise not needed for internet access.

276
Multi-Selectmedium

A company is designing a network architecture for a critical application that requires high availability and fault tolerance. The application will be deployed on EC2 instances in an Auto Scaling group across three Availability Zones. The instances must be able to communicate with each other across AZs. Which TWO design decisions improve the fault tolerance of the application? (Choose TWO.)

Select 2 answers
A.Use a single NAT Gateway in one Availability Zone for internet access
B.Use VPC endpoints for Amazon S3 to reduce internet dependency
C.Configure the Auto Scaling group to launch instances in multiple Availability Zones
D.Use a single Network Load Balancer in one Availability Zone
E.Deploy EC2 instances evenly across three Availability Zones
AnswersC, E

Auto Scaling across AZs automatically replaces failed instances and maintains capacity.

Why this answer

Options C and E are correct. E: spreading instances evenly across three AZs means an AZ failure removes only a third of the capacity. C: an Auto Scaling group that spans those AZs replaces failed instances and rebalances them across the remaining zones.

Option A is wrong because a single NAT gateway is a single point of failure. Option D is wrong because a Network Load Balancer enabled in only one AZ is a single point of failure. Option B is wrong because VPC endpoints reduce internet dependency for S3 calls but do nothing for the instances' ability to survive an AZ failure or talk to each other across AZs.

277
MCQhard

A company runs a critical application on EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB) in a VPC. The application experiences unpredictable traffic spikes. The company notices that during peak traffic, the ALB returns 503 errors. The network engineer checks the ALB's CloudWatch metrics and sees that the 'ActiveConnectionCount' is high but 'TargetResponseTime' is low. The ALB's target group is configured with a deregistration delay of 300 seconds. The ALB is internet-facing and uses an SSL/TLS certificate from AWS Certificate Manager. The security group for the ALB allows inbound HTTPS from 0.0.0.0/0. The target instances' security group allows inbound traffic from the ALB's security group. The VPC has a CIDR of 10.0.0.0/16 with public and private subnets. The ALB is in public subnets, and the instances are in private subnets. The route tables for private subnets have a default route to a NAT gateway in the public subnets. The company wants to resolve the 503 errors. What should the network engineer do?

A.Disable cross-zone load balancing on the ALB.
B.Increase the deregistration delay to 600 seconds.
C.Increase the idle timeout setting on the ALB to a higher value.
D.Move the ALB to private subnets and use a NAT gateway for internet access.
AnswerC

Higher idle timeout keeps connections alive, reducing connection rate.

Why this answer

Option C is the answer key's choice. A low TargetResponseTime means the targets themselves are keeping up; combined with a high ActiveConnectionCount, the 503s point at connection churn on the load balancer side: connections are being opened and torn down faster than the ALB and target group absorb them. Raising the idle timeout lets clients keep reusing their keep-alive connections for longer, which lowers the rate of new connections per second. (In practice, 503 from an ALB most often means there is no healthy target in the target group, so confirm HealthyHostCount and the health check before tuning timeouts.)

Option B is incorrect because a longer deregistration delay only keeps draining targets around longer and does nothing for new connections. Option D is incorrect because an internet-facing ALB must sit in public subnets; moving it into private subnets would break inbound access entirely. Option A is incorrect because disabling cross-zone load balancing shrinks the pool of targets each ALB node can send to, which makes overload more likely, not less.

278
Multi-Selectmedium

A company is designing a network for a critical application that requires low-latency communication between EC2 instances in the same AWS Region. They want to maximize network throughput and minimize latency. Which TWO design choices should they make? (Choose two.)

Select 2 answers
A.Attach an internet gateway to the VPC and route traffic through it.
B.Enable enhanced networking (ENA) on the EC2 instances.
C.Use a VPN connection to route traffic between instances.
D.Use a spread placement group for the EC2 instances.
E.Place the EC2 instances in a cluster placement group.
AnswersB, E

Enhanced networking provides higher bandwidth and lower latency.

Why this answer

Option B is correct because enabling Enhanced Networking (ENA) on EC2 instances provides higher bandwidth, higher packet-per-second (PPS) performance, and consistently lower inter-instance latencies by using a modern network interface driver that offloads network processing to dedicated hardware. Option E is correct because a cluster placement group packs the instances into the same low-latency network segment within one Availability Zone, which gives the lowest inter-instance latency and the highest per-flow throughput. Together they address both sides of the requirement: the network path (placement) and the per-instance network stack (ENA).

Exam trap

AWS often tests the misconception that spread placement groups improve network performance, when in fact they are designed for high availability and fault tolerance, not low latency or high throughput.

279
MCQmedium

Refer to the exhibit. A network architect is reviewing an IAM policy for a junior engineer. What is the security concern with this policy?

A.The policy does not include a condition to restrict the actions to specific VPCs
B.The policy allows deletion of VPCs and subnets, which could lead to resource loss
C.The policy allows creation of VPCs and subnets, which could cause resource exhaustion
D.The policy allows read-only actions that could expose sensitive network configurations
AnswerB

Delete actions are destructive.

Why this answer

Option B is correct because the IAM policy grants `ec2:DeleteVpc` and `ec2:DeleteSubnet` permissions, which allow the junior engineer to delete VPCs and subnets. This could lead to irreversible resource loss, including all associated resources like route tables, security groups, and network interfaces, disrupting network connectivity and services.

Exam trap

AWS often tests the misconception that allowing creation actions (like `ec2:CreateVpc`) is the primary risk, but the trap here is that destructive actions (like `ec2:DeleteVpc`) pose a more immediate and severe security concern due to potential data loss and service disruption.

How to eliminate wrong answers

Option A is wrong because the policy does not include a condition to restrict actions to specific VPCs, but the primary security concern is the ability to delete resources, not the lack of conditions; conditions are a best practice but not the most immediate risk here. Option C is wrong because while creating VPCs and subnets could cause resource exhaustion, the policy also allows deletion, which poses a more direct risk of data loss and service disruption; resource exhaustion is a potential issue but less critical than destructive actions. Option D is wrong because the policy does not include read-only actions; it includes `ec2:CreateVpc`, `ec2:CreateSubnet`, `ec2:DeleteVpc`, and `ec2:DeleteSubnet`, which are all write or destructive actions, not read-only.
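The review this question asks the architect to do, as an added example that is not part of the question bank: a small linter for the kind of policy the exhibit describes, next to a scoped rewrite of it. It flags allowed actions whose verb is destructive (including ones reachable through wildcards such as `ec2:*`) and Allow statements that carry no Condition. The policy documents are reconstructed from the option text; the account, region and VPC IDs are constructed, and the destructive-verb list is a heuristic of this example, not an AWS-defined category.

```python
"""Added example: lint an IAM policy for destructive actions and unscoped
Allow statements, and show a least-privilege rewrite. Policies are
reconstructed from the exhibit description; IDs are constructed.
"""
import fnmatch
import json

# Heuristic: verbs that remove or disable infrastructure.
DESTRUCTIVE_VERB_PREFIXES = ("Delete", "Terminate", "Detach", "Disassociate", "Disable")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _verb_is_destructive(verb):
    # The verb may itself contain IAM wildcards ('*', 'Delete*'), so also treat
    # it as a pattern and ask whether a destructive prefix would match it.
    return any(verb.startswith(p) or fnmatch.fnmatchcase(p, verb)
               for p in DESTRUCTIVE_VERB_PREFIXES)


def destructive_actions(policy):
    """Sorted list of allowed actions that can destroy or disable resources."""
    found = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            _service, _, verb = action.partition(":")
            if _verb_is_destructive(verb):
                found.add(action)
    return sorted(found)


def unconditioned_statements(policy):
    """Indices of Allow statements with no Condition (nothing scopes them to a region, tag, VPC or MFA)."""
    return [i for i, stmt in enumerate(_as_list(policy.get("Statement", [])))
            if stmt.get("Effect") == "Allow" and "Condition" not in stmt]


def lint(policy):
    return {"destructive": destructive_actions(policy),
            "unconditioned": unconditioned_statements(policy)}


# Reconstructed from the exhibit description: create and delete, no conditions.
JUNIOR_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:CreateVpc", "ec2:CreateSubnet", "ec2:DeleteVpc", "ec2:DeleteSubnet"],
    "Resource": "*"
  }]
}""")

# Scoped rewrite: no delete actions, one region only, and subnet creation
# limited to a single VPC through resource-level ARNs (IDs constructed).
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpc",
      "Resource": "*",
      "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateSubnet",
      "Resource": ["arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0123456789abcdef0",
                   "arn:aws:ec2:us-east-1:123456789012:subnet/*"],
      "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}
    }
  ]
}""")

if __name__ == "__main__":
    print("junior:", lint(JUNIOR_POLICY))
    print("scoped:", lint(SCOPED_POLICY))
```

The rewrite keeps what the junior engineer actually needs (creating a VPC and subnets) and drops the two delete actions; deletion, when it is needed, belongs in a separate role that is assumed deliberately, ideally with an MFA condition, rather than in the day-to-day policy.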

280
MCQhard

A financial services company must meet PCI DSS compliance for its VPC design. It requires that all traffic between application tiers be encrypted in transit and that no traffic can bypass the encryption. The architecture includes a public-facing Application Load Balancer (ALB), a web tier in public subnets, an app tier in private subnets, and a database tier in isolated subnets. Which design meets these requirements?

A.Terminate TLS at the ALB. Use HTTP between ALB and web tier. Use HTTPS between web and app tier. Use TLS between app and database tier.
B.Terminate TLS at the ALB. Use HTTP between ALB and web tier. Use HTTPS between web and app tier. Use TLS between app and database tier.
C.Terminate TLS at the ALB. Use HTTPS between ALB and web tier. Use TLS mutual authentication between web and app tier. Use TLS between app and database tier.
D.Terminate TLS at the ALB. Use HTTPS between ALB and web tier. Use HTTP between web and app tier. Use TLS between app and database tier.
AnswerC

All traffic is encrypted: ALB to web (HTTPS), web to app (TLS mutual auth), app to database (TLS).

Why this answer

Option C is correct because it ensures encryption in transit for all traffic between application tiers, meeting PCI DSS requirements. The ALB terminates TLS from clients, then uses HTTPS (TLS) to the web tier, mutual TLS between web and app tiers for strong authentication and encryption, and TLS between app and database tiers. Because every hop uses TLS, no plaintext path exists. One caveat when implementing the ALB-to-web hop: an ALB does not validate the certificate presented by its targets, so the HTTPS target group encrypts that hop but does not authenticate the web tier to the load balancer; the mutual TLS on the web-to-app hop is where peer authentication actually happens in this design.

Exam trap

The trap here is that candidates may assume terminating TLS at the ALB is sufficient for all internal traffic, overlooking the need for encryption between every tier, especially the web-to-app hop where HTTP is often mistakenly considered acceptable.

How to eliminate wrong answers

Option A is wrong because it uses HTTP between the ALB and web tier, which transmits data in plaintext, violating the requirement that no traffic can bypass encryption. Option B is identical to A and thus also wrong for the same reason. Option D is wrong because it uses HTTP between the web and app tier, leaving that hop unencrypted and failing to meet PCI DSS encryption requirements.

281
MCQhard

A financial services company must meet PCI DSS compliance requirements. The company's VPC contains a web server in a public subnet and an application server in a private subnet. The application server must communicate with a third-party payment gateway over the internet, but the security team prohibits using an Elastic IP address or a NAT gateway due to auditing concerns. Which solution satisfies these requirements?

A.Deploy a NAT instance in the public subnet and route traffic through it
B.Configure a proxy server in the public subnet and have the application server use the proxy
C.Use AWS PrivateLink to connect to the payment gateway via a VPC Endpoint Service
D.Attach an Internet Gateway to the VPC and use a default route to 0.0.0.0/0 in the private subnet
AnswerC

PrivateLink enables private connectivity to services over the AWS network, avoiding public IPs and internet transit, meeting compliance requirements.

Why this answer

AWS PrivateLink allows the application server in the private subnet to connect to the third-party payment gateway via a VPC endpoint service without traversing the internet, using private IP addresses from the subnet. This removes the need for an Elastic IP address or a NAT gateway, satisfying the security team's auditing concerns while meeting PCI DSS requirements. This assumes the payment provider publishes its service as a VPC endpoint service (a Network Load Balancer behind PrivateLink in their account); if it only exposes a public endpoint, PrivateLink cannot reach it and the constraint cannot be met this way.

Exam trap

The trap here is that candidates often assume a NAT gateway or proxy is required for outbound internet access, but PrivateLink provides a private, internet-free connection to third-party services, directly addressing the auditing and compliance constraints.

How to eliminate wrong answers

Option A is wrong because a NAT instance requires an Elastic IP address to provide outbound internet access, which is explicitly prohibited by the security team. Option B is wrong because a proxy server in the public subnet still requires an Elastic IP address or a NAT gateway for outbound connectivity, and it does not eliminate the auditing concerns. Option D is wrong because attaching an Internet Gateway and adding a default route to 0.0.0.0/0 in the private subnet would route traffic directly to the internet, but private subnets cannot route to an Internet Gateway without a NAT device or Elastic IP; this configuration would fail to provide outbound connectivity and violates the security team's requirements.

282
MCQ · hard

A company has a VPC with CIDR 10.0.0.0/16. They have an on-premises network with CIDR 172.16.0.0/12 connected via AWS Site-to-Site VPN. The company also has a second VPC (VPC B) with CIDR 10.1.0.0/16 peered with the first VPC. They notice that instances in VPC B cannot reach the on-premises network. What is the most likely cause?

A. Route propagation is disabled in VPC B.
B. The VPN connection is not compatible with VPC peering.
C. The VPN tunnel is down.
D. VPC peering does not support transitive routing.
Answer: D

Transitive routing is not supported; on-premises cannot reach VPC B through VPC peering.

Why this answer

VPC peering does not support transitive routing. This means that if VPC A is peered with VPC B and also connected to an on-premises network via VPN, traffic from VPC B cannot use VPC A as a transit point to reach the on-premises network. Each VPC must have its own direct connection to the on-premises network, or a transit gateway must be used to enable transitive routing.

Exam trap

The trap here is that candidates often assume VPC peering works like a router or a hub-and-spoke model, not realizing that AWS explicitly disables transitive routing across VPC peering connections to prevent unintended network loops and complexity.

How to eliminate wrong answers

Option A is wrong because route propagation in VPC B is irrelevant; even if VPC B had propagated routes from the VPN, the VPC peering connection itself does not allow traffic to be forwarded from VPC B through VPC A to the on-premises network due to the lack of transitive routing. Option B is wrong because the VPN connection is fully compatible with VPC peering; the issue is not compatibility but the architectural limitation that VPC peering does not support transitive routing. Option C is wrong because if the VPN tunnel were down, instances in VPC A would also be unable to reach the on-premises network, but the problem is specific to VPC B, indicating the VPN is operational.

283
MCQ · medium

A company has a VPC with a CIDR block of 172.16.0.0/16. They have two subnets: 172.16.1.0/24 (public) and 172.16.2.0/24 (private). They launch an EC2 instance in the private subnet and an Application Load Balancer (ALB) in the public subnet. The ALB needs to forward traffic to the EC2 instance on port 80. The security group for the EC2 instance allows inbound traffic on port 80 from the security group of the ALB. The ALB health checks are failing. What is the most likely cause?

A. The ALB cannot route traffic to a private subnet
B. The private subnet does not have a route to a NAT gateway
C. The ALB is in a different VPC than the EC2 instance
D. The security group for the EC2 instance does not allow inbound traffic from the ALB's security group
Answer: D

Health checks come from the ALB's security group, so it must be allowed.

Why this answer

Option D is correct because the EC2 instance's security group must have an inbound rule allowing traffic from the ALB's security group. If this rule is missing or misconfigured, the ALB's health check requests (which originate from the ALB's private IP addresses) will be blocked, causing health checks to fail. The scenario states the rule 'allows inbound traffic on port 80 from the security group of the ALB,' but if the rule is not properly associated or the ALB's security group ID is incorrect, traffic will be denied.

Exam trap

The trap here is that candidates often assume health check failures are due to routing or NAT issues, but the most common cause is a missing or misconfigured inbound security group rule on the target instance that does not explicitly allow traffic from the ALB's security group.

How to eliminate wrong answers

Option A is wrong because an ALB can route traffic to targets in private subnets as long as the ALB itself is in public subnets and the targets are reachable via the VPC's internal routing. Option B is wrong because health checks do not require a NAT gateway; the ALB sends health check requests from its own IP addresses within the VPC, and the EC2 instance only needs a route back to the ALB (which exists via the VPC's local route). Option C is wrong because the question explicitly states the ALB and EC2 instance are in the same VPC, so cross-VPC routing is not an issue.

284
MCQ · medium

A company is designing a multi-region architecture with an active-active setup. They need to route traffic to the nearest healthy endpoint. Which AWS service should they use?

A. Application Load Balancer (ALB)
B. Amazon Route 53 latency-based routing
C. AWS Global Accelerator
D. Amazon CloudFront
Answer: B

Route 53 latency-based routing directs traffic to the region with the lowest latency for the user.

Why this answer

Option B is correct because Amazon Route 53 latency-based routing directs traffic based on the lowest latency to the nearest healthy endpoint. Option A is wrong because Application Load Balancer is regional. Option C is wrong because Global Accelerator uses Anycast IPs but does not use latency-based routing by default.

Option D is wrong because CloudFront is a CDN, not for routing to application endpoints.

285
Multi-Select · medium

A company is designing a network for a critical application that requires maximum availability. The application will be deployed across multiple Availability Zones in a single region. Which THREE design choices improve network availability?

Select 3 answers
A. Use an Application Load Balancer with targets in multiple Availability Zones
B. Deploy EC2 instances in at least two Availability Zones
C. Use a single NAT gateway in one Availability Zone
D. Use a single subnet per Availability Zone
E. Use multiple NAT gateways, one in each Availability Zone
Answers: A, B, E

Distributes traffic across AZs.

Why this answer

An Application Load Balancer (ALB) with targets in multiple Availability Zones (AZs) improves availability by distributing incoming traffic across healthy targets in different AZs. If one AZ fails, the ALB automatically routes traffic to targets in the remaining AZs, ensuring the application remains accessible. This design eliminates a single point of failure at the load balancer level and leverages the regional nature of the ALB to provide cross-AZ fault tolerance.

Exam trap

AWS often tests the misconception that a single NAT gateway is sufficient for high availability because it can route traffic from multiple AZs, but the trap here is that the NAT gateway itself is a zonal resource—if its AZ fails, all outbound traffic is lost, making it a critical single point of failure.

286
MCQ · medium

A company is designing a hybrid network architecture that connects an on-premises data center to AWS using AWS Direct Connect. The company requires high availability and uses BGP for dynamic routing. The on-premises router supports BGP multipath. Which configuration ensures the highest availability for the Direct Connect connection?

A. Provision two Direct Connect connections to two different Direct Connect locations and configure BGP multipath.
B. Provision a single Direct Connect connection and a Site-to-Site VPN as a backup.
C. Provision a single Direct Connect connection with two virtual interfaces.
D. Provision a single Direct Connect connection with multiple VLANs.
Answer: A

Physical diversity ensures high availability.

Why this answer

Option A is correct because provisioning two Direct Connect connections to two different Direct Connect locations eliminates single points of failure at the physical layer and the facility level. BGP multipath allows the on-premises router to load-balance traffic across both connections, maximizing availability by ensuring that if one connection or location fails, traffic continues over the other without relying on a slower failover mechanism like VPN.

Exam trap

The trap here is that candidates often confuse logical redundancy (multiple VLANs or virtual interfaces) with physical redundancy, assuming that multiple logical constructs on a single physical connection provide high availability, when in fact a single physical failure will take down all logical constructs.

How to eliminate wrong answers

Option B is wrong because a Site-to-Site VPN over the internet introduces latency, jitter, and potential bandwidth limitations, and it is typically used as a backup only when Direct Connect is unavailable, not as a primary high-availability solution; it does not provide the same SLA or consistent performance as a second Direct Connect. Option C is wrong because a single Direct Connect connection with two virtual interfaces still shares the same physical port, fiber path, and Direct Connect location, meaning a single failure at the physical layer (e.g., fiber cut, device failure) will bring down both virtual interfaces, violating high availability. Option D is wrong because multiple VLANs on a single Direct Connect connection are used to segregate traffic (e.g., public vs. private VIFs) but do not provide redundancy; they all depend on the same physical connection and location, so a single failure disrupts all VLANs.

287
MCQ · easy

A company needs to establish private connectivity between two VPCs in different AWS accounts. The VPCs are in the same Region. Which AWS feature should be used?

A. AWS Transit Gateway
B. AWS Direct Connect
C. VPC peering
D. AWS Site-to-Site VPN
Answer: C

VPC peering enables private connectivity between VPCs across accounts.

Why this answer

VPC peering is the correct choice because it establishes a direct, private network connection between two VPCs in the same AWS Region, even across different AWS accounts, using the AWS backbone without requiring a transit hub or external connectivity. It leverages the existing AWS infrastructure to route traffic between the VPCs via private IPv4 or IPv6 addresses, with no bandwidth bottlenecks or single points of failure inherent in the design.

Exam trap

The trap here is that candidates often choose AWS Transit Gateway because they think it is required for cross-account connectivity, but VPC peering directly supports cross-account VPC connections in the same Region without needing a central hub.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway is a hub-and-spoke architecture designed for connecting many VPCs and on-premises networks, which introduces additional cost and complexity for a simple two-VPC scenario where VPC peering is more straightforward and cost-effective. Option B is wrong because AWS Direct Connect provides dedicated private connectivity from an on-premises data center to AWS, not between two VPCs within the same Region; it requires physical infrastructure and is not designed for VPC-to-VPC peering. Option D is wrong because AWS Site-to-Site VPN establishes encrypted tunnels over the public internet to connect on-premises networks to AWS, not for direct VPC-to-VPC connectivity; using it for VPC peering would introduce unnecessary latency and complexity.

288
MCQ · medium

A company has a hub-and-spoke network topology using AWS Transit Gateway in us-east-1. The hub VPC hosts centralized inspection appliances from a third-party vendor. The spokes include VPCs with application workloads and a Direct Connect VIF attached to a Direct Connect gateway which is associated with the Transit Gateway. The company notices that traffic from the on-premises network to the spoke VPCs is not being inspected by the centralized appliances. They have verified that the Transit Gateway route tables are correctly configured with static routes pointing to the inspection VPC for all spoke CIDRs, and the inspection appliances are properly configured to forward traffic. What is the most likely cause of this issue?

A. The Direct Connect gateway is not propagating routes to the Transit Gateway, causing the on-premises traffic to be dropped.
B. The Transit Gateway route table associated with the Direct Connect gateway attachment does not have a route that sends traffic to the inspection VPC.
C. The inspection VPC is sending traffic back to the on-premises network via a different path, causing asymmetric routing that drops packets.
D. The Transit Gateway route table for the spoke VPC attachments does not have a route to the on-premises network via the Direct Connect gateway.
Answer: B

The route table associated with the attachment determines the path. Without a specific route to the inspection VPC, traffic goes directly to the spoke.

Why this answer

Option B is correct because in a hub-and-spoke topology with AWS Transit Gateway, traffic from on-premises (via Direct Connect) to spoke VPCs must be routed through the inspection VPC. This requires the Transit Gateway route table associated with the Direct Connect gateway attachment to contain a static route pointing to the inspection VPC attachment for the spoke CIDRs. Without this route, traffic bypasses inspection entirely.

Exam trap

The trap here is that candidates assume configuring routes in the spoke VPC route tables or the inspection VPC is sufficient, but they overlook that the Transit Gateway route table associated with the Direct Connect gateway attachment must also direct traffic to the inspection VPC.

How to eliminate wrong answers

Option A is wrong because the Direct Connect gateway does not propagate routes to the Transit Gateway; instead, the Transit Gateway must have static routes or propagated routes from the Direct Connect gateway, and the issue is not about propagation but about missing inspection routes. Option C is wrong because asymmetric routing is not the primary cause; the problem is that traffic never reaches the inspection VPC in the first place, so asymmetric routing is irrelevant. Option D is wrong because the spoke VPC route tables do not need a route to on-premises via the Direct Connect gateway; the Transit Gateway handles inter-VPC routing, and the spoke attachments only need routes to the inspection VPC for return traffic, which is already configured.
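The routing behaviour behind this answer (the lookup happens in the table associated with the attachment a packet arrived on, so the Direct Connect gateway attachment's table decides whether on-premises traffic is steered to the inspection VPC) can be modelled in a few lines. The following is an added example, not code from the page or from AWS; attachment and table names such as dx-attach, inspection-attach, spoke-a and the CIDRs are constructed for illustration.

```python
"""Model of Transit Gateway routing for a hub-and-spoke inspection design.
Added example with constructed attachment names, table names and CIDRs."""
from ipaddress import ip_address, ip_network


class TransitGateway:
    """Each attachment is associated with exactly one TGW route table; a packet is
    looked up in the table associated with the attachment it arrived on."""

    def __init__(self):
        self.tables = {}        # table name -> [(network, next-hop attachment), ...]
        self.association = {}   # attachment -> table name

    def associate(self, attachment, table):
        self.association[attachment] = table

    def add_route(self, table, cidr, attachment):
        self.tables.setdefault(table, []).append((ip_network(cidr), attachment))

    def next_hop(self, ingress_attachment, dst_ip):
        """Longest-prefix match in the ingress attachment's table, or None (blackhole)."""
        table = self.tables.get(self.association[ingress_attachment], [])
        matches = [(net, att) for net, att in table if ip_address(dst_ip) in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_tgw(onprem_sends_to_inspection):
    """Constructed topology; the flag toggles the static route the question is about."""
    tgw = TransitGateway()
    tgw.associate("dx-attach", "rt-onprem")             # Direct Connect gateway attachment
    tgw.associate("inspection-attach", "rt-inspection")  # inspection VPC attachment
    tgw.associate("spoke-a", "rt-spokes")                # application spoke VPC
    # Table for the Direct Connect gateway attachment: either the static route to
    # the inspection VPC (correct) or a route straight to the spoke (bypasses inspection).
    tgw.add_route("rt-onprem", "10.10.0.0/16",
                  "inspection-attach" if onprem_sends_to_inspection else "spoke-a")
    # After the appliance forwards a packet back into the TGW, deliver it onward.
    tgw.add_route("rt-inspection", "10.10.0.0/16", "spoke-a")
    tgw.add_route("rt-inspection", "172.16.0.0/12", "dx-attach")
    # Spokes send everything to the inspection VPC.
    tgw.add_route("rt-spokes", "0.0.0.0/0", "inspection-attach")
    return tgw


def trace(tgw, ingress, dst_ip, delivered_by, max_hops=4):
    """Follow a packet through successive TGW lookups until it reaches an attachment
    in delivered_by (the VPC that owns the destination) or falls into a blackhole."""
    path, attachment = [], ingress
    for _ in range(max_hops):
        nh = tgw.next_hop(attachment, dst_ip)
        if nh is None:
            path.append("blackhole")
            break
        path.append(nh)
        if nh in delivered_by:
            break
        attachment = nh  # re-enters the TGW from that attachment (appliance forwarded it)
    return path


if __name__ == "__main__":
    for flag in (False, True):
        print("inspection route present:", flag,
              "->", trace(build_tgw(flag), "dx-attach", "10.10.5.4", {"spoke-a"}))
```

With the inspection route missing from rt-onprem the trace from dx-attach goes straight to spoke-a; with it present the path is inspection-attach then spoke-a, and the return path from the spoke passes through the inspection attachment as well, which is the symmetry Option C worries about.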

289
MCQ · hard

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. The company wants to add a second VPC in the same AWS Region using the same Direct Connect connection. Which solution meets the requirements with the least operational effort?

A. Create a Direct Connect gateway and associate both VPCs, then associate the private VIF with the Direct Connect gateway
B. Set up a VPN connection over the Direct Connect for the second VPC
C. Create a transit virtual interface and attach it to a transit gateway, then attach both VPCs
D. Create a second private virtual interface for the second VPC
Answer: A

Allows multiple VPCs to use the same private VIF via the Direct Connect gateway.

Why this answer

A Direct Connect gateway allows a single private virtual interface (VIF) to connect to multiple VPCs in the same AWS Region, eliminating the need for multiple VIFs or complex routing. By associating both VPCs with the Direct Connect gateway and attaching the private VIF to it, you achieve the goal with minimal operational overhead, as the gateway handles the routing between the on-premises network and the VPCs.

Exam trap

AWS often tests the misconception that a single private VIF can only connect to one VPC, leading candidates to choose Option D, but the Direct Connect gateway enables multi-VPC connectivity with the same VIF.

How to eliminate wrong answers

Option B is wrong because setting up a VPN over Direct Connect adds unnecessary complexity and operational effort, as it requires managing VPN tunnels and encryption, whereas a Direct Connect gateway provides a simpler native solution. Option C is wrong because a transit virtual interface is used with a transit gateway for connecting multiple VPCs or VPNs, but it requires creating a transit gateway and additional configuration, which is more effort than using a Direct Connect gateway with existing private VIF. Option D is wrong because creating a second private virtual interface would require additional Direct Connect configuration and potentially more bandwidth allocation, increasing operational effort compared to reusing the existing VIF via a Direct Connect gateway.

290
MCQ · hard

Refer to the exhibit. A developer created this CloudFormation template to create a public subnet. However, instances in the subnet cannot access the internet. What is the MOST likely cause?

A. The subnet does not have auto-assign public IP enabled
B. The route to the internet gateway is missing
C. The route table is not associated with the subnet
D. The internet gateway is not attached to the VPC
Answer: A

Instances need public IPs for internet access; template does not enable it.

Why this answer

Option A is correct because the CloudFormation template creates a public subnet but does not set the 'MapPublicIpOnLaunch' property to 'true'. Without this setting, EC2 instances launched in the subnet do not automatically receive a public IPv4 address, which is required for internet-bound traffic to be routed through the Internet Gateway (IGW). Even if the route table has a default route (0.0.0.0/0) pointing to the IGW, the instance lacks a public IP, so the IGW cannot perform source NAT for outbound traffic, making internet access impossible.

Exam trap

AWS often tests the misconception that a default route to an IGW alone guarantees internet access, but the trap here is that the instance must have a public IP address for the IGW to perform source NAT, and auto-assign public IP is disabled by default in CloudFormation unless explicitly enabled.

How to eliminate wrong answers

Option B is wrong because the route to the internet gateway is not missing; the template explicitly includes a route in the public route table with destination 0.0.0.0/0 and target referencing the Internet Gateway. Option C is wrong because the route table is associated with the subnet via the 'AWS::EC2::SubnetRouteTableAssociation' resource in the template. Option D is wrong because the Internet Gateway is created and attached to the VPC using the 'AWS::EC2::VPCGatewayAttachment' resource, so the attachment is present.
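The four causes the options list can be checked mechanically against a template's resources. What follows is an added example, not the exhibit and not the developer's template: the template dict below is constructed to resemble the one described (IGW attached, default route and association present, MapPublicIpOnLaunch absent), and the resource logical ids are made up.

```python
"""Static check of a CloudFormation template for the four causes in the question.
Added example: the template is constructed, not the exhibit from the question."""
import copy

# Constructed template in the structure CloudFormation uses (a YAML template
# parses to the same dict). Deliberately omits MapPublicIpOnLaunch.
TEMPLATE = {
    "Resources": {
        "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "IGW": {"Type": "AWS::EC2::InternetGateway"},
        "IGWAttach": {"Type": "AWS::EC2::VPCGatewayAttachment",
                      "Properties": {"VpcId": {"Ref": "VPC"}, "InternetGatewayId": {"Ref": "IGW"}}},
        "PublicSubnet": {"Type": "AWS::EC2::Subnet",
                         "Properties": {"VpcId": {"Ref": "VPC"}, "CidrBlock": "10.0.1.0/24"}},
        "PublicRT": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPC"}}},
        "DefaultRoute": {"Type": "AWS::EC2::Route",
                         "Properties": {"RouteTableId": {"Ref": "PublicRT"},
                                        "DestinationCidrBlock": "0.0.0.0/0",
                                        "GatewayId": {"Ref": "IGW"}}},
        "Assoc": {"Type": "AWS::EC2::SubnetRouteTableAssociation",
                  "Properties": {"SubnetId": {"Ref": "PublicSubnet"},
                                 "RouteTableId": {"Ref": "PublicRT"}}},
    }
}


def _ref(value):
    """Logical id behind a {"Ref": ...} intrinsic, or None for anything else."""
    return value.get("Ref") if isinstance(value, dict) else None


def public_subnet_issues(template, subnet_id):
    """Return the reasons instances launched in subnet_id would lack internet access."""
    res = template["Resources"]

    def of_type(rtype):
        return [v.get("Properties", {}) for v in res.values() if v["Type"] == rtype]

    issues = []
    # Option A: no public IPv4 address means the IGW cannot translate the instance's traffic.
    if res[subnet_id].get("Properties", {}).get("MapPublicIpOnLaunch") not in (True, "true"):
        issues.append("MapPublicIpOnLaunch is not true: instances get no public IPv4 address")

    # Option C: route tables explicitly associated with the subnet (main table not modelled).
    tables = [_ref(p.get("RouteTableId")) for p in of_type("AWS::EC2::SubnetRouteTableAssociation")
              if _ref(p.get("SubnetId")) == subnet_id]
    if not tables:
        issues.append("no SubnetRouteTableAssociation for the subnet")

    # Option B: a 0.0.0.0/0 route whose target is an internet gateway.
    igws = {name for name, v in res.items() if v["Type"] == "AWS::EC2::InternetGateway"}
    default_igw_routes = [_ref(p.get("GatewayId")) for p in of_type("AWS::EC2::Route")
                          if _ref(p.get("RouteTableId")) in tables
                          and p.get("DestinationCidrBlock") == "0.0.0.0/0"
                          and _ref(p.get("GatewayId")) in igws]
    if not default_igw_routes:
        issues.append("no 0.0.0.0/0 route to an internet gateway in the subnet's route table")

    # Option D: the IGW in that route must be attached to the VPC.
    attached = {_ref(p.get("InternetGatewayId")) for p in of_type("AWS::EC2::VPCGatewayAttachment")}
    if default_igw_routes and not any(g in attached for g in default_igw_routes):
        issues.append("internet gateway in the default route is not attached to the VPC")
    return issues


def with_public_ip(template, subnet_id):
    """Copy of the template with the fix from the answer (MapPublicIpOnLaunch: true)."""
    fixed = copy.deepcopy(template)
    fixed["Resources"][subnet_id].setdefault("Properties", {})["MapPublicIpOnLaunch"] = True
    return fixed


if __name__ == "__main__":
    print(public_subnet_issues(TEMPLATE, "PublicSubnet"))
    print(public_subnet_issues(with_public_ip(TEMPLATE, "PublicSubnet"), "PublicSubnet"))
```

Run against the constructed template the only finding is the missing MapPublicIpOnLaunch; deleting the route, association or attachment resource surfaces the corresponding finding instead, which is the elimination the explanation above walks through.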

291
MCQ · easy

A company has a VPC with public and private subnets in three Availability Zones. The company hosts a web application on Amazon EC2 instances in the private subnets. The instances need to download security patches from the internet but must not be directly accessible from the internet. Which solution meets these requirements with the least operational overhead?

A. Deploy a NAT instance in a public subnet and configure the private subnet route tables to point to the NAT instance.
B. Attach an internet gateway to the VPC and add a default route to the internet gateway in the private subnet route tables.
C. Create a VPC endpoint for Amazon S3 and configure the instances to use the endpoint.
D. Deploy a NAT gateway in each public subnet and configure the private subnet route tables to point to the respective NAT gateway.
Answer: D

Managed service, highly available, minimal operational overhead.

Why this answer

Option D is correct because a NAT gateway is a fully managed AWS service that provides outbound internet connectivity for instances in private subnets while preventing inbound internet access. Deploying a NAT gateway in each public subnet across three Availability Zones ensures high availability and fault tolerance, and configuring private subnet route tables with a default route (0.0.0.0/0) pointing to the respective NAT gateway meets the requirement with minimal operational overhead, as AWS handles patching and scaling.

Exam trap

AWS often tests the distinction between managed NAT gateways and self-managed NAT instances, where candidates may choose the NAT instance option (A) due to lower cost, overlooking the 'least operational overhead' requirement, or they may incorrectly select the VPC endpoint option (C) thinking it provides general internet access.

How to eliminate wrong answers

Option A is wrong because a NAT instance is a self-managed EC2 instance that requires ongoing maintenance, patching, and scaling, which increases operational overhead compared to a managed NAT gateway. Option B is wrong because attaching an internet gateway and adding a default route to it in private subnet route tables would make the instances directly accessible from the internet, violating the requirement that instances must not be directly accessible. Option C is wrong because a VPC endpoint for Amazon S3 only provides private connectivity to S3, not general internet access for downloading security patches from arbitrary internet sources.

292
MCQ · easy

A company is deploying a hybrid network with AWS Direct Connect and a VPN backup. The Direct Connect virtual interface is configured for private VIF with BGP. The VPN uses IPsec tunnels over the internet. What is the best practice to ensure symmetric routing and failover?

A. Configure ASN prepending on the VPN BGP advertisements to make them less preferred.
B. Use different BGP ASNs for Direct Connect and VPN to allow AWS to prefer the Direct Connect path.
C. Disable BGP on the Direct Connect private VIF and use static routes to force traffic through Direct Connect.
D. Use the same BGP ASN for both Direct Connect and VPN, and set a higher MED (Multi-Exit Discriminator) on the VPN routes.
Answer: D

Same ASN ensures AWS sees both as same neighbor, and MED controls preference.

Why this answer

Option B is correct. Using the same BGP ASN on the VPN side ensures that AWS treats both paths as equal, and with BGP attributes you can control active/passive behavior. Option A is wrong because ASN prepending is used to influence path selection, not to ensure symmetry.

Option C is wrong because you cannot disable BGP on Direct Connect private VIF; it requires BGP. Option D is wrong because using different ASNs would make AWS treat them as separate paths and might cause asymmetric routing.
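Both question 286 (BGP multipath over two Direct Connect connections) and this question (same ASN plus a higher MED on the VPN routes) come down to the standard BGP best-path tie-breaks, in particular the rule that MED is only compared between routes received from the same neighbour AS. The block below is an added example, not code from the page or from AWS: it implements the LOCAL_PREF, AS_PATH length and MED steps of the comparison (later tie-breaks are omitted), and the ASNs, MED values and path labels are constructed.

```python
"""BGP best-path comparison for a Direct Connect primary with a VPN backup.
Added example; ASNs, MED values and labels are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    via: str          # label of the path the route was learned over
    as_path: tuple    # neighbour AS first, as received
    local_pref: int = 100
    med: int = 0      # lower is preferred


def best_paths(routes):
    """Return the labels of the routes that survive the standard tie-breaks:
    highest LOCAL_PREF, shortest AS_PATH, then lowest MED. MED is compared only
    when every remaining route comes from the same neighbour AS (default BGP
    behaviour). Several survivors are equal-cost candidates for multipath;
    later tie-breaks (eBGP/iBGP, IGP metric, router ID) are not modelled."""
    top = max(r.local_pref for r in routes)
    cands = [r for r in routes if r.local_pref == top]
    shortest = min(len(r.as_path) for r in cands)
    cands = [r for r in cands if len(r.as_path) == shortest]
    if len({r.as_path[0] for r in cands}) == 1:
        lowest = min(r.med for r in cands)
        cands = [r for r in cands if r.med == lowest]
    return tuple(r.via for r in cands)


# Constructed routes for one on-premises prefix as seen by the AWS side.
DX = Route("direct-connect", as_path=(65000,), med=0)
VPN_SAME_ASN = Route("vpn", as_path=(65000,), med=100)       # same ASN, higher MED (Q292, D)
VPN_OTHER_ASN = Route("vpn", as_path=(65001,), med=100)      # different ASN: MED is never compared
VPN_PREPENDED = Route("vpn", as_path=(65000, 65000, 65000))  # AS_PATH prepending
DX_SECOND_LOCATION = Route("direct-connect-2", as_path=(65000,), med=0)  # second DX (Q286)


if __name__ == "__main__":
    for label, routes in [("same ASN + MED", [DX, VPN_SAME_ASN]),
                          ("different ASN + MED", [DX, VPN_OTHER_ASN]),
                          ("prepended VPN", [DX, VPN_PREPENDED]),
                          ("two DX locations", [DX, DX_SECOND_LOCATION])]:
        print(f"{label}: {best_paths(routes)}")
```

With the same ASN the VPN route loses on MED and Direct Connect is the single best path; with a different ASN the MED step is skipped and both routes are still tied after these steps, which is the ambiguity the explanation above warns about; two equal Direct Connect routes both survive, which is what multipath then load-shares across.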

293
MCQ · hard

A company has a VPC with a CIDR block of 10.0.0.0/16. It has a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). An EC2 instance in the private subnet needs to access an S3 bucket. The company wants to ensure that traffic to S3 does not traverse the internet. Which solution should be used?

A. Create a VPC Interface Endpoint for S3 and associate it with the private subnet
B. Create a NAT Gateway in the public subnet and add a route in the private subnet route table pointing to the NAT Gateway
C. Create a VPC Gateway Endpoint for S3 and add a route in the private subnet route table pointing to the endpoint
D. Set up an AWS Direct Connect connection and use a private virtual interface
Answer: C

Gateway Endpoint provides private access to S3.

Why this answer

A VPC Gateway Endpoint for S3 allows private subnet instances to access S3 without internet. A NAT Gateway uses the internet. An Interface Endpoint is for other AWS services, not S3.

Direct Connect is not necessary for S3 access within the same region.

294
Multi-Select · medium

A company is designing a highly available architecture for a web application using an Application Load Balancer (ALB) in a VPC. They need to ensure that the application can handle a sudden increase in traffic and that the ALB can scale automatically. Which TWO actions should they take? (Choose two.)

Select 2 answers
A. Configure the target group's deregistration delay to a low value to quickly remove unhealthy targets.
B. Use a single subnet for the ALB to reduce complexity.
C. Use a Network Load Balancer instead of an ALB to improve throughput.
D. Enable cross-zone load balancing on the ALB.
E. Disable deletion protection on the ALB to allow automatic replacement.
Answers: A, D

A low deregistration delay ensures that unhealthy instances are removed quickly, preventing them from receiving traffic.

Why this answer

Option A is correct because configuring a low deregistration delay on the target group allows the ALB to quickly stop sending traffic to unhealthy targets, reducing the risk of failed requests during traffic spikes. This setting controls how long the ALB waits for in-flight requests to complete before deregistering a target, and a lower value accelerates the removal of unhealthy instances to maintain application responsiveness. Option D is correct because enabling cross-zone load balancing distributes incoming traffic evenly across all healthy targets in all Availability Zones, maximizing resource utilization and ensuring the ALB can scale automatically by leveraging capacity from multiple zones.

Exam trap

AWS often tests the misconception that enabling cross-zone load balancing is optional or unnecessary for high availability, when in fact it is a critical feature for distributing traffic evenly and supporting automatic scaling across zones.

295
MCQ · medium

A company is designing a multi-Region Active-Active architecture using Application Load Balancers (ALBs) behind AWS Global Accelerator. The application requires sticky sessions (session affinity) and must maintain session persistence even during failover. Which configuration should be used to achieve this?

A. Enable stickiness on each ALB individually and use a single Regional endpoint group.
B. Configure Global Accelerator to use session affinity with the 'two-tuple' protocol.
C. Configure Route 53 with latency-based routing and enable stickiness on each ALB.
D. Use a custom application cookie for stickiness that is consistent across all ALBs, and set the cookie domain to the Global Accelerator DNS name.
Answer: D

A custom cookie with a shared domain allows session persistence across ALBs in different Regions.

Why this answer

Option D is correct because AWS Global Accelerator does not natively support session affinity (sticky sessions). To maintain session persistence across multi-Region ALBs during failover, you must use a custom application cookie that is consistent across all ALBs and set the cookie domain to the Global Accelerator DNS name. This ensures the client's browser sends the same cookie to any healthy ALB in any Region, preserving the session even when traffic shifts due to a failover.

Exam trap

The trap here is that candidates assume Global Accelerator can provide session affinity natively, similar to an ALB's stickiness feature, but Global Accelerator is a Layer 3/4 service and cannot maintain application-layer session state; the solution requires a custom cookie approach at the application level.

How to eliminate wrong answers

Option A is wrong because using a single Regional endpoint group defeats the purpose of a multi-Region Active-Active architecture; it would not provide cross-Region failover. Option B is wrong because Global Accelerator does not support session affinity with any tuple (two-tuple, three-tuple, or five-tuple); it is a network-layer service that does not maintain session state. Option C is wrong because Route 53 latency-based routing does not provide the fast failover and client IP preservation that Global Accelerator offers, and enabling stickiness on each ALB individually does not ensure session persistence across Regions during failover.

296
MCQ · medium

A company is deploying a critical application across multiple Availability Zones in a single AWS Region. They need a network design that provides the lowest possible latency between application tiers and supports automatic failover if an AZ becomes unavailable. Which design meets these requirements?

A. Use Amazon Route 53 weighted routing to distribute traffic to each AZ
B. Deploy an internal NLB per Availability Zone, with each NLB only registering targets in its own AZ, and an internet-facing Application Load Balancer (ALB) with targets in all AZs
C. Use a single internal Classic Load Balancer across all AZs
D. Deploy an internal Network Load Balancer (NLB) in a single AZ and route traffic from other AZs through it
Answer: B

This keeps traffic within the AZ for lowest latency, and the ALB provides failover across AZs.

Why this answer

Using an internal Network Load Balancer (NLB) in each AZ with cross-zone load balancing disabled ensures traffic stays within the AZ for lowest latency, and using an Application Load Balancer (ALB) for the front end with targets in each AZ provides failover. A single NLB across AZs adds cross-AZ latency. Classic Load Balancer is legacy.

Route 53 weighted routing is not automatic failover.

297
MCQ · medium

A company has a multi-tier web application running on EC2 instances in a VPC. The web tier must be accessible from the internet, but the application tier should only be accessible from the web tier. Which network design configuration meets these requirements?

A. Use a VPN connection from the web tier to the application tier, and place both tiers in private subnets.
B. Place both tiers in public subnets and use security groups to restrict traffic from the web tier to the application tier.
C. Place web servers in a public subnet with a NAT gateway, and application servers in a private subnet with a default route to the NAT gateway.
D. Place web servers in a public subnet with an internet gateway, and application servers in a private subnet with a route to the web subnet via a VPC peering connection.
Answer: D

Correct design for inbound internet access to web tier and internal access to app tier.

Why this answer

Option A is correct because public subnets with internet gateways allow internet access, and private subnets without direct internet access ensure the application tier is only reachable from the web tier via internal routing. Option B is wrong because NAT gateways are for outbound internet access from private subnets, not for inbound. Option C is wrong because VPC peering does not provide internet access.

Option D is wrong because a VPN connection is for on-premises connectivity, not internet access.

298
MCQ · easy

A company wants to improve disaster recovery by replicating data between two AWS Regions. Which AWS service provides a managed solution for cross-Region network connectivity?

A. AWS Direct Connect
B. VPC Peering
C. AWS Site-to-Site VPN
D. AWS Global Accelerator
Answer: D

Global Accelerator improves performance and availability across Regions using the AWS global network.

Why this answer

Option D is correct because AWS Global Accelerator uses the AWS global network to route traffic to optimal endpoints, improving performance and availability for cross-Region replication. Option A is wrong because VPC Peering does not support cross-Region. Option B is wrong because Direct Connect is for on-premises connections.

Option C is wrong because AWS VPN is not managed for cross-Region replication.

299
MCQ · hard

A company has a VPC with a CIDR of 10.0.0.0/16. They have two subnets: subnet A (10.0.1.0/24) and subnet B (10.0.2.0/24). They launch an EC2 instance in subnet A and another in subnet B. The security groups for both instances allow all traffic from the other instance's private IP. However, the instances cannot communicate. What is the most likely cause?

A. The instances are in different Availability Zones
B. The network ACLs are blocking the traffic
C. The security groups are stateful and block return traffic
D. The route tables do not have a local route
Answer: B

NACLs are stateless, so the request and its return traffic must each be allowed explicitly, inbound and outbound, on both subnets.

Why this answer

The most likely cause is that the network ACLs (NACLs) are blocking the traffic. Security groups are stateful and allow return traffic automatically, but NACLs are stateless and require explicit inbound and outbound rules for both directions. By default, custom NACLs deny all traffic, so even though the security groups permit communication, the NACLs on subnets A and B must allow the traffic.

The correct answer is B.

Exam trap

The trap here is that candidates often assume security groups are the only firewall layer or forget that NACLs are stateless and require explicit rules for both directions, leading them to overlook NACL misconfigurations when security groups appear permissive.

How to eliminate wrong answers

Option A is wrong because instances in different Availability Zones can communicate within the same VPC as long as routing and security rules permit; AZ placement does not inherently block traffic. Option C is wrong because security groups are stateful, meaning they automatically allow return traffic for permitted connections, so they do not block return traffic. Option D is wrong because every route table in a VPC automatically contains a local route for the VPC CIDR (10.0.0.0/16), which cannot be removed, so traffic between subnets needs no additional routes.
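The four stateless checks described above, as an added example that is not part of the quiz page: a small Python model of NACL evaluation (lowest rule number first, first match wins, implicit deny when nothing matches) run over the two-subnet topology from the question. Rule numbers, subnet CIDRs, instance addresses and the client's ephemeral port are constructed for illustration. It shows the three situations a practitioner actually meets: the default NACL (works), a freshly created custom NACL with no rules (fails on the first packet), and the common half-fix where port 443 is allowed in but the ephemeral-port return traffic is not allowed out.

```python
"""Stateless NACL evaluation for a TCP flow between two subnets in one VPC.

Added example (not from the quiz page). Rule numbers, CIDRs, IPs and the
ephemeral port are constructed; the evaluation order (ascending rule number,
first match wins, implicit deny) follows AWS documentation.
"""
import ipaddress
from dataclasses import dataclass, field

# Return traffic lands on the client's ephemeral port, so a NACL must allow this range.
EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    number: int                 # evaluated in ascending order; first match wins
    action: str                 # "allow" or "deny"
    protocol: str               # "tcp", "udp", "icmp" or "-1" for all protocols
    cidr: str                   # source CIDR for inbound rules, destination CIDR for outbound
    ports: tuple = (0, 65535)   # inclusive destination port range

    def matches(self, proto, remote_ip, port):
        if self.protocol not in ("-1", proto):
            return False
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(self.cidr):
            return False
        return self.ports[0] <= port <= self.ports[1]


@dataclass
class NetworkACL:
    name: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

    def evaluate(self, direction, proto, remote_ip, port):
        """Return (allowed, matching rule number); '*' is the implicit final deny."""
        rules = self.inbound if direction == "inbound" else self.outbound
        for rule in sorted(rules, key=lambda r: r.number):
            if rule.matches(proto, remote_ip, port):
                return rule.action == "allow", rule.number
        return False, "*"


def trace_tcp_flow(client_acl, server_acl, client_ip, server_ip, server_port, client_port=40000):
    """Walk the four stateless checks a TCP handshake must pass; stop at the first deny.

    Returns (connected, checks); each check is (label, acl name, allowed, rule number).
    """
    checks = [
        ("client outbound (SYN)",     client_acl, "outbound", server_ip, server_port),
        ("server inbound (SYN)",      server_acl, "inbound",  client_ip, server_port),
        ("server outbound (SYN-ACK)", server_acl, "outbound", client_ip, client_port),
        ("client inbound (SYN-ACK)",  client_acl, "inbound",  server_ip, client_port),
    ]
    results = []
    for label, acl, direction, remote_ip, port in checks:
        allowed, rule = acl.evaluate(direction, "tcp", remote_ip, port)
        results.append((label, acl.name, allowed, rule))
        if not allowed:
            return False, results
    return True, results


# Constructed topology matching the question: subnet A and subnet B inside 10.0.0.0/16.
SUBNET_A, SUBNET_B = "10.0.1.0/24", "10.0.2.0/24"
CLIENT_IP, SERVER_IP = "10.0.1.10", "10.0.2.10"


def default_acl(name):
    """The VPC's default NACL carries rule 100 'allow all' in both directions."""
    allow_all = Rule(100, "allow", "-1", "0.0.0.0/0")
    return NetworkACL(name, [allow_all], [allow_all])


def client_side_acl():
    """Subnet A: allow 443 out to subnet B and the ephemeral-port replies back in."""
    return NetworkACL("acl-a",
                      inbound=[Rule(100, "allow", "tcp", SUBNET_B, EPHEMERAL)],
                      outbound=[Rule(100, "allow", "tcp", SUBNET_B, (443, 443))])


def scenario_default_acls():
    return trace_tcp_flow(default_acl("acl-a"), default_acl("acl-b"), CLIENT_IP, SERVER_IP, 443)


def scenario_empty_custom_acls():
    # A newly created custom NACL has no rules, so every packet hits the implicit deny.
    return trace_tcp_flow(NetworkACL("acl-a-custom"), NetworkACL("acl-b-custom"),
                          CLIENT_IP, SERVER_IP, 443)


def scenario_missing_ephemeral_rule():
    # 443 is allowed into subnet B, but the SYN-ACK back to the client's
    # ephemeral port is not allowed out of subnet B: the handshake never completes.
    acl_b = NetworkACL("acl-b", inbound=[Rule(100, "allow", "tcp", SUBNET_A, (443, 443))])
    return trace_tcp_flow(client_side_acl(), acl_b, CLIENT_IP, SERVER_IP, 443)


def scenario_complete_rules():
    # Both legs covered in both directions on both subnets: this is the working fix.
    acl_b = NetworkACL("acl-b",
                       inbound=[Rule(100, "allow", "tcp", SUBNET_A, (443, 443))],
                       outbound=[Rule(100, "allow", "tcp", SUBNET_A, EPHEMERAL)])
    return trace_tcp_flow(client_side_acl(), acl_b, CLIENT_IP, SERVER_IP, 443)


if __name__ == "__main__":
    for scenario in (scenario_default_acls, scenario_empty_custom_acls,
                     scenario_missing_ephemeral_rule, scenario_complete_rules):
        ok, checks = scenario()
        print(f"{scenario.__name__}: {'connected' if ok else 'blocked at ' + checks[-1][0]}")
```

When debugging this on a real account, the same four checks are what `aws ec2 describe-network-acls` output has to be read against: the NACL associated with each subnet, inbound and outbound, with the ephemeral range on the reply leg. The model deliberately ignores security groups, because in the question they already permit the traffic.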

300
MCQhard

A company designs a multi-account AWS environment using AWS Organizations. The networking team wants a centralized inspection VPC for traffic between VPCs and on-premises. Which architecture ensures that all inter-VPC traffic passes through the inspection VPC?

A.VPC peering between all VPCs and the inspection VPC.
B.AWS Network Firewall deployed in each VPC.
C.AWS Transit Gateway with centralized routing to the inspection VPC.
D.AWS Direct Connect Gateway with virtual interfaces.
AnswerC

Centralized routing enforces inspection.

Why this answer

Option C is correct because AWS Transit Gateway enables centralized routing by attaching all VPCs and the on-premises network to a single transit gateway, then configuring route tables to force all inter-VPC traffic through a dedicated inspection VPC appliance (e.g., firewall or NGFW). This ensures traffic flows via the inspection VPC without requiring full-mesh peering or per-VPC firewalls.

Exam trap

The trap here is that candidates confuse VPC peering with transitive routing and assume that peering every spoke VPC to a central VPC makes spoke-to-spoke traffic flow through it. VPC peering is non-transitive: a packet from one spoke to another is never forwarded across a central VPC's peering connections, and there is no supported way to make peering behave that way.

How to eliminate wrong answers

Option A is wrong because VPC peering creates direct, one-to-one connections between VPCs; traffic between peered VPCs does not traverse a central inspection point unless explicitly routed through an intermediate VPC, which would require complex transitive routing that VPC peering does not support (no transitive peering). Option B is wrong because AWS Network Firewall deployed in each VPC only inspects traffic entering or leaving that specific VPC; it does not force inter-VPC traffic to pass through a centralized inspection VPC, as traffic can still flow directly via peering or transit gateway without being routed through the inspection VPC. Option D is wrong because AWS Direct Connect Gateway is used to connect on-premises networks to multiple VPCs via Direct Connect, but it does not provide centralized routing or inspection for inter-VPC traffic; it only extends connectivity from on-premises to VPCs, not between VPCs.
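The centralized routing that option C relies on, as an added example that is not part of the quiz page: a Python model of Transit Gateway route tables that traces the attachments a packet crosses, so the property "all spoke-to-spoke traffic passes through the inspection VPC" can be verified rather than assumed. Attachment names, route-table names and CIDRs are constructed for illustration. The model also shows the failure mode that matters in practice: a more specific route leaking into the spoke table (for example through route propagation) silently bypasses inspection for one destination.

```python
"""Transit Gateway hub-and-spoke routing through a central inspection VPC.

Added example (not from the quiz page). Attachment names, route tables and
CIDRs are constructed; the behaviour modelled is that traffic arriving from an
attachment is looked up in the route table associated with that attachment,
using longest-prefix match.
"""
import ipaddress


class TransitGateway:
    def __init__(self):
        self.route_tables = {}     # table -> list of (network, attachment)
        self.association = {}      # attachment -> table consulted for traffic arriving from it
        self.attachment_cidr = {}  # attachment -> prefix that attachment terminates

    def add_attachment(self, name, cidr, route_table):
        self.attachment_cidr[name] = ipaddress.ip_network(cidr)
        self.association[name] = route_table
        self.route_tables.setdefault(route_table, [])

    def add_route(self, route_table, cidr, attachment):
        self.route_tables.setdefault(route_table, []).append((ipaddress.ip_network(cidr), attachment))

    def lookup(self, route_table, dst_ip):
        """Longest-prefix match within one TGW route table; None means no route."""
        ip = ipaddress.ip_address(dst_ip)
        best = None
        for net, att in self.route_tables.get(route_table, []):
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, att)
        return best[1] if best else None

    def trace(self, src_attachment, dst_ip, max_hops=4):
        """List the attachments a packet is forwarded to until one owns dst_ip.

        An intermediate attachment (the inspection VPC) hands the packet back to
        the TGW, which then consults the table associated with that attachment.
        """
        path, current = [], src_attachment
        for _ in range(max_hops):
            next_att = self.lookup(self.association[current], dst_ip)
            if next_att is None:
                return path + ["blackhole"]
            path.append(next_att)
            if ipaddress.ip_address(dst_ip) in self.attachment_cidr[next_att]:
                return path
            current = next_att
        return path + ["loop"]


def build_inspection_hub():
    """Option C: all spokes share one table whose only route points at inspection."""
    tgw = TransitGateway()
    tgw.add_attachment("spoke-a", "10.1.0.0/16", "rt-spokes")
    tgw.add_attachment("spoke-b", "10.2.0.0/16", "rt-spokes")
    tgw.add_attachment("on-prem", "192.168.0.0/16", "rt-spokes")   # DX or VPN attachment
    tgw.add_attachment("inspection", "10.100.0.0/16", "rt-inspection")
    # Spoke table: a default route only, so spokes have no direct path to each other.
    tgw.add_route("rt-spokes", "0.0.0.0/0", "inspection")
    # Inspection table: once the appliance has seen the packet, deliver it to the owner.
    for att in ("spoke-a", "spoke-b", "on-prem"):
        tgw.add_route("rt-inspection", str(tgw.attachment_cidr[att]), att)
    return tgw


def build_leaky_hub():
    """Same hub, but spoke-b's prefix has been propagated into the spoke table,
    creating a more specific route that skips inspection for that destination."""
    tgw = build_inspection_hub()
    tgw.add_route("rt-spokes", "10.2.0.0/16", "spoke-b")
    return tgw


def find_bypasses(tgw, inspection="inspection"):
    """Return (src, dst) attachment pairs whose traffic never crosses the inspection attachment."""
    spokes = [a for a in tgw.attachment_cidr if a != inspection]
    bypasses = []
    for src in spokes:
        for dst in spokes:
            if src == dst:
                continue
            probe_ip = str(tgw.attachment_cidr[dst].network_address + 1)  # first host in dst prefix
            if inspection not in tgw.trace(src, probe_ip):
                bypasses.append((src, dst))
    return bypasses


if __name__ == "__main__":
    hub = build_inspection_hub()
    print("spoke-a -> spoke-b:", " -> ".join(hub.trace("spoke-a", "10.2.0.5")))
    print("bypasses in correct hub:", find_bypasses(hub))
    print("bypasses in leaky hub:", find_bypasses(build_leaky_hub()))
```

Two points the model makes visible: the inspection VPC's attachment must be associated with a different route table from the spokes, otherwise the appliance's onward packet would match the spoke default route and loop back to itself; and the return flow from spoke B to spoke A takes the mirror path through inspection, which is why a stateful appliance behind this design needs the attachment's appliance mode enabled so both directions of a flow land on the same appliance.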
