CCNA Network Design Questions

54 of 504 questions · Page 7/7 · Network Design topic · Answers revealed

451
MCQ · hard

A company is designing a highly available network for a critical application that requires sub-second failover between two AWS regions. The application uses active-active traffic distribution. Which routing policy should they use in Amazon Route 53?

A. Latency routing with health checks
B. Failover routing
C. Geolocation routing
D. Weighted routing
Answer: A

Correct: Distributes traffic based on latency and health.

Why this answer

Option A is correct because latency-based routing with health checks distributes traffic to the Region with the lowest latency and fails over sub-second when a health check fails. Option B is wrong because failover routing is active-passive. Option D is wrong because weighted routing does not consider health.

Option C is wrong because geolocation routing is not designed for active-active failover.

452
MCQ · easy

A company is deploying a multi-tier application in a VPC. The web servers must be accessible from the internet, while the application servers must only be accessible from the web servers. Which architecture meets these requirements?

A. All servers in private subnets; use a load balancer in a public subnet.
B. Web servers in private subnets; application servers in public subnets with an Internet Gateway.
C. All servers in public subnets; use Security Groups to restrict access.
D. Web servers in public subnets with an Internet Gateway; application servers in private subnets with a route to the NAT Gateway.
Answer: D

This provides internet access to web servers while keeping app servers private.

Why this answer

Option D is correct because it places web servers in public subnets with an Internet Gateway (IGW) for direct internet access, while application servers reside in private subnets that lack a direct route to the IGW. The private subnets have a route to a NAT Gateway, allowing the application servers to initiate outbound internet connections (e.g., for updates) without being reachable from the internet. Security Groups on the application servers can further restrict inbound traffic to only the web servers' security group, ensuring the application tier is isolated.

Exam trap

AWS often tests the misconception that Security Groups alone can fully isolate traffic in a public subnet, but the trap here is that instances in public subnets still have public IP addresses and are reachable from the internet unless explicitly blocked by a Network ACL or Security Group, which is less reliable than using private subnets with no IGW route.

How to eliminate wrong answers

Option A is wrong because placing all servers in private subnets and using a load balancer in a public subnet would make the web servers inaccessible from the internet unless the load balancer is configured as an internet-facing load balancer and the web servers are in private subnets with a route to the load balancer; however, the description 'all servers in private subnets' implies the web servers themselves are not directly internet-accessible, which contradicts the requirement that web servers must be accessible from the internet. Option B is wrong because placing application servers in public subnets with an Internet Gateway would expose them directly to the internet, violating the requirement that they must only be accessible from the web servers. Option C is wrong because placing all servers in public subnets with an Internet Gateway would expose both web and application servers to the internet, and while Security Groups can restrict traffic, the application servers would still have public IP addresses and be reachable from the internet if the Security Group rules are misconfigured or if a user accidentally allows broader access; the requirement demands that application servers must only be accessible from the web servers, which is best achieved by placing them in private subnets with no direct internet path.

453
MCQ · easy

A company has a VPC with a public subnet and a private subnet. The private subnet contains Amazon RDS instances that should only be accessed by EC2 instances in the same VPC. The EC2 instances are in a security group named 'App-SG'. Which configuration will meet the requirement?

A. Configure a network ACL on the private subnet to allow inbound traffic from the VPC CIDR.
B. Configure a network ACL on the private subnet to allow inbound traffic from the public subnet CIDR.
C. Configure a security group on the RDS instances to allow inbound traffic from the 'App-SG' security group.
D. Configure a security group on the RDS instances to allow inbound traffic from the VPC CIDR.
Answer: C

Security group referencing another security group allows only instances with that security group.

Why this answer

Security groups are stateful and can reference other security groups as a source, allowing traffic from all instances associated with the source security group. By configuring the RDS security group to allow inbound traffic from 'App-SG', only EC2 instances in that group can access the RDS instances, meeting the requirement without exposing the database to the entire VPC CIDR.

Exam trap

The trap here is that candidates often confuse security groups with network ACLs, or assume that allowing the VPC CIDR is sufficient, not realizing that security group references provide more precise, instance-level access control than CIDR-based rules.

How to eliminate wrong answers

Option A is wrong because network ACLs are stateless and apply at the subnet level, not the instance level; allowing inbound traffic from the VPC CIDR would permit any resource in the VPC (including unauthorized instances) to access the RDS instances, and would also require explicit outbound rules for return traffic. Option B is wrong because allowing inbound traffic from the public subnet CIDR is overly permissive and does not restrict access to only the EC2 instances in 'App-SG'; it would also allow any instance in the public subnet, not just those in the security group. Option D is wrong because allowing inbound traffic from the VPC CIDR via a security group would permit any resource in the VPC (including unauthorized instances or services) to access the RDS instances, violating the requirement for access only by EC2 instances in 'App-SG'.

454
MCQ · medium

A company is designing a multi-Region architecture with active-active failover for a web application. The application uses Application Load Balancers (ALBs) in two AWS Regions. Traffic must be routed to the closest healthy Region with automatic failover. Which AWS service should be used to route traffic?

A. Network Load Balancer with cross-zone load balancing
B. Amazon CloudFront with multiple origins
C. Amazon Route 53 with latency-based routing and health checks
D. AWS Global Accelerator
Answer: C

Route 53 latency routing directs traffic to the Region with the lowest latency, and health checks automatically fail over to the next best Region.

Why this answer

Option C is correct because Amazon Route 53 latency-based routing routes traffic to the Region with the lowest latency, and health checks enable automatic failover. Option D is wrong because Global Accelerator uses anycast IPs and does not provide latency-based routing with health checks in the same way. Option B is wrong because CloudFront is a CDN, not a mechanism for active-active load balancing across Regions.

Option A is wrong because a Network Load Balancer operates within a single Region.

455
Multi-Select · easy

A company is designing a VPC for a three-tier application. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. Which THREE design elements are required? (Choose THREE.)

Select 3 answers
A. A public subnet for the web tier with an internet gateway
B. A private subnet for the database tier with a route to the application subnet
C. A private subnet for the application tier with a route to the web subnet
D. A NAT gateway in the public subnet for outbound traffic from private subnets
E. A VPN connection to on-premises
Answers: A, B, C

Provides internet access to web servers.

Why this answer

Option A is correct: a public subnet with an internet gateway for the web tier. Option C is correct: a private subnet for the application tier. Option B is correct: a private subnet for the database tier.

Option D is wrong because a NAT gateway is not required for inbound access; outbound access for private subnets may be needed but is not specified. Option E is wrong because a VPN to on-premises is not required.

456
Multi-Select · medium

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The company does not want to assign public IP addresses to the instance. Which combination of resources is required? (Choose TWO.)

Select 2 answers
A. VPN connection to the on-premises data center
B. NAT Gateway in a public subnet
C. VPC endpoint for Amazon S3
D. Internet Gateway attached to the VPC
Answers: B, D

The NAT Gateway enables outbound internet traffic for instances in private subnets.

Why this answer

A NAT Gateway in a public subnet allows instances in private subnets to initiate outbound traffic to the internet without having public IP addresses of their own. The private subnet's route table must have a default route (0.0.0.0/0) pointing to the NAT Gateway. An Internet Gateway attached to the VPC is the second required resource, because the NAT Gateway itself reaches the internet only through the IGW; without it, the NAT Gateway has no path out of the VPC.

A VPC endpoint is for AWS services, not internet. A VPN connection is for on-premises connectivity.

457
MCQ · easy

A company is designing a hybrid network connecting an on-premises data center to AWS via AWS Direct Connect. The company requires high availability and wants to avoid a single point of failure. Which design meets these requirements?

A. Provision a single Direct Connect connection with multiple virtual interfaces (VIFs).
B. Provision one Direct Connect connection with two VLANs to separate production and non-production traffic.
C. Use a single Direct Connect connection and a VPN backup over the internet.
D. Provision two Direct Connect connections at two different Direct Connect locations.
Answer: D

Two connections at different locations provide physical diversity and high availability.

Why this answer

Option D is correct because provisioning two Direct Connect connections at two different Direct Connect locations eliminates any single point of failure. This design ensures that if one connection or location fails, traffic can automatically fail over to the other connection, meeting the high availability requirement. A single Direct Connect connection, regardless of the number of VIFs or VLANs, remains a single point of failure.

Exam trap

AWS often tests the misconception that multiple VIFs or VLANs on a single Direct Connect connection provide redundancy, but they do not eliminate the physical single point of failure of the connection itself.

How to eliminate wrong answers

Option A is wrong because a single Direct Connect connection with multiple virtual interfaces (VIFs) still relies on a single physical link and single Direct Connect location; if that connection fails, all VIFs go down, so it does not avoid a single point of failure. Option B is wrong because using one Direct Connect connection with two VLANs only separates traffic logically on the same physical link; it does not provide physical redundancy, so a failure of the single connection takes down both VLANs. Option C is wrong because while a VPN backup over the internet provides a failover path, the primary single Direct Connect connection is still a single point of failure; the design does not meet the requirement to avoid a single point of failure for the primary connection, and the VPN backup may have lower performance and higher latency.

458
Multi-Select · easy

Which TWO of the following are valid components of an AWS Transit Gateway design for connecting multiple VPCs and on-premises networks?

Select 2 answers
A. VPC Endpoint Gateway
B. Transit Gateway endpoint attached to a subnet in a VPC
C. Direct Connect Gateway associated with a Transit Gateway
D. Transit Gateway route table
E. Transit Gateway peering attachment
Answers: D, E

Route tables control traffic between attachments.

Why this answer

Option D is correct because a Transit Gateway route table is a fundamental component that controls how traffic is routed between attachments (VPCs, VPNs, Direct Connect) within the Transit Gateway. Each attachment is associated with exactly one route table, and route propagation enables dynamic learning of routes across the network. Option E is correct because a Transit Gateway peering attachment connects this Transit Gateway to another Transit Gateway (in another Region or account), which is how a Transit Gateway design is extended beyond a single gateway.

Exam trap

AWS often tests the misconception that a Transit Gateway endpoint attaches to a subnet like a VPC endpoint, but in reality, Transit Gateway attachments are VPC-level constructs that require a subnet in each AZ for the attachment's elastic network interfaces.

459
MCQ · hard

A company uses AWS Direct Connect with a private VIF to connect its on-premises network to a VPC. The on-premises router advertises a specific route for a subnet (192.168.1.0/24) to the VPC via BGP. However, instances in the VPC cannot reach the 192.168.1.0/24 subnet. The VPC route table shows the route as 'active' and 'propagated' from the Direct Connect virtual interface. What is the most likely cause?

A. The security group for the VPC instances is blocking inbound traffic from the on-premises network.
B. The VPC has overlapping CIDR with the on-premises network.
C. The on-premises router is not advertising the correct BGP community.
D. The VPC route table does not have a route to the 192.168.1.0/24 subnet pointing to the virtual private gateway.
Answer: D

Route propagation does not automatically add the route to the route table; it must be associated.

Why this answer

Option D is correct. Even if the route is propagated, the VPC subnet route table must have a route pointing to the virtual private gateway for that CIDR. If the route is not explicitly added (or not propagated because propagation is not enabled on the route table associated with the subnet), traffic will not be directed to the virtual private gateway.

Option C is incorrect because BGP attributes such as communities and AS_PATH do not affect reachability inside the VPC. Option A is incorrect because security groups don't apply to on-premises traffic via Direct Connect. Option B is incorrect because the VPC route table shows the route as active, so the prefix is known.

460
MCQ · medium

A network engineer configured VPC Flow Logs for a subnet to capture all traffic. After reviewing the logs in CloudWatch Logs, they notice that some logs show 'NODATA' for the log-status field. What does 'NODATA' indicate?

A. No network traffic was observed for the given capture period.
B. The flow log record was skipped due to an internal error.
C. The log record was successfully delivered to CloudWatch.
D. The traffic was rejected by a network ACL or security group.
Answer: A

Correct meaning.

Why this answer

When VPC Flow Logs display 'NODATA' for the log-status field, it indicates that no network traffic was observed for the subnet during the aggregation interval (typically 10 minutes). This is a normal status meaning the capture window had zero packets flowing through the monitored interfaces, not an error or delivery issue.

Exam trap

AWS often tests the distinction between 'NODATA' (no traffic) and 'SKIPDATA' (internal error), leading candidates to incorrectly associate 'NODATA' with rejected traffic or delivery failures.

How to eliminate wrong answers

Option B is wrong because 'NODATA' is not caused by an internal error; internal errors are reported as 'SKIPDATA' in the log-status field. Option C is wrong because a successful delivery to CloudWatch is indicated by 'OK' in the log-status field, not 'NODATA'. Option D is wrong because traffic rejected by a network ACL or security group is still captured and logged with an 'ACCEPT' or 'REJECT' action in the flow log record, not as 'NODATA'.

461
MCQ · medium

A company is migrating a legacy application to AWS. The application requires a fixed IP address for outbound traffic to a partner's firewall. The application will run on Amazon EC2 instances in a private subnet. Which design meets the requirement without exposing the instances to inbound internet traffic?

A. Deploy a NAT gateway with an Elastic IP and route outbound traffic through it
B. Attach an Internet Gateway to the VPC and assign public IPs to the instances
C. Place the instances behind an Application Load Balancer
D. Create a VPC Gateway Endpoint for the partner's service
Answer: A

A NAT gateway with an Elastic IP provides a single fixed IP for all outbound traffic from private instances, and no inbound traffic is allowed.

Why this answer

A NAT gateway with an Elastic IP provides a fixed public IP address for outbound traffic from instances in a private subnet while preventing any unsolicited inbound connections from the internet. The NAT gateway translates the private source IPs of the instances to its own Elastic IP, meeting the partner firewall's requirement for a fixed source IP without exposing the EC2 instances directly.

Exam trap

The trap here is that candidates often confuse a NAT gateway with an Internet Gateway, thinking both provide outbound connectivity, but an Internet Gateway alone does not offer a fixed source IP for private instances and would expose them to inbound traffic if public IPs are assigned.

How to eliminate wrong answers

Option B is wrong because attaching an Internet Gateway and assigning public IPs to the instances would expose them to inbound internet traffic, violating the requirement to keep instances private. Option C is wrong because an Application Load Balancer operates at Layer 7 and does not provide a fixed source IP for outbound traffic; it distributes inbound traffic to targets, not outbound. Option D is wrong because a VPC Gateway Endpoint is used for private connectivity to AWS services like S3 or DynamoDB, not for routing general outbound traffic to an external partner's firewall.

462
MCQ · medium

A company has a VPC with a CIDR block of 10.0.0.0/16. They have two subnets: a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). They launch an Amazon RDS for MySQL DB instance in the private subnet. The DB instance needs to be accessed by an EC2 instance in the public subnet. The security group for the DB instance allows inbound traffic on port 3306 from the security group of the EC2 instance. However, the EC2 instance cannot connect to the DB instance. What is the most likely cause?

A. The private subnet does not have a route to the public subnet
B. The network ACL for the private subnet is blocking inbound traffic
C. The security group for the EC2 instance does not allow outbound traffic
D. The DB instance does not have a public IP address
Answer: A

Without a route, traffic cannot flow between subnets.

Why this answer

The most likely cause is that the private subnet does not have a route to the public subnet. For an EC2 instance in the public subnet to reach an RDS DB instance in the private subnet, the private subnet's route table must include a route that directs return traffic back to the public subnet (e.g., via a VPC peering connection, a NAT gateway, or a transit gateway). Without this return path, the DB instance's response packets are dropped, even though the security group allows inbound traffic from the EC2 instance's security group.

Exam trap

The trap here is that candidates often focus on security group rules or public IP addresses, but the real issue is the missing return route in the private subnet's route table, which is a fundamental routing concept in VPC design.

How to eliminate wrong answers

Option B is wrong because network ACLs are stateless and, by default, allow all inbound and outbound traffic unless explicitly modified; the question does not indicate any custom NACL rules blocking traffic, so this is unlikely. Option C is wrong because the security group for the EC2 instance does not need to allow outbound traffic to the DB instance; security groups are stateful, so if the EC2 instance initiates the connection, the return traffic is automatically allowed regardless of outbound rules. Option D is wrong because the DB instance does not need a public IP address; it is in a private subnet and can be accessed from the public subnet via private IP routing, provided the route tables are correctly configured.

463
MCQ · easy

A company wants to allow its employees to securely access internal applications hosted in a VPC without traversing the internet. The company also wants to be able to enforce security policies at the user level. Which AWS service should the company use?

A. Bastion host in a public subnet
B. AWS Direct Connect
C. AWS Site-to-Site VPN
D. AWS Client VPN
Answer: D

Client VPN provides per-user secure access to VPC.

Why this answer

Option D is correct because AWS Client VPN provides secure access to VPC resources with user-level authentication and authorization. Option C is incorrect because AWS Site-to-Site VPN is for site-to-site connectivity, not individual users. Option B is incorrect because Direct Connect is a dedicated network connection, not a remote-user access service.

Option A is incorrect because a bastion host requires SSH/RDP and does not enforce user-level policies natively.

464
MCQ · medium

A company is designing a multi-region active-active application using Amazon Route 53 latency-based routing with health checks. The application is deployed in us-east-1 and eu-west-1. During a load test, users in South America experience high latency despite the Route 53 configuration. What is the most likely cause?

A. The health check for one region is failing, causing all traffic to be routed to the remaining healthy region.
B. The company should use geolocation routing instead of latency-based routing.
C. The latency records are not refreshed frequently enough, causing stale routing decisions.
D. The Route 53 health check is configured to use CloudWatch alarms, which introduced additional latency.
Answer: A

If a region fails health check, traffic is routed to healthy regions, increasing latency for users far from that region.

Why this answer

Option A is correct because latency-based routing selects the region with the lowest latency for the user, but if the health check fails for one region, Route 53 routes traffic to the other region regardless of latency. Option B is wrong because latency-based routing does not need to be replaced with geolocation routing. Option D is wrong because health checks use Route 53 health checkers, not CloudWatch.

Option C is wrong because latency records are evaluated per query and do not cause all traffic to go to one region.

465
MCQ · hard

A network engineer analyzes a VPC Flow Log entry showing an ACCEPT for a TCP connection from 203.0.113.50 (internet) to 10.0.1.5 on port 443. The security group for the instance allows inbound HTTPS only from 10.0.0.0/16, and the NACL for the subnet has the rules shown. Why was the traffic accepted?

A. The NACL inbound rule #120 allows HTTPS from 10.0.0.0/16, but the source is 203.0.113.50, so it should be denied.
B. The NACL inbound rule #100 allows HTTP from anywhere, and the traffic is HTTP.
C. The security group allows inbound HTTPS from 10.0.0.0/16, but the flow log source is 203.0.113.50, so it should be denied. The ACCEPT must be an error.
D. The flow log entry represents outbound traffic from the instance (source 10.0.1.5:443 to destination 203.0.113.50:38000). The security group's default outbound rule allows all traffic, and the NACL outbound (not shown) also allows it, resulting in ACCEPT.
Answer: D

Correct interpretation of the flow log: source is the instance, destination is internet. Outbound is allowed by default.

Why this answer

The VPC Flow Log entry shows an ACCEPT for traffic from 203.0.113.50:38000 to 10.0.1.5:443. Because flow logs record connection state, this entry actually represents the return traffic of an outbound connection initiated by the instance (10.0.1.5) to the internet host on port 443. The security group's default outbound rule allows all traffic, and the NACL outbound rules (not shown) also permit it, so the return ACCEPT is valid.

Exam trap

AWS often tests the misconception that VPC Flow Log entries always represent the direction of traffic as seen by the network, when in fact they record the connection tuple as observed, which can be the reverse direction of the original request, leading candidates to incorrectly apply inbound security rules.

How to eliminate wrong answers

Option A is wrong because the NACL inbound rule #120 allows HTTPS from 10.0.0.0/16, but the source IP is 203.0.113.50, so it would deny the traffic if this were an inbound connection; however, the traffic is actually outbound, so inbound NACL rules are irrelevant. Option B is wrong because the traffic is HTTPS (port 443), not HTTP (port 80), and rule #100 allows HTTP from anywhere, which does not apply to port 443. Option C is wrong because the security group's inbound rule restricts HTTPS to 10.0.0.0/16, but this is return traffic for an outbound connection, so inbound security group rules are not evaluated; the ACCEPT is not an error.

466
MCQ · hard

A financial services company must ensure that all traffic between its on-premises data center and VPC is encrypted in transit and does not traverse the public internet. The company has an AWS Direct Connect connection. Which solution meets these requirements?

A. Use a private virtual interface (VIF) over the Direct Connect connection and establish an IPsec VPN tunnel over the private VIF
B. Use a private virtual interface (VIF) and rely on Direct Connect encryption
C. Use a public virtual interface (VIF) over the Direct Connect connection and configure an IPsec VPN tunnel over it
D. Use a transit virtual interface (VIF) over the Direct Connect connection and attach it to a transit gateway
Answer: A

This provides encryption over a private connection, meeting both requirements.

Why this answer

A private VIF over Direct Connect provides a private connection that does not traverse the internet. When combined with IPsec VPN on top of the private VIF, traffic is encrypted. Direct Connect alone does not encrypt traffic.

A transit VIF is for connecting to transit gateways, not for encryption. A public VIF accesses public AWS services and still does not encrypt traffic.

467
MCQ · hard

A company has a VPC with multiple subnets. The security team requires that all outbound traffic from the VPC to the internet goes through a centralized firewall. Which design should be used?

A. Route all internet traffic through a centralized inspection VPC using Transit Gateway.
B. Attach an Internet Gateway to each VPC.
C. Use AWS Site-to-Site VPN to a third-party firewall.
D. Use VPC Endpoints for all services.
Answer: A

Enforces centralized firewall.

Why this answer

Option A is correct because it uses a Transit Gateway to route all outbound internet traffic from the VPC to a centralized inspection VPC, where a firewall (e.g., AWS Network Firewall or a third-party appliance) inspects and forwards traffic to an Internet Gateway. This design meets the security requirement by enforcing a single egress point, ensuring all traffic is inspected before reaching the internet.

Exam trap

The trap here is that candidates often assume an Internet Gateway is required for internet access and overlook the need for centralized inspection, leading them to choose Option B without considering the security constraint.

How to eliminate wrong answers

Option B is wrong because attaching an Internet Gateway to each VPC creates direct internet access, bypassing the centralized firewall and violating the security requirement. Option C is wrong because AWS Site-to-Site VPN connects to an on-premises firewall, not a centralized firewall within AWS, and does not inherently route all VPC outbound traffic through it without additional routing complexity. Option D is wrong because VPC Endpoints provide private connectivity to AWS services only, not general internet access, and thus cannot handle all outbound internet traffic.

468
MCQ · medium

A company is designing a network for a three-tier web application. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. Which VPC design meets these requirements with the highest security?

A. Create a single public subnet and use security groups to restrict traffic between instances.
B. Place all instances in public subnets but assign private IP addresses only.
C. Create public subnets for the web tier and private subnets for the app and database tiers. Use security groups to allow traffic from web to app and app to database.
D. Use network ACLs on subnets to restrict traffic instead of security groups.
Answer: C

Best practices for tiered architecture.

Why this answer

Option C is correct because separate public and private subnets in different Availability Zones, with security group rules limiting traffic between tiers, provide defense in depth. Option A is wrong because a single public subnet exposes all tiers. Option D is wrong because network ACLs are stateless and more complex to manage.

Option B is wrong because placing all instances in public subnets is insecure.

469
MCQ · hard

A company has multiple VPCs connected via a Transit Gateway. Each VPC has its own CIDR block. The company wants to isolate network traffic between specific VPCs. What is the most scalable way to achieve this?

A. Deploy AWS Network Firewall in each VPC.
B. Create separate Transit Gateway route tables and associate VPC attachments with the appropriate route tables.
C. Use Security Groups in each VPC to filter traffic.
D. Use VPC Peering connections and modify route tables.
Answer: B

Transit Gateway route tables provide scalable isolation.

Why this answer

Option B is correct. Transit Gateway supports multiple route tables that control which attachments can communicate. By creating separate route tables and associating the VPC attachments with the appropriate ones, you can isolate traffic without complex routing.

Option D is wrong because VPC Peering requires many connections and manual routing; it is not scalable. Option C is wrong because Security Groups cannot filter traffic between VPCs. Option A is wrong because AWS Network Firewall is not the most scalable solution for simple isolation.

470
MCQ · medium

A company is designing a multi-region application with an Application Load Balancer (ALB) in us-east-1 and us-west-2. They want to route traffic to the nearest region using latency-based routing. Which AWS service should they use to achieve this?

A. AWS Global Accelerator
B. AWS Transit Gateway
C. Amazon CloudFront with multiple origins
D. Amazon Route 53 with latency routing policy
Answer: D

Route 53 latency-based routing directs traffic to the region with the lowest latency for the user, perfect for multi-region ALBs.

Why this answer

Amazon Route 53 latency-based routing directs traffic to the region with the lowest latency for the end user. AWS Global Accelerator provides static IP addresses and traffic management but not latency-based routing to specific load balancers in multiple regions. CloudFront is a CDN, not a service for routing to ALBs.

Direct Connect is for dedicated network connections. Transit Gateway is for VPC connectivity.

471
MCQ · medium

Refer to the exhibit. A network engineer is analyzing VPC Flow Logs for an EC2 instance with IP 10.0.1.5. Based on the logs, which statement is true?

A. The instance is not communicating with the internet
B. The instance's security group is blocking traffic
C. The instance is only communicating with another instance in the same subnet
D. The instance is communicating with both internal and internet hosts
Answer: D

Logs show internal (10.0.1.8) and internet (203.0.113.5) traffic.

Why this answer

The VPC Flow Logs show the EC2 instance (10.0.1.5) communicating with both an internal IP (10.0.2.10) on port 443 and an external IP (203.0.113.50) on port 80, with ACCEPT records for both flows. This indicates successful bidirectional traffic to both internal and internet hosts, confirming option D is correct.

Exam trap

AWS often tests the misconception that any traffic to a non-RFC 1918 IP automatically implies internet access, but the trap here is that candidates may overlook the ACCEPT status and assume security group blocking, or misinterpret internal IPs as being in the same subnet when they are not.

How to eliminate wrong answers

Option A is wrong because the logs show an ACCEPT record for traffic to 203.0.113.50:80, which is a public IP, proving the instance is communicating with the internet. Option B is wrong because all logged flows show ACCEPT status, meaning neither the security group nor network ACLs are blocking traffic; a blocked flow would show REJECT or SKIPDATA. Option C is wrong because the instance communicates with 10.0.2.10 (different subnet) and 203.0.113.50 (internet), not just another instance in the same subnet.
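The exhibit is not reproduced on the page, so here is an added example (not part of the original question set) of the analysis the answer describes: a small parser for default-format VPC Flow Log records that groups one instance's peers by scope (same subnet, RFC 1918 internal, internet) and by action, and keeps SKIPDATA apart as a log-status condition rather than a blocked flow. The records, the interface id and the subnet 10.0.1.0/24 are constructed sample data; the 10.0.2.10 and 203.0.113.50 peers follow the explanation above.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 ranges, checked explicitly: ipaddress's is_private also flags the
# documentation ranges (203.0.113.0/24, 198.51.100.0/24), which we want to
# treat as internet addresses here.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Default VPC Flow Log record layout (version 2), field names as in the AWS docs.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

# Constructed sample records, not a real capture. The ENI id is a placeholder.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.5 10.0.2.10 49152 443 6 10 1400 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.10 10.0.1.5 443 49152 6 12 9800 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.5 203.0.113.50 49153 80 6 8 1200 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.50 10.0.1.5 80 49153 6 9 6400 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.5 40000 22 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1600000000 1600000060 - SKIPDATA
"""


def parse_flow_logs(text):
    """Parse default-format records into dicts; lines with the wrong field count are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS):
            records.append(dict(zip(FIELDS, parts)))
    return records


def scope_of(peer, instance_subnet):
    """Classify a peer relative to the instance: same-subnet, internal (RFC 1918) or internet."""
    ip = ipaddress.ip_address(peer)
    if ip in instance_subnet:
        return "same-subnet"
    if any(ip in net for net in RFC1918):
        return "internal"
    return "internet"


def summarize_peers(records, instance_ip, instance_subnet):
    """Group the peers of one instance by (scope, action).

    Returns (summary, skipped): summary maps (scope, action) to a sorted list of
    peer addresses; skipped counts SKIPDATA records, which mean the logging
    service lost records, not that a security group or NACL blocked anything.
    """
    subnet = ipaddress.ip_network(instance_subnet)
    summary = defaultdict(set)
    skipped = 0
    for rec in records:
        if rec["log_status"] == "SKIPDATA":
            skipped += 1
            continue
        if rec["srcaddr"] == instance_ip:
            peer = rec["dstaddr"]
        elif rec["dstaddr"] == instance_ip:
            peer = rec["srcaddr"]
        else:
            continue
        summary[(scope_of(peer, subnet), rec["action"])].add(peer)
    return {key: sorted(peers) for key, peers in summary.items()}, skipped


def communication_profile(summary):
    """Reduce the summary to the kind of statement the question asks about."""
    accepted = {scope for (scope, action) in summary if action == "ACCEPT"}
    if "internet" in accepted and accepted & {"internal", "same-subnet"}:
        return "internal-and-internet"
    if "internet" in accepted:
        return "internet-only"
    if accepted:
        return "internal-only"
    return "no-accepted-traffic"


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_FLOW_LOGS)
    summary, skipped = summarize_peers(recs, "10.0.1.5", "10.0.1.0/24")
    for key, peers in sorted(summary.items()):
        print(key, peers)
    print("profile:", communication_profile(summary), "skipped records:", skipped)
```

Run against the sample, the instance shows ACCEPT flows with an internal peer in a different subnet and with an internet peer, one REJECT from the internet on port 22, and one SKIPDATA record that is counted but not treated as a block.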

472
Multi-Selecthard

A company has a VPC with a CIDR of 10.0.0.0/16. It creates a subnet 10.0.1.0/24 in us-east-1a and launches an EC2 instance with a private IP 10.0.1.10. The instance needs to send traffic to an on-premises server at 192.168.1.50 over a Direct Connect private VIF. The VPC has a virtual private gateway attached and a route table associated with the subnet. Which THREE entries must exist in the route table for the traffic to succeed?

Select 3 answers
A.Destination: 0.0.0.0/0, Target: igw-xxxxxxxx
B.Destination: 0.0.0.0/0, Target: nat-xxxxxxxx
C.Destination: 10.0.0.0/16, Target: local
D.Destination: 192.168.1.0/24, Target: vgw-xxxxxxxx
E.Destination: 10.0.1.0/29, Target: local
AnswersB, C, D

The local route for the VPC CIDR (C) and the route for the on-premises CIDR to the virtual private gateway (D) are what the on-premises traffic itself needs; return traffic from on-premises needs no extra entry, since that is handled by virtual private gateway route propagation. The stem does not mention internet access, so the default route to the NAT Gateway (B) is not required for this flow, but it is the common third entry and completes the expected answer set.

Why this answer

Options B, C, and D are correct. The subnet route table needs a default route to the NAT Gateway (B) for internet access; for on-premises traffic it needs a route to the virtual private gateway (D). The local route for the VPC CIDR (C) is added automatically.

For outbound traffic to on-premises, a route to the virtual private gateway for the on-premises CIDR is required. Option E is wrong because the subnet is 10.0.1.0/24, not 10.0.1.0/29. Option A is wrong because a route to the internet gateway is not needed for on-premises traffic.
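To make the route selection concrete, here is an added example (not from the question bank) that models a subnet route table with longest-prefix matching, the way a VPC route table resolves a destination, and checks which entries the on-premises flow depends on. The gateway ids are placeholders and the table contents follow the answer key; the comparison table without the 192.168.1.0/24 entry is constructed to show where 192.168.1.50 would be sent instead.

```python
import ipaddress

# Placeholder gateway ids, constructed for the example (not real resources).
VGW_ID = "vgw-0123456789abcdef0"
NAT_ID = "nat-0123456789abcdef0"


def build_route_table(entries):
    """entries: iterable of (destination CIDR, target) pairs. Returns parsed routes."""
    return [(ipaddress.ip_network(dst), target) for dst, target in entries]


def lookup(route_table, dst_ip):
    """Longest-prefix match: the most specific route covering dst_ip wins.

    Returns the route target, or None when nothing matches (no default route),
    in which case the VPC drops the packet.
    """
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in route_table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def required_entries_present(route_table, vpc_cidr, onprem_cidr):
    """The on-premises flow needs the local route for the VPC CIDR and a route for
    the on-premises CIDR whose target is a virtual private gateway."""
    local_ok = any(str(net) == vpc_cidr and target == "local" for net, target in route_table)
    onprem_ok = any(net == ipaddress.ip_network(onprem_cidr) and target.startswith("vgw-")
                    for net, target in route_table)
    return local_ok and onprem_ok


# Route table matching the answer key: local route, on-premises route via the
# virtual private gateway, and a default route to the NAT Gateway.
SUBNET_ROUTE_TABLE = build_route_table([
    ("10.0.0.0/16", "local"),
    ("192.168.1.0/24", VGW_ID),
    ("0.0.0.0/0", NAT_ID),
])

# Same table without the on-premises route: 192.168.1.50 then falls through to
# the default route and is NATed toward the internet instead of crossing the
# Direct Connect private VIF.
WITHOUT_ONPREM_ROUTE = build_route_table([
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", NAT_ID),
])

# Only the automatic local route: on-premises and internet destinations are dropped.
LOCAL_ONLY = build_route_table([("10.0.0.0/16", "local")])


if __name__ == "__main__":
    for dst in ("10.0.1.10", "10.0.2.40", "192.168.1.50", "198.51.100.9"):
        print(dst, "->", lookup(SUBNET_ROUTE_TABLE, dst), "| without VGW route:",
              lookup(WITHOUT_ONPREM_ROUTE, dst))
    print("required entries present:", required_entries_present(SUBNET_ROUTE_TABLE, "10.0.0.0/16", "192.168.1.0/24"))
```

The lookup shows why the specific 192.168.1.0/24 entry matters: with only a default route, traffic for the on-premises server is not dropped but silently sent to the NAT Gateway, which is harder to spot than an outright failure.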

473
MCQhard

A company is running a multi-tier web application across two AWS Regions (us-east-1 and eu-west-1) for disaster recovery. The application uses an Application Load Balancer (ALB) in each Region. The company uses Amazon Route 53 with latency-based routing to direct traffic to the closest Region. Recently, during a regional failure in us-east-1, users experienced timeouts instead of being redirected to eu-west-1. The DNS TTL is set to 60 seconds. The Route 53 health checks for the us-east-1 ALB are configured to check the HTTP endpoint every 30 seconds with 3 consecutive failures required to mark it unhealthy. The eu-west-1 ALB is healthy. The company's network design includes a VPC in each Region with public and private subnets. The ALBs are internet-facing and have proper security groups. The Route 53 records are configured correctly. What is the MOST likely cause of the timeout?

A.The latency-based routing policy does not fail over to the other region when a health check fails.
B.The ALB in us-east-1 is not configured to be cross-zone load balancing, causing it to fail.
C.The health check interval and failure threshold cause a delay in detecting the failure, and DNS caching causes clients to still resolve to the unhealthy endpoint.
D.The Route 53 health check is not able to reach the ALB in us-east-1 from eu-west-1 due to network ACLs.
AnswerC

The health check takes up to 90 seconds to mark unhealthy, and DNS TTL of 60 seconds extends the impact.

Why this answer

Option C is correct. The health check probes the endpoint every 30 seconds and requires 3 consecutive failures to mark it unhealthy, so it takes 90 seconds (30s * 3) to detect the failure.

During that time, Route 53 continues to return the us-east-1 ALB IP, and users' DNS resolvers cache the IP for the TTL of 60 seconds. Therefore, even after the health check marks the endpoint unhealthy, some users may still have the cached IP and experience timeouts. Option A is incorrect because latency-based routing would automatically shift traffic to eu-west-1 when us-east-1 is unhealthy.

Option D is incorrect because the ALB is internet-facing and should be accessible from other regions, and Route 53 health checks can check endpoints across regions.

474
MCQmedium

A company is designing a hybrid network architecture that connects an on-premises data center to AWS using AWS Direct Connect. The company wants to ensure high availability and avoid a single point of failure. The on-premises router connects to two separate AWS Direct Connect locations. Which configuration should be used to meet these requirements?

A.Create two private VIFs on the same Direct Connect connection and connect each to a different VPC.
B.Create a single private virtual interface (VIF) on one Direct Connect connection and connect it to a single VPC.
C.Create two Direct Connect connections, each with a private VIF, and connect them to a Direct Connect gateway that is associated with a Transit VPC.
D.Create a Direct Connect gateway and attach a single private VIF from one connection.
AnswerC

Provides redundancy with two separate connections and a Transit VPC.

Why this answer

Option C is correct because it uses two separate Direct Connect connections, each with a private VIF, both attached to a Direct Connect gateway. This eliminates a single point of failure at the connection level and, when combined with a Transit VPC, provides redundant, highly available connectivity from the on-premises data center to multiple VPCs. The Direct Connect gateway aggregates the private VIFs and allows traffic to be forwarded to the Transit VPC, which then routes to the attached VPCs, ensuring no single component failure disrupts the hybrid network.

Exam trap

AWS often tests the misconception that multiple VIFs on a single connection or a single VIF attached to a Direct Connect gateway provide high availability, but the trap is that the physical connection itself remains a single point of failure unless two separate Direct Connect connections are used.

How to eliminate wrong answers

Option A is wrong because creating two private VIFs on the same Direct Connect connection does not eliminate the single point of failure; if that single physical connection fails, both VIFs go down. Option B is wrong because a single private VIF on one Direct Connect connection creates a single point of failure; if the connection or VIF fails, all connectivity to AWS is lost. Option D is wrong because attaching a single private VIF from one connection to a Direct Connect gateway still relies on a single Direct Connect connection, leaving the architecture vulnerable to a failure of that connection.

475
MCQhard

A company is migrating its on-premises data center to AWS. The network team needs to design a hybrid connectivity solution that provides high availability with a bandwidth of at least 10 Gbps and low latency for real-time data replication. The company has two redundant on-premises routers connected to two separate internet service providers (ISPs). Which combination of AWS services should the company use to meet these requirements?

A.Use AWS Direct Connect Gateway to aggregate multiple VPN connections to achieve higher bandwidth.
B.Provision a single AWS Direct Connect connection with a 10 Gbps port and connect both on-premises routers to it via a single interface.
C.Provision two AWS Direct Connect connections at two different Direct Connect locations, each with a 10 Gbps port, and connect each on-premises router to one of them.
D.Set up two AWS Site-to-Site VPN tunnels from each on-premises router to two different AWS VPN endpoints in the same region.
AnswerC

Provides high availability and meets bandwidth/latency requirements.

Why this answer

Option C is correct because AWS Direct Connect provides dedicated, low-latency, high-bandwidth connections. Using two Direct Connect locations with redundant connections ensures high availability. Option D is wrong because AWS VPN is limited to ~1.25 Gbps per tunnel and may not meet the 10 Gbps requirement.

Option B is wrong because a single Direct Connect connection is a single point of failure. Option A is wrong because Direct Connect Gateway does not provide the connection itself.

476
MCQhard

A network engineer is designing a hybrid network with multiple AWS accounts. The company wants to simplify management by using a single AWS Direct Connect connection shared among accounts. Which service should be used to achieve this?

A.Transit Gateway with Direct Connect Gateway
B.VPC Peering
C.AWS PrivateLink
D.AWS VPN CloudHub
AnswerA

Transit Gateway with Direct Connect Gateway allows multi-account sharing of a single Direct Connect connection.

Why this answer

A Transit Gateway with a Direct Connect Gateway allows you to attach multiple VPCs from different AWS accounts to a single Direct Connect connection. The Direct Connect Gateway acts as a bridge between the on-premises network and the Transit Gateway, which then routes traffic to the appropriate VPCs across accounts. This setup simplifies management by centralizing the Direct Connect connection while supporting multi-account architectures.

Exam trap

The trap here is that candidates often confuse Direct Connect Gateway with a simple VIF or assume VPC Peering can provide transitive routing across multiple accounts, but only Transit Gateway with Direct Connect Gateway supports multi-account sharing of a single Direct Connect connection.

How to eliminate wrong answers

Option B is wrong because VPC Peering only connects two VPCs directly and does not support sharing a single Direct Connect connection across multiple accounts; it also lacks transitive routing. Option C is wrong because AWS PrivateLink is used to expose services privately within a VPC or across accounts via interface endpoints, not to share a Direct Connect connection. Option D is wrong because AWS VPN CloudHub is a hub-and-spoke VPN model that uses multiple VPN connections, not a single Direct Connect connection, and does not integrate with Direct Connect Gateway.

477
MCQmedium

A company is designing a network for a critical application that requires high availability across two AWS Regions (us-east-1 and us-west-2). The application uses an Application Load Balancer (ALB) in each region, with Auto Scaling groups behind them. The database is an Amazon Aurora Global Database with a primary cluster in us-east-1 and a secondary cluster in us-west-2. The company wants to use Amazon Route 53 to route traffic to the closest healthy ALB. They also need to ensure that if the primary database fails over to the secondary region, the application can still write to the database with minimal latency. Additionally, the application must be able to read from the local database in each region for read-intensive workloads. The network team has designed the following: Route 53 with latency-based routing and health checks for the ALBs. The application instances in each region are configured to connect to the local Aurora cluster endpoint. For writes, they use the global writer endpoint. What is the MOST significant design flaw?

A.The Auto Scaling groups are not configured with lifecycle hooks to drain connections during scale-in
B.The Route 53 health checks only monitor the ALB endpoint, not the overall application health including database connectivity
C.The application instances in us-west-2 experience high latency for write operations due to cross-region traffic to the primary database
D.The Aurora Global Database does not support cross-region replication for read replicas
AnswerB

If the database fails in a region, the ALB might still be healthy, causing traffic to be sent to a region that cannot serve requests.

Why this answer

Aurora Global Database has a single writer endpoint that always points to the primary region. If the primary region fails and the secondary is promoted, the writer endpoint updates to point to the new primary, so the write path recovers without manual intervention. During normal operation, writes from us-west-2 to the global writer endpoint cross regions to us-east-1, and that latency may be high.

That cross-region write latency is inherent to the Aurora Global Database model, in which reads stay local and writes go to the primary; the secondary cluster only takes writes after failover, and reducing write latency would require a different database model (multi-master or sharded). Option C therefore describes the expected behavior of this design rather than its flaw.

The flaw is in the health checks. Route 53 only checks the ALB endpoint, so if the database in a region fails while the ALB stays up, the region is still reported healthy and latency-based routing keeps sending users to a region that cannot serve their requests. The application health check behind Route 53 should include database connectivity, which is why option B, health checks that cover only the ALB and not overall application health, is the most significant design flaw.

478
Multi-Selectmedium

A company is designing a VPC architecture with a public subnet and a private subnet. They want to allow instances in the private subnet to download software updates from the internet. Which TWO options satisfy this requirement? (Choose TWO.)

Select 2 answers
A.Configure a forward proxy in the private subnet and configure the instances to use it.
B.Create a VPC Gateway Endpoint for Amazon S3 and route traffic to it.
C.Set up a NAT Gateway in a public subnet and add a default route in the private subnet route table pointing to the NAT Gateway.
D.Launch a NAT instance in a public subnet and add a default route in the private subnet route table pointing to the NAT instance.
E.Attach an Internet Gateway to the private subnet and add a default route to it.
AnswersC, D

NAT Gateway provides outbound internet access.

Why this answer

Option C is correct because a NAT Gateway in a public subnet provides outbound-only internet access to instances in a private subnet. By adding a default route (0.0.0.0/0) in the private subnet route table pointing to the NAT Gateway, traffic from private instances is source-NATed to the NAT Gateway's Elastic IP, allowing downloads while preventing inbound connections from the internet.

Exam trap

AWS often tests the misconception that a NAT Gateway or NAT instance can be placed in a private subnet, but both must reside in a public subnet with an Internet Gateway to translate private IPs to a public IP for outbound internet access.

479
MCQhard

A company is designing a network for a real-time financial trading application. The application requires deterministic low-latency connectivity between two EC2 instances in different Availability Zones within the same VPC. Which placement group type and networking feature should the company use?

A.Partition placement group and Elastic Network Adapter (ENA) with SR-IOV
B.Spread placement group and EC2 networking with jumbo frames
C.Cluster placement group and standard TCP/IP networking
D.Cluster placement group and Elastic Fabric Adapter (EFA)
AnswerD

Cluster placement group and EFA provide lowest latency.

Why this answer

Option D is correct because a cluster placement group provides the lowest latency and highest packet-per-second performance, and Elastic Fabric Adapter (EFA) provides low-latency networking for HPC. Option B is incorrect because a spread placement group is for fault isolation, not low latency. Option A is incorrect because a partition placement group is for large distributed systems.

Option C is incorrect because standard TCP/IP networking has higher overhead than EFA.

480
Multi-Selectmedium

Which THREE AWS services can be used to improve the availability of a web application across multiple AWS Regions? (Choose 3.)

Select 3 answers
A.VPC peering
B.AWS Global Accelerator
C.AWS Direct Connect
D.Amazon CloudFront
E.Amazon Route 53
AnswersB, D, E

Traffic management with health checks.

Why this answer

AWS Global Accelerator improves availability across multiple AWS Regions by using the AWS global network to route user traffic to the optimal regional endpoint based on health, latency, and geography. It provides static anycast IP addresses and automatically reroutes traffic to healthy endpoints during a regional failure, thereby enhancing fault tolerance and performance for global web applications.

Exam trap

AWS often tests the misconception that VPC peering or Direct Connect can provide multi-Region high availability, but these services are designed for private connectivity and do not include any global traffic routing, health monitoring, or automatic failover capabilities.

481
MCQhard

A company has deployed an application in a VPC with public and private subnets. The application uses an Amazon RDS for MySQL database in a private subnet. To meet security requirements, the database must not be accessible from the internet. The application team needs to connect to the database for maintenance using SSH over a bastion host. Which architecture is the most secure?

A.Bastion host in a public subnet with the same security group as the database, allowing SSH from the corporate IP range and MySQL from the bastion
B.Bastion host in a public subnet with a security group allowing SSH from 0.0.0.0/0, and database security group allowing MySQL from the bastion host's security group
C.Connect to the database directly using a Site-to-Site VPN without a bastion host
D.Bastion host in a public subnet with a security group allowing SSH from the corporate IP range, and database security group allowing MySQL from the bastion host's security group
AnswerD

This is secure and follows best practices.

Why this answer

A bastion host in a public subnet with a security group that allows SSH only from the corporate IP range, and the database security group allowing MySQL access only from the bastion host's security group, provides defense in depth. Using the same security group for both is less secure. Allowing SSH from anywhere (0.0.0.0/0) is insecure.

A VPN provides secure access but is not always the simplest for maintenance; the bastion approach is common and secure when properly restricted.

482
MCQmedium

A company has a VPC with a CIDR of 172.16.0.0/16. They have a subnet 172.16.1.0/24 for web servers and another subnet 172.16.2.0/24 for database servers. The web servers need to access the database servers on port 3306. Which configuration is required?

A.Configure network ACLs to allow inbound on port 3306 from web subnet.
B.Web SG: inbound from 0.0.0.0/0 on port 3306. DB SG: outbound to web SG on port 3306.
C.Web SG: outbound to DB SG on port 3306. DB SG: inbound from web SG on port 3306.
D.Web SG: outbound to DB SG on all ports. DB SG: inbound from web SG on all ports.
AnswerC

Allows only MySQL traffic from web to DB.

Why this answer

Option C is correct because security groups are stateful and control traffic at the instance level. The web server security group needs an outbound rule allowing traffic to the database security group on port 3306, and the database security group needs an inbound rule allowing traffic from the web security group on port 3306. This ensures that only the web servers can initiate connections to the database servers on the required port.

Exam trap

The trap here is that candidates often confuse the stateless nature of network ACLs with the stateful behavior of security groups, or they incorrectly assume that inbound rules on the source security group are needed instead of outbound rules on the source and inbound rules on the destination.

How to eliminate wrong answers

Option A is wrong because network ACLs are stateless and apply at the subnet level, not the instance level, and they require both inbound and outbound rules to allow traffic; additionally, the question asks for a configuration that works with security groups, not network ACLs. Option B is wrong because it incorrectly sets the web security group to allow inbound traffic on port 3306 from 0.0.0.0/0, which would allow any source to connect to the web servers on the database port, and the outbound rule on the database security group is unnecessary because security groups are stateful and return traffic is automatically allowed. Option D is wrong because it allows all ports instead of restricting to port 3306, violating the principle of least privilege and unnecessarily exposing the database servers to all traffic from the web servers.
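As an added illustration (not part of the original page) of the stateful behavior the answer relies on, the following simulator evaluates a new connection against the source group's outbound rules and the destination group's inbound rules, then lets return packets through by connection tracking alone. Group ids, instance addresses and the rule sets for options C and D are constructed for the example; only rules listed explicitly are considered, so the allow-all outbound rule AWS places on a newly created group is not modelled unless you add it.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp", or "-1" for all protocols
    from_port: int
    to_port: int
    peer: str        # referenced security group id (sg-...) or a CIDR


@dataclass
class SecurityGroup:
    sg_id: str
    rules: list = field(default_factory=list)


def _rule_matches(rule, direction, protocol, port, peer_sg, peer_ip):
    if rule.direction != direction or rule.protocol not in ("-1", protocol):
        return False
    if not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.peer.startswith("sg-"):
        return rule.peer == peer_sg           # group reference, not an IP match
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer)


class Evaluator:
    """A new connection needs an outbound match on the source group AND an inbound
    match on the destination group; once opened, its replies are permitted by
    connection tracking with no further rule lookup (security groups are stateful)."""

    def __init__(self):
        self.tracked = set()   # 5-tuples of accepted forward flows

    def open_connection(self, src_sg, src_ip, src_port, dst_sg, dst_ip, dst_port, protocol="tcp"):
        out_ok = any(_rule_matches(r, "outbound", protocol, dst_port, dst_sg.sg_id, dst_ip)
                     for r in src_sg.rules)
        in_ok = any(_rule_matches(r, "inbound", protocol, dst_port, src_sg.sg_id, src_ip)
                    for r in dst_sg.rules)
        if out_ok and in_ok:
            self.tracked.add((protocol, src_ip, src_port, dst_ip, dst_port))
            return True
        return False

    def return_packet_allowed(self, protocol, src_ip, src_port, dst_ip, dst_port):
        # A reply travels the 5-tuple in reverse; allowed iff the forward flow is tracked.
        return (protocol, dst_ip, dst_port, src_ip, src_port) in self.tracked


def option_c_groups():
    """Web SG: outbound to DB SG on 3306. DB SG: inbound from web SG on 3306."""
    web = SecurityGroup("sg-web", [Rule("outbound", "tcp", 3306, 3306, "sg-db")])
    db = SecurityGroup("sg-db", [Rule("inbound", "tcp", 3306, 3306, "sg-web")])
    return web, db


def option_d_groups():
    """Same pairing but on all ports, the over-broad variant."""
    web = SecurityGroup("sg-web", [Rule("outbound", "-1", 0, 65535, "sg-db")])
    db = SecurityGroup("sg-db", [Rule("inbound", "-1", 0, 65535, "sg-web")])
    return web, db


def exposed_ports(web, db, ports=(22, 3306, 3389)):
    """Which of the probe ports a web server could open to a database server."""
    ev = Evaluator()
    return [p for p in ports
            if ev.open_connection(web, "172.16.1.10", 50000, db, "172.16.2.10", p)]


if __name__ == "__main__":
    web, db = option_c_groups()
    ev = Evaluator()
    print("web -> db:3306 opens:", ev.open_connection(web, "172.16.1.10", 50000, db, "172.16.2.10", 3306))
    print("db reply allowed by tracking:", ev.return_packet_allowed("tcp", "172.16.2.10", 3306, "172.16.1.10", 50000))
    print("db -> web:3306 opens:", ev.open_connection(db, "172.16.2.10", 50001, web, "172.16.1.10", 3306))
    print("ports reachable under C:", exposed_ports(*option_c_groups()), "under D:", exposed_ports(*option_d_groups()))
```

The last line is the least-privilege point from the elimination above made visible: option D's rule pair lets a compromised web server reach the database hosts on every port, while option C exposes only 3306.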

483
MCQeasy

A company wants to connect its on-premises data center to AWS using a dedicated, high-bandwidth, low-latency connection. The data center is collocated with an AWS Direct Connect location. Which AWS service should be used to establish this connection?

A.VPC peering
B.AWS Transit Gateway
C.AWS Direct Connect
D.AWS Site-to-Site VPN
AnswerC

Direct Connect provides a dedicated, private connection with high bandwidth and low latency.

Why this answer

AWS Direct Connect provides a dedicated private connection from on-premises to AWS. Option C is correct. Option D (Site-to-Site VPN) uses the public internet.

Option A (VPC peering) is for VPC-to-VPC. Option B (Transit Gateway) is a network transit hub but requires an underlying connection.

484
Multi-Selectmedium

A company is designing a multi-region active-active application. They need to ensure that traffic is routed to the closest healthy region and that failover happens automatically. Which TWO services should be used together to achieve this?

Select 2 answers
A.AWS Transit Gateway with inter-region peering
B.Amazon CloudFront with multiple origins
C.AWS Global Accelerator with endpoint groups
D.Amazon Route 53 with latency-based routing
E.AWS Direct Connect with multiple locations
AnswersC, D

Provides anycast IPs and health checks.

Why this answer

AWS Global Accelerator (C) uses Anycast IPs to direct traffic to the closest healthy endpoint group, automatically rerouting traffic if a region becomes unhealthy. This provides fast regional failover and low-latency routing without DNS caching delays, making it ideal for active-active multi-region applications.

Exam trap

The trap here is that candidates often think Route 53 latency-based routing (D) alone is sufficient for automatic failover, but it relies on DNS caching and TTLs, which can delay failover by minutes, whereas Global Accelerator provides sub-second failover and is the recommended service for active-active multi-region traffic steering.

485
MCQhard

A company is designing a network architecture for a critical application that requires sub-millisecond latency between EC2 instances in the same placement group. The instances will be launched in a single Availability Zone in us-east-1. Which combination of features should be used to achieve the lowest latency?

A.Launch instances in a cluster placement group with Enhanced Networking (ENA) enabled.
B.Launch instances in a spread placement group with SR-IOV enabled.
C.Launch instances in a spread placement group with Enhanced Networking (ENA) enabled.
D.Launch instances in a cluster placement group with Elastic Fabric Adapter (EFA) enabled.
AnswerD

Cluster placement group minimizes network distance, and EFA provides OS-bypass for low latency.

Why this answer

Option D is correct. A placement group with a cluster strategy places instances in a low-latency group within a single AZ, and Elastic Fabric Adapter (EFA) provides high-throughput, low-latency networking for HPC and ML workloads. Option A is wrong because Enhanced Networking alone does not guarantee sub-millisecond latency; EFA is needed.

Option C is wrong because a spread placement group spreads instances across hardware, increasing latency. Option B is wrong because a spread placement group with SR-IOV is not as low-latency as cluster placement with EFA.

486
MCQhard

A network engineer is setting up a cross-account Route 53 Resolver rule association. The engineer creates the above resource-based policy on a resolver rule in account 111111111111. The engineer then tries to associate the rule from account 222222222222 but receives an access denied error. What is the MOST likely reason for the failure?

A.The policy does not allow the 'route53resolver:AssociateResolverRule' action.
B.The policy does not include the 'route53resolver:DisassociateResolverRule' action.
C.The policy's Principal is set to account 111111111111 instead of account 222222222222.
D.The resolver rule is not shared with account 222222222222.
AnswerC

The principal should be the account that will use the rule.

Why this answer

The resource-based policy on the Route 53 Resolver rule must specify the consuming account (222222222222) as the Principal to authorize cross-account association. Since the policy incorrectly sets the Principal to the owning account (111111111111), the request from account 222222222222 lacks the required permissions, resulting in an access denied error.

Exam trap

AWS often tests the distinction between the resource-based policy's Principal field and the Action field, tricking candidates into thinking a missing action is the cause when the real issue is an incorrect principal account ID.

How to eliminate wrong answers

Option A is wrong because the policy does include the 'route53resolver:AssociateResolverRule' action (as shown in the policy snippet), so the failure is not due to a missing action. Option B is wrong because the 'DisassociateResolverRule' action is irrelevant for associating a rule; the error occurs during association, not disassociation. Option D is wrong because the policy itself is the mechanism for sharing; if the policy were correctly configured, the rule would be shared, but the error stems from an incorrect Principal, not from a lack of sharing.
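The policy exhibit itself is not on the page, so here is an added example (not the question's own material) that reconstructs a policy of the shape the explanation describes and evaluates it the way a reviewer would before blaming the Action element: does an Allow statement cover the caller's account, the action and the resource? The resolver rule id in the ARN is a placeholder and the evaluator covers only Principal, Action and Resource matching on Allow statements; explicit Deny, Condition blocks and the caller's identity-based policies are out of scope.

```python
import fnmatch
import json

OWNING_ACCOUNT = "111111111111"
CONSUMING_ACCOUNT = "222222222222"
# Placeholder rule id in the real ARN format for Route 53 Resolver rules.
RULE_ARN = "arn:aws:route53resolver:us-east-1:111111111111:resolver-rule/rslvr-rr-EXAMPLE"

# Constructed policy shaped like the one the question describes: the Principal
# names the owning account rather than the consuming one.
BROKEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{OWNING_ACCOUNT}:root"},
        "Action": ["route53resolver:AssociateResolverRule"],
        "Resource": RULE_ARN,
    }],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_account(principal):
    """Reduce a Principal entry to an account id, or '*' for anonymous access."""
    if principal == "*":
        return "*"
    if principal.startswith("arn:aws:iam::"):
        return principal.split(":")[4]
    return principal  # bare 12-digit account id form


def is_allowed(policy_json, caller_account, action, resource):
    """Return (allowed, reason) for a caller account under a resource-based policy."""
    policy = json.loads(policy_json)
    reason = "no Allow statement matches the action and resource"
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            accounts = {"*"}
        else:
            accounts = {_principal_account(p) for p in _as_list(principal.get("AWS", []))}
        if "*" in accounts or caller_account in accounts:
            return True, "allowed by a matching statement"
        reason = (f"action and resource match but Principal covers {sorted(accounts)}, "
                  f"not {caller_account}")
    return False, reason


def fix_principal(policy_json, account):
    """The corrective step: point every AWS Principal at the consuming account."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy["Statement"]):
        if isinstance(stmt.get("Principal"), dict) and "AWS" in stmt["Principal"]:
            stmt["Principal"]["AWS"] = f"arn:aws:iam::{account}:root"
    return json.dumps(policy)


if __name__ == "__main__":
    action = "route53resolver:AssociateResolverRule"
    print("broken policy:", is_allowed(BROKEN_POLICY, CONSUMING_ACCOUNT, action, RULE_ARN))
    fixed = fix_principal(BROKEN_POLICY, CONSUMING_ACCOUNT)
    print("fixed policy: ", is_allowed(fixed, CONSUMING_ACCOUNT, action, RULE_ARN))
```

The returned reason distinguishes the two failure modes the question plays against each other: a missing action gives "no Allow statement matches", while the scenario here gives "action and resource match but Principal covers ['111111111111']".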

487
MCQeasy

A startup is launching a new web application on AWS and needs to design a highly available and secure network architecture. The application will run on EC2 instances in an Auto Scaling group across two Availability Zones in a single region. The application must be accessible from the internet over HTTPS. The company expects variable traffic and wants to reduce costs where possible. They also need to protect against common web exploits like SQL injection and cross-site scripting. Which combination of AWS services should be used for the network design?

A.Use an Application Load Balancer (ALB) in private subnets. Enable AWS WAF on the ALB. Place EC2 instances in public subnets with a VPC endpoint for outbound traffic.
B.Use an Application Load Balancer (ALB) in public subnets. Enable AWS WAF on the ALB. Place EC2 instances in private subnets with a NAT gateway for outbound traffic.
C.Use an Application Load Balancer (ALB) in public subnets. Use a VPC endpoint for outbound traffic. Place EC2 instances in public subnets with Elastic IPs.
D.Use a Network Load Balancer (NLB) in public subnets. Enable AWS Shield Advanced for DDoS protection. Place EC2 instances in private subnets with a NAT gateway for outbound traffic.
AnswerB

ALB provides HTTP/HTTPS termination, integrates with WAF for web exploit protection, and supports private subnet instances.

Why this answer

Option B is correct because an Application Load Balancer (ALB) in public subnets can terminate HTTPS and distribute traffic to EC2 instances in private subnets, which enhances security by removing direct internet access from the instances. Enabling AWS WAF on the ALB protects against common web exploits like SQL injection and cross-site scripting. A NAT gateway in public subnets provides outbound internet access for instances in private subnets, which is cost-effective for variable traffic as it scales automatically and incurs charges only when used.

Exam trap

The trap here is that candidates often confuse the placement of load balancers and instances, mistakenly thinking that placing the ALB in private subnets is acceptable or that a VPC endpoint can replace a NAT gateway for general outbound internet access.

How to eliminate wrong answers

Option A is wrong because placing the ALB in private subnets would prevent it from receiving internet traffic directly, as private subnets lack a route to an internet gateway; also, placing EC2 instances in public subnets with a VPC endpoint for outbound traffic is incorrect because VPC endpoints are used for private connectivity to AWS services, not for general internet outbound traffic. Option C is wrong because placing EC2 instances in public subnets with Elastic IPs exposes them directly to the internet, bypassing the security and load-balancing benefits of the ALB, and using a VPC endpoint for outbound traffic does not provide general internet access. Option D is wrong because a Network Load Balancer (NLB) operates at Layer 4 and cannot inspect application-layer traffic, so it cannot be integrated with AWS WAF for web exploit protection; AWS Shield Advanced is overkill for basic DDoS protection and adds unnecessary cost for a startup with variable traffic.

488
Multi-Selectmedium

A company is designing a multi-region active-active application using Amazon Route 53 and Application Load Balancers (ALBs). The application must be highly available and route traffic to the closest healthy endpoint. Which TWO configurations should the company use? (Choose two.)

Select 2 answers
A.Configure Route 53 with failover routing
B.Configure Route 53 with latency-based routing
C.Associate health checks with each Route 53 record
D.Configure Route 53 with weighted routing
E.Configure Route 53 with geoproximity routing
AnswersB, C

Latency-based routing sends traffic to the region with the lowest latency, supporting active-active and health checks.

Why this answer

Latency-based routing directs each client to the region with the lowest measured latency, so every region serves traffic at the same time (active-active). Health checks associated with each record ensure traffic is not sent to an endpoint that has failed. Failover routing is active-passive, not active-active.

Geoproximity routing chooses by geographic distance (with an optional bias), not by measured latency. Weighted routing splits traffic by assigned weights rather than by latency, so it does not send clients to the closest endpoint.

489
MCQhard

A company has a multi-VPC architecture connected via AWS Transit Gateway. They have VPCs in different AWS accounts. The network team wants to centralize internet traffic through a single egress VPC that has a NAT Gateway and an Internet Gateway. All other VPCs should route outbound internet traffic through the Transit Gateway to the egress VPC. They have configured route tables accordingly, but instances in non-egress VPCs cannot reach the internet. What is the most likely missing configuration?

A.The Transit Gateway route table does not have a route to the non-egress VPC attachments for the return traffic.
B.The security group for the NAT Gateway in the egress VPC is blocking inbound traffic from other VPCs.
C.The egress VPC's route table does not have a route to the Transit Gateway for the return traffic from the internet.
D.The non-egress VPCs are using VPC endpoints instead of the Transit Gateway for internet access.
AnswerA

For return traffic from the egress VPC to reach the non-egress VPCs, the TGW route table must have routes to those attachments.

Why this answer

Option A is correct. The forward path works because the non-egress VPC route tables send 0.0.0.0/0 to the Transit Gateway and the Transit Gateway route table sends it on to the egress VPC attachment. The reply has to come back the same way: after the NAT Gateway translates it, the egress VPC's subnet route table sends the private destination to the Transit Gateway, and the Transit Gateway route table associated with the egress VPC attachment must then have a route (static or propagated) for each non-egress VPC CIDR pointing at that VPC's attachment. Without those routes the Transit Gateway drops the reply, so the instances see timeouts even though their outbound packets left the VPC correctly.

Option B is incorrect because a NAT Gateway has no security group of its own (and security groups are stateful in any case). Option C is incorrect because the question states the VPC route tables were configured, and the NAT Gateway's subnet already reaches the internet through the Internet Gateway; the gap is in the Transit Gateway's own route table. Option D is incorrect because VPC endpoints provide private access to AWS services, not general internet egress.
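As an added worked example (not part of this question bank), the following Python script models the route-table lookups in the centralized-egress design and shows why the reply is dropped until the Transit Gateway route table for the egress attachment learns the spoke CIDR. The CIDRs (spoke VPC 10.1.0.0/16, egress VPC 10.0.0.0/16), the table names and the internet address 203.0.113.10 are assumptions chosen for the illustration.

```python
import ipaddress

# Constructed route tables (assumed CIDRs: spoke VPC 10.1.0.0/16, egress VPC 10.0.0.0/16).
# A target starting with "!" is terminal; any other target names the next table to consult.


def build_tables(tgw_return_route):
    """Route tables for the centralized-egress design; tgw_return_route adds the
    spoke CIDR to the TGW route table associated with the egress VPC attachment."""
    tables = {
        # Subnet route table in the spoke (non-egress) VPC: everything non-local to the TGW.
        "spoke-a-subnet": [("10.1.0.0/16", "!local:spoke-a"),
                           ("0.0.0.0/0", "tgw-rt-spokes")],
        # TGW route table associated with the spoke attachments: default to the egress VPC.
        "tgw-rt-spokes": [("0.0.0.0/0", "egress-tgw-subnet")],
        # Egress VPC subnet holding the TGW attachment ENIs: default route to the NAT Gateway.
        "egress-tgw-subnet": [("10.0.0.0/16", "!local:egress"),
                              ("0.0.0.0/0", "egress-nat-subnet")],
        # Egress VPC public subnet holding the NAT Gateway: internet via IGW, RFC 1918 back to TGW.
        "egress-nat-subnet": [("10.0.0.0/16", "!local:egress"),
                              ("10.0.0.0/8", "tgw-rt-egress"),
                              ("0.0.0.0/0", "!internet")],
        # TGW route table associated with the egress VPC attachment (empty: the bug in Q489).
        "tgw-rt-egress": [],
    }
    if tgw_return_route:
        tables["tgw-rt-egress"].append(("10.1.0.0/16", "spoke-a-subnet"))
    return tables


def lookup(table, dst):
    """Longest-prefix match over one route table; None when no route matches."""
    best_net, best_target = None, None
    for prefix, target in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def trace(tables, start, dst_ip, max_hops=8):
    """Follow a packet for dst_ip beginning at route table `start`; returns the hops,
    ending in a terminal such as '!internet', '!local:spoke-a' or '!drop:...'."""
    dst = ipaddress.ip_address(dst_ip)
    hops = [start]
    table = start
    for _ in range(max_hops):
        target = lookup(tables[table], dst)
        if target is None:
            hops.append("!drop:no-route-in-" + table)
            return hops
        hops.append(target)
        if target.startswith("!"):
            return hops
        table = target
    hops.append("!drop:loop")
    return hops


if __name__ == "__main__":
    for fixed in (False, True):
        t = build_tables(fixed)
        print("TGW return route present:", fixed)
        print("  outbound 10.1.0.10 -> 203.0.113.10:",
              " -> ".join(trace(t, "spoke-a-subnet", "203.0.113.10")))
        print("  reply    203.0.113.10 -> 10.1.0.10:",
              " -> ".join(trace(t, "egress-nat-subnet", "10.1.0.10")))
```

The reply trace starts at the NAT Gateway's subnet because that is the route table the NAT Gateway uses after translating the packet back to the spoke's private address. In a real deployment the same return routes appear automatically when route propagation from the spoke attachments is enabled on the egress route table; the static append in build_tables stands in for that.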

490
Multi-Selectmedium

A company has a VPC with multiple subnets and uses an AWS Direct Connect private VIF for connectivity to on-premises. The company wants to ensure that traffic from the VPC to on-premises uses the Direct Connect connection, while internet traffic uses an internet gateway. Which configurations must be applied? (Choose TWO.)

Select 2 answers
A.Create a VPC endpoint for Direct Connect.
B.Deploy a NAT gateway in a public subnet.
C.Add a default route (0.0.0.0/0) pointing to the virtual private gateway.
D.Add a route in the VPC route table for the on-premises CIDR pointing to the virtual private gateway.
E.Add a default route (0.0.0.0/0) pointing to the internet gateway.
AnswersD, E

Directs on-premises traffic to DX.

Why this answer

Option D is correct because a route for the on-premises CIDR block pointing to the virtual private gateway (VGW) directs traffic for the on-premises network over the Direct Connect private VIF; the VGW is the attachment point for the private VIF, and without this specific route (or route propagation from the VGW, which adds the BGP-learned on-premises prefixes to the route table automatically) VPC traffic to on-premises would follow the default route instead. Option E is correct because the default route (0.0.0.0/0) to the internet gateway is what keeps internet-bound traffic on the internet gateway and makes the subnet public. Option A is wrong because there is no VPC endpoint for Direct Connect. Option B is wrong because a NAT gateway is not needed to meet the routing requirement stated. Option C is wrong because a default route to the VGW would send all non-local traffic, including internet traffic, to on-premises.

Exam trap

The trap here is that candidates often think a default route to the virtual private gateway is sufficient for all traffic, but internet traffic requires the default route to the internet gateway, and on-premises traffic needs its own more specific route to the VGW; otherwise the default route sends it to the internet gateway instead of over Direct Connect.

491
MCQeasy

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to add additional IP address space for new subnets. The existing subnets use 10.0.0.0/17 and 10.0.128.0/17. Which CIDR block should be added as a secondary CIDR to the VPC to provide the most additional contiguous address space?

A.10.1.0.0/16
B.10.0.0.0/0
C.10.0.0.0/8
D.10.0.0.0/16
AnswerA

This is a non-overlapping /16 block contiguous to the existing /16, providing additional address space.

Why this answer

Option A is correct because 10.1.0.0/16 does not overlap the existing CIDR, sits immediately after it (10.0.0.0/16 and 10.1.0.0/16 together form 10.0.0.0/15), and adds a full /16 of address space. Option C is wrong because 10.0.0.0/8 overlaps the existing CIDR and is also larger than the /16 maximum allowed for a VPC CIDR block. Option D is wrong because 10.0.0.0/16 duplicates the existing CIDR.

Option B is wrong because 10.0.0.0/0 is not a valid CIDR block (a /0 prefix with a non-zero address has host bits set).
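To make the CIDR reasoning behind this answer reproducible, here is an added Python example (not from the question bank) that uses the standard-library ipaddress module to test each candidate block against the VPC's existing CIDR for validity, the /16 to /28 size limits AWS enforces on VPC CIDR blocks, overlap, and adjacency. The existing block and the candidate list are the ones in the question; the scoring rule (most space first, adjacency as the tie-breaker) is an assumption of this example.

```python
import ipaddress

# AWS accepts VPC CIDR blocks from /16 (65,536 addresses) down to /28 (16 addresses).
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28


def check_secondary_cidr(existing_cidrs, candidate):
    """Return (ok, reason) for adding `candidate` as a secondary CIDR to a VPC
    that already has `existing_cidrs`."""
    try:
        cand = ipaddress.ip_network(candidate)  # strict: host bits set raises ValueError
    except ValueError as exc:
        return False, f"invalid CIDR: {exc}"
    if not VPC_MIN_PREFIX <= cand.prefixlen <= VPC_MAX_PREFIX:
        return False, f"/{cand.prefixlen} is outside the /{VPC_MIN_PREFIX}-/{VPC_MAX_PREFIX} range"
    for existing in map(ipaddress.ip_network, existing_cidrs):
        if cand.overlaps(existing):
            return False, f"overlaps existing block {existing}"
    return True, "ok"


def is_contiguous(a, b):
    """True when the two blocks abut: one starts right after the other ends."""
    a, b = ipaddress.ip_network(a), ipaddress.ip_network(b)
    return (int(b.network_address) == int(a.broadcast_address) + 1
            or int(a.network_address) == int(b.broadcast_address) + 1)


def best_secondary_cidr(existing_cidrs, candidates):
    """Pick the valid candidate with the most addresses, preferring a block that is
    contiguous with an existing one when sizes tie; None if nothing is valid."""
    valid = [c for c in candidates if check_secondary_cidr(existing_cidrs, c)[0]]
    if not valid:
        return None

    def score(cidr):
        net = ipaddress.ip_network(cidr)
        contiguous = any(is_contiguous(cidr, e) for e in existing_cidrs)
        return (net.num_addresses, contiguous)

    return max(valid, key=score)


if __name__ == "__main__":
    existing = ["10.0.0.0/16"]
    options = {"A": "10.1.0.0/16", "B": "10.0.0.0/0", "C": "10.0.0.0/8", "D": "10.0.0.0/16"}
    for letter, cidr in options.items():
        ok, reason = check_secondary_cidr(existing, cidr)
        print(f"{letter}. {cidr:<14} {'OK' if ok else 'rejected'}: {reason}")
    print("best:", best_secondary_cidr(existing, list(options.values())))
```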

492
MCQhard

A company is expanding its on-premises data center to AWS using a hybrid cloud architecture. They have established an AWS Direct Connect connection with a private virtual interface to a VPC. The on-premises network uses BGP to exchange routes with the VPC. The network engineer notices that the on-premises network can reach some EC2 instances in the VPC but not others. All EC2 instances are in the same subnet (10.0.1.0/24) and have private IP addresses. The Direct Connect virtual interface is configured with the VPC CIDR (10.0.0.0/16) advertised to on-premises. The on-premises firewall logs show that traffic to the unreachable instances is being dropped. What is the most likely cause?

A.The subnet route table does not have a route to the on-premises network.
B.The BGP session is not advertising the on-premises routes to the VPC.
C.The network ACL on the subnet is blocking inbound traffic from on-premises.
D.The security group attached to the unreachable instances is not allowing inbound traffic from the on-premises network.
AnswerD

Correct: Security groups can be different per instance, causing inconsistent reachability.

Why this answer

Option D is correct because security groups are attached per instance (strictly, per network interface), so they are the only control listed that can differ between instances in the same subnet. If the security group on the unreachable instances does not allow inbound traffic from the on-premises CIDR, that traffic is dropped while instances with a permissive group still respond. Option A is wrong because a route table applies to the whole subnet; a missing route to the virtual private gateway would make every instance in 10.0.1.0/24 unreachable, not just some. Option B is wrong because the VPC CIDR is being advertised and the BGP session is shared by the whole VPC, so a BGP problem would again affect every instance.

Option C is wrong because a network ACL applies to the whole subnet (and is stateless, so it needs matching inbound and outbound rules); a misconfigured NACL would affect all instances in the subnet, not a subset.

493
MCQeasy

A company is designing a VPC for a three-tier web application. The web servers must be accessible from the internet, while the application and database servers must be isolated. Which subnet design should the company use?

A.A single subnet for all tiers with network ACLs to isolate traffic
B.Public subnet for web servers, private subnets for application and database servers
C.Private subnets for all tiers
D.Public subnets for all tiers
AnswerB

Provides internet access to web servers while isolating backend tiers.

Why this answer

Option B is correct because a public subnet for web servers allows internet access, while private subnets for application and database servers provide isolation. Option D is wrong because placing all servers in public subnets exposes them to the internet. Option C is wrong because placing all servers in private subnets would block internet access to the web servers.

Option A is wrong because a single subnet for all tiers does not provide isolation.

494
MCQmedium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. They need to ensure that traffic between VPCs in different regions is encrypted. Which solution should be used?

A.Use a Site-to-Site VPN from each VPC to the on-premises network and route traffic through the corporate network.
B.Use AWS Transit Gateway inter-region peering with a VPN attachment between the transit gateways.
C.Use VPC Peering connections between the VPCs, which encrypts traffic automatically.
D.Use AWS PrivateLink to connect the VPCs across regions.
AnswerB

VPN attachment provides encryption for inter-region transit gateway traffic.

Why this answer

Option B is correct because AWS Transit Gateway inter-region peering provides encrypted transit between VPCs in different regions by establishing a VPN attachment between the transit gateways. This leverages IPsec VPN tunnels to encrypt traffic as it traverses the AWS global network, meeting the requirement for cross-region encryption without routing through on-premises infrastructure.

Exam trap

The trap here is that candidates often assume VPC Peering (Option C) provides encryption by default, but it does not; AWS only guarantees encryption for traffic within a single region via the AWS backbone, and cross-region VPC Peering traffic is not encrypted unless additional measures are taken.

How to eliminate wrong answers

Option A is wrong because routing traffic through the on-premises network introduces unnecessary latency, complexity, and potential single points of failure, and does not provide a direct encrypted path between VPCs in different regions. Option C is wrong because VPC Peering does not encrypt traffic by default; it only provides a private network connection using the AWS backbone, and encryption must be explicitly added (e.g., with VPN or TLS). Option D is wrong because AWS PrivateLink is designed for connecting VPCs to services via Network Load Balancers and does not support inter-region VPC-to-VPC connectivity or encryption between VPCs.

495
MCQmedium

A company is deploying a new application on AWS and needs a highly available architecture across two Availability Zones (AZs) in a single region. The application consists of an Application Load Balancer (ALB) in front of a fleet of EC2 instances running in an Auto Scaling group, and an Amazon RDS for MySQL database with Multi-AZ deployment. The company requires that the application remain available even if an entire AZ fails. The network team has designed the VPC with two public subnets and two private subnets, each in a different AZ. The ALB is internet-facing and placed in the public subnets. The EC2 instances are in the private subnets. The RDS instance is also in the private subnets. The route tables are configured with a default route via an Internet Gateway for public subnets and via a NAT Gateway for private subnets. What change is MOST likely needed to ensure the architecture can survive an AZ failure?

A.Add a second Internet Gateway in the other AZ
B.Use a Network Load Balancer instead of an Application Load Balancer
C.Create a NAT Gateway in each Availability Zone
D.Configure the Auto Scaling group to launch instances in both AZs
AnswerC

A NAT Gateway per AZ ensures outbound connectivity survives an AZ failure.

Why this answer

To survive an AZ failure, each AZ must have its own NAT Gateway providing outbound internet access for the instances in that AZ, with each private subnet's default route pointing at the NAT Gateway in its own AZ. If a single NAT Gateway in one AZ serves both private subnets and that AZ fails, instances in the surviving AZ lose outbound connectivity even though the ALB and the database have failed over; the lone NAT Gateway is a single point of failure for egress.

Therefore, the architecture should include a NAT Gateway in each AZ. The ALB and RDS Multi-AZ already provide AZ resilience. So the missing component is a NAT Gateway per AZ.

496
Multi-Selecthard

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. It needs to connect to two other VPCs: VPC B (10.1.0.0/16) and VPC C (10.2.0.0/16). The company wants to use AWS Transit Gateway. Which THREE configurations are required to enable full mesh connectivity between all three VPCs?

Select 3 answers
A.Create separate Transit Gateway route tables for each VPC to isolate traffic.
B.Create a VPN attachment to each VPC for encrypted communication.
C.Associate each VPC attachment with the Transit Gateway route table.
D.Create a Transit Gateway and attach each VPC to it.
E.Create a Transit Gateway route table and add static routes for each VPC CIDR pointing to the respective attachment.
AnswersC, D, E

Association allows the VPC to use the route table.

Why this answer

Options C, D, and E are correct. Transit Gateway requires VPC attachments, a route table with a route for each VPC CIDR pointing to the respective attachment (static routes, or route propagation enabled on each attachment, which adds them automatically), and association of each attachment with that route table. Option A is wrong because a single route table associated with all attachments gives full mesh connectivity; separate route tables are used to isolate traffic, not to connect it.

Option B is wrong because a Transit Gateway does not require a VPN attachment for VPC-to-VPC routing; VPC attachments carry that traffic directly.

497
MCQmedium

A company is designing a hybrid network architecture that requires high availability and low latency between its on-premises data center and AWS. The company currently has two Direct Connect connections from different providers terminating at two different AWS Direct Connect locations. Which solution provides the most resilient and high-performance connectivity?

A.Use a single Direct Connect connection with multiple VLANs.
B.Use two Direct Connect connections from different providers at different locations with a VPN backup.
C.Use Site-to-Site VPN over the internet as the primary connection.
D.Use two Direct Connect connections from the same provider at the same location.
AnswerB

Provides diverse paths and high availability.

Why this answer

Option B is correct because using two Direct Connect connections from different providers at different locations ensures physical and provider diversity, eliminating single points of failure. Adding a VPN backup provides an additional failover path over the internet, which is essential for maintaining connectivity if both Direct Connect links fail. This design meets the requirements for high availability and low latency by leveraging active/active or active/passive traffic engineering with BGP routing and AS path prepending.

Exam trap

AWS often tests the misconception that multiple connections from the same provider or location are sufficient for high availability, but the trap here is that true resilience requires both provider and location diversity to protect against provider-specific outages and location-level disasters.

How to eliminate wrong answers

Option A is wrong because a single Direct Connect connection with multiple VLANs does not provide any physical or provider diversity; a single failure (e.g., fiber cut or provider outage) would take down all VLANs, violating high availability. Option C is wrong because a Site-to-Site VPN over the internet typically introduces higher latency and jitter compared to Direct Connect, and it lacks the consistent performance and SLA guarantees of dedicated connections, making it unsuitable as a primary low-latency solution. Option D is wrong because using two Direct Connect connections from the same provider at the same location creates a single point of failure at the provider level and the location level; a provider outage or location-wide event (e.g., power failure) would impact both connections, failing the resilience requirement.

498
Multi-Selectmedium

A company wants to connect multiple VPCs in different AWS Regions using AWS Transit Gateway. The company requires full mesh connectivity with centralized inspection of inter-Region traffic. Which TWO actions should the company take? (Choose TWO.)

Select 2 answers
A.Create Transit Gateway peering attachments between the Transit Gateways in each Region.
B.Create VPN attachments between each Transit Gateway and the inspection VPC.
C.Use VPC peering connections between VPCs in different Regions.
D.Route traffic through a central inspection VPC in one Region using Transit Gateway route tables.
E.Disable cross-Region peering on the Transit Gateway.
AnswersA, D

Peering attachments enable inter-Region connectivity.

Why this answer

Options A and D are correct. A: Transit Gateway peering attachments connect the Transit Gateways in each Region. D: Centralized inspection is achieved by steering inter-Region traffic through an inspection VPC with a network appliance using Transit Gateway route tables; note that peering attachments support only static routes, so the routes that send traffic towards the inspection VPC and back must be added by hand.

Option B is incorrect because VPN attachments are not needed for inter-Region connectivity between Transit Gateways. Option C is incorrect because VPC peering is not transitive, does not scale to a full mesh, and bypasses the central inspection point. Option E is incorrect because cross-Region peering is supported and is exactly what this design needs.

499
MCQmedium

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download updates from the internet. The company wants to minimize costs and avoid exposing the instance to inbound internet traffic. Which solution should the engineer choose?

A.Deploy a NAT instance in the private subnet and route traffic through it.
B.Deploy a NAT Gateway in the public subnet and add a route in the private subnet route table pointing to the NAT Gateway.
C.Configure a forward proxy on the EC2 instance itself.
D.Attach an internet gateway to the VPC and add a route to the internet gateway in the private subnet's route table.
AnswerB

NAT Gateway provides outbound internet access, cost-effective and managed.

Why this answer

Option B is correct because a NAT Gateway in the public subnet allows outbound internet access from private instances while dropping unsolicited inbound traffic. Option A is wrong because a NAT instance placed in the private subnet has no route to the internet itself, and a NAT instance in general must be sized, patched and made highly available by the company. Option D is wrong because an internet gateway route in the private subnet's route table turns it into a public subnet, and the instance would still need a public IP address to use it, which exposes it to inbound internet traffic.

Option C is wrong because a forward proxy on the instance itself still needs a path to the internet, adds software the company must manage, and adds latency.

500
MCQeasy

A company is designing a network for a three-tier web application. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. All tiers must be in private subnets except the web tier. Which combination of AWS services and routing should be used to meet these requirements?

A.Use a NAT gateway in the public subnet for web tier, and route all traffic through it.
B.Use a VPN connection to the internet gateway and route traffic through a virtual private gateway.
C.Use an internet gateway, public subnet for web tier, private subnets for app and database, and network ACLs to filter traffic between tiers.
D.Use an internet gateway attached to the VPC, public subnet for web tier, private subnets for app and database tiers, and security groups to restrict traffic between tiers.
AnswerD

This standard architecture meets all requirements.

Why this answer

Option D is correct. An internet gateway provides internet access to the public subnet (web tier). Security groups control traffic between tiers: allow HTTP/HTTPS from the internet to the web tier, allow traffic from the web tier's security group to the application tier, and from the application tier's security group to the database tier; referencing security groups rather than IP ranges keeps the rules correct as instances scale in and out.

Option C is incorrect because NACLs are stateless and apply per subnet, making tier-to-tier filtering more complex and error-prone. Option A is incorrect because NAT gateways are for outbound internet access, not inbound. Option B is incorrect because a VPN is not needed for internet access.

501
Multi-Selecteasy

Which TWO AWS services can be used to provide inbound internet connectivity to resources in a VPC? (Select TWO.)

Select 2 answers
A.VPC Endpoint
B.Internet Gateway
C.Elastic Load Balancer (internet-facing)
D.Amazon CloudFront
AnswersB, C

Direct inbound access.

Why this answer

An Internet Gateway (IGW) is a horizontally scaled, redundant VPC component that provides a target in VPC route tables for internet-routable traffic and performs network address translation (NAT) for instances with public IPs. It enables inbound internet connectivity by allowing traffic from the internet to reach resources in the VPC, provided the resources have public IPs and the route table directs 0.0.0.0/0 traffic to the IGW. An internet-facing Elastic Load Balancer has public-facing nodes in public subnets that accept inbound connections from the internet and forward them to targets that can sit in private subnets, so the targets themselves need no public IPs. A VPC Endpoint (Option A) provides private access from the VPC to AWS services, not inbound access from the internet. Amazon CloudFront (Option D) is an edge service that sits outside the VPC and does not by itself provide an inbound path into it.

Exam trap

The trap here is that candidates often confuse NAT Gateway with providing inbound internet access, but NAT Gateway is strictly one-way (outbound only) and cannot initiate or forward unsolicited inbound connections from the internet.

502
MCQmedium

A company has a VPC with multiple subnets across two Availability Zones. They are designing a highly available web application using an Application Load Balancer (ALB) and EC2 instances in an Auto Scaling group. Which of the following is the most resilient and cost-effective design for the network layer?

A.Deploy a Network Load Balancer (NLB) in each AZ and associate them with a single ALB.
B.Deploy an ALB in one AZ and EC2 instances in the same AZ.
C.Deploy a single ALB with subnets in two AZs and enable cross-zone load balancing.
D.Deploy an ALB in each AZ and use Route 53 weighted routing.
AnswerC

Cross-zone balancing ensures traffic is distributed across instances in all AZs.

Why this answer

Option C is correct because a single Application Load Balancer (ALB) with subnets in two Availability Zones (AZs) and cross-zone load balancing (enabled by default on an ALB) provides high availability and fault tolerance at the network layer. The ALB places a node in each enabled AZ and distributes incoming traffic across healthy targets in all enabled AZs, so no second load balancer is needed and an AZ failure leaves the remaining AZ's node serving traffic. This makes the design both resilient and cost-effective.

Exam trap

The trap here is that candidates often assume deploying a load balancer in each AZ (Option D) is necessary for high availability, but they overlook that a single ALB with subnets in multiple AZs and cross-zone load balancing already provides full AZ-level redundancy at lower cost and complexity.

How to eliminate wrong answers

Option A is wrong because deploying a Network Load Balancer (NLB) in each AZ in front of a single ALB introduces unnecessary complexity and cost; the ALB already spans multiple AZs natively, and a Layer 4 NLB adds none of the application-layer features (path-based or host-based routing) that the ALB provides. Option B is wrong because deploying the ALB and EC2 instances in a single AZ creates a single point of failure; if that AZ goes down, the entire application becomes unavailable. Option D is wrong because deploying an ALB in each AZ and using Route 53 weighted routing is overly complex and costly: weighted routing splits traffic by weight and only fails over if a health check is also attached to each record, DNS caching delays that failover, and each ALB incurs its own hourly and capacity-unit charges, so the design is less resilient and more expensive than one ALB with cross-zone load balancing.

503
MCQhard

A company is using AWS CloudFormation to deploy a VPC with public and private subnets across multiple Availability Zones. The template includes a NAT gateway in each public subnet. The company wants to ensure that the private subnet route tables automatically update when the NAT gateway ID changes. Which feature should be used?

A.Use the 'DependsOn' attribute to ensure the route is created after the NAT gateway.
B.Use the 'AWS::EC2::Route' resource with a 'GatewayId' property that references the NAT gateway using 'Ref'.
C.Use the 'Fn::GetAtt' intrinsic function to retrieve the NAT gateway ID and pass it to the route.
D.Use an AWS Lambda custom resource to update the route table when the NAT gateway changes.
AnswerC

Fn::GetAtt can retrieve the physical ID of the NAT gateway, and if the NAT gateway is replaced, CloudFormation updates the route automatically.

Why this answer

Option C is correct because the `Fn::GetAtt` intrinsic function retrieves the NAT gateway's ID attribute (`Fn::GetAtt: [NatGateway, NatGatewayId]`), which is passed as the `NatGatewayId` property of an `AWS::EC2::Route` resource. Because the property value is a reference resolved during each stack operation rather than a literal ID, CloudFormation updates the route automatically whenever the NAT gateway resource is replaced, keeping the private subnets' default route valid without manual intervention. (`Ref` on an `AWS::EC2::NatGateway` also resolves to the NAT gateway ID; what makes Option B wrong is the property it is passed to, not the intrinsic function.)

Exam trap

The trap here is the target property of the route: `GatewayId` is for internet gateways and virtual private gateways, while a NAT gateway must be supplied through `NatGatewayId`. Candidates who remember only that a reference to the NAT gateway is needed choose Option B and get a route that fails the stack operation.

How to eliminate wrong answers

Option A is wrong because the `DependsOn` attribute only controls the order in which resources are created or deleted; it does not make the route's target follow a replaced NAT gateway (and a route that references the NAT gateway already depends on it implicitly). Option B is wrong because `AWS::EC2::Route` expects a NAT gateway in its `NatGatewayId` property; `GatewayId` accepts only internet gateway or virtual private gateway IDs, so the stack operation fails on that route. Option D is wrong because an AWS Lambda custom resource adds custom code and new failure points to solve something CloudFormation's built-in references already handle.
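As an added example (not the page's own material), here is a CloudFormation template in JSON form, embedded in Python, that contains both the correct private route (NatGatewayId resolved with Fn::GetAtt) and the Option B mistake (the NAT gateway passed to GatewayId), plus a small static check that flags the mismatch before the template is deployed. The resource names, the 10.0.0.0/16 and 10.0.0.0/24 CIDRs, and the partial TARGET_PROPERTY_TYPES mapping are assumptions for the illustration; the check is not a substitute for CloudFormation's own validation.

```python
import json

# Constructed CloudFormation template in JSON form (an added example, not the page's own).
# "PrivateRoute" is the correct form; "PrivateRouteBad" reproduces the Option B mistake.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "InternetGateway": {"Type": "AWS::EC2::InternetGateway"},
        "PublicSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {
            "VpcId": {"Ref": "Vpc"}, "CidrBlock": "10.0.0.0/24"}},
        "NatEip": {"Type": "AWS::EC2::EIP", "Properties": {"Domain": "vpc"}},
        "NatGateway": {"Type": "AWS::EC2::NatGateway", "Properties": {
            "SubnetId": {"Ref": "PublicSubnet"},
            "AllocationId": {"Fn::GetAtt": ["NatEip", "AllocationId"]}}},
        "PublicRouteTable": {"Type": "AWS::EC2::RouteTable",
                             "Properties": {"VpcId": {"Ref": "Vpc"}}},
        "PrivateRouteTable": {"Type": "AWS::EC2::RouteTable",
                              "Properties": {"VpcId": {"Ref": "Vpc"}}},
        # Internet gateway routes use GatewayId.
        "PublicRoute": {"Type": "AWS::EC2::Route", "Properties": {
            "RouteTableId": {"Ref": "PublicRouteTable"},
            "DestinationCidrBlock": "0.0.0.0/0",
            "GatewayId": {"Ref": "InternetGateway"}}},
        # NAT gateway routes use NatGatewayId; Fn::GetAtt and Ref both resolve to the ID,
        # and either form is re-resolved when the NAT gateway is replaced.
        "PrivateRoute": {"Type": "AWS::EC2::Route", "Properties": {
            "RouteTableId": {"Ref": "PrivateRouteTable"},
            "DestinationCidrBlock": "0.0.0.0/0",
            "NatGatewayId": {"Fn::GetAtt": ["NatGateway", "NatGatewayId"]}}},
        # Option B: a NAT gateway handed to GatewayId, which accepts only internet or
        # virtual private gateways; the stack operation fails on this route.
        "PrivateRouteBad": {"Type": "AWS::EC2::Route", "Properties": {
            "RouteTableId": {"Ref": "PrivateRouteTable"},
            "DestinationCidrBlock": "0.0.0.0/0",
            "GatewayId": {"Ref": "NatGateway"}}},
    },
}

# Resource types each AWS::EC2::Route target property accepts (assumed, partial mapping).
TARGET_PROPERTY_TYPES = {
    "GatewayId": {"AWS::EC2::InternetGateway", "AWS::EC2::VPNGateway"},
    "NatGatewayId": {"AWS::EC2::NatGateway"},
    "TransitGatewayId": {"AWS::EC2::TransitGateway"},
}


def referenced_logical_id(value):
    """Logical resource name behind a Ref or Fn::GetAtt; None for a literal value."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            return value["Fn::GetAtt"][0]
    return None


def lint_routes(template):
    """Return (route_name, message) for each route whose target property does not
    match the type of the resource it references."""
    resources = template["Resources"]
    findings = []
    for name, res in resources.items():
        if res["Type"] != "AWS::EC2::Route":
            continue
        props = res.get("Properties", {})
        for prop, allowed in TARGET_PROPERTY_TYPES.items():
            if prop not in props:
                continue
            target = referenced_logical_id(props[prop])
            if target is None:
                continue  # literal ID from a parameter or import: cannot be checked statically
            target_type = resources.get(target, {}).get("Type")
            if target_type is None:
                findings.append((name, f"{prop} references unknown resource {target}"))
            elif target_type not in allowed:
                want = [p for p, types in TARGET_PROPERTY_TYPES.items() if target_type in types]
                findings.append((name, f"{prop} references {target} ({target_type}); "
                                       f"use {want[0] if want else 'a matching target property'}"))
    return findings


if __name__ == "__main__":
    for route, message in lint_routes(TEMPLATE):
        print(f"{route}: {message}")
    print(json.dumps(TEMPLATE, indent=2))  # the template as CloudFormation would receive it
```

Run as written, the check reports only PrivateRouteBad; removing that resource leaves a template in which the private default route follows the NAT gateway through any replacement, which is the behaviour the question asks for.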

504
Multi-Selecthard

A company has a VPC with public and private subnets. They want to implement a bastion host to allow secure SSH access to instances in private subnets. Which TWO components are required for this design?

Select 2 answers
A.A bastion host deployed in a public subnet
B.A NAT gateway in the public subnet
C.An Internet Gateway attached to the VPC
D.Security group rules allowing SSH from the bastion to private instances
E.A Site-to-Site VPN connection to the VPC
AnswersA, D

Bastion must be publicly accessible.

Why this answer

A bastion host is deployed in a public subnet because it needs a public IP address and a route through the Internet Gateway (IGW) so that administrators can open SSH connections to it from the internet. The bastion then acts as a jump box for SSH sessions to the private instances. Security group rules on the private instances must allow inbound SSH (TCP port 22) only from the bastion, ideally by referencing the bastion's security group rather than its private IP so the rule survives a bastion rebuild; the bastion's own security group should in turn allow port 22 only from the administrators' source addresses. This keeps the private instances unreachable from the internet directly.

Exam trap

AWS often tests the misconception that a NAT gateway is required for inbound SSH access to private instances, when in fact it only provides outbound internet access and cannot initiate inbound connections from the internet.
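The following added Python example (constructed for this page, not from the question bank) evaluates inbound security group rules the way EC2 does and then answers both the question 492 case (which instances in one subnet drop on-premises SSH because of their own security group) and the question 504 case (whether a private instance accepts SSH from the bastion's security group and from nothing else). The security group IDs, instance IDs and the 192.168.0.0/16 on-premises and 203.0.113.0/24 administrator ranges are assumptions.

```python
import ipaddress

# Constructed security groups and instances (example data, not from the page). Assumed:
# on-premises network 192.168.0.0/16, administrator office 203.0.113.0/24.
SECURITY_GROUPS = {
    "sg-bastion": {"inbound": [
        {"proto": "tcp", "from": 22, "to": 22, "cidr": "203.0.113.0/24"}]},
    "sg-app-onprem-and-bastion": {"inbound": [
        {"proto": "tcp", "from": 22, "to": 22, "cidr": "192.168.0.0/16"},
        {"proto": "tcp", "from": 22, "to": 22, "sg": "sg-bastion"}]},
    "sg-app-bastion-only": {"inbound": [
        {"proto": "tcp", "from": 22, "to": 22, "sg": "sg-bastion"}]},
    "sg-app-world": {"inbound": [
        {"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"}]},
}

INSTANCES = {  # all in subnet 10.0.1.0/24, as in question 492
    "i-app1": {"ip": "10.0.1.10", "sgs": ["sg-app-onprem-and-bastion"]},
    "i-app2": {"ip": "10.0.1.11", "sgs": ["sg-app-bastion-only"]},
    "i-app3": {"ip": "10.0.1.12", "sgs": ["sg-app-world"]},
}


def rule_matches(rule, proto, port, src_ip=None, src_sg=None):
    """One inbound rule: protocol ('-1' means all), a port range, and either a
    source CIDR or a source security group."""
    if rule["proto"] not in (proto, "-1"):
        return False
    if not rule["from"] <= port <= rule["to"]:
        return False
    if "cidr" in rule:
        return (src_ip is not None
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["cidr"]))
    return src_sg is not None and rule["sg"] == src_sg


def allows_inbound(instance, proto, port, src_ip=None, src_sg=None):
    """Security groups are allow-only and additive: a flow is permitted when any
    rule in any group attached to the instance matches it."""
    return any(rule_matches(r, proto, port, src_ip, src_sg)
               for sg in INSTANCES[instance]["sgs"]
               for r in SECURITY_GROUPS[sg]["inbound"])


def unreachable_from(src_ip, proto, port):
    """Question 492: instances in the subnet that drop the flow because of their group."""
    return sorted(i for i in INSTANCES if not allows_inbound(i, proto, port, src_ip=src_ip))


def ssh_sources(instance):
    """Every source allowed to reach TCP/22: CIDRs as strings, groups as 'sg:<id>'."""
    sources = set()
    for sg in INSTANCES[instance]["sgs"]:
        for r in SECURITY_GROUPS[sg]["inbound"]:
            if r["proto"] in ("tcp", "-1") and r["from"] <= 22 <= r["to"]:
                sources.add(r["cidr"] if "cidr" in r else "sg:" + r["sg"])
    return sources


def bastion_only(instance, bastion_sg):
    """Question 504: SSH is allowed from the bastion's security group and nothing else."""
    return ssh_sources(instance) == {"sg:" + bastion_sg}


if __name__ == "__main__":
    print("dropping SSH from on-premises 192.168.10.5:", unreachable_from("192.168.10.5", "tcp", 22))
    for inst in INSTANCES:
        print(inst, "SSH sources:", sorted(ssh_sources(inst)),
              "bastion-only:", bastion_only(inst, "sg-bastion"))
```

Note that a rule referencing a security group matches only traffic from interfaces in that group inside the VPC (or a peered VPC); on-premises hosts arriving over Direct Connect can never satisfy it, which is why i-app2 is the instance that looks "randomly" unreachable from on-premises in the question 492 scenario.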
