CCNA Network Implementation Questions

75 of 434 questions · Page 2/6 · Network Implementation topic · Answers revealed

76
MCQ · medium

A company uses AWS Transit Gateway to connect multiple VPCs and an on-premises network via VPN. The on-premises network advertises a route for 10.0.0.0/8. One VPC has a CIDR of 10.0.1.0/24. How does Transit Gateway handle the overlapping route?

A.The Transit Gateway uses the longest prefix match; the VPC route 10.0.1.0/24 is more specific.
B.The Transit Gateway prefers the on-premises route because it is learned via BGP.
C.The Transit Gateway drops traffic to 10.0.1.0/24 due to conflict.
D.The Transit Gateway summarises the on-premises route to 10.0.0.0/16.
Answer: A

Longest prefix match determines forwarding.

Why this answer

Option A is correct because Transit Gateway uses the longest prefix match, so the more specific 10.0.1.0/24 route from the VPC takes precedence over the 10.0.0.0/8 route learned from on-premises. Option B is wrong because there is no preference based on attachment type or on the route being learned via BGP. Option C is wrong because Transit Gateway does not blackhole traffic for an overlapping prefix; the more specific route simply wins.

Option D is wrong because Transit Gateway does not summarise routes.

77
Multi-Select · medium

Which TWO of the following are valid configurations for an AWS Direct Connect virtual interface? (Choose two.)

Select 2 answers
A.VPN virtual interface
B.Private virtual interface
C.Hosted virtual interface
D.Transit virtual interface
E.Public virtual interface
Answers: B, E

Private VIF is used to connect to a VPC.

Why this answer

A private virtual interface (B) allows you to connect your on-premises network directly to an Amazon VPC using private IP addresses, providing a secure, dedicated connection that bypasses the internet. A public virtual interface (E) enables access to all AWS public services (e.g., Amazon S3, DynamoDB) over the Direct Connect link using public IP addresses, without traversing the internet. Both are standard, supported virtual interface types for AWS Direct Connect.

Exam trap

AWS often tests the distinction between the three valid virtual interface types (private, public, transit) and tricks candidates by including 'VPN virtual interface' or 'Hosted virtual interface' as plausible-sounding options, exploiting confusion about how VPNs and partner-provisioned connections relate to Direct Connect.

78
MCQ · easy

A company is deploying a VPC with public and private subnets in two Availability Zones. The public subnets are used for NAT gateways and an Application Load Balancer (ALB). The private subnets host EC2 instances running a web application. What is the most cost-effective and highly available configuration for internet access from the private instances?

A.Deploy a NAT gateway in each public subnet and configure private route tables with a default route to the NAT gateway in the same AZ.
B.Create a single NAT gateway in one public subnet and route all private traffic to it.
C.Attach an internet gateway to the VPC and add a default route to it in the private subnets.
D.Launch a NAT instance in each public subnet and configure the private route tables.
Answer: A

Provides high availability (each AZ independent) and uses managed service, cost-effective for moderate traffic.

Why this answer

Option A is correct because a NAT gateway in each AZ provides high availability and is more cost-effective to operate than NAT instances (which require management) or a single NAT gateway (a single point of failure). Option B is wrong because a single NAT gateway lacks high availability. Option C is wrong because an internet gateway is used by public subnets; it does not provide internet access for private instances.

Option D is wrong because NAT instances are less reliable and require maintenance.

79
MCQ · hard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance is associated with a security group that allows outbound HTTPS (443) traffic. The route table for the private subnet has a default route pointing to a NAT Gateway in the public subnet. Which additional configuration is required to ensure the NAT Gateway can route the traffic?

A.Configure the security group of the NAT Gateway to allow inbound traffic from the private subnet.
B.Add a route in the private subnet route table to the NAT Gateway's private IP.
C.Add a route in the public subnet route table to the Internet Gateway.
D.Assign an Elastic IP address to the NAT Gateway.
Answer: C

The NAT Gateway needs a route to the Internet Gateway to forward traffic.

Why this answer

The NAT Gateway must be in a public subnet whose route table has a route to the Internet Gateway. A NAT Gateway has no security group; it is a managed service, so Option A does not apply. Option D is not the missing piece because the NAT Gateway already has its Elastic IP; it is assigned when the gateway is created.

The route table of the public subnet must have a default route to the Internet Gateway. The private subnet route is already correct.

80
MCQ · medium

A company has a Direct Connect connection with a private virtual interface to a VPC. They want to use the same Direct Connect connection to access another VPC in the same region. Which solution should they implement?

A.Create a second private virtual interface to the second VPC.
B.Set up a Site-to-Site VPN over the Direct Connect connection to the second VPC.
C.Use a Transit Gateway and a transit virtual interface.
D.Order a second Direct Connect connection.
Answer: C

Transit VIF connects to TGW, which can attach to multiple VPCs.

Why this answer

Option C is correct because a Transit Gateway can be attached to both VPCs and reached over a single transit VIF. Option A is incorrect because a private VIF is bound to a single VPC (via its virtual private gateway). Option B is incorrect because a VPN can be run over the connection but does not use Direct Connect to its full potential.

Option D is incorrect because a second Direct Connect connection is unnecessary.

81
MCQ · hard

An organization uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. They want to implement traffic inspection between VPCs using a third-party firewall appliance in a central VPC. The firewall must inspect traffic for all inter-VPC flows. Which architecture meets this requirement?

A.Configure Transit Gateway route tables to send inter-VPC traffic to the inspection VPC's attachment, and enable appliance mode on the attachment.
B.Create VPC peering connections between all VPCs and route traffic through the central VPC.
C.Use a Network Load Balancer in the central VPC to distribute traffic to the firewall appliances.
D.Set up Direct Connect gateways and route all traffic through the on-premises network for inspection.
Answer: A

Appliance mode ensures that return traffic is sent back through the same firewall, enabling stateful inspection.

Why this answer

Option A is correct because Transit Gateway route tables can force all inter-VPC traffic through the inspection VPC attachment, and appliance mode keeps both directions of a flow on the same appliance (symmetric routing), which stateful inspection requires. Option B is wrong because VPC peering is not transitive and does not allow centralized inspection without complex routing. Option C is wrong because a Network Load Balancer distributes traffic but does not by itself solve the routing problem of steering inter-VPC flows to the appliances.

Option D is wrong because Direct Connect alone does not provide inspection.

82
MCQ · easy

A company is designing a multi-tier application with web servers in public subnets and database servers in private subnets. The database servers should only be accessible from the web servers. Which AWS feature should be used to enforce this?

A.Security groups that reference the web server security group as a source
B.VPC endpoints to restrict access to the database servers
C.Network ACLs with allow rules for the web server subnet CIDR
D.Network ACLs with deny rules for all traffic except from the web server subnet
Answer: A

Security groups allow you to specify another security group as the source, enabling fine-grained access control.

Why this answer

Option A is correct because security groups act as a virtual firewall for instances, and a rule can allow inbound traffic whose source is another security group (the web servers' security group). Option C is wrong because NACLs are stateless and apply at the subnet level, not per instance. Option D is wrong because network ACLs are not as granular as security groups for this use case.

Option B is wrong because VPC endpoints are for accessing AWS services privately.

83
MCQ · medium

A company is using AWS Transit Gateway to connect multiple VPCs and an on-premises network via AWS Direct Connect. The on-premises network advertises the 10.0.0.0/8 prefix. One VPC has a route to the Transit Gateway for 0.0.0.0/0. Instances in that VPC can reach the internet via a NAT gateway but cannot reach on-premises resources. What is the most likely issue?

A.The security group of the instances does not allow inbound traffic from on-premises
B.The Direct Connect virtual interface is not associated with the Transit Gateway
C.The VPC route table does not have a route to the on-premises CIDR via the Transit Gateway
D.The on-premises router is not advertising the 10.0.0.0/8 prefix to AWS
Answer: C

A specific route for 10.0.0.0/8 via Transit Gateway must exist.

Why this answer

Option C is correct because the VPC route table must contain the more specific 10.0.0.0/8 route via the Transit Gateway; that route, not the default route, is what delivers on-premises-bound traffic. If Transit Gateway route propagation is not enabled, the route is missing. The NAT gateway is irrelevant here because it provides internet access, not on-premises reachability.

Option A is wrong because security groups can block traffic, but the symptom described points to a routing issue.

84
Multi-Select · easy

A company has an AWS Direct Connect connection and wants to connect to multiple VPCs in the same region. Which TWO services can be used to achieve this? (Choose TWO.)

Select 2 answers
A.VPC Peering
B.AWS Transit Gateway
C.AWS Site-to-Site VPN
D.Direct Connect Gateway
E.AWS CloudHub
Answers: B, D

Transit Gateway can connect multiple VPCs and Direct Connect.

Why this answer

AWS Transit Gateway (Option B) acts as a central hub that interconnects VPCs and on-premises networks via a single Direct Connect connection, allowing you to connect to multiple VPCs in the same region without needing individual virtual interfaces. Direct Connect Gateway (Option D) enables you to associate multiple VPCs in the same or different regions with a single Direct Connect connection, using a private virtual interface (VIF) to reach virtual private gateways or a transit VIF to reach a Transit Gateway.

Exam trap

The trap here is that candidates often confuse VPC Peering (Option A) as a way to extend Direct Connect connectivity to multiple VPCs, but VPC Peering does not support transitive routing and cannot be used to route traffic from Direct Connect to multiple VPCs without a central hub like Transit Gateway.

85
Multi-Select · medium

A company is using AWS Client VPN to provide remote access to their VPC. Users report that they can connect to the VPN but cannot reach resources in the VPC. Which THREE configuration items should the engineer verify?

Select 3 answers
A.The authorization rules allow access to the VPC's CIDR.
B.The Client VPN endpoint is associated with the correct subnets.
C.The Client VPN endpoint has a public IP address.
D.The security groups attached to the target resources allow traffic from the VPN CIDR.
E.The client certificate is issued by a valid CA.
Answers: A, B, D

Authorization rules define which networks users can access.

Why this answer

Option A is correct because the authorization rules control which networks connected users may access. Option B is correct because the subnet association determines which subnets the endpoint can reach. Option D is correct because the security groups on the target resources can block traffic from the VPN client CIDR.

Option E is incorrect because client certificates are for authentication, not reachability. Option C is incorrect because the Client VPN endpoint does not have a public IP address; clients connect via its DNS name.

86
MCQ · easy

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. They need to add an additional non-overlapping CIDR to the VPC. What is a valid CIDR block they can add?

A.10.0.1.0/24
B.10.1.0.0/16
C.10.0.0.0/8
D.10.0.0.0/16
Answer: B

Non-overlapping, valid addition.

Why this answer

Option B is correct because 10.1.0.0/16 does not overlap with 10.0.0.0/16. Option C is wrong because 10.0.0.0/8 is a superset of the existing CIDR and overlaps. Option D is wrong because 10.0.0.0/16 is the same CIDR.

Option A is wrong because 10.0.1.0/24 is within 10.0.0.0/16 and overlaps.

87
MCQ · easy

Refer to the exhibit. A flow log record shows ACCEPT for traffic from 10.0.1.5 to 10.0.2.10 on port 443. Which AWS service is most likely the destination?

A.Amazon RDS instance
B.Application Load Balancer
C.NAT Gateway
D.Amazon S3
Answer: B

ALB listens on port 443 for HTTPS.

Why this answer

An Application Load Balancer (ALB) terminates HTTPS (port 443) connections and forwards traffic to targets. Flow logs showing ACCEPT for traffic to port 443 on an ALB's internal IP (10.0.2.10) are expected because the ALB listens on that port for incoming client connections. The ALB operates at Layer 7 and is the only listed service that natively accepts HTTPS traffic on port 443 within a VPC.

Exam trap

AWS often tests the misconception that any service accepting HTTPS traffic must be an Amazon S3 endpoint, but S3 does not have a VPC private IP; the trap here is confusing a service's public endpoint with its internal VPC representation, leading candidates to pick S3 instead of recognizing the ALB's private IP and port 443 listener.

How to eliminate wrong answers

Option A is wrong because an Amazon RDS instance does not accept traffic on port 443 by default; it uses port 3306 (MySQL/Aurora), 5432 (PostgreSQL), or other database-specific ports, and HTTPS is not a native protocol for RDS. Option C is wrong because a NAT Gateway does not accept inbound traffic from private subnets; it only forwards outbound traffic from private instances to the internet and does not listen on port 443 for incoming connections. Option D is wrong because Amazon S3 is a global object storage service accessed via an S3 endpoint (e.g., bucket.s3.amazonaws.com) and does not have a VPC IP address like 10.0.2.10; S3 traffic uses HTTPS but the destination is an S3 API endpoint, not a private IP.

88
MCQ · medium

A company has an AWS Transit Gateway with multiple VPC attachments. They need to inspect traffic between VPCs using a third-party firewall appliance. What is the best approach?

A.Create a firewall VPC with the appliance and use Transit Gateway route tables to direct traffic through it
B.Use VPC security groups across VPCs
C.Use AWS Network Firewall directly in each VPC
D.Use network ACLs on each VPC subnet
Answer: A

This allows centralized inspection via routing.

Why this answer

Placing a firewall appliance in a dedicated VPC and routing traffic through it via Transit Gateway route tables allows inspection.

89
MCQ · hard

A company is deploying a latency-sensitive application across two AWS Regions using Application Load Balancers (ALBs) and AWS Global Accelerator. The application uses TCP port 8443. Which configuration ensures the lowest possible latency for global users?

A.Use Amazon CloudFront with the ALBs as origins.
B.Use Amazon Route 53 latency-based routing with ALB endpoints in each Region.
C.Use AWS Global Accelerator with endpoints as the ALBs in each Region.
D.Deploy a Network Load Balancer in each Region and use Route 53 geoproximity routing.
Answer: C

Global Accelerator uses anycast and AWS backbone for lower latency.

Why this answer

Option C is correct because Global Accelerator uses the AWS global network and static anycast IPs, reducing latency. Option B is wrong because Route 53 latency-based routing still sends traffic over the public internet. Option A is wrong because CloudFront is for HTTP/HTTPS, not arbitrary TCP.

Option D is wrong because a Network Load Balancer does not have multi-region capability.

90
MCQ · medium

A network engineer is assigned an IAM policy to manage VPC resources. The engineer attempts to create a VPC with CIDR 10.0.0.0/16 and fails. What is the reason?

A.The resource ARN in the Deny statement does not match the VPC being created.
B.The Deny statement overrides the Allow statement for the specific CIDR.
C.The condition in the Deny statement is not evaluated correctly.
D.The first statement allows only specific actions, not CreateVpc.
Answer: B

Explicit deny overrides allow.

Why this answer

Option B is correct because the second statement explicitly denies creating a VPC with CIDR 10.0.0.0/16, and an explicit deny overrides any allow. Option D is incorrect because the first statement allows VPC creation in general. Option A is incorrect because the resource ARN matches all VPCs.

Option C is incorrect because the condition is on the CIDR, not the region, and it is evaluated as intended.

91
MCQ · easy

A network engineer is troubleshooting an AWS Direct Connect connection that is experiencing high latency. The connection is a 1 Gbps dedicated connection. The engineer notices that the link utilization is at 90%. What is the MOST likely cause of the high latency?

A.The virtual interface is configured as private instead of public
B.BGP keepalive timer misconfiguration
C.High bandwidth utilization causing queuing
D.The use of jumbo frames
Answer: C

Correct; when utilization is high, packets are queued, increasing latency.

Why this answer

Option C is correct because high link utilization causes queuing delays, which increase latency. Option D is wrong because jumbo frames generally reduce, not increase, latency. Option B is wrong because BGP timers affect convergence, not latency.

Option A is wrong because the virtual interface type does not directly cause high latency.

92
MCQ · hard

A financial services company is migrating its on-premises data center to AWS. The company has a three-tier application that consists of web servers, application servers, and a database. The application servers must communicate with the database using a private IP address. The database is hosted on an Amazon RDS for MySQL instance in a private subnet. The application servers are in a public subnet. The company has a security requirement that all traffic between the application servers and the database must be encrypted in transit. The network engineer has created a security group for the RDS instance that allows inbound traffic on port 3306 from the security group of the application servers. The engineer has also enabled encryption at rest for the RDS instance. During a security audit, it is discovered that traffic between the application servers and the database is not encrypted. The application team confirms that the application is configured to connect to the database using standard MySQL client library without any SSL/TLS options. The network engineer must ensure that all traffic between the application servers and the database is encrypted without modifying the application code. What should the network engineer do?

A.Create an AWS Site-to-Site VPN connection between the application servers' subnet and the database subnet to encrypt all traffic.
B.Enable the 'require_secure_transport' parameter in the RDS parameter group and set it to ON.
C.Deploy a Network Load Balancer (NLB) with a TLS listener in front of the RDS instance. Configure the NLB to terminate TLS from the application servers and forward traffic to the RDS instance using TLS.
D.Modify the security group for the RDS instance to only allow traffic from the application servers' security group on port 3306 with the 'tls' protocol.
Answer: C

The NLB can offload TLS encryption, allowing the application to connect without modification while ensuring encryption.

Why this answer

Option C is correct because placing a Network Load Balancer (NLB) with a TLS listener between the application servers and the RDS instance offloads SSL/TLS from the application. The NLB terminates the connection from the application servers and re-encrypts traffic to the RDS instance using TLS. This requires the RDS instance to have SSL/TLS enabled.

Option B is incorrect because the application does not request TLS, so enforcing secure transport on RDS alone will not encrypt the traffic; it will only reject the unencrypted connections. Option A is incorrect because a VPN between subnets is unnecessarily complex and still leaves the application without TLS. Option D is incorrect because a security group rule cannot enforce encryption at the transport layer; security groups have no 'tls' protocol.

93
Multi-Select · easy

Which TWO of the following are benefits of using AWS Global Accelerator? (Choose TWO.)

Select 2 answers
A.Static anycast IP addresses that serve as a fixed entry point
B.Built-in AWS WAF capabilities
C.Content caching similar to CloudFront
E.Improved application performance by using edge locations
Answers: A, E

Provides consistent IP addresses.

Why this answer

Option A (static anycast IP addresses) and Option E (improved performance via edge locations) are correct. Option B is wrong because Global Accelerator has no built-in WAF; the DDoS protection associated with it comes from AWS Shield, not from Global Accelerator itself.

Option C is wrong because Global Accelerator does not cache content and does not replace CloudFront.

94
MCQ · medium

A network engineer runs the above command to list VPC endpoints. The engineer notices that the second endpoint (vpce-0b2c3d4e5f6g7h8i9) does not have a policy document displayed. What does this indicate?

A.The endpoint is configured to use an AWS managed policy that is not shown.
B.The endpoint is not active and needs to be recreated.
C.The endpoint is for DynamoDB, which does not support endpoint policies.
D.The endpoint has the default full-access policy.
Answer: D

If no custom policy is specified, the default policy allows full access.

Why this answer

Option D is correct because, by default, a Gateway endpoint for DynamoDB uses a full-access policy when no custom policy is specified. Option B is wrong because the endpoint is active; a missing policy field does not indicate a failed endpoint. Option A is wrong because the missing policy field indicates that no custom policy was set, not that a hidden managed policy is in use.

Option C is wrong because DynamoDB gateway endpoints do support endpoint policies; without one, the default allows all actions.

95
MCQ · medium

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The company wants to ensure that traffic can only go out to the internet and not be initiated from the internet. Which configuration should be used?

A.Attach an Internet Gateway to the private subnets
B.Deploy a NAT Gateway in a public subnet and update the private subnet route table
C.Set up a VPN connection to an on-premises network
D.Create a VPC endpoint for S3
Answer: B

NAT Gateway provides outbound-only internet access for private instances.

Why this answer

Option B is correct because a NAT Gateway in a public subnet allows private instances to initiate outbound traffic to the internet while blocking inbound connections initiated from the internet. Option A is incorrect because an Internet Gateway allows both inbound and outbound traffic. Option D is incorrect because a VPC endpoint is for accessing AWS services, not the internet.

Option C is incorrect because a VPN connection is for private connectivity to on-premises.

96
MCQ · medium

A company is migrating on-premises workloads to AWS using AWS Direct Connect. The company has two Direct Connect connections from different providers for redundancy. Which configuration ensures seamless failover with automatic traffic rerouting?

A.Create two Direct Connect gateways, each attached to a separate Transit Gateway, and advertise the same prefixes via BGP.
B.Use one Direct Connect connection as primary and the other as standby with static routes.
C.Connect both Direct Connect connections to the same Virtual Private Gateway (VGW) and enable BGP.
D.Use a VPN connection over the internet as a backup for the Direct Connect links.
Answer: A

Enables automatic failover using BGP path selection.

Why this answer

Option A is correct because using a Transit Gateway with two Direct Connect gateways (one per connection) and dynamic BGP routing enables automatic failover via BGP path selection. Option C is wrong because terminating both connections on the same VGW does not provide true redundancy if the VGW fails. Option B is wrong because static routes require manual intervention.

Option D is wrong because a VPN over the internet defeats the purpose of Direct Connect.

97
Multi-Select · hard

Which THREE considerations are important when implementing a multi-region Direct Connect architecture? (Choose 3)

Select 3 answers
A.Ensure Direct Connect connections are in at least two separate geographic locations.
B.Use a single Direct Connect connection to reduce complexity.
C.Connect all Direct Connect connections to the same AWS Direct Connect device.
D.Use diverse paths and providers for the Direct Connect connections.
E.Set up a VPN connection as a backup to Direct Connect.
Answers: A, D, E

Diverse locations provide redundancy against site failures.

Why this answer

To ensure high availability and disaster recovery, you should have Direct Connect connections in at least two separate locations, use diverse paths, and have a backup VPN connection. Using a single location creates a single point of failure. Using the same AWS device also creates a single point of failure.

Direct Connect gateway can be used to associate multiple VPCs.

98
MCQ · easy

A company is setting up a Direct Connect connection to AWS. They have a virtual private gateway (VGW) attached to their VPC. They need to establish a single logical connection over the Direct Connect link to access all subnets in the VPC. Which resource should they create on the Direct Connect virtual interface?

A.A private virtual interface (VIF) with a BGP session to the VGW.
B.A hosted virtual interface (VIF) provided by an AWS Partner.
C.A public virtual interface (VIF) with a BGP session to the VGW.
D.A transit virtual interface (VIF) to the VGW.
Answer: A

Private VIF allows access to the entire VPC via the VGW.

Why this answer

Option A is correct. A private virtual interface (VIF) with a BGP session to the VGW provides access to all subnets in the VPC. Option C is wrong because a public VIF provides access to AWS public IP addresses, not the VPC.

Option D is wrong because a transit VIF is used with a Transit Gateway, not a VGW. Option B is wrong because a hosted VIF is a partner-provisioned, shared connection.

99
MCQ · hard

A company has a Direct Connect connection with a private VIF to a VPC. They want to use BGP to advertise a specific /24 prefix from their on-premises network to AWS. After configuration, the prefix is not visible in the VPC route tables. The BGP session is established. What should the company check?

A.Verify that the prefix is included in the allowed prefixes list for the Direct Connect virtual interface
B.Ensure that route propagation is enabled on the VPC route table
C.Check that the BGP ASN on the customer gateway is unique and not conflicting
D.Add a static route in the VPC route table for the on-premises prefix
Answer: A

The virtual private gateway only accepts prefixes that are in the allowed prefix list.

Why this answer

Option A is correct because the prefix must appear in the allowed prefixes list; otherwise the virtual private gateway will not accept or propagate it. Option C is wrong because the BGP session is established, so the ASN is not the issue. Option B is wrong because route propagation is for VPN, not Direct Connect.

Option D is wrong because the VPC route table can hold custom routes, but the virtual private gateway will still not accept prefixes that are not in the allowed list.

100
MCQ · medium

A network engineer is troubleshooting connectivity issues from an on-premises data center to an Amazon VPC via an AWS Site-to-Site VPN. The VPN tunnel is up, but ping from an on-premises host (10.0.0.5) to an EC2 instance (172.16.1.10) fails. The VPC CIDR is 172.16.0.0/16. The on-premises CIDR is 10.0.0.0/8. The customer gateway device has a route for 172.16.0.0/16 pointing to the VPN tunnel. The VPC route table has a route for 10.0.0.0/8 pointing to the virtual private gateway. Security groups and NACLs allow ICMP. What is the MOST likely cause?

A.The on-premises host does not have a route to the VPC CIDR
B.The customer gateway device is not configured with the correct pre-shared key
C.The route table associated with the EC2 instance's subnet does not have a route for the on-premises CIDR
D.The virtual private gateway is not attached to the correct VPC
Answer: C

Correct; the subnet route table must include a route for the on-premises CIDR pointing to the virtual private gateway.

Why this answer

Option C is correct. The question says the VPC route table has a route for 10.0.0.0/8 pointing to the virtual private gateway, which refers to the main route table. Each subnet can be associated with its own custom route table, and the subnet hosting 172.16.1.10 may use one that lacks that route. The inbound ping from 10.0.0.5 arrives over the tunnel, but the instance's reply is forwarded according to its subnet's route table; with no route for the on-premises CIDR via the virtual private gateway, the reply never reaches the tunnel and the ping fails.

Option A is wrong because the customer gateway device already has a route for 172.16.0.0/16 pointing to the VPN tunnel. Option B is wrong because the tunnel is up, which would not be the case with a mismatched pre-shared key. Source/destination checks are not a factor here because the instance is the endpoint of the ping, not a forwarding device.

101
MCQ · medium

A company is deploying a VPC with public and private subnets in two Availability Zones. The public subnets contain NAT gateways for outbound internet access from the private subnets. The private subnets host web servers that need to make API calls to an external service over the internet. After implementation, the web servers cannot reach the internet. Which configuration is the most likely cause?

A.The NAT gateway is placed in a private subnet and does not have a route to the internet gateway.
B.The route table for the private subnets is not associated with the VPC's main route table.
C.The private subnets have a default route (0.0.0.0/0) pointing to an internet gateway instead of the NAT gateway.
D.The public subnets have a default route pointing to the NAT gateway instead of the internet gateway.
AnswerA

NAT gateways must reside in a public subnet with a route to an internet gateway. If placed in a private subnet, outbound traffic cannot reach the internet.

Why this answer

Option A is correct because each NAT gateway must be in a public subnet with a route to an internet gateway. If the NAT gateway is in a private subnet, it cannot route traffic to the internet. Option C is incorrect because private subnets do not need default routes to the internet gateway.

Option B is incorrect because association with the main route table is not required. Option D is incorrect because the public subnets' default route is not what the private subnets depend on for NAT to work.

102
MCQhard

A company has a VPC with multiple subnets. An EC2 instance in a private subnet needs to access an S3 bucket to download files. The company wants to avoid using a NAT gateway and minimize latency. Which solution should be used?

A.Create a VPC endpoint for S3 and attach it to the private subnet's route table.
B.Place the instance in a public subnet and use a NAT gateway.
C.Use a VPC endpoint for EC2.
D.Use an internet gateway and a route to 0.0.0.0/0.
AnswerA

Provides private, low-latency access to S3.

Why this answer

Option A is correct because a VPC endpoint for S3 allows private access without NAT or IGW. C is not for S3. B adds latency.

D is not a private path to S3.

103
Multi-Selectmedium

Which THREE of the following are features of AWS Transit Gateway? (Select THREE.)

Select 3 answers
A.Multicast support
B.Built-in NAT capabilities
C.Transitive routing between multiple VPCs
D.Centralized routing and management
E.Edge-to-edge routing for VPN connections
AnswersA, C, D

Transit Gateway supports multicast groups.

Why this answer

Options A, C, and D are correct. Transit Gateway supports transitive routing between VPCs, multicast, and centralized routing. Option E is incorrect because Transit Gateway does not support edge-to-edge routing for VPN.

Option B is incorrect because Transit Gateway does not replace NAT Gateway; NAT Gateway is separate.

104
MCQeasy

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to connect two separate branch offices using AWS Client VPN. Each branch office has a different subnet: Branch A uses 10.0.1.0/24 and Branch B uses 10.0.2.0/24. The Client VPN endpoint is configured with a CIDR range of 10.0.3.0/24. The route table for the VPC has the local route and routes to the Client VPN endpoint. Users from both branches can connect to the VPN but cannot communicate with each other. What is the most likely reason?

A.The branch subnets 10.0.1.0/24 and 10.0.2.0/24 are part of the VPC CIDR, so the VPC routes traffic locally instead of via the VPN
B.The route tables in the branch subnets do not have routes to the Client VPN endpoint
C.The Client VPN endpoint is configured with a CIDR that overlaps with the branch subnets
D.The security group for the Client VPN endpoint does not allow inbound traffic from branch subnets
AnswerA

Local routes take precedence.

Why this answer

The branch subnets overlap with the VPC CIDR, causing routing conflicts. The VPC treats 10.0.1.0/24 and 10.0.2.0/24 as local, so traffic destined to those addresses is routed locally within the VPC rather than to the VPN. Options B and C are not relevant to inter-branch communication.

Option D would not cause the issue because the branch subnets are within the VPC CIDR.

105
MCQhard

A network engineer created a VPC endpoint for the service shown in the exhibit. The endpoint is in the 'available' state, but instances in the VPC cannot resolve the private DNS name 'example.com'. What is the most likely cause?

A.The VPC does not have a Route 53 private hosted zone for example.com
B.The VPC does not have an internet gateway
C.The endpoint does not have 'Private DNS names enabled'
D.The security group for the endpoint is blocking DNS traffic
AnswerC

Without enabling this option, the private DNS name is not resolved.

Why this answer

The private DNS name is only resolved via Route 53 private hosted zone if 'Private DNS names enabled' is set. The exhibit shows the service has a PrivateDnsName, but the endpoint must have 'Private DNS names enabled' for resolution to work.

106
Multi-Selectmedium

A company is deploying a multi-tier web application across multiple Availability Zones in a VPC. The architecture includes public-facing Application Load Balancers, Amazon EC2 instances in private subnets, and an Amazon RDS for MySQL Multi-AZ DB instance. To meet compliance requirements, all traffic between the web tier and database tier must be encrypted and must not traverse the internet. Which TWO actions should the company take to implement this securely? (Choose two.)

Select 2 answers
A.Establish an AWS Site-to-Site VPN between the web tier subnets and the database subnet.
B.Create a VPC endpoint for Amazon RDS and route database traffic through it.
C.Enable SSL/TLS encryption on the RDS DB instance and configure the web servers to connect using SSL.
D.Assign an Elastic IP address to the RDS DB instance to ensure a stable IP for the web tier.
E.Use the RDS endpoint (DNS name) that resolves to a private IP within the same VPC.
AnswersC, E

Encrypts traffic between web and database tiers.

Why this answer

Option C is correct because enabling encryption in transit with SSL/TLS between the web tier and RDS MySQL encrypts the traffic. Option E is correct because using the RDS endpoint within the same VPC ensures traffic does not traverse the internet. Option D is incorrect because RDS instances in private subnets do not have Elastic IPs.

Option B is incorrect because the RDS endpoint already provides a private IP within the VPC; a VPC endpoint is for services like S3. Option A is incorrect because a VPN connection is not needed for traffic within the same VPC.

107
MCQhard

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16 and needs to add IPv6 support for its public-facing web application. The application must be accessible via both IPv4 and IPv6. The VPC already has an Internet Gateway attached. What is the correct set of steps to enable IPv6?

A.Assign a custom IPv6 CIDR block from your own range to the VPC and add a route to the Internet Gateway.
B.Associate an Amazon-provided IPv6 CIDR block to the VPC, add a route for ::/0 to the Internet Gateway, and allocate IPv6 addresses to the subnets.
C.Associate an IPv6 CIDR block, create an Egress-Only Internet Gateway, and route ::/0 to it.
D.Associate a /64 IPv6 CIDR block to the VPC, add a route for ::/0 to the Internet Gateway, and assign IPv6 addresses to instances.
AnswerB

Standard procedure for public IPv6 access.

Why this answer

Option B is correct because to enable IPv6 you must associate an Amazon-provided IPv6 CIDR block with the VPC, update the route table to include a route for ::/0 to the Internet Gateway, and ensure each subnet has an IPv6 CIDR. Option D is wrong because you cannot assign a /64 block to a VPC. Option C is wrong because an Egress-Only Internet Gateway is for outbound-only IPv6, not inbound.

Option A is wrong because you cannot assign a custom IPv6 block without requesting it.

108
MCQeasy

A company is running a web application on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The application needs to store session state in an ElastiCache Redis cluster. The Redis cluster should not be accessible from the internet. Which network design should be used?

A.Place the Redis cluster in a public subnet and restrict access via security group.
B.Place the Redis cluster in a private subnet and the EC2 instances in a private subnet, with a NAT Gateway for outbound traffic.
C.Place the Redis cluster in a private subnet and the EC2 instances in a public subnet.
D.Place both the EC2 instances and the Redis cluster in private subnets with appropriate security groups.
AnswerD

Both in private subnets, security groups allow traffic from EC2 to Redis.

Why this answer

The Redis cluster should be in a private subnet to prevent internet access. The ALB is typically in a public subnet (an internet-facing ALB) and the EC2 instances in a private subnet, from which they reach Redis over the private subnets.

Option A is wrong because a public subnet would expose Redis. Option B is wrong because a NAT Gateway is not needed for private subnet communication within the VPC. Option C is wrong because the EC2 instances should not be placed in a public subnet.

109
MCQeasy

A company is deploying an application across multiple Availability Zones in a single AWS Region. The application requires that all traffic between EC2 instances in the same subnet be inspected by a network appliance. Which configuration should be used to meet this requirement?

A.Set up a VPC peering connection between the subnets
B.Use a Transit Gateway to route traffic through the appliance
C.Deploy AWS Network Firewall in the subnet
D.Create a Gateway Load Balancer and configure the appliance as a target
AnswerD

GWLB can be used to inspect all traffic between instances in the same subnet via a Gateway Load Balancer Endpoint.

Why this answer

Option D is correct because a Gateway Load Balancer (GWLB) can be deployed in a subnet and configured to route traffic between instances in the same subnet through the network appliance. Option B is incorrect because a Transit Gateway is used for inter-VPC routing, not intra-subnet inspection. Option A is incorrect because a VPC peering connection connects different VPCs.

Option C is incorrect because AWS Network Firewall inspects traffic at VPC boundaries, not within a subnet.

110
MCQmedium

A company has a VPC with a public subnet and a private subnet. They have a NAT Gateway in the public subnet. They also have an EC2 instance in the private subnet that needs to access the internet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway. The security group for the EC2 instance allows outbound HTTPS traffic. The network ACL for the private subnet allows inbound and outbound ephemeral ports. However, the EC2 instance cannot reach the internet. The network engineer checks the NAT Gateway and sees that it has an Elastic IP attached. The engineer also checks the route table for the public subnet and finds no route to the internet. What should the engineer do to fix the issue?

A.Deploy a second NAT Gateway in the private subnet.
B.Add a route in the public subnet route table to 0.0.0.0/0 via the internet gateway.
C.Add a route in the private subnet route table to 0.0.0.0/0 via the internet gateway.
D.Attach a second Elastic IP to the NAT Gateway.
AnswerB

This allows the NAT gateway to reach the internet.

Why this answer

Option B is correct. The public subnet needs a route to an internet gateway for the NAT Gateway to forward traffic to the internet. Option C is wrong because the private subnet route is already correct.

Option A is wrong because a second NAT Gateway is not needed. Option D is wrong because the NAT Gateway already has an EIP.

111
MCQeasy

A company is using AWS Direct Connect to connect its on-premises data center to a VPC. The company wants to use a single Direct Connect connection to connect to multiple VPCs in different AWS accounts. Which AWS service should be used to achieve this?

A.Direct Connect Gateway
B.Transit Gateway
C.AWS Site-to-Site VPN
D.VPC Peering
AnswerA

Direct Connect Gateway enables connectivity to multiple VPCs over a single Direct Connect connection.

Why this answer

A Direct Connect Gateway allows a single Direct Connect connection to be associated with multiple VPCs across accounts and regions. Option C is wrong because a VPN connection is a separate service. Option B is wrong because a transit gateway is used for inter-VPC routing but not directly for Direct Connect.

Option D is wrong because VPC peering does not extend Direct Connect.

112
Multi-Selectmedium

Which TWO options are valid methods to connect a VPC to an on-premises network? (Choose 2)

Select 2 answers
A.Internet gateway
B.AWS Direct Connect
C.VPC endpoint
D.VPC peering connection
E.AWS Site-to-Site VPN
AnswersB, E

Direct Connect provides a dedicated private connection from on-premises to AWS.

Why this answer

AWS Site-to-Site VPN and AWS Direct Connect are the two primary services for hybrid connectivity. VPC peering is for VPC-to-VPC, not on-premises. VPC endpoints are for accessing AWS services privately.

Internet gateway is for public internet access.

113
MCQhard

A company has a Direct Connect connection with a private VIF to a VPC. They also have a VPN connection as a backup. They want to ensure that traffic always uses the Direct Connect connection when it is available, and only fails over to the VPN if Direct Connect goes down. How should they configure routing?

A.Advertise a more specific prefix over Direct Connect and a less specific prefix over VPN.
B.Use static routes pointing to the Direct Connect virtual interface with a lower metric than the VPN route.
C.Advertise the same prefix over both connections but with a lower AS path length over Direct Connect.
D.Advertise the same prefix over both connections but set a higher weight on the VPN BGP session.
AnswerA

BGP always prefers the most specific prefix (longest match). This ensures Direct Connect is used when available.

Why this answer

By advertising a more specific prefix (e.g., /24) over Direct Connect and a less specific prefix (e.g., /16) over VPN, BGP will prefer the more specific route. Option C (same prefix with a shorter AS path) is incorrect because AS path length is considered after prefix length. Option B (static routes with a lower metric) could work in some setups, but the standard approach is prefix length.

Option D (VPN with higher weight) is wrong because weight is not a standard BGP attribute.

114
Multi-Selectmedium

Which TWO of the following are true about using a Network Load Balancer (NLB) with AWS PrivateLink? (Choose 2.)

Select 2 answers
A.NLB supports Server Name Indication (SNI)
B.NLB can perform TLS termination
C.NLB supports sticky sessions by default
D.NLB can be assigned Elastic IPs
E.NLB can be used as a service provider in a VPC endpoint service
AnswersD, E

NLB supports static IPs via Elastic IPs.

Why this answer

Option D is correct because a Network Load Balancer (NLB) supports the assignment of Elastic IPs (EIPs) per Availability Zone, which provides a static, fixed IP address for the NLB. This is critical for AWS PrivateLink, as the service provider's VPC endpoint service uses the NLB's IP addresses to accept traffic from consumer VPCs, ensuring the endpoint remains reachable even if the underlying instances change.

Exam trap

The trap here is that candidates often confuse NLB's ability to be assigned Elastic IPs with the misconception that NLB can terminate TLS or support SNI. NLB is a Layer 4 load balancer and does not inspect HTTP headers, so SNI is not possible, and TLS termination is an optional feature that is not inherent to PrivateLink usage.

115
MCQhard

A company is deploying a multi-tier application across multiple VPCs connected via AWS Transit Gateway. The web tier must be able to initiate connections to the app tier, but the app tier must not be able to initiate connections to the web tier. How can this be achieved?

A.Configure network ACLs on the web tier subnets to allow outbound traffic and deny inbound from app tier.
B.Establish VPC peering between the web and app VPCs and restrict routes.
C.Use security groups across the VPCs by referencing each other's CIDR blocks.
D.Deploy a centralized firewall appliance in a shared VPC and use Transit Gateway to route all inter-VPC traffic through it.
AnswerD

Enables stateful inspection and unidirectional rules.

Why this answer

Option D is correct because a stateful network firewall appliance in a central VPC can enforce unidirectional traffic rules. Transit Gateway route tables can direct traffic to the firewall VPC for inspection, and the firewall rules allow only web-to-app traffic. Option A is wrong because NACLs are stateless and cannot track connection state.

Option B is wrong because VPC peering does not provide transitive routing. Option C is wrong because security groups are stateful but cannot be applied across VPCs.

116
MCQhard

A company has a Direct Connect connection with a private VIF to a VPC. They want to use the same connection to access another VPC in a different region. What is the simplest way to achieve this?

A.Use a Direct Connect Gateway
B.Create a new private VIF for the second VPC
C.Use a VPN over the internet to connect the VPCs
D.Set up VPC peering between the two VPCs
AnswerA

Direct Connect Gateway enables multi-VPC connectivity across regions over the same private VIF.

Why this answer

Direct Connect Gateway allows a single private VIF to connect to multiple VPCs in different regions.

117
MCQmedium

A company is using AWS CloudFormation to deploy a VPC with two public subnets and two private subnets across two Availability Zones. The template includes an internet gateway and a NAT gateway in each public subnet. The company needs to ensure that instances in the private subnets can access the internet. Which route table configuration should be used?

A.Add a route to the internet gateway in the private subnet route tables.
B.Add a route to the NAT gateway in the public subnet route tables.
C.Add a route 0.0.0.0/0 pointing to the NAT gateway in the same AZ in each private subnet route table.
D.Add a route 0.0.0.0/0 pointing to a single NAT gateway in both private subnet route tables.
AnswerC

Provides high availability and AZ independence.

Why this answer

Option C is correct because each private subnet needs a default route (0.0.0.0/0) pointing to the NAT gateway in its own AZ for high availability. Option A points to the IGW, which would not work for private subnets. Option B adds the NAT gateway route to the public subnet route tables rather than the private ones. Option D points both private subnets to a single NAT gateway, which is not AZ-specific.

118
Drag & Dropmedium

Order the steps to set up a Network Load Balancer with a TCP listener in front of an Auto Scaling group:


Why this order

First create the target group, then the load balancer, register targets, associate the target group with the listener, and configure health checks.

119
Multi-Selectmedium

A company is designing a VPC with multiple subnets. The company wants to use VPC Flow Logs to monitor network traffic. Which TWO of the following are valid destinations for VPC Flow Logs?

Select 2 answers
A.Amazon RDS
B.Amazon CloudWatch Logs
C.Amazon S3
D.Amazon SQS
E.Amazon Kinesis Data Firehose
AnswersB, C

Supported destination.

Why this answer

Options B and C are correct. VPC Flow Logs can be published to Amazon S3 or Amazon CloudWatch Logs. Option E is wrong because Kinesis Data Firehose is not a direct destination; it can be used via a subscription filter, but not directly.

Option D is wrong because an SQS queue is not a supported destination. Option A is wrong because an RDS database is not a destination.

120
Multi-Selectmedium

A company is deploying a multi-tier web application on AWS. The application uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances in private subnets across multiple Availability Zones. The security team requires that all traffic between the ALB and the EC2 instances be encrypted using TLS. The application must also support HTTP health checks from the ALB. Which TWO actions should the network engineer take to meet these requirements? (Choose TWO.)

Select 2 answers
A.Configure the ALB listener to use HTTP and enable stickiness.
B.Install a certificate on each EC2 instance and configure the target group to use HTTPS.
C.Configure the ALB listener to use HTTPS and set the target group protocol to HTTP.
D.Configure the target group health check to use HTTPS.
E.Configure the security group for EC2 instances to allow inbound HTTP traffic from the ALB.
AnswersB, D

Installing a certificate on instances allows TLS termination, and HTTPS target group ensures encrypted health checks.

Why this answer

Options B and D are correct. Option B: installing a certificate on the EC2 instances enables TLS termination at the instance, allowing encrypted traffic from the ALB. Option D: configuring the target group to use HTTPS health checks ensures health checks are sent over TLS.

Option A is incorrect because an HTTP listener with stickiness does not encrypt traffic to the instances. Option C is incorrect because an HTTP target group protocol sends unencrypted traffic to the instances. Option E is incorrect because the security group should allow HTTPS (port 443) from the ALB, not HTTP.

121
MCQhard

A company is setting up a new AWS account and wants to centrally manage VPC network traffic inspection across multiple accounts using a central VPC. The company uses AWS Organizations. Which architecture meets these requirements?

A.Create VPC peering connections between each account's VPC and the central VPC.
B.Use AWS Transit Gateway with a central inspection VPC that has firewall appliances.
C.Use VPC endpoints to route traffic to the central VPC.
D.Deploy a Network Load Balancer in each VPC and route traffic through it.
AnswerB

TGW enables hub-and-spoke architecture with inspection.

Why this answer

Option B is correct because using a Transit Gateway with a central inspection VPC allows centralized traffic inspection across accounts. Option A is wrong because VPC peering does not centralize inspection. Option D is wrong because a Network Load Balancer is not for inspection.

Option C is wrong because VPC endpoints are for specific services.

122
MCQhard

A company has a VPC with multiple subnets that are peered with another VPC using a VPC Peering connection. They want to ensure that traffic between the two VPCs is encrypted. What should they do?

A.Configure network ACLs to enforce encryption.
B.Use AWS Transit Gateway with a VPN attachment between the VPCs.
C.Use AWS Direct Connect with a public VIF.
D.Enable encryption on the VPC Peering connection using a security group.
AnswerB

Transit Gateway with VPN can provide encrypted connectivity between VPCs.

Why this answer

VPC Peering does not support encryption of traffic. To add encryption, you can deploy a VPN connection between the VPCs or use an overlay solution. Option B (Transit Gateway with VPN) is a valid approach.

Option A (NACL) does not encrypt. Option C (Direct Connect) does not encrypt by default. Option D is wrong because, as noted, a VPC Peering connection has no encryption setting for a security group to enable.

123
MCQhard

A company runs a critical application on EC2 instances behind an Application Load Balancer. They need to ensure that if an instance fails health checks, it is automatically terminated and replaced. Which AWS service should they use?

A.AWS Lambda
B.EC2 Instance Connect
C.Auto Scaling group
D.Amazon CloudWatch
AnswerC

Auto Scaling groups can use ELB health checks to automatically replace unhealthy instances.

Why this answer

The correct answer is C because Auto Scaling groups can automatically replace unhealthy instances based on health checks from the load balancer. Option B (EC2 Instance Connect) does not provide automatic replacement. Option D (CloudWatch) can monitor but not replace.

Option A (Lambda) could be used with custom logic but is not the standard solution.

124
MCQmedium

A company has deployed an application across multiple AWS Regions using Application Load Balancers (ALBs). The company wants to route traffic to the nearest healthy endpoint using latency-based routing. Which AWS service should be used to distribute traffic across the ALBs?

A.Amazon CloudFront with multiple origins.
B.AWS Network Load Balancer with cross-zone load balancing.
C.Amazon Route 53 with latency routing policy.
D.AWS Global Accelerator.
AnswerC

Route 53 latency routing routes traffic based on the lowest latency between the client and the endpoint.

Why this answer

Option C is correct because Amazon Route 53 supports latency-based routing policies to route traffic to the endpoint with the lowest latency. Option D is wrong because AWS Global Accelerator uses Anycast IPs and directs traffic to the nearest edge location, not necessarily latency-based routing. Option A is wrong because CloudFront is a CDN and not designed for routing to ALBs based on latency.

Option B is wrong because a Network Load Balancer is a regional service and does not route across regions.

125
MCQhard

A company is troubleshooting high latency on an AWS Direct Connect connection. The network team notices that the latency increases during peak hours. The connection uses a single virtual interface (VIF) with a 1 Gbps capacity. What is the MOST likely cause of the latency?

A.The VLAN ID is mismatched between the customer router and AWS
B.The bandwidth limit of the virtual interface is being exceeded
C.Jumbo frames are not enabled on the customer router
D.BGP keepalive timers are set too high
AnswerB

Congestion causes packet drops and increased latency.

Why this answer

Option B is correct because traffic can be dropped if it exceeds the bandwidth limit, causing retransmissions and increased latency. Option C is wrong because jumbo frames typically reduce latency. Option D is wrong because BGP timers affect convergence, not latency.

Option A is wrong because a VLAN mismatch would cause connectivity loss, not just latency.

126
MCQeasy

A company has a VPC with an application load balancer (ALB) in public subnets and EC2 instances in private subnets. The EC2 instances must only accept traffic from the ALB. Which security group configuration achieves this?

A.Allow inbound traffic from 0.0.0.0/0 on the application port.
B.Allow inbound traffic from the VPC CIDR on the application port.
C.Allow inbound traffic from the private subnet CIDR on the application port.
D.Allow inbound traffic from the ALB's security group on the application port.
AnswerD

This ensures only traffic from the ALB is accepted.

Why this answer

Option D is correct because a security group rule referencing the ALB's security group allows traffic only from the ALB. Option A is wrong because allowing 0.0.0.0/0 allows all traffic. Option B is wrong because allowing the VPC CIDR allows all instances in the VPC, not just the ALB.

Option C is wrong because allowing the private subnet CIDR allows all instances in those subnets.

127
MCQmedium

A company is implementing a multi-region active-active application. They want to route users to the nearest healthy endpoint using DNS. Which AWS service should be used?

A.Elastic Load Balancer (ELB)
B.Amazon CloudFront
C.Amazon Route 53 latency-based routing
D.AWS Global Accelerator
AnswerC

Routes based on lowest latency.

Why this answer

Option C is correct because Route 53 latency-based routing routes traffic to the region with the lowest latency. Option D is wrong because Global Accelerator uses Anycast IPs and does not rely on a DNS routing policy. Option B is wrong because CloudFront is for content delivery, not application routing.

Option A is wrong because ELB is regional and does not perform latency-based DNS routing.

128
Multi-Selecthard

Which THREE components are required to establish a site-to-site VPN connection between an on-premises network and AWS? (Choose THREE.)

Select 3 answers
A.AWS Direct Connect
B.AWS Transit Gateway
C.Virtual Private Gateway
D.Customer Gateway
E.VPN Connection
AnswersC, D, E

AWS side VPN endpoint.

Why this answer

Option D (Customer Gateway), Option C (Virtual Private Gateway), and Option E (VPN Connection) are required. Option A (Direct Connect) is a different service. Option B (Transit Gateway) is optional, not required.

129
Multi-Selecteasy

Which THREE of the following are considerations when designing a Direct Connect implementation for high availability? (Choose three.)

Select 3 answers
A.Use a single connection with high bandwidth.
B.Configure static routes to the on-premises network.
C.Use BGP to advertise the same prefixes over both connections.
D.Use two or more Direct Connect connections.
E.Connect to different Direct Connect locations.
AnswersC, D, E

Enables automatic failover.

Why this answer

Correct: D (redundant connections), E (different locations), and C (BGP routing). A is wrong because a single connection cannot provide HA. B is wrong because static routes do not provide automatic failover.

130
MCQmedium

A company has a VPC with an IPv6 CIDR and wants to provide internet access to instances in a private subnet using IPv6. Which AWS service should be used?

A.VPC Gateway Endpoint
B.Internet Gateway
D.Egress-Only Internet Gateway
AnswerD

Egress-only internet gateway provides outbound-only IPv6 access.

Why this answer

An egress-only internet gateway allows outbound IPv6 traffic from private subnets but blocks inbound traffic.

131
MCQhard

A company has a VPC with public and private subnets in two Availability Zones. They have a NAT gateway in each AZ for outbound internet access. They recently added a third AZ and created a new private subnet. Instances in the new private subnet cannot reach the internet. The route table for the new subnet has a default route (0.0.0.0/0) pointing to a NAT gateway in the same AZ. What is the most likely cause?

A.The security group attached to the NAT gateway blocks outbound traffic
B.The route table in the new private subnet does not have a route to the NAT gateway
C.The NAT gateway in the new AZ does not have an Elastic IP address attached
D.The NAT gateway is not in a public subnet in the new AZ
AnswerC

A NAT gateway requires an Elastic IP to function; without it, outbound traffic fails.

Why this answer

Option C is correct because the NAT gateway must have an Elastic IP (EIP) to provide internet connectivity. Without an EIP, the NAT gateway cannot translate private IPs for internet access. Option D is wrong because NAT gateways are placed in public subnets by design.

Option B is wrong because the route table is correctly configured. Option A is wrong because security group rules govern instance traffic, and a NAT gateway does not have security groups.

132
Multi-Selecteasy

A company is designing a highly available architecture for a web application using an Application Load Balancer (ALB) across multiple Availability Zones. Which TWO actions should be taken to ensure high availability?

Select 2 answers
A.Use a Network Load Balancer instead of an ALB.
B.Register EC2 instances in multiple Availability Zones.
C.Place the EC2 instances in a single Availability Zone.
D.Configure the ALB as internal.
E.Configure the ALB as internet-facing.
AnswersB, E

Multi-AZ provides fault tolerance.

Why this answer

Option E is correct because the ALB must be internet-facing to receive traffic from users. Option B is correct because the EC2 instances should be in multiple AZs to survive an AZ failure. Option D is incorrect because an internal ALB is not accessible from the internet.

Option C is incorrect because a single AZ is not highly available. Option A is incorrect because a Network Load Balancer is for TCP/UDP, not HTTP.

133
MCQmedium

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The company wants to centralize network security by inspecting all traffic between VPCs and between VPCs and on-premises. Which architecture should be used?

A.Attach all VPCs to a Transit Gateway and use route tables to send traffic through a firewall appliance in one VPC.
B.Use VPN connections between all VPCs and on-premises.
C.Use VPC peering between all VPCs and configure security groups.
D.Use Network Load Balancer to distribute traffic across VPCs.
AnswerA

Transit Gateway route tables can direct traffic to an inspection VPC.

Why this answer

Option A is correct because Transit Gateway supports appliance mode to force traffic through a security appliance VPC. Options B and D do not provide centralized inspection. Option C is manual and not scalable.

134
MCQhard

Refer to the exhibit. A network engineer is creating an IAM policy for a junior engineer who needs to set up a VPC with public and private subnets and an internet gateway. The junior engineer reports that they cannot create a VPC peering connection. Based on the policy, what is the most likely reason?

A.The policy has an explicit Deny statement for ec2:CreateVpcPeeringConnection.
B.The policy allows ec2:CreateVpc which implicitly denies peering.
C.The policy requires multi-factor authentication to create VPC peering connections.
D.The policy does not allow the ec2:CreateVpcPeeringConnection action.
AnswerA

The explicit Deny overrides any Allow and prevents the action.

Why this answer

The policy explicitly denies the ec2:CreateVpcPeeringConnection action with an Effect of Deny. Even though there is an Allow for other actions, the Deny overrides any Allow for that specific action. Option A is correct.

Options B and D are not relevant because the policy neither implicitly denies the action nor merely omits it; it contains an explicit Deny. Option C is incorrect because the policy does not require MFA.

135
MCQhard

A company has a Direct Connect connection with a private VIF to a VPC in us-east-1. The VPC has two subnets: a public subnet and a private subnet. The public subnet has an internet gateway attached. The private subnet has a NAT gateway. The company's on-premises network uses the 10.0.0.0/8 IP range. The VPC CIDR is 10.1.0.0/16. The on-premises router is advertising 10.1.0.0/16 over BGP to the Direct Connect router. The company needs EC2 instances in the private subnet to initiate outbound connections to the internet for updates. The NAT gateway is in the public subnet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT gateway. However, the on-premises network team reports that they can ping the private IP of the NAT gateway (10.1.0.10) but not the private IP of an EC2 instance in the private subnet (10.1.1.50). The EC2 instance's security group allows ICMP from the on-premises IP range. The VPC's main route table has a route for 10.0.0.0/8 pointing to the virtual private gateway. The VPC is attached to a virtual private gateway. What is the most likely cause?

A.The virtual private gateway is not attached to the VPC.
B.The NAT gateway is not reachable from the on-premises network.
C.The security group on the EC2 instance is blocking ICMP from the on-premises IP range.
D.The private subnet's route table does not have a route for the on-premises CIDR (10.0.0.0/8) pointing to the virtual private gateway.
AnswerD

Without a route for the on-premises CIDR in the private subnet's route table, traffic from on-premises to the EC2 instance is not forwarded to the VGW.

Why this answer

The on-premises network can ping the NAT gateway because the NAT gateway is in the public subnet, and the route table for the public subnet likely has a route to the virtual private gateway for the on-premises CIDR. However, the EC2 instance is in the private subnet, and the private subnet's route table does not have a route for the on-premises CIDR (10.0.0.0/8) pointing to the virtual private gateway. The VPC's main route table has such a route, but the private subnet is not using the main route table; it likely has a custom route table that only has the default route to the NAT gateway.

Therefore, traffic from on-premises to the EC2 instance's private IP is not routed to the virtual private gateway. Option D is correct. Option C is incorrect because the security group allows ICMP.

Option B is incorrect because the NAT gateway is reachable. Option A is incorrect because the virtual private gateway is attached.

136
Multi-Selecteasy

A company is deploying an application across multiple VPCs using AWS Transit Gateway. They need to ensure that only specific VPCs can communicate with each other. Which TWO methods can be used to isolate traffic?

Select 2 answers
A.Use Transit Gateway Network Manager to create a network segmentation design.
B.Create separate Transit Gateway route tables for different groups of VPCs and associate the VPC attachments accordingly.
C.Configure network ACLs on the VPC subnets to allow or deny traffic.
D.Use security groups on the Transit Gateway attachments.
E.Implement VPC endpoints for inter-VPC communication.
AnswersA, B

Network Manager helps visualize and manage segmentation.

Why this answer

Option B is correct because separate route tables can control which VPCs can communicate. Option A is correct because Transit Gateway Network Manager can create segmentation. Option C is incorrect because NACLs are per subnet, not per VPC.

Option D is incorrect because security groups are instance-level. Option E is incorrect because VPC endpoints are for accessing services, not inter-VPC traffic.

137
Multi-Selectmedium

Which TWO of the following are valid methods to connect multiple VPCs in the same AWS region using AWS native services? (Choose two.)

Select 2 answers
A.Software VPN appliance
B.VPC peering
C.AWS Direct Connect
D.Amazon ClassicLink
E.AWS Transit Gateway
AnswersB, E

Native service for VPC-to-VPC connectivity.

Why this answer

Options B and E are correct. VPC peering and Transit Gateway are both native AWS services that connect VPCs in the same region. Option C is wrong because Direct Connect is for on-premises to AWS, not VPC-to-VPC.

Option A is wrong because a software VPN is not a native AWS service; it's a third-party appliance. Option D is wrong because ClassicLink is for connecting EC2-Classic to VPC, not VPC-to-VPC.

138
MCQmedium

A company uses AWS Direct Connect with a private VIF to connect to a VPC. The VPC has a virtual private gateway (VGW). The on-premises network uses BGP to exchange routes with the VGW. The company wants to route traffic from the VPC to an on-premises subnet 192.168.1.0/24. The on-premises router advertises 192.168.1.0/24 over BGP. However, instances in the VPC cannot reach that subnet. The VPC route table has the local route and a route to the VGW for 0.0.0.0/0. What is the most likely cause?

A.BGP route propagation is disabled on the VPC route table
B.The 192.168.1.0/24 subnet overlaps with the VPC CIDR, causing the local route to take precedence
C.The VPC route table does not have a specific route for 192.168.1.0/24 pointing to the virtual private gateway
D.The Direct Connect virtual interface does not have the allowed prefixes configured
AnswerB

Local routes have higher priority than propagated routes.

Why this answer

The VPC route table does not have a specific route for 192.168.1.0/24 pointing to the VGW. The default route (0.0.0.0/0) goes to the VGW, but if the on-premises subnet is part of the VPC CIDR (e.g., if the VPC CIDR is 192.168.0.0/16), then the local route takes precedence and traffic never goes to the VGW. Since the subnet is 192.168.1.0/24, it could be within a VPC CIDR like 192.168.0.0/16.

The local route would match and traffic stays in the VPC. Option D is wrong because allowed prefixes are configured on the Direct Connect gateway, not in the VPC route table. Option A is wrong because if the subnet is within the VPC CIDR, propagation doesn't help.

Option C is wrong because the route is advertised.

139
MCQeasy

A company wants to restrict outbound traffic from a VPC to only allow HTTPS traffic to a specific list of domains. Which AWS service can be used to achieve this?

A.AWS Network Firewall
B.Security groups
C.Amazon Route 53
D.Application Load Balancer
AnswerA

Network Firewall can filter outbound traffic by domain name using stateful rules.

Why this answer

Option A is correct because Network Firewall can inspect and filter outbound traffic based on domain names. Option D is for inbound traffic distribution. Option B is for instance-level filtering.

Option C is for DNS and domain registration.

140
MCQeasy

A company needs to connect its on-premises data center to AWS using a site-to-site VPN. The on-premises firewall does not support IPsec. What alternative solution can the company use?

A.Create a VPC peering connection between the on-premises router and the VPC.
B.Use AWS Client VPN to establish a VPN connection from the on-premises network.
C.Deploy an AWS Transit Gateway and attach the on-premises network via a VPC attachment.
D.Use AWS Direct Connect to establish a dedicated physical link.
AnswerB

Client VPN can terminate on a firewall running OpenVPN.

Why this answer

Option B is correct because AWS Client VPN allows individual clients or the entire network to connect using OpenVPN-based software, which can be installed on the firewall if it supports OpenVPN. Option D is wrong because Direct Connect is a physical connection. Option C is wrong because Transit Gateway is a network transit hub, not a VPN endpoint.

Option A is wrong because VPC peering is for VPC-to-VPC connectivity.

141
Multi-Selectmedium

A company has a VPC with public and private subnets. They have a NAT gateway in a public subnet for outbound internet access from private instances. Which TWO of the following are required for the NAT gateway to function correctly?

Select 2 answers
A.The NAT gateway is deployed in a private subnet
B.A security group attached to the NAT gateway
C.A route in the public subnet's route table to an internet gateway
D.A network ACL attached to the NAT gateway's subnet that allows inbound traffic from the internet
E.An Elastic IP address assigned to the NAT gateway
AnswersC, E

The NAT gateway must be in a public subnet with internet access.

Why this answer

Option E is required because the NAT gateway needs an Elastic IP for outbound traffic. Option C is required because the public subnet must have a route to an internet gateway. Option B is not required because security groups are not attached to NAT gateways.

Option A is not required because NAT gateways are not deployed in private subnets. Option D is not required because NAT gateways do not use NACLs.

142
Multi-Selecthard

A company has a VPC with a CIDR of 10.0.0.0/16. They have two Availability Zones, each with a public and a private subnet. They want to connect their on-premises network (192.168.0.0/16) to the VPC using a site-to-site VPN. Which THREE resources are needed to establish the VPN connection? (Choose THREE.)

Select 3 answers
A.Customer Gateway
B.AWS Direct Connect
C.VPN Connection
D.AWS Transit Gateway
E.Virtual Private Gateway
AnswersA, C, E

Required to represent the on-premises router.

Why this answer

A site-to-site VPN requires a Virtual Private Gateway (VGW) on the VPC side, a Customer Gateway (CGW) representing the on-premises router, and a VPN Connection between them. Option D is wrong because a Transit Gateway is not required for a simple VPN. Option B is wrong because a Direct Connect connection is separate.

A VPC endpoint would not help either, because it is for private access to AWS services.

143
MCQmedium

A network engineer runs the above command and sees an ENI (eni-0a1b2c3d4e5f6g7h8) with status 'in-use' but no InstanceId attached. What AWS service is most likely using this ENI?

A.A VPC endpoint (Interface type).
B.An Amazon RDS database instance.
D.An AWS Transit Gateway.
AnswerB

RDS uses managed ENIs with 'RDS-managed' description.

Why this answer

Option B is correct because RDS uses managed ENIs that appear 'in-use' without an InstanceId. Option A is wrong because VPC endpoints use ENIs with descriptions like 'VPC Endpoint'. NAT gateway ENIs likewise carry a specific description.

Option D is wrong because Transit Gateway does not use ENIs directly.

144
MCQhard

A network engineer examines the route table above. The VPC has a CIDR of 10.0.0.0/16. There is a VPC peering connection (pcx-...) to a VPC with CIDR 192.168.0.0/16. However, instances in this route table's subnet cannot communicate with the peered VPC. What is the most likely cause?

A.The route table is not associated with the subnet.
B.The VPC peering connection is in 'pending-acceptance' state.
C.The security group or network ACL in the source subnet is blocking traffic.
D.The route to the peered VPC is missing from the route table.
AnswerC

Even with correct routing, security groups/NACLs can block traffic.

Why this answer

Option C is correct because the route table shows a route to the peered VPC via the pcx, so routing seems configured. The issue is likely that the security groups or NACLs in the source subnet are blocking traffic. Option D is wrong because the route exists.

Option B is wrong because the peering connection may be active; the issue is not shown. Option A is wrong because the route table is associated with the subnet (implied by the question).

145
Multi-Selectmedium

Which TWO statements about AWS Direct Connect are correct? (Select TWO.)

Select 2 answers
A.Direct Connect traffic is encrypted by default
B.Direct Connect supports multiple virtual interfaces (VIFs) over a single connection
C.Direct Connect is a managed VPN service
D.Direct Connect can be provisioned in minutes without any physical infrastructure
E.Direct Connect provides a consistent network experience with lower latency and higher bandwidth than internet-based VPN
AnswersB, E

You can have public, private, and transit VIFs.

Why this answer

Options B and E are correct. Direct Connect provides consistent network performance and supports multiple virtual interfaces. Option A is wrong because it is not encrypted by default.

Option C is wrong because it is not a VPN. Option D is wrong because it requires a dedicated physical connection.

146
MCQhard

A company has an AWS Direct Connect connection with a private VIF to a VPC. They also have a VPN connection as a backup. They want to use BGP attributes to prefer the Direct Connect path. On the customer router, they set a lower local preference for routes received via the VPN. However, traffic still uses the VPN. What could be the reason?

A.Local preference is not supported by AWS for BGP sessions; use AS path prepending instead
B.The weight attribute is set higher on the VPN routes
C.Bidirectional Forwarding Detection (BFD) is not enabled on the Direct Connect connection
D.The BGP MED attribute is not set on the VPN routes
AnswerA

AWS does not accept local preference; AS path prepending is used to influence outbound traffic.

Why this answer

Option A is correct because AWS does not honor local preference set by the customer; AS path prepending is the standard method. Option D is wrong because MED is used to influence inbound traffic from AWS. Option C is wrong because BFD is for fast failure detection.

Option B is wrong because weight is a Cisco-proprietary attribute not used in AWS.

147
Multi-Selecteasy

Which TWO of the following are valid methods to connect an on-premises data center to a VPC in AWS? (Choose 2.)

Select 2 answers
A.AWS Direct Connect
B.VPC endpoint
C.Transit Gateway
D.AWS Site-to-Site VPN
E.VPC peering
AnswersA, D

Direct Connect provides a dedicated private connection.

Why this answer

Options A and D are correct. AWS Site-to-Site VPN and AWS Direct Connect are the primary methods for hybrid connectivity. VPC peering (E) is for inter-VPC, not on-premises.

VPC endpoints (B) are for AWS services. Transit Gateway (C) is a hub for multiple connections but not a direct connection method itself.

148
MCQhard

A company has a Direct Connect connection with a private VIF to a VPC. The VPC has a subnet that hosts an EC2 instance with a sensitive database. The company wants to add an extra layer of encryption for traffic between the on-premises network and the EC2 instance. Which solution should be used?

A.Enable TLS on the EC2 instance
B.Use an SSL certificate on the on-premises router
C.Use AWS Key Management Service (KMS) to encrypt the traffic
D.Set up an IPsec VPN tunnel over the Direct Connect private VIF
AnswerD

IPsec VPN provides encryption at the network layer over the Direct Connect connection.

Why this answer

Option D is correct because an IPsec VPN over Direct Connect provides encryption over the private VIF; Direct Connect traffic is not encrypted by default. Options A and B are incorrect because TLS/SSL is application-level encryption, not network layer.

Option C is incorrect because AWS KMS manages encryption keys; it does not encrypt network traffic.

149
MCQhard

A company is migrating its on-premises data center to AWS and wants to extend its Layer 2 network to AWS using AWS Outposts. The company has an existing VLAN with IP subnet 10.0.1.0/24 that hosts a legacy application requiring direct Layer 2 connectivity between on-premises servers and Outposts racks. The network engineer has installed an Outposts rack in the data center and connected it to the on-premises network via a local gateway (LGW) with a VLAN interface. The engineer has created a subnet in the Outposts VPC with CIDR 10.0.1.0/24 and launched EC2 instances. However, the on-premises servers cannot communicate with the Outposts instances. The LGW is configured correctly. Which action should the engineer take to resolve the issue?

A.Configure the LGW VLAN interface with the correct VLAN ID that matches the on-premises VLAN.
B.Create a VPC peering connection between the Outposts VPC and the on-premises network via the LGW.
C.Set up a Direct Connect private virtual interface from the on-premises router to the Outposts VPC.
D.Attach the Outposts VPC to a Transit Gateway and peer with on-premises network.
AnswerA

The VLAN ID must match for Layer 2 connectivity.

Why this answer

Option A is correct because the LGW VLAN interface must be associated with the same VLAN ID as the on-premises network to allow Layer 2 communication. Option B is incorrect because a VPC peering connection is Layer 3, not Layer 2. Option C is incorrect because Direct Connect is not needed.

Option D is incorrect because a Transit Gateway does not provide Layer 2 extension.

150
MCQeasy

A company needs to provide internet access to a VPC that has both public and private subnets. They have already created an Internet Gateway and attached it to the VPC. What else must be configured for instances in the public subnet to be reachable from the internet?

A.Launch a NAT Gateway in the public subnet.
B.Add a route to the public subnet's route table pointing 0.0.0.0/0 to the Internet Gateway.
C.Attach the VPC to an AWS Transit Gateway.
D.Establish a VPN connection to the Internet Gateway.
AnswerB

This enables traffic to flow between the subnet and the internet.

Why this answer

For internet access, the public subnet's route table must have a default route to the Internet Gateway. Additionally, the instances must have public IP addresses (auto-assign public IP or Elastic IP) and security groups/NACLs allowing inbound traffic. Option A (NAT Gateway) is for private subnets; Option D (VPN) is not needed; Option C (Transit Gateway) is not required.
