CCNA Network Implementation Questions

75 of 434 questions · Page 4/6 · Network Implementation topic · Answers revealed

226
MCQ · hard

A company has a multi-account AWS Organizations setup with hundreds of VPCs across multiple regions. The network team needs to centralize outbound internet traffic through a set of inspection VPCs for security monitoring. Which solution is MOST scalable and cost-effective?

A. Use a Network Load Balancer in each VPC to distribute traffic to inspection appliances.
B. Create a Transit Gateway with a central inspection VPC that has a NAT Gateway and route all VPCs to the inspection VPC for egress.
C. Deploy a NAT Gateway in each VPC and route traffic directly to the internet.
D. Set up VPC peering between all VPCs and route traffic through a single VPC with an Internet Gateway.
Answer: B

Scalable, centralized, and cost-effective.

Why this answer

Option B is correct because AWS Transit Gateway with a central inspection VPC attachment allows all egress traffic to be routed through the inspection VPC, and a single NAT Gateway per AZ in the inspection VPC is scalable and cost-effective. Option C is wrong because a NAT Gateway in each VPC is not centralized. Option A is wrong because a Network Load Balancer is not designed for internet egress.

Option D is wrong because VPC peering does not scale to hundreds of VPCs and lacks transitive routing.

227
MCQ · easy

A small company has a single VPC with one public subnet and one private subnet. They have a web server in the public subnet and a database server in the private subnet. The web server needs to access the database server on port 3306 (MySQL). The network engineer has configured the security group for the database server to allow inbound TCP port 3306 from the security group of the web server. However, the web server cannot connect to the database server. The network ACL for the private subnet is the default (allows all inbound and outbound). The web server can ping the database server's private IP. What is the MOST likely cause of the connection failure?

A. The web server cannot reach the private IP of the database server because it is in a different subnet
B. The network ACL for the private subnet is blocking inbound traffic on port 3306
C. The security group for the database server is not allowing inbound traffic from the web server's security group
D. The MySQL service on the database server is not running or not listening on port 3306
Answer: D

Correct; the application layer is the most likely issue.

Why this answer

Option D is correct. The security group for the database server allows inbound traffic from the web server's security group, which is the right configuration, and because security groups are stateful the return traffic is allowed automatically.

The issue is most likely that the MySQL service is not running or is not listening on port 3306. Since ping works, the network layer is fine. Option B is incorrect because the NACL is the default, which allows all traffic.

Option C is incorrect because the security group rule is correct. Option A is incorrect because the web server is in the same VPC, so it can reach the private IP even though it is in a different subnet.

228
MCQ · easy

A company wants to provide internet access to instances in a public subnet. Which component must be attached to the VPC and have a route to it in the subnet's route table?

A. Transit Gateway
B. Virtual Private Gateway
D. Internet Gateway
Answer: D

Internet Gateway enables internet access for public subnets.

Why this answer

An Internet Gateway must be attached to the VPC, and the subnet's route table needs a default route pointing to it, for instances to reach the internet.

229
MCQ · medium

A company is migrating a legacy application that requires static IP addresses for its clients' firewall whitelisting. The application will be hosted on EC2 instances behind a Network Load Balancer (NLB) in a private subnet. Which approach should the company use to provide static IP addresses for outbound traffic?

A. Assign Elastic IPs to the EC2 instances
B. Use an internet-facing NLB with Elastic IPs
C. Use a VPC endpoint for the application
D. Deploy a NAT Gateway in a public subnet with an Elastic IP
Answer: D

NAT Gateway with an Elastic IP provides a static source IP for outbound traffic from private subnets.

Why this answer

Option D is correct because a NAT Gateway in a public subnet with an Elastic IP provides a static source IP for outbound traffic from private instances. Option A is wrong because Elastic IPs on the instances address inbound traffic. Option B is wrong because Elastic IPs on an internet-facing NLB also address inbound traffic, not outbound.

Option C would not provide static IPs.

230
Multi-Select · easy

A company is setting up AWS Site-to-Site VPN for connectivity between its on-premises network and AWS VPC. They want to ensure the VPN tunnel is highly available. Which THREE components should be configured? (Choose THREE.)

Select 3 answers
A. A single VPN connection with one tunnel
B. BGP dynamic routing over the VPN tunnels
C. Static routing instead of BGP
D. Two VPN tunnels per VPN connection
E. A second customer gateway device on-premises
Answers: B, D, E

Correct; BGP allows automatic failover between tunnels.

Why this answer

Options B, D, and E are correct. Option D: Two tunnels per VPN connection provide redundancy. Option E: A second customer gateway device ensures on-premises redundancy.

Option B: BGP dynamic routing allows automatic failover. Option A is incorrect because a single VPN connection with one tunnel is not highly available. Option C is incorrect because static routes do not provide dynamic failover.

231
Multi-Select · medium

A company is designing a hybrid network using AWS Direct Connect. The company has a single 1 Gbps dedicated connection and wants to connect to multiple VPCs in the same region. Which THREE steps are necessary to achieve this connectivity?

Select 3 answers
A. Create a Direct Connect gateway.
B. Create a private virtual interface for each VPC.
C. Create a public virtual interface for each VPC.
D. Attach the VPCs to the transit gateway.
E. Create a transit virtual interface and associate it with a transit gateway.
Answers: A, D, E

A Direct Connect gateway can connect to multiple VPCs.

Why this answer

Options A, D, and E are correct because a Direct Connect gateway can serve multiple VPCs, a transit VIF associated with a transit gateway is the recommended approach, and the VPCs are then attached to that transit gateway. Options B and C are not needed; a private VIF can connect to only one VPC.

232
MCQ · medium

A company is deploying a new VPC with both public and private subnets. The public subnet hosts an internet-facing Application Load Balancer (ALB), and the private subnet hosts EC2 instances running a web application. The EC2 instances need to download updates from the internet, but they must not be directly accessible from the internet. Which combination of steps should a network engineer implement to meet these requirements?

A. Create a NAT Gateway in a public subnet, and add a default route (0.0.0.0/0) to the NAT Gateway in the private subnet's route table.
B. Launch a proxy server in the public subnet and configure the private instances to use it for outbound traffic.
C. Set up a VPN connection to an on-premises network and route all internet traffic through the VPN.
D. Attach an Internet Gateway to the VPC and add a default route (0.0.0.0/0) to the Internet Gateway in the private subnet's route table.
Answer: A

This allows outbound internet access while blocking inbound connections.

Why this answer

A NAT Gateway in a public subnet allows EC2 instances in private subnets to initiate outbound traffic to the internet (e.g., for updates) while preventing any unsolicited inbound connections from the internet. Adding a default route (0.0.0.0/0) to the NAT Gateway in the private subnet's route table directs all outbound internet traffic through the NAT Gateway, which translates the private IPs to the NAT Gateway's Elastic IP. This meets the requirement of internet access for downloads without direct internet accessibility.

Exam trap

AWS often tests the misconception that an Internet Gateway in a private subnet's route table provides outbound-only access, but in reality, an Internet Gateway enables bidirectional traffic, making instances publicly reachable if they have public IPs or if the route is present.

How to eliminate wrong answers

Option B is wrong because a proxy server in the public subnet is an alternative but not the simplest or most AWS-native solution; it adds management overhead and a single point of failure, whereas a NAT Gateway is fully managed and highly available. Option C is wrong because a VPN connection to an on-premises network routes traffic through the corporate network, which does not provide direct internet access for the EC2 instances unless the on-premises network itself has internet connectivity and is configured to forward traffic, adding unnecessary complexity and latency. Option D is wrong because attaching an Internet Gateway and adding a default route to it in the private subnet's route table would make the EC2 instances directly accessible from the internet (since the Internet Gateway allows bidirectional traffic), violating the requirement that they must not be directly accessible.

233
Multi-Select · easy

Which TWO of the following are valid options for implementing network segmentation in a VPC?

Select 2 answers
A. Security Groups
B. Subnets
C. Route Tables
E. Internet Gateway
Answers: A, B

Security groups act as virtual firewalls for instances.

Why this answer

Security Groups (A) are stateful virtual firewalls that operate at the instance level (ENI), allowing you to control inbound and outbound traffic based on rules. They are a valid mechanism for network segmentation because you can assign different Security Groups to different instances or groups of instances to isolate traffic between tiers (e.g., web, app, database). Subnets (B) provide network segmentation at the VPC subnet level by dividing the VPC's IP address range into smaller segments, each associated with a specific Availability Zone and route table, enabling logical separation of resources.

Exam trap

AWS often tests the misconception that Route Tables or NAT Gateways provide segmentation, but they are routing and translation services, not access control boundaries; the trap is confusing traffic direction with traffic filtering.

234
Multi-Select · hard

Which TWO of the following are characteristics of an AWS Network Load Balancer (NLB)?

Select 2 answers
A. Supports SSL offloading
B. Supports routing based on HTTP headers
C. Preserves the source IP address of the client
D. Operates at Layer 7 of the OSI model
E. Can handle millions of requests per second
Answers: C, E

NLB preserves the client IP.

Why this answer

The correct answers are C and E. NLB operates at Layer 4, handles millions of requests per second, and preserves the client's source IP. Option D (Layer 7) describes an ALB.

Option B (routing on HTTP headers) is a Layer 7 feature. Option A (SSL offloading) is a Layer 7 feature.

235
Multi-Select · medium

Which THREE actions are required to enable an EC2 instance in a private subnet to download software updates from the internet? (Select THREE.)

Select 3 answers
A. Allocate an Elastic IP and associate it with the NAT Gateway
B. Configure the security group to allow outbound traffic to 0.0.0.0/0
C. Create a NAT Gateway in a public subnet
D. Add a route in the private subnet route table pointing to the NAT Gateway for 0.0.0.0/0
E. Attach an Internet Gateway to the VPC
Answers: A, C, D

EIP is required for NAT Gateway to communicate with Internet Gateway.

Why this answer

Options A, C, and D are correct: a NAT Gateway in a public subnet, a route to it from the private subnet, and an Elastic IP for the NAT Gateway. Option E is wrong because an Internet Gateway alone does not provide outbound access for private subnets.

Option B is wrong because security groups allow all outbound traffic by default.

236
MCQ · medium

A company is implementing an AWS Client VPN endpoint to provide remote access to its VPC resources. The company's on-premises network uses a split-tunneling configuration to route only corporate traffic through the VPN. The Client VPN endpoint is associated with a single subnet in the VPC. Users report that they can connect to the Client VPN but cannot reach resources in the VPC. The Client VPN endpoint's security group allows all traffic. What is the MOST likely cause of this issue?

A. The security group associated with the Client VPN endpoint does not allow inbound traffic from the client CIDR.
B. The authorization rules do not grant access to the target subnets.
C. The route table of the subnet where the Client VPN endpoint is attached does not have a route to the VPC CIDR.
D. The Client VPN endpoint is configured with full-tunneling instead of split-tunneling.
Answer: C

Without a route, traffic from clients won't reach VPC resources.

Why this answer

Option C is correct because the subnet's route table must have a route pointing to the Client VPN endpoint for traffic to reach VPC resources. Option D is incorrect because split-tunneling does not cause this issue. Option B is incorrect because authorization rules are separate from security groups.

Option A is incorrect because the Client VPN endpoint uses its own security group, which the question states allows all traffic.

237
MCQ · medium

An organization is migrating to AWS and needs to connect multiple VPCs in different AWS regions using a hub-and-spoke topology. The hub VPC will host centralized services. Which solution is most cost-effective and provides high throughput?

A. Deploy a software VPN appliance in the hub VPC and connect each spoke VPC with VPN tunnels.
B. Create VPC peering connections between the hub VPC and each spoke VPC.
C. Establish Direct Connect connections from each VPC to a central on-premises location.
D. Set up AWS Transit Gateway with attachments to each VPC.
Answer: B

VPC peering is cost-effective and high throughput for hub-and-spoke across regions.

Why this answer

Option B is correct because VPC peering provides high throughput and is cost-effective for hub-and-spoke topologies across regions. Peering does not support transitive routing through the hub, so spoke-to-spoke traffic would require a full mesh, but the question asks only about connecting the spokes to the hub, for which peering is the cost-effective choice. Option D is wrong because AWS Transit Gateway is managed but not the most cost-effective for a small number of VPCs.

Option C is wrong because Direct Connect is expensive and not needed for VPC-to-VPC connectivity. Option A is wrong because a software VPN is less reliable and offers lower throughput.

238
Multi-Select · hard

A company is designing a multi-account AWS environment using AWS Transit Gateway. They want to centralize network management and ensure that VPCs in different accounts can communicate. Which THREE steps are required to achieve this? (Select THREE.)

Select 3 answers
A. Create a Transit Gateway in the central networking account
B. Use AWS Resource Access Manager (RAM) to share the Transit Gateway with other accounts
C. Create a separate Transit Gateway in each account and peer them together
D. Create a Transit Gateway route table and associate VPC attachments
E. Create a VPC peering connection between each VPC and the Transit Gateway
Answers: A, B, D

A central Transit Gateway is created in the networking account.

Why this answer

Options A, B, and D are correct. You need to create the Transit Gateway in the central networking account, share it using Resource Access Manager (RAM), create a Transit Gateway route table, and associate the VPC attachments with that route table. Option E is wrong because VPC peering is not needed when using Transit Gateway.

Option C is wrong because you do not need to create a separate Transit Gateway in each account; you share a central one.

239
Multi-Select · hard

A company is migrating a legacy application to AWS. The application uses multicast traffic between servers. The company needs to support multicast in the AWS VPC. Which TWO solutions can the network engineer recommend? (Choose TWO.)

Select 2 answers
A. Deploy a third-party virtual firewall or router that supports multicast inside the VPC.
B. Use VPC endpoints for multicast support.
C. Use VPC peering connections to allow multicast traffic between VPCs.
D. Use a transit gateway with multicast domain configuration.
E. Use AWS Direct Connect to extend the on-premises multicast domain.
Answers: A, D

Virtual appliances can handle multicast routing.

Why this answer

Options A and D are correct. Option D uses a transit gateway with multicast domain support. Option A uses a third-party virtual appliance to handle multicast.

Option C is wrong because VPC peering does not support multicast. Option E is wrong because Direct Connect does not provide multicast. Option B is wrong because VPC endpoints do not support multicast.

240
MCQ · easy

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to add an IPv6 CIDR block to the VPC. Which action should they take?

A. Request an IPv6 CIDR block from your regional internet registry and associate it with the VPC.
B. Enable IPv6 on the subnets directly without associating a VPC CIDR.
C. Manually assign a /56 IPv6 CIDR block to the VPC.
D. Associate an Amazon-provided IPv6 CIDR block with the VPC.
Answer: D

Amazon provides a /56 block from their pool.

Why this answer

Option D is correct because AWS provides an Amazon-provided IPv6 CIDR block that is assigned automatically. Option A is wrong because you cannot bring your own IPv6 GUA. Option C is wrong because you cannot directly assign a /56; AWS allocates the /56 block.

Option B is wrong because you must associate an IPv6 CIDR with the VPC, not just the subnets.

241
MCQ · easy

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. They want to add a second Direct Connect connection for redundancy. What is the MINIMUM number of virtual interfaces required to achieve active-active failover for the VPC?

A. Two transit virtual interfaces (one on each connection)
B. One private virtual interface and one transit virtual interface
C. Two private virtual interfaces (one on each connection)
D. One private virtual interface
Answer: C

Correct; two VIFs allow BGP to provide active-active failover.

Why this answer

Option C is correct because with two Direct Connect connections you can create a private VIF on each, and using BGP with AS_PATH prepending you can achieve active-active load balancing and failover. Option D is wrong because a single VIF cannot provide redundancy; you need two VIFs for active-active.

Options A and B are wrong because transit VIFs are for connecting to a Direct Connect gateway, not directly to a VPC.

242
MCQ · easy

A company has a VPC with an Application Load Balancer (ALB) in front of a fleet of EC2 instances. The security group for the EC2 instances must allow traffic only from the ALB. Which source should be specified in the security group inbound rule?

A. The ALB's public IP address
B. The subnet CIDR block of the ALB's subnets
C. The ID of the ALB's security group
D. The VPC CIDR block
Answer: C

Referencing the ALB's security group as a source ensures only traffic from the ALB is allowed.

Why this answer

Option C is correct because the ALB's security group ID can be used as the source in the instance security group, allowing traffic only from the ALB. Option A is wrong because the ALB's public IPs can change; referencing a security group ID is more reliable. Option D is wrong because the VPC CIDR is too broad.

Option B is wrong because the subnet CIDR of the ALB is also too broad and not as secure.

243
MCQ · easy

A network engineer is analyzing VPC Flow Logs for a VPC with CIDR 10.0.0.0/16. The exhibit shows a sample log entry. The engineer notices that traffic from 10.0.1.10 to 10.0.2.10 on port 443 is being accepted. However, the application team reports that the connection is failing. What is the most likely reason for the disconnect?

A. The security groups are blocking the traffic.
B. The route tables are incorrectly configured, causing packet loss.
C. The flow logs are misconfigured and not capturing all traffic.
D. The application layer is failing to establish a proper connection.
Answer: D

Flow logs only show network-level acceptance; application issues are not captured.

Why this answer

The VPC Flow Logs show that traffic from 10.0.1.10 to 10.0.2.10 on port 443 is being accepted (ACCEPT record), which indicates that the network layer (security groups, network ACLs, and routing) is permitting the traffic. Since the application team reports the connection is failing, the issue must be at a higher layer, specifically the application layer (e.g., TLS handshake failure, certificate mismatch, or the application not listening on port 443). Flow logs capture only network-layer metadata (IP, port, protocol, action) and cannot detect application-layer errors.

Exam trap

AWS often tests the distinction between network-layer acceptance (ACCEPT in flow logs) and application-layer success, trapping candidates who assume an ACCEPT record guarantees a successful connection.

How to eliminate wrong answers

Option A is wrong because if security groups were blocking the traffic, the flow log entry would show a REJECT or DROP action, not ACCEPT. Option B is wrong because incorrect route tables would cause packet loss or unreachability, which would also result in DROP or no flow log entry for the destination, not an ACCEPT record. Option C is wrong because the flow log entry is present and shows ACCEPT, indicating the logs are capturing traffic correctly; misconfiguration would result in missing or incomplete logs, not a false ACCEPT.

244
MCQ · hard

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. They have a VPC with a CIDR of 10.0.0.0/16 attached to the transit gateway. They also have a Direct Connect virtual interface attached to the transit gateway. The on-premises network can reach some VPCs but not the VPC with CIDR 10.0.0.0/16. The transit gateway route table has a static route for the on-premises CIDR and a route propagation from the VPC attachment. What is the most likely issue?

A. The transit gateway has reached the maximum number of attachments
B. The VPC CIDR overlaps with the on-premises CIDR
C. The transit gateway route table does not have a route to the on-premises network
D. The VPC attachment is not associated with the transit gateway route table
Answer: B

Overlapping CIDRs cause routing issues in a transit gateway.

Why this answer

Option B is correct because the VPC CIDR 10.0.0.0/16 most likely overlaps with the on-premises CIDR, causing a routing conflict. Option D is wrong because the VPC attachment is attached and propagating routes. Option C is wrong because the transit gateway route table does have a route to the on-premises network.

Option A is wrong because there is no such limit.

245
Multi-Select · easy

A company is setting up a new VPC and needs to ensure that instances in the VPC can resolve DNS names within AWS (e.g., ec2-203-0-113-25.compute-1.amazonaws.com). Which TWO configurations are required? (Select TWO.)

Select 2 answers
A. Set the VPC's 'enableDnsSupport' attribute to true
B. Set the VPC's 'enableDnsHostnames' attribute to true
C. Configure the Amazon Route 53 Resolver to forward queries to the VPC DNS
D. Create a public hosted zone in Amazon Route 53 and associate it with the VPC
E. Create a custom DHCP option set with the domain-name-servers option set to the VPC DNS IP
Answers: A, B

This enables DNS resolution through the Amazon DNS server.

Why this answer

Options A and B are correct. To enable DNS resolution for private hosted zones and instance hostnames, both 'enableDnsSupport' and 'enableDnsHostnames' must be set to true. Option D is wrong because a public hosted zone is not required for private DNS resolution.

Option C is wrong because the Amazon Route 53 Resolver does not need to be configured; the VPC provides DNS resolution. Option E is wrong because a DHCP option set with domain-name-servers is not required; the default VPC DNS is provided.

246
MCQ · hard

A large enterprise uses AWS Organizations with multiple accounts. The central networking account hosts a Transit Gateway with attachments from VPCs in various accounts. The enterprise uses AWS Resource Access Manager (RAM) to share the Transit Gateway with other accounts. A network engineer in a spoke account creates a VPC and attaches it to the shared Transit Gateway. The attachment shows 'available' state. However, traffic from the spoke VPC to other attached VPCs fails. The spoke VPC route table has a route to the Transit Gateway for 0.0.0.0/0. The Transit Gateway route table has routes for the spoke VPC CIDR and other VPC CIDRs. What is the most likely cause?

A. The spoke account does not have an IAM role to access the Transit Gateway
B. The spoke VPC route table does not have routes to the other VPC CIDRs
C. The Transit Gateway route table does not propagate routes from the spoke VPC attachment
D. The Transit Gateway owner has not accepted the VPC attachment
Answer: D

Shared TGW attachments must be accepted by owner.

Why this answer

When a Transit Gateway is shared via RAM, the owner account must accept the attachment request from the spoke account. An attachment state of 'available' means it is ready but has not yet been associated with a Transit Gateway route table in the owner's account.

The owner must associate it. Option C is wrong because the Transit Gateway route table already has routes. Option B is wrong because the spoke route table already has a route to the Transit Gateway.

Option A is wrong because no cross-account IAM roles are needed for the attachment.

247
MCQ · medium

Refer to the exhibit. A VPC endpoint for S3 is created as a Gateway endpoint. The route tables rtb-11111111 and rtb-22222222 are associated with the endpoint. An EC2 instance in a subnet associated with rtb-11111111 cannot access S3 via the endpoint. What is the most likely cause?

A. The route table rtb-11111111 does not have a route to the S3 prefix list with the target as the VPC endpoint.
B. The endpoint policy denies access to S3 from the instance's IAM role.
C. The security group on the EC2 instance does not allow outbound traffic to the S3 prefix list.
D. The VPC does not have DNS resolution enabled for the endpoint.
Answer: A

Without this route, traffic to S3 does not go through the endpoint.

Why this answer

A Gateway endpoint automatically adds a prefix list route to the route table, but the route must point to the endpoint. If the route table already has a route to S3 via an Internet Gateway or NAT, the endpoint route may not be used. However, the most common issue is that the subnet's route table does not have the prefix list route for the S3 endpoint.

The exhibit shows the endpoint is associated with the route table, but the route table itself must contain a route to the S3 prefix list (e.g., pl-12345) with the target as the endpoint. Option C (security group) is possible but less likely; Option D (DNS) is not required for Gateway endpoints; Option B (endpoint policy) is permissive.

248
Matching · medium

Match each AWS networking monitoring or troubleshooting tool to its primary purpose.


Matches

Capture IP traffic information for security and troubleshooting

Monitor network performance metrics like throughput and latency

Test network path between two resources and identify configuration issues

Copy network traffic for content inspection or security analysis

Trace requests through distributed applications, including network calls

Why these pairings

These tools help monitor and diagnose network issues.

249
Multi-Select · medium

A company is designing a highly available architecture for a web application using an Application Load Balancer (ALB) in multiple Availability Zones. Which TWO configurations are required to achieve high availability?

Select 2 answers
A. The ALB must be configured with subnets in at least two Availability Zones
B. The ALB must be internet-facing
C. At least three EC2 instances must be registered with the ALB
D. A NAT gateway must be deployed in each Availability Zone
E. Cross-zone load balancing must be enabled on the ALB
Answers: A, B

Multiple AZs provide redundancy.

Why this answer

Option A is correct because an ALB must have subnets in at least two Availability Zones. Option B is correct because the ALB must be internet-facing to be accessible from the internet. Option E is wrong because cross-zone load balancing is enabled by default on an ALB and is not required for high availability.

Option D is wrong because a single NAT gateway is a single point of failure. Option C is wrong because a single instance per AZ is sufficient.

250
Multi-Select · easy

Which TWO of the following are valid methods to connect an on-premises network to an Amazon VPC? (Select TWO.)

Select 2 answers
A. AWS Direct Connect
B. AWS Site-to-Site VPN
C. VPC peering connection
D. VPC endpoint
E. Internet Gateway
Answers: A, B

Provides a dedicated private connection.

Why this answer

Options A and B are correct. AWS Direct Connect and AWS Site-to-Site VPN are the primary methods for connecting on-premises networks to VPCs. Option C is incorrect because VPC peering connects VPCs, not on-premises networks.

Option E is incorrect because an Internet Gateway is for internet access. Option D is incorrect because VPC endpoints are for accessing AWS services privately.

251
Multi-Select · hard

A company is deploying a new VPC with public and private subnets. The VPC will host web servers in the public subnet and database servers in the private subnet. The web servers need to access the internet for updates, and the database servers need to receive traffic only from the web servers. Which THREE components are essential for this architecture?

Select 3 answers
A. NAT gateway in the public subnet
B. Network ACL for subnets
C. Internet gateway
D. VPC endpoint for S3
E. Security groups for web and database servers
Answers: A, C, E

Allows private instances to access internet.

Why this answer

Options A, C, and E are correct because an internet gateway provides internet access for public subnets, a NAT gateway provides internet access for private subnets, and security groups act as firewalls for the EC2 instances. Option B is wrong because NACLs are stateless and less granular. Option D is wrong because a VPC endpoint is not needed for general internet access.

252
Multi-Select · hard

A company is setting up a Site-to-Site VPN connection between an on-premises network and AWS. The VPN tunnel is established, but traffic is not flowing. Which THREE configuration items should be checked?

Select 3 answers
A. Route tables in the VPC and on-premises router.
B. Security group rules for the EC2 instances.
C. NAT gateway configuration in the VPC.
D. Network ACL rules for the subnets.
E. Internet gateway attachment to the VPC.
Answers: A, B, D

Routes are required for traffic forwarding.

Why this answer

Option A is correct because route tables must have routes to the remote network. Option B is correct because security group rules must allow the traffic. Option D is correct because network ACLs must allow the traffic.

Option C is incorrect because a NAT gateway is not required for VPN. Option E is incorrect because an internet gateway is not needed for VPN traffic.

253
MCQ · easy

Refer to the exhibit. The bucket policy shown is applied to an S3 bucket. A VPC endpoint for S3 is created in a VPC with CIDR 10.0.0.0/16. An EC2 instance in the VPC tries to access an object in the bucket using the VPC endpoint. The request fails. What is the most likely reason?

A. The bucket policy does not allow s3:ListBucket.
B. The condition uses aws:SourceIp, which does not work with VPC endpoint traffic.
C. The EC2 instance does not have an IAM role that allows s3:GetObject.
D. The VPC endpoint does not have a route table associated with the instance's subnet.
Answer: B

aws:SourceIp is not applicable for VPC endpoint requests; use aws:SourceVpce instead.

Why this answer

The condition in the bucket policy uses aws:SourceIp, but when traffic goes through a VPC endpoint the source IP is the private IP of the instance, which is not evaluated by aws:SourceIp. Instead, aws:SourceVpce should be used. Option C (IAM role) is not shown in the exhibit, and Option D (route table) is not the issue.

254
MCQhard

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. The on-premises network uses BGP to advertise a route for 10.0.0.0/8. The VPC CIDR is 10.1.0.0/16. The company wants to ensure that all traffic from the VPC to on-premises uses the Direct Connect connection, but if the Direct Connect fails, traffic should fail over to a VPN connection. Which configuration achieves this?

A.Create a static route in the VPC route table pointing to the VPN with a metric of 100, and let BGP propagate the Direct Connect route.
B.Configure a BGP local preference of 200 on the Direct Connect VIF and 100 on the VPN connection, and use the same ASN for both.
C.Set the MED attribute on the Direct Connect VIF to 100 and on the VPN to 200.
D.Configure AS path prepend on the Direct Connect side to advertise a longer AS path.
AnswerB

Higher local preference is preferred; thus Direct Connect will be primary and VPN backup.

Why this answer

Option B is correct because a higher local preference on the Direct Connect side (200) than on the VPN side (100) makes the Direct Connect route more preferred, and the VPN route is used only while the Direct Connect route is absent. Option D is wrong because AS path prepending on the Direct Connect side would make it less preferred, the opposite of what is wanted. Option A is wrong because a static route with a high metric would simply be less preferred, not an automatic backup.

Option C is wrong because, although a lower MED on the Direct Connect side would make it more preferred, MED sits below local preference and AS path length in the BGP decision order, so it does not reliably enforce the failover order the question asks for; local preference is the attribute to use.
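To make the ordering of those attributes concrete, here is an added example (not AWS code and not part of the question bank): a simplified BGP best-path selection over constructed paths for the on-premises 10.0.0.0/8, one learned over Direct Connect and one over the VPN. It shows that local preference decides first, that prepending the Direct Connect AS path would hand the route to the VPN, and that MED only breaks ties once local preference and AS path length are equal. The link names, ASN and attribute values are constructed.

```python
"""Simplified BGP best-path selection for the Direct Connect / VPN failover question.

Added example, not AWS code. Real routers apply more tie-breakers (origin,
eBGP over iBGP, IGP cost, router ID) and compare MED only between paths from
the same neighbouring AS; both simplifications are deliberate here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpPath:
    prefix: str        # destination advertised by the neighbour
    via: str           # the link the path was learned on
    local_pref: int    # higher wins; significant only inside the receiving AS
    as_path: tuple     # shorter wins; prepending lengthens it
    med: int = 0       # lower wins; consulted only after the two above tie


def best_path(paths):
    """Return the preferred path: highest local_pref, then shortest AS path, then lowest MED."""
    if not paths:
        return None
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), p.med))


def preferred_link(paths):
    """Return just the link name of the best path, or None when no path remains."""
    chosen = best_path(paths)
    return chosen.via if chosen else None


# Constructed: 10.0.0.0/8 advertised over both links, configured as in option B.
DX_PATH = BgpPath("10.0.0.0/8", "direct-connect", local_pref=200, as_path=(65000,))
VPN_PATH = BgpPath("10.0.0.0/8", "site-to-site-vpn", local_pref=100, as_path=(65000,))

# Constructed: what AS path prepending on the Direct Connect side (option D) does
# when local preference is left equal on both links.
DX_PREPENDED = BgpPath("10.0.0.0/8", "direct-connect", local_pref=100,
                       as_path=(65000, 65000, 65000))


if __name__ == "__main__":
    print("both links up:", preferred_link([DX_PATH, VPN_PATH]))           # direct-connect
    print("Direct Connect down:", preferred_link([VPN_PATH]))             # site-to-site-vpn
    print("prepended, equal local pref:",
          preferred_link([DX_PREPENDED, VPN_PATH]))                        # site-to-site-vpn
```

Failover falls out of the selection naturally: when the Direct Connect session drops, its path is withdrawn from the list and the VPN path becomes the only candidate, with no static route needed.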

255
Multi-Selecteasy

Which TWO components are required when configuring a transit gateway to connect multiple VPCs and an on-premises network via Direct Connect? (Choose 2)

Select 2 answers
A.Internet gateway (IGW)
B.Transit Gateway association with the Direct Connect gateway
C.Virtual private gateway (VGW)
D.Customer gateway (CGW)
E.Direct Connect gateway
AnswersB, E

The Transit Gateway must be associated with the Direct Connect gateway to route traffic.

Why this answer

When using Transit Gateway with Direct Connect, you need a Direct Connect gateway, and the Transit Gateway must be associated with the Direct Connect gateway. A virtual private gateway (VGW) is not used with Transit Gateway; it is used with a VPC alone. A customer gateway is used for VPN, not Direct Connect.

An internet gateway is for public internet traffic.

256
Multi-Selecteasy

Which TWO of the following are valid methods to connect an on-premises network to an Amazon VPC over a private, dedicated connection? (Select TWO.)

Select 2 answers
A.AWS Direct Connect Gateway
B.AWS Direct Connect
C.AWS Client VPN
D.VPC Peering
E.AWS VPN CloudHub
AnswersA, B

Extends Direct Connect to multiple VPCs.

Why this answer

Options A and B are correct. AWS Direct Connect provides dedicated private connectivity, and an AWS Direct Connect Gateway extends that connectivity to multiple VPCs. E is wrong because AWS VPN CloudHub uses VPN connections over the internet, not a dedicated link.

D is wrong because VPC peering is between VPCs, not on-premises. C is wrong because AWS Client VPN is a remote access VPN over the internet.

257
MCQhard

A company has a large AWS environment with hundreds of VPCs connected via a Transit Gateway. The network team is implementing a new hub-and-spoke architecture where all traffic between VPCs must be inspected by a centralized firewall appliance in a shared services VPC. The firewall appliance is a third-party virtual appliance that supports VRF-like segmentation. The network engineer has configured the Transit Gateway with separate route tables for each VPC, and the shared services VPC is associated with all route tables. The firewall appliance is deployed in the shared services VPC with two ENIs: one in a 'trust' subnet and one in an 'untrust' subnet. The trust subnet is used for traffic coming from spoke VPCs, and the untrust subnet is used for traffic going to other spoke VPCs. The firewall appliance performs stateful inspection and returns traffic to the Transit Gateway via the correct ENI. However, after implementation, traffic between two spoke VPCs (VPC A and VPC B) is being dropped. The engineer verifies that the Transit Gateway route tables have static routes for each spoke VPC CIDR pointing to the shared services VPC attachment. The spoke VPCs have routes to each other's CIDR via the Transit Gateway. The firewall logs show that traffic from VPC A reaches the trust ENI, but the firewall is unable to send traffic to VPC B because it does not have a route to VPC B's CIDR. What is the most likely cause?

A.The shared services VPC attachment is not propagating routes to the Transit Gateway route tables.
B.The security group for the firewall's untrust ENI is blocking outbound traffic.
C.The Transit Gateway route table for VPC A does not have a route for VPC B's CIDR.
D.The route table for the untrust subnet does not have a route to VPC B's CIDR pointing to the Transit Gateway.
AnswerD

The untrust subnet needs a route to return traffic to the Transit Gateway. Without it, the firewall cannot send traffic to VPC B.

Why this answer

Option D is correct because the firewall's untrust subnet route table must have a route pointing to the Transit Gateway for VPC B's CIDR. The firewall receives traffic from VPC A on its trust ENI, processes it, and then sends it out the untrust ENI. Without a route in the untrust subnet's route table directing traffic for VPC B's CIDR to the Transit Gateway, the firewall cannot forward the traffic back to the Transit Gateway for delivery to VPC B, causing the drop.

Exam trap

The trap here is that candidates often focus on Transit Gateway route tables and forget that the subnet route tables within the shared services VPC must also be configured to route traffic back to the Transit Gateway, especially when using a firewall with separate ENIs for trust and untrust subnets.

How to eliminate wrong answers

Option A is wrong because the shared services VPC attachment does not need to propagate routes to the Transit Gateway route tables; the static routes in the Transit Gateway route tables already point to the shared services VPC attachment for spoke-to-spoke traffic. Option B is wrong because the security group for the firewall's untrust ENI would block traffic at the firewall level, but the issue is that the firewall cannot send traffic due to a missing route, not that traffic is blocked by a security group. Option C is wrong because the Transit Gateway route table for VPC A does have a route for VPC B's CIDR pointing to the shared services VPC attachment, as verified by the engineer; the problem lies in the subnet route table within the shared services VPC.

258
MCQhard

A company has a production VPC with CIDR 10.0.0.0/16. They have an internet-facing Application Load Balancer (ALB) in public subnets across two Availability Zones. The ALB distributes traffic to a fleet of EC2 instances in private subnets. The EC2 instances need to access an Amazon S3 bucket to retrieve configuration files. The company wants to minimize data transfer costs and ensure that traffic to S3 does not traverse the internet. A network engineer created a Gateway VPC Endpoint for S3 in the VPC and added a route in the public subnet route tables pointing to the endpoint. However, the EC2 instances still cannot access the S3 bucket. The security groups for the EC2 instances allow outbound HTTPS to 0.0.0.0/0. The NACLs are default (allow all). The S3 bucket policy allows access from the VPC endpoint. What is the MOST likely reason the EC2 instances cannot access S3?

A.The Gateway VPC Endpoint is in a different region than the S3 bucket
B.The security group for the EC2 instances does not allow outbound traffic to the S3 prefix list
C.The S3 bucket policy does not include a condition for the VPC endpoint
D.The route to the Gateway VPC Endpoint was added only to public subnets, not to private subnets
AnswerD

Correct; the route must be in the private subnet route table for EC2 instances to use the endpoint.

Why this answer

Option D is correct. The Gateway VPC Endpoint is only reachable from within the VPC, and the route to the endpoint must be added to the route tables of the subnets where the EC2 instances reside. The engineer added the route only to the public subnet route tables, not to the private subnet route tables.

Therefore, traffic from the EC2 instances destined for S3 uses the default route (0.0.0.0/0), which goes through the NAT Gateway or Internet Gateway rather than the endpoint. Option B is incorrect because the security group rule allows outbound HTTPS to all destinations. Option C is incorrect because the S3 bucket policy already allows the VPC endpoint.

Option A is incorrect because the endpoint is in the same region as the bucket.

259
Multi-Selecteasy

Which TWO of the following are true about AWS VPC endpoints? (Choose two.)

Select 2 answers
A.Gateway Endpoints can be used to access Amazon S3 and DynamoDB.
B.Interface Endpoints are free of charge.
C.Gateway Endpoints use AWS PrivateLink.
D.Both Gateway and Interface Endpoints require a NAT gateway.
E.Interface Endpoints are powered by AWS PrivateLink.
AnswersA, E

Only S3 and DynamoDB have Gateway Endpoints.

Why this answer

Options A and E are correct. A: Gateway Endpoints support S3 and DynamoDB. E: Interface Endpoints are powered by AWS PrivateLink.

B is wrong because Interface Endpoints are not free; you pay per hour and per GB processed. C is wrong because a Gateway Endpoint does not use PrivateLink; it works through route table entries. D is wrong because neither endpoint type requires a NAT gateway; avoiding that path is the point of using an endpoint.

260
MCQeasy

A company wants to use AWS Direct Connect to establish a dedicated network connection from their on-premises data center to AWS. They need to connect to a VPC in the us-east-1 region. Which of the following is a required step in the setup process?

A.Attach a Transit Gateway to the VPC.
B.Configure CloudFront to route traffic through the Direct Connect.
C.Create a site-to-site VPN connection as a backup.
D.Create a private virtual interface and attach it to a Virtual Private Gateway.
AnswerD

This is the standard procedure for Direct Connect private VIF.

Why this answer

To establish a Direct Connect connection to a VPC, you must create a private virtual interface (VIF) and attach it to a Virtual Private Gateway (VGW) that is attached to the VPC. The private VIF carries traffic over the dedicated connection and uses BGP to exchange routes between the on-premises network and the VPC via the VGW. This is the core requirement for routing traffic from the Direct Connect link into a VPC.

Exam trap

AWS often tests the misconception that a Transit Gateway is mandatory for Direct Connect, but the correct requirement is a Virtual Private Gateway attached to the VPC, not a Transit Gateway.

How to eliminate wrong answers

Option A is wrong because a Transit Gateway is not required for a single VPC connection; it is used to interconnect multiple VPCs or VPNs, and attaching it is optional. Option B is wrong because CloudFront is a content delivery network (CDN) and does not route traffic through Direct Connect; Direct Connect is a Layer 2/3 dedicated link, not a CDN service. Option C is wrong because a site-to-site VPN is not a required step; it is an optional backup for redundancy and is not mandatory for the Direct Connect setup process.

261
Multi-Selectmedium

Which TWO of the following are requirements for establishing an AWS Direct Connect private virtual interface? (Choose two.)

Select 2 answers
A.Jumbo frames support (MTU 9001).
B.A public IP address for the VIF.
C.A public BGP ASN.
D.A BGP session between the customer router and the AWS device.
E.A VLAN ID that is unique within the Direct Connect connection.
AnswersD, E

BGP is used to exchange routes.

Why this answer

Options D and E are correct. D: a BGP session between the customer router and the AWS device is required for routing. E: you need a VLAN ID that is unique on the connection and matches on both sides.

C is wrong because a private virtual interface does not need a public ASN; private ASNs are allowed. B is wrong because public IP addressing applies to public virtual interfaces, which are for public services. A is wrong because jumbo frames are optional.

262
Multi-Selecteasy

A network engineer is designing a Direct Connect solution with a public VIF and a private VIF. The private VIF will connect to a VPC via a Direct Connect Gateway. Which TWO of the following statements are correct regarding this setup? (Choose 2.)

Select 2 answers
A.The private VIF can be used without a virtual interface termination device on the customer side
B.The public VIF can be used to connect to a VPC via a Direct Connect Gateway
C.The private VIF can be used to access Amazon S3 over a private IP address
D.The Direct Connect Gateway allows the private VIF to connect to multiple VPCs in different AWS Regions
E.The public VIF can be used to access AWS public services such as Amazon S3 over Direct Connect
AnswersD, E

Direct Connect Gateway enables multi-region connectivity.

Why this answer

A public VIF provides access to AWS public services (such as S3) over Direct Connect, which is more consistent and lower latency than the internet. A private VIF attached to a Direct Connect Gateway can reach multiple VPCs in different regions. Option C is wrong because a private VIF does not access public endpoints (that is the public VIF's role).

Option A is wrong because a private VIF requires a virtual interface terminated on a customer router. Option B is wrong because a public VIF does not connect to VPCs.

263
MCQhard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access the internet to download software updates. The company has a NAT gateway in the public subnet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT gateway. However, the EC2 instance cannot access the internet. The network engineer verifies that the NAT gateway has an Elastic IP, the security group for the EC2 instance allows outbound HTTPS traffic, and the network ACL for the private subnet allows inbound and outbound ephemeral ports. What is the most likely cause of the issue?

A.The security group attached to the NAT gateway does not allow outbound traffic.
B.The route table for the public subnet does not have a route to an internet gateway.
C.The route table for the private subnet does not have a route to the NAT gateway.
D.The NAT gateway does not support UDP traffic.
AnswerB

The public subnet must have a default route to an internet gateway for the NAT gateway to reach the internet.

Why this answer

Option B is correct because the NAT gateway resides in the public subnet, and for it to route traffic to the internet, the public subnet's route table must have a default route pointing to an internet gateway. Without that, the NAT gateway cannot forward traffic. Option A is wrong because NAT gateways do not have security groups.

Option C is wrong because the private subnet route table is correctly configured. Option D is wrong because the NAT gateway supports UDP as well.

264
MCQeasy

A network engineer is troubleshooting connectivity between two EC2 instances in the same VPC but different subnets. The instances can ping each other's private IP addresses, but traffic on TCP port 443 fails. What is the most likely cause?

A.VPC Flow Logs misconfiguration.
B.Internet gateway not attached to the VPC.
C.Security group or network ACL rules blocking port 443.
D.Missing route in the route table.
AnswerC

Port 443 is likely blocked by a firewall rule.

Why this answer

Option C is correct because a security group or NACL is blocking port 443. Since ICMP works, the network layer is fine, but the application-layer port is blocked. Option D is wrong because route tables affect the network layer and are not port-specific.

Option A is wrong because VPC flow logs are for monitoring, not blocking. Option B is wrong because an internet gateway is not involved in traffic between two instances in the same VPC.

265
MCQhard

A company has a VPC with public and private subnets across two Availability Zones. The private subnets require outbound internet access for updates, but must not be directly reachable from the internet. The company has a NAT gateway in each public subnet. Security team reports that instances in private subnets cannot reach the internet. Which configuration should be verified first?

A.Verify that the route table for the public subnets has a default route pointing to an internet gateway, and the private subnets' route table has a default route pointing to the NAT gateway
B.Verify that the VPC has a VPC endpoint for S3 configured
C.Verify that the network ACLs for the private subnets allow outbound traffic to 0.0.0.0/0
D.Verify that the security groups attached to the instances allow outbound HTTPS traffic
AnswerA

NAT gateway must be in a public subnet with a route to an internet gateway, and private subnets must route 0.0.0.0/0 to the NAT gateway.

Why this answer

Option A is correct because a NAT gateway requires a route to an internet gateway in the route table of the public subnet where it resides, and the private subnet route table must have a default route pointing to the NAT gateway. Option C is wrong because NACLs are stateless and default NACLs allow all traffic; they are not the most likely cause. Option D is wrong because security groups are stateful and outbound traffic is allowed by default.

Option B is wrong because VPC endpoints are for specific AWS services, not general internet access.

266
MCQmedium

A network engineer is configuring an AWS Transit Gateway to connect multiple VPCs and an on-premises network via Direct Connect. The on-premises network advertises a prefix 10.0.0.0/8. One of the VPCs has a CIDR of 10.0.0.0/16. What will happen to traffic destined to 10.0.0.5 from another VPC attached to the Transit Gateway?

A.Traffic is routed to the VPC because of a more specific route
B.Traffic is dropped due to conflicting routes
C.Traffic is routed to the on-premises network because it is learned via Direct Connect
D.Traffic is load-balanced between the VPC and on-premises
AnswerA

Correct; Transit Gateway uses longest prefix match, and /16 is more specific than /8.

Why this answer

Option A is correct because Transit Gateway uses the most specific route (longest prefix match). The VPC's 10.0.0.0/16 is more specific than the on-premises 10.0.0.0/8, so traffic to 10.0.0.5 is routed to the VPC attachment. Option B is wrong because overlapping routes of different prefix lengths are not a conflict and nothing is dropped; the more specific route is preferred.

Option C is wrong because the on-premises route is less specific, so it is not used for 10.0.0.5 even though it is learned via Direct Connect. Option D is wrong because longest prefix match selects a single route; traffic is not load-balanced between the two.
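Both this question and question 257 (the firewall's untrust subnet with no route back to the Transit Gateway) come down to the same lookup rule, so one added example covers both. The Python below is not AWS code and not part of the question bank: it implements longest-prefix-match over a list of (CIDR, target) routes, the rule that VPC subnet route tables and Transit Gateway route tables apply, and runs it against constructed tables for the two scenarios. All CIDRs and target names are made up for the example.

```python
"""Longest-prefix-match route lookup for the Transit Gateway and subnet route table questions.

Added example, not AWS code. Every CIDR and target name below is constructed.
"""
import ipaddress


def lookup(route_table, destination):
    """Return the target of the most specific route covering `destination`, or None.

    `route_table` is a list of (cidr, target) pairs. AWS selects routes by longest
    prefix match, so a /16 beats a /8 for any address inside the /16. A None result
    means the table has no route for the destination at all and the packet is dropped.
    """
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


# Question 266: a Transit Gateway route table holding the on-premises /8 learned
# over Direct Connect and a VPC attachment whose CIDR sits inside that /8.
TGW_ROUTE_TABLE = [
    ("10.0.0.0/8", "dx-gateway-attachment"),
    ("10.0.0.0/16", "vpc-attachment-a"),
]

# Question 257: the firewall's untrust subnet in the shared services VPC
# (constructed CIDR 10.100.0.0/16). With only the local route, spoke traffic
# leaving the firewall has no target; adding a summary route toward the
# Transit Gateway attachment fixes it.
UNTRUST_TABLE_MISSING_ROUTE = [
    ("10.100.0.0/16", "local"),
]
UNTRUST_TABLE_FIXED = [
    ("10.100.0.0/16", "local"),
    ("10.0.0.0/8", "tgw-attachment"),  # covers every spoke VPC CIDR
]


if __name__ == "__main__":
    print(lookup(TGW_ROUTE_TABLE, "10.0.0.5"))                 # vpc-attachment-a
    print(lookup(TGW_ROUTE_TABLE, "10.7.0.5"))                 # dx-gateway-attachment
    print(lookup(UNTRUST_TABLE_MISSING_ROUTE, "10.2.0.10"))    # None
    print(lookup(UNTRUST_TABLE_FIXED, "10.2.0.10"))            # tgw-attachment
```

The order of entries in the table does not matter; only prefix length does, which is why a VPC's own /16 keeps winning no matter how the on-premises /8 was learned.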

267
MCQhard

A company is deploying a latency-sensitive application across multiple AWS Regions. They want to use the AWS global network to route traffic to the nearest edge location for fast content delivery. Which service should they use?

A.AWS Global Accelerator
B.Amazon Route 53
C.AWS Direct Connect
D.Amazon CloudFront
AnswerA

Global Accelerator improves performance by routing traffic over the AWS backbone to the nearest edge.

Why this answer

The correct answer is A because AWS Global Accelerator uses the AWS global network to direct traffic to the optimal endpoint, improving latency. Option D (CloudFront) is a CDN for caching content. Option B (Route 53) is a DNS service.

Option C (Direct Connect) is for dedicated connections from on-premises networks.

268
Multi-Selectmedium

A company is setting up a site-to-site VPN connection between an on-premises network and AWS. The VPN uses two tunnels for high availability. The network engineer needs to ensure that if one tunnel goes down, traffic automatically fails over to the other tunnel. Which THREE steps should the engineer perform? (Choose THREE.)

Select 3 answers
A.Configure static routes pointing to the VPN connection.
B.Configure BGP on both VPN tunnels.
C.Use a single customer gateway device with multiple BGP sessions.
D.Configure two customer gateway devices on-premises, each with a separate BGP session.
E.Enable route propagation on the VPC route table for the virtual private gateway.
AnswersB, D, E

BGP provides automatic failover between tunnels.

Why this answer

Options B, D, and E are correct. Using BGP allows dynamic routing and failover. Two customer gateway devices provide physical redundancy.

Enabling route propagation on the VPC route table ensures that BGP-learned routes are added automatically. Option A is wrong because static routes do not provide automatic failover. Option C is wrong because a single customer gateway device is a single point of failure.

269
MCQeasy

A company wants to enable DNS resolution for a hybrid network using Route 53 Resolver. The on-premises DNS servers are reachable via Direct Connect. The company wants to forward queries for a custom domain (example.corp) from the VPC to on-premises. Which resource should be created in the VPC?

A.A VPC endpoint for Route 53 Resolver service.
B.Route 53 Resolver rule that forwards example.corp to on-premises DNS servers.
C.Route 53 Resolver inbound endpoint.
D.Route 53 Resolver outbound endpoint and associate a resolver rule.
AnswerD

An outbound endpoint forwards DNS queries from VPC to on-premises, and a rule specifies the domain.

Why this answer

Option D is correct because a Route 53 Resolver outbound endpoint forwards DNS queries from the VPC to the on-premises DNS servers, and the associated resolver rule specifies which domain to forward. Option C is wrong because an inbound endpoint allows on-premises resolvers to query VPC DNS. Option B is wrong because a resolver rule specifies which domains to forward, but on its own it does nothing; it must be associated with an outbound endpoint.

Option A is wrong because forwarding is not configured with a VPC endpoint for the Route 53 Resolver service; you create Resolver inbound or outbound endpoints instead.

270
MCQhard

A company is setting up AWS Direct Connect with a 1 Gbps dedicated connection. They want redundant connectivity with automatic failover. What is the most cost-effective way to achieve this?

A.Use a single connection with multiple VLANs.
B.Use a single connection with a VPN over the same connection for redundancy.
C.Provision a second Direct Connect connection at a different location and configure BGP.
D.Provision a single Direct Connect connection and use a VPN over the internet as backup.
AnswerC

Two physical connections provide high availability with automatic failover via BGP.

Why this answer

Option C is correct because a second Direct Connect connection at a different location provides true redundancy, with BGP handling the failover. Option A is wrong because a single connection is a single point of failure regardless of how many VLANs it carries. Option D is wrong because it adds cost without providing the same redundancy as a second dedicated connection.

Option B is wrong because a VPN over the same connection does not help if that connection fails.

271
MCQeasy

A company has a VPC with public and private subnets in two Availability Zones. The company hosts a web application on EC2 instances in the private subnets. The application needs to access an S3 bucket. What is the MOST cost-effective and secure way to provide this access?

A.Deploy a NAT Gateway in each public subnet and route traffic from private subnets through it.
B.Use AWS Transit Gateway to route traffic to S3 via a centralized VPN.
C.Attach an Internet Gateway to the VPC and assign public IPs to the EC2 instances.
D.Create a VPC Gateway Endpoint for S3 and attach it to the private subnet route tables.
AnswerD

Cost-effective and secure; no data transfer costs.

Why this answer

Option D is correct because a VPC Gateway Endpoint for S3 provides private connectivity without traversing the internet, and it is free of charge (no data transfer costs). Option A is wrong because a NAT Gateway incurs hourly charges and data processing fees. Option B is wrong because a Transit Gateway is not needed for a single VPC.

Option C is wrong because an Internet Gateway exposes traffic to the internet and would require public IPs or NAT, increasing cost and risk.

272
MCQeasy

A company needs to securely connect multiple VPCs across different AWS Regions using AWS backbone network infrastructure without traversing the public internet. The solution must be managed centrally and support transitive routing between VPCs. Which service should the company use?

A.VPC peering connections in a full mesh.
B.AWS PrivateLink and VPC Endpoints.
C.AWS Transit Gateway with inter-region peering.
D.AWS ClassicLink.
AnswerC

Transit Gateway supports transitive routing across VPCs and regions using inter-region peering.

Why this answer

Option C is correct because AWS Transit Gateway supports transitive routing between VPCs across regions and uses the AWS backbone. Option A is wrong because VPC peering does not support transitive routing. Option B is wrong because VPC endpoints are for service access, not VPC-to-VPC connectivity.

Option D is wrong because ClassicLink is obsolete and does not support transitive routing.

273
Multi-Selecthard

Which THREE of the following are benefits of using AWS Transit Gateway over VPC peering for inter-VPC connectivity? (Choose three.)

Select 3 answers
A.Transitive routing between all attached VPCs
B.Lower latency than VPC peering
C.Support for connecting to on-premises networks via Direct Connect and VPN
D.No additional cost compared to VPC peering
E.Centralized management of network connections
AnswersA, C, E

Transit Gateway supports transitive routing; VPC peering does not.

Why this answer

Transit Gateway simplifies connectivity by acting as a hub, supports transitive routing, and can connect multiple VPCs and on-premises networks (via Direct Connect and VPN) through a single gateway, which is why A, C, and E are correct. B is wrong because VPC peering has no intermediate hop, so Transit Gateway is not lower latency. D is wrong because Transit Gateway adds hourly attachment and per-GB data processing charges that VPC peering does not have.

274
MCQhard

A financial services company is designing a multi-region architecture for disaster recovery. They have a primary VPC in us-east-1 and a standby VPC in us-west-2. Each VPC has its own CIDR block (10.0.0.0/16 and 10.1.0.0/16). They want to use an inter-region VPC peering connection for replication traffic. Which of the following is a required step to establish this peering connection?

A.Ensure the VPC CIDR blocks do not overlap.
B.Create a VPN attachment between the two VPCs using AWS Site-to-Site VPN.
C.The owner of each VPC must accept the peering connection request.
D.Create two separate peering connections, one for each direction of traffic.
AnswerC

Both sides must accept the peering request for it to be active.

Why this answer

For inter-region VPC peering, the owner of each VPC must accept the peering request. Option B is wrong because VPC peering does not use a VPN connection. Option A is wrong because the CIDR blocks given are already non-overlapping, so no step is needed there.

Option D is wrong because the peering connection is a single entity that carries traffic in both directions; you do not create two separate connections.

275
MCQmedium

A company has deployed a VPC with a public subnet and a private subnet in each of two Availability Zones. They have an Application Load Balancer (ALB) in the public subnets and EC2 instances in the private subnets. The EC2 instances need to access an external API over HTTPS. What is the MOST secure way to provide this access?

A.Deploy a NAT Gateway in each public subnet and add a default route in the private subnet route tables pointing to the NAT Gateway.
B.Create a VPC endpoint for the external API service.
C.Assign public IP addresses to the EC2 instances and allow outbound traffic in the security group.
D.Set up a VPN connection to an on-premises network that has internet access.
AnswerA

NAT Gateway provides outbound-only internet access securely.

Why this answer

A NAT Gateway in a public subnet allows outbound HTTPS traffic from private instances while preventing unsolicited inbound traffic. Option C is wrong because a public IP on the instances exposes them directly. Option D is wrong because a VPN is for private connectivity, not internet access.

Option B is wrong because VPC endpoints are for specific AWS services, not external APIs.

276
Multi-Selectmedium

Which TWO of the following are valid methods to connect multiple VPCs together in a hub-and-spoke topology while maintaining centralized control? (Choose two.)

Select 2 answers
A.Create a VPN connection between each VPC and a central VPN appliance.
B.Establish VPC peering connections in a full mesh and manage routes centrally.
C.Use Direct Connect to connect VPCs.
D.Use an AWS Transit Gateway with a central VPC as the hub.
E.Use VPC Gateway Endpoints to connect VPCs.
AnswersB, D

Possible but less scalable than Transit Gateway.

Why this answer

Correct: D (Transit Gateway with a central VPC as the hub) and B (VPC peering in a full mesh with centrally managed routes) are valid hub-and-spoke methods. A is wrong because VPNs are not typically used for VPC-to-VPC connectivity. E is wrong because VPC endpoints are for connecting to AWS services, not VPCs.

C is wrong because Direct Connect is for on-premises connectivity, not VPC-to-VPC.

277
Multi-Selectmedium

A company is designing a VPC with a public subnet and a private subnet. The private subnet hosts an RDS database, and the public subnet hosts a web server. The web server needs to access the database. Which TWO of the following are required to allow the web server to connect to the database?

Select 2 answers
A.An inbound rule in the database's security group that allows traffic from the web server's private IP address.
B.An inbound rule in the database's security group that references the web server's security group.
C.An internet gateway attached to the VPC.
D.A route table associated with the private subnet that includes a route to the public subnet's CIDR block via the local route.
E.A NAT gateway in the public subnet.
AnswersB, D

Allows traffic from any instance with that SG.

Why this answer

Option B is correct because the database's security group must allow inbound MySQL traffic from the web server, and referencing the web server's security group is the standard way to do that. Option A is not required because a security-group reference covers every instance in that group without hard-coding IP addresses. Option D is correct because the private subnet's route table must route traffic to the public subnet's CIDR, which is satisfied by the local route that every VPC route table contains automatically.

Option C is not required because an internet gateway only matters for internet-bound traffic, not for communication between subnets inside the VPC. Option E is not required because a NAT gateway provides outbound internet access for private subnets, which the database does not need in order to answer the web server.

278
MCQeasy

A company has deployed an application in a VPC with public and private subnets across two Availability Zones. The application uses an Application Load Balancer (ALB) in the public subnets to distribute traffic to EC2 instances in the private subnets. The company wants to use AWS WAF to protect against SQL injection attacks. Where should the AWS WAF web ACL be associated?

A.The Application Load Balancer.
B.Amazon Route 53 hosted zone.
C.The security group of the EC2 instances.
D.The VPC internet gateway.
AnswerA

AWS WAF can be associated with an ALB for web traffic protection.

Why this answer

Option A is correct because an AWS WAF web ACL can be associated with an ALB. Option B is wrong because AWS WAF does not protect Route 53 hosted zones. Option D is wrong because AWS WAF cannot be associated with an internet gateway.

Option C is wrong because AWS WAF is not associated with security groups.

279
Multi-Selecteasy

Which TWO of the following are valid methods to provide outbound internet access to instances in a private subnet?

Select 2 answers
A.Use a VPC endpoint for internet access
B.Attach an internet gateway directly to the private subnet
C.Deploy a NAT instance in a public subnet and configure routing
D.Deploy a NAT gateway in a public subnet and add a route to it from the private subnet
E.Use a VPN connection to the internet
AnswersC, D

NAT instance is a legacy but valid method.

Why this answer

Option D is correct because a NAT gateway provides outbound internet access for a private subnet. Option C is correct because a NAT instance can also provide this functionality. Option B is wrong because an internet gateway is attached to the VPC, not to a subnet, and requires instances to have public IPs, which is not suitable for private subnets.

Option A is wrong because VPC endpoints are for accessing AWS services only. Option E is wrong because a VPN does not provide direct internet access.

280
MCQhard

A company has a VPC with CIDR 10.0.0.0/16. They have two Availability Zones (us-east-1a and us-east-1b). In each AZ, there is a public subnet (10.0.1.0/24 and 10.0.2.0/24) and a private subnet (10.0.3.0/24 and 10.0.4.0/24). A NAT Gateway is deployed in the public subnet of us-east-1a. The private route tables for both private subnets have a default route pointing to the NAT Gateway. An application team has deployed EC2 instances in the private subnets. They report that instances in us-east-1b cannot access the internet, while instances in us-east-1a can. The NAT Gateway is healthy and has an Elastic IP attached. The route tables for the public subnets have a default route to the Internet Gateway. What is the most likely cause of the issue?

A.The NAT Gateway is deployed in a private subnet
B.The route table for the public subnet in us-east-1b does not have a default route to the Internet Gateway
C.The NAT Gateway has reached the maximum number of concurrent connections
D.The NAT Gateway is in a different Availability Zone than the private subnet instances, causing cross-AZ data transfer charges
AnswerB

The NAT Gateway needs a route to the Internet Gateway in its subnet's route table to forward traffic.

Why this answer

Option B is correct. The NAT Gateway is only in us-east-1a, so traffic from the us-east-1b private subnet must cross an Availability Zone boundary; the private route table in us-east-1b points to a NAT Gateway in a different AZ, which is allowed.

The issue is therefore most likely that the public subnet route table for us-east-1b has no route to the Internet Gateway, so the NAT Gateway cannot send traffic out. Option D is wrong because cross-AZ traffic is allowed. Option C is wrong because there is no such limit.

Option A is wrong because NAT Gateways are deployed in public subnets, not private subnets.

281
MCQmedium

A company is using AWS Direct Connect with a private virtual interface (VIF) to connect its on-premises data center to a VPC. The VPC has a virtual private gateway (VGW) attached. The company has recently added a second VPC and wants to use the same Direct Connect connection to access both VPCs. The network engineer proposes using a Direct Connect gateway (DXGW) with two private VIFs, one for each VPC. However, the engineer wants to minimize complexity and cost. Which configuration should the engineer use to allow both VPCs to use the same Direct Connect connection?

A.Create a Direct Connect gateway and associate it with the private VIF. Then associate both VPCs' virtual private gateways with the Direct Connect gateway.
B.Create a private VIF for each VPC on the same Direct Connect connection.
C.Create a public virtual interface on the Direct Connect connection and attach both VPCs to it.
D.Create a single private VIF and attach both VPCs directly to it.
AnswerA

DXGW allows one VIF to reach multiple VPCs.

Why this answer

Option A is correct because a Direct Connect gateway can be associated with multiple VGWs from different VPCs, allowing a single private VIF to connect to multiple VPCs. Option C is incorrect because a private VIF is needed, not a public one. Option D is incorrect because each VPC needs its own VGW; VPCs cannot be attached directly to a VIF.

Option B is incorrect because multiple private VIFs increase cost and complexity.

282
MCQeasy

A company is deploying a VPC with public and private subnets in two Availability Zones. The workloads in the private subnets need to access the internet for software updates. What is the MOST secure way to provide this internet access?

A.Deploy a NAT gateway in a public subnet and update the private subnets' route table to point default traffic to the NAT gateway.
B.Set up a VPN connection to an on-premises network with internet access.
C.Use a transit gateway with a VPC attachment and route internet traffic through a centralized inspection VPC.
D.Attach an internet gateway to the VPC and route the private subnets' traffic to it.
AnswerA

NAT gateway allows outbound internet access while blocking unsolicited inbound traffic.

Why this answer

Option A is correct because a NAT gateway in a public subnet allows outbound traffic while preventing inbound connections from the internet. Option D is wrong because routing private subnets to an internet gateway would expose them directly. Option C is wrong because a transit gateway is for connecting multiple VPCs, not for providing internet access.

Option B is wrong because a VPN connection is for private connectivity, not internet access.

283
MCQmedium

A company is using AWS Direct Connect with a public virtual interface to access Amazon S3. The on-premises network has a firewall that only allows traffic to specific IP prefixes. What is the best practice to ensure connectivity while maintaining security?

A.Allow all traffic to the AWS region's IP range.
B.Set up a Site-to-Site VPN tunnel over Direct Connect.
C.Use a private virtual interface and connect through a VPC endpoint.
D.Use the S3 IP prefix list from AWS to create firewall rules.
AnswerD

Prefix lists provide specific S3 IP addresses.

Why this answer

Option D is correct because using the S3 public IP prefix list from AWS allows you to restrict traffic to known S3 IPs. Option A is wrong because S3 does not have a single IP, and allowing the whole region range is too broad. Option C is wrong because a private VIF is for VPC access, not S3.

Option B is wrong because a VPN does not replace Direct Connect.

284
Multi-Selectmedium

A company is designing a multi-region active-active application using Application Load Balancers (ALBs) and AWS Global Accelerator. Which TWO configurations are required to route traffic to the correct regional endpoint based on the client's location?

Select 2 answers
A.Define endpoint groups in Global Accelerator for each region.
B.Enable AWS Shield Advanced on the ALBs.
C.Create an AWS Global Accelerator accelerator with endpoints in both regions.
D.Configure cross-region load balancing in the ALB target groups.
E.Configure Amazon Route 53 latency-based routing to the ALBs.
AnswersA, C

Endpoint groups specify the regional endpoints and traffic distribution.

Why this answer

Option C is correct because Global Accelerator uses anycast IPs to route traffic to the nearest healthy endpoint. Option A is correct because endpoint groups in Global Accelerator define the regional endpoints and traffic distribution. Option E is wrong because Route 53 latency routing is not used with Global Accelerator.

Option D is wrong because target groups are within a region, not across regions. Option B is wrong because AWS Shield Advanced provides DDoS protection, not traffic routing.

285
MCQhard

A company is designing a highly available architecture for a web application using an Application Load Balancer (ALB) across multiple Availability Zones. The ALB is internet-facing and uses TLS termination. The application requires that client IP addresses be preserved in the backend logs. The backend instances are in private subnets behind the ALB. Which configuration will ensure client IP addresses are preserved without additional overhead?

A.Attach a VPC Endpoint to the ALB to capture client IP
B.Enable Proxy Protocol v2 on the target group
C.Replace the ALB with a Network Load Balancer (NLB)
D.Configure the ALB to pass the X-Forwarded-For header and ensure backend logs parse it
AnswerD

ALB automatically adds the X-Forwarded-For header, and the backend can log it to capture the client IP.

Why this answer

Option D is correct because the ALB preserves the client IP address by inserting the X-Forwarded-For header; enabling Proxy Protocol is not necessary for HTTP/HTTPS traffic. Option B is wrong because enabling Proxy Protocol on the target group adds overhead and is typically used for TCP traffic. Option C is wrong because a Network Load Balancer would not preserve the client IP in the same way for HTTP; an NLB preserves the source IP by default for TCP/UDP, not at the HTTP layer.

Option A is wrong because a VPC Endpoint is irrelevant here.
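As an added example (not part of the original question set), the following Python shows how a backend should read the client IP out of X-Forwarded-For. An ALB appends the IP of the peer that connected to it as the last value of the header, so any values further left may have been supplied by the client and must not be logged as the source. The subnet ranges, log format and addresses below are constructed for the example.

```python
"""Recover the client IP from X-Forwarded-For as appended by an ALB."""
from ipaddress import ip_address, ip_network

# Constructed: the public subnets the ALB nodes live in. Only connections
# arriving from these ranges carry an X-Forwarded-For we are willing to trust.
ALB_SUBNETS = [ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24")]


def from_trusted_proxy(peer_ip, proxy_subnets=ALB_SUBNETS):
    """True if the TCP peer is one of our own load balancer nodes."""
    addr = ip_address(peer_ip)
    return any(addr in net for net in proxy_subnets)


def client_ip_from_xff(xff_header, trusted_hops=1):
    """Return the client IP appended by the last trusted proxy.

    Each trusted proxy appends exactly one value, so with one trusted hop (the
    ALB) the client IP is the last value; with two (e.g. CDN then ALB) it is the
    second from the right. Anything left of that is client-controlled.
    """
    parts = [p.strip() for p in (xff_header or "").split(",") if p.strip()]
    if len(parts) < trusted_hops:
        return None
    candidate = parts[-trusted_hops]
    try:
        return str(ip_address(candidate))
    except ValueError:  # not an IP literal: refuse rather than log garbage
        return None


def resolve_client_ip(peer_ip, xff_header, trusted_hops=1):
    """Client IP to record. If the peer is not a trusted proxy, ignore XFF."""
    if not from_trusted_proxy(peer_ip):
        return peer_ip
    return client_ip_from_xff(xff_header, trusted_hops) or peer_ip


# Constructed backend log lines: '<peer_ip> "<x-forwarded-for>" <method> <path>'
SAMPLE_LOG = [
    '10.0.1.45 "203.0.113.7" GET /login',
    '10.0.2.17 "10.10.10.10, 198.51.100.9" GET /admin',  # leftmost value spoofed by client
    '10.0.3.9 "203.0.113.200" GET /health',              # direct from inside the VPC, not via ALB
]


def parse_log(lines, trusted_hops=1):
    """Parse the constructed log format and attach the resolved client IP."""
    records = []
    for line in lines:
        peer, rest = line.split(" ", 1)
        xff, request = rest.split('" ', 1)
        xff = xff.strip('"')
        records.append({
            "request": request,
            "peer": peer,
            "client_ip": resolve_client_ip(peer, None if xff == "-" else xff, trusted_hops),
        })
    return records


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec)
```

The key design choice is to count from the right, not the left, and to apply that only when the connection really came from an ALB subnet; a request that reaches the backend directly (the third line) keeps its peer address as the client IP.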

286
MCQhard

A company has deployed a web application behind an Application Load Balancer (ALB) in a VPC. The ALB is in public subnets, and the web servers are in private subnets. The ALB is configured with a target group pointing to the web servers. Users report intermittent 503 errors. The web servers are healthy according to the target group health checks. What is the most likely cause?

A.The ALB subnets do not have a route to an internet gateway
B.The target group health check interval is too long
C.The ALB is configured as internal instead of internet-facing
D.Cross-zone load balancing is disabled
AnswerA

Without a route to an internet gateway, the ALB cannot respond to client requests, causing 503 errors.

Why this answer

Option A is correct because internet-facing ALBs require a route to an internet gateway in their subnet route table to respond to clients. Option C is wrong because the ALB is internet-facing, not internal. Option B is wrong because the web servers are reported healthy.

Option D is wrong because cross-zone load balancing is enabled by default on an ALB and would not cause intermittent errors.

287
Multi-Selectmedium

A network engineer is troubleshooting a connectivity issue between two VPCs (VPC-A and VPC-B) that are connected via a VPC peering connection. The engineer has verified that the route tables in both VPCs have the appropriate routes. However, instances in VPC-A cannot ping instances in VPC-B. Which TWO actions should the engineer take to resolve this issue? (Choose two.)

Select 2 answers
A.Add a route in VPC-A's route table pointing to the VPC peering connection for the CIDR of VPC-B.
B.Enable DNS resolution for the VPC peering connection.
C.Verify that the network ACLs in VPC-B allow inbound ICMP traffic from VPC-A.
D.Verify that the security groups of the instances in VPC-B allow inbound ICMP traffic from the CIDR of VPC-A.
E.Configure a transit gateway to route traffic between the two VPCs.
AnswersC, D

Network ACLs are stateless and must allow both inbound and outbound traffic; if ICMP is denied, pings will fail.

Why this answer

Option C is correct because network ACLs are stateless firewalls that control inbound and outbound traffic at the subnet level. Even if the route tables are correctly configured, a network ACL in VPC-B that denies inbound ICMP traffic from VPC-A's CIDR will block ping requests. Option D is correct because security groups are stateful and must explicitly allow inbound ICMP traffic from VPC-A's CIDR; without this rule, the instances in VPC-B will drop the ping requests.

Exam trap

AWS often tests the distinction between stateless network ACLs and stateful security groups, and candidates mistakenly assume that correct route tables alone guarantee connectivity, overlooking the need to verify both firewall layers for the specific protocol (ICMP).

288
MCQhard

A company is using CloudFormation to deploy a VPC. The private subnet route table has a route to a NAT gateway. However, instances in the private subnet cannot access the internet. The NAT gateway is in a public subnet and has an attached Elastic IP. What is the most likely issue?

A.The public subnet does not have a route to the internet gateway.
B.The private subnet route table does not have a route to the NAT gateway.
C.The NAT gateway is not in the same subnet as the private instances.
D.The NAT gateway's security group is blocking traffic from the private subnet.
AnswerD

NAT gateway security groups can block traffic.

Why this answer

Option D is correct because the NAT gateway's security group must allow inbound traffic from the private subnet and outbound traffic to the internet. Option B is incorrect because the private route table's route to the NAT gateway is present.

Option C is incorrect because a NAT gateway belongs in a public subnet, not in the same subnet as the private instances.

289
Multi-Selecthard

Which TWO of the following are required to establish a BGP session over a Direct Connect private virtual interface? (Choose TWO.)

Select 2 answers
A.A VLAN ID
B.A public IP address for the BGP peer
C.A Direct Connect gateway
D.BGP session with a customer router and AWS router
E.A VPN connection to the VPC
AnswersA, D

Each virtual interface is associated with a VLAN.

Why this answer

Options A and D are correct. A VLAN ID is required to tag the traffic on the physical connection, and a BGP session between the customer router and the AWS router, with Autonomous System Numbers (ASNs), is required for routing.

Option B is wrong because a public IP is not used on a private VIF; private IP addresses are used for the BGP peers. Option E is wrong because a VPN connection is a separate mechanism. Option C is wrong because a Direct Connect gateway is optional and only needed for connecting to multiple VPCs.

290
MCQhard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to initiate outbound connections to the internet. The company has a NAT gateway in the public subnet. The NAT gateway has an Elastic IP. The private subnet route table has a default route pointing to the NAT gateway. However, the EC2 instance cannot reach the internet. What is the most likely cause?

A.The security group of the EC2 instance blocks outbound traffic.
B.The route table in the public subnet does not have a default route to the internet gateway.
C.The network ACL of the private subnet blocks inbound traffic from the NAT gateway.
D.The NAT gateway's Elastic IP is not allowed by the destination's firewall.
AnswerD

Destination may block the public IP.

Why this answer

Option D is correct because the destination must allow traffic from the NAT gateway's Elastic IP. Option B is incorrect because a default route exists. Option A is incorrect because security groups are stateful and allow outbound traffic by default.

Option C is incorrect: NACLs are stateless, so an inbound rule for ephemeral ports is needed, but the more likely issue here is the NAT gateway's public IP not being allowed by the destination.

291
MCQhard

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. The on-premises network uses BGP to advertise routes to the VPC. The company wants to extend this connectivity to a second VPC in the same region without creating additional Direct Connect connections. Which solution should be used?

A.Create a second Direct Connect private VIF for the second VPC.
B.Set up a Site-to-Site VPN from the on-premises network to the second VPC.
C.Create a VPC peering connection between the two VPCs.
D.Use a transit gateway and attach both VPCs and the Direct Connect private VIF.
AnswerD

Transit gateway allows multiple VPCs to share Direct Connect.

Why this answer

Option D is correct because a transit gateway can be attached to both VPCs and to the Direct Connect VIF, enabling connectivity. Option C is wrong because VPC peering does not support transitive routing over Direct Connect. Option A is wrong because an additional VIF is not required.

Option B is wrong because a VPN is not needed.

292
MCQeasy

A company is setting up an AWS Client VPN endpoint for remote access. Users report they can connect to the VPN but cannot access resources in the VPC. The VPN endpoint is associated with a subnet that has a route table with a route to an internet gateway. The security group for the VPN endpoint allows all traffic. What could be the issue?

A.The route table associated with the VPN subnet does not have a route to the VPC CIDR
B.The authorization rules for the VPN endpoint do not include the VPC CIDR
C.The security group for the VPN endpoint does not allow outbound traffic
D.The client CIDR range overlaps with the VPC CIDR
AnswerA

A route to the VPC CIDR via the VPN endpoint's network interface is required.

Why this answer

Option A is correct because the route table associated with the VPN subnet must have a route to the VPC CIDR via the VPN endpoint's network interface. Option B is wrong because authorization rules control user access, not routing. Option D is wrong because the client CIDR range is only used to allocate VPN client IPs.

Option C is wrong because the security group allows all traffic.

293
MCQmedium

A company has a VPC with a CIDR of 172.16.0.0/16. The VPC has two subnets: subnet A (172.16.1.0/24) and subnet B (172.16.2.0/24). The company launches an EC2 instance in subnet A with a private IP of 172.16.1.10 and a public IP. The instance's security group allows inbound SSH from 0.0.0.0/0. The subnet A's route table has a route to an internet gateway (IGW) for 0.0.0.0/0. The network engineer can SSH into the instance from the internet. The company then attaches a second network interface (eth1) to the instance with an IP from subnet B (172.16.2.20). The engineer wants to use this interface for additional management traffic. After attaching, the engineer can no longer SSH into the instance via the original public IP. What is the MOST likely cause?

A.The operating system's routing table now uses eth1 as the default gateway, causing asymmetric routing.
B.The route table for subnet B does not have a route to the IGW.
C.The security group for eth1 blocks inbound SSH.
D.The internet gateway is not attached to subnet B.
AnswerA

Asymmetric routing can cause connection issues.

Why this answer

Option A is correct because when you attach a second ENI, the OS may change the default route, causing traffic to egress via the new interface (asymmetric routing). Option C is incorrect because the security group already allows SSH. Option B is incorrect because subnet A's route table is unchanged and still correct.

Option D is incorrect because an internet gateway is attached to the VPC, not to a subnet.

294
MCQmedium

A company needs to connect its on-premises data center to AWS using AWS Direct Connect. The company has two redundant connections and wants to use BGP as the routing protocol. Which BGP attribute should be manipulated to influence outbound traffic from AWS to the on-premises network?

A.Set the Local Preference attribute on routes received from AWS.
B.Prepend AS_PATH on routes advertised to AWS.
C.Set the MED attribute on routes advertised to AWS.
D.Apply a BGP community tag to routes received from AWS.
AnswerB

AS_PATH prepend makes a path less preferred for outbound traffic from AWS.

Why this answer

Option B is correct because AS_PATH prepending can be used to influence outbound traffic from AWS by making one path less preferred. Option C is wrong because MED influences inbound traffic. Option A is wrong because Local Preference is used within an AS to influence that AS's outbound traffic and is not sent to external peers.

Option D is wrong because the community attribute can be used for various routing policies but does not directly influence outbound traffic in this context.

295
MCQeasy

A network engineer created the CloudFormation stack shown. After creation, an EC2 instance launched in PublicSubnet does not have a public IP address. What is the most likely reason?

A.The VPC does not have an Internet Gateway attached
B.The subnet does not have an Internet Gateway attached
C.The subnet's route table does not have a route to a NAT Gateway
D.The instance type does not support public IP addresses
AnswerA

Without an Internet Gateway, instances cannot be assigned public IPs or reach the internet.

Why this answer

The subnet property 'MapPublicIpOnLaunch' is set to true, but the VPC does not have an Internet Gateway attached, and the subnet's route table does not have a route to an Internet Gateway. Without an Internet Gateway, public IP assignment might not work as expected, or the instance cannot reach the internet.

296
MCQhard

A global e-commerce company uses AWS CloudFront to distribute content. They have an origin behind an Application Load Balancer (ALB) in a VPC. The ALB is internet-facing and has a security group that allows inbound HTTPS traffic from CloudFront's IP ranges. Users in some regions report slow loading times. The company wants to reduce latency and improve performance. They are considering using Lambda@Edge and origin failover. However, they also notice that the ALB is receiving traffic directly from some IPs that are not CloudFront IPs, causing unnecessary load. What should a network engineer do to restrict access to the ALB to only CloudFront?

A.Update the ALB security group to allow inbound HTTPS only from the CloudFront managed prefix list
B.Use AWS WAF to block requests that do not come from CloudFront IPs
C.Configure the ALB to require a custom header (e.g., X-Origin-Verify) and validate it in the origin
D.Set up a VPC endpoint for CloudFront to route traffic privately
AnswerA

This restricts access to CloudFront IPs only.

Why this answer

Option A is correct: the best practice is to restrict the ALB security group to the CloudFront managed prefix list (com.amazonaws.global.cloudfront.origin-facing), which dynamically allows CloudFront IPs. Option C (custom header) is a useful additional control but not sufficient alone, because attackers can mimic headers.

Option B (AWS WAF) can help but is not the primary method. Option D is not a precise control either.

297
MCQhard

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network team notices that traffic to a particular EC2 instance is taking a suboptimal path that goes through the internet instead of Direct Connect. The EC2 instance has both a private IP and a public IP. The on-premises router is advertising the VPC's CIDR block over BGP. What is the most likely cause?

A.The private VIF is not configured to route the VPC CIDR.
B.The security group on the EC2 instance is blocking traffic from the on-premises IP range.
C.The on-premises router is not advertising the VPC CIDR to the Direct Connect router.
D.The on-premises DNS is resolving the EC2 instance's public IP address instead of its private IP address.
AnswerD

When using Direct Connect, you should use private IP addresses to ensure traffic stays on the private network.

Why this answer

Option D is correct. If the on-premises side reaches the instance via its public IP, traffic will go over the internet, not Direct Connect; the on-premises DNS is resolving the public IP instead of the private IP for the instance.

Option A is incorrect because the private VIF is designed for private IP traffic. Option B is incorrect because security groups do not affect routing paths. Option C is incorrect because the BGP advertisement of the VPC CIDR is correct.

298
Multi-Selectmedium

A company has a VPC with multiple subnets. They want to use VPC Flow Logs to capture network traffic metadata for troubleshooting. Which TWO of the following are valid destinations for VPC Flow Logs? (Select TWO.)

Select 2 answers
A.Amazon CloudWatch Logs log group
B.Amazon Kinesis Data Firehose delivery stream
C.AWS Lambda function
D.Amazon Simple Queue Service (SQS) queue
E.Amazon S3 bucket
AnswersA, E

CloudWatch Logs is a supported destination for VPC Flow Logs.

Why this answer

Options A and E are correct. VPC Flow Logs can be published to Amazon S3 or Amazon CloudWatch Logs. Option B is wrong because Kinesis Data Firehose is not a direct destination; you can use a CloudWatch Logs subscription filter to send to Firehose.

Option D is wrong because SQS is not a supported destination. Option C is wrong because Lambda is not a direct destination; you can use a CloudWatch Logs subscription filter to invoke Lambda.

299
MCQmedium

A company has a VPC with private subnets that use a NAT gateway for outbound internet access. The NAT gateway is in a public subnet with an Elastic IP. Users report that some applications are failing to connect to external services. Network engineers confirm that the NAT gateway is in the 'available' state and the route tables have a default route (0.0.0.0/0) pointing to the NAT gateway. What is the most likely cause?

A.The security group for the private instances is blocking outbound traffic.
B.The network ACL for the public subnet is blocking inbound traffic on ephemeral ports.
C.The NAT gateway has reached its connection limit.
D.The route table for the private subnets is missing a route to the internet gateway.
AnswerB

NACL must allow inbound traffic from the internet on ephemeral ports (1024-65535) for return traffic.

Why this answer

Option B is correct because NACLs are stateless and must allow both outbound and inbound traffic for the ephemeral ports used by the NAT gateway. If the inbound rule for ephemeral ports is missing, return traffic is blocked. Option D is wrong because the private route table is correct; it should point to the NAT gateway, not the internet gateway.

Option C is wrong because the NAT gateway can handle many concurrent connections. Option A is wrong because the problem is inbound return traffic, not outbound.
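The stateless-versus-stateful distinction behind question 299 (NAT return traffic on ephemeral ports) and question 287 (ICMP blocked by a peer VPC's NACL) is easy to get wrong by reading alone, so the following Python is added here as a small evaluator, not code from the original question set. It models a NACL as an ordered rule list with an implicit deny and a security group as a stateful allow list, then diagnoses the two scenarios. All rule sets, addresses and ports are constructed for the example.

```python
"""Stateless NACL vs stateful security-group evaluation for NAT and peering flows."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated in ascending order, first match wins
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp", "icmp" or "all"
    cidr: str        # source CIDR for inbound, destination CIDR for outbound
    port_from: int   # ignored for "all" and "icmp"
    port_to: int
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class SgRule:
    direction: str
    protocol: str
    cidr: str
    port_from: int
    port_to: int


def _port_matches(rule_protocol, port_from, port_to, port):
    if rule_protocol in ("all", "icmp"):
        return True
    return port_from <= port <= port_to


def nacl_allows(rules, direction, remote_ip, protocol, port):
    """Evaluate one packet direction against a NACL; unmatched packets hit the implicit deny."""
    for r in sorted((r for r in rules if r.direction == direction), key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if ip_address(remote_ip) not in ip_network(r.cidr):
            continue
        if not _port_matches(r.protocol, r.port_from, r.port_to, port):
            continue
        return r.action == "allow"
    return False


def nacl_flow_allowed(rules, remote_ip, protocol, dst_port, ephemeral_port):
    """Stateless: request and reply are evaluated independently.
    The reply arrives inbound with the NAT gateway's ephemeral port as destination."""
    request_ok = nacl_allows(rules, "outbound", remote_ip, protocol, dst_port)
    reply_ok = nacl_allows(rules, "inbound", remote_ip, protocol, ephemeral_port)
    return request_ok and reply_ok


def sg_flow_allowed(rules, remote_ip, protocol, dst_port):
    """Stateful: only the initiating direction is checked; replies are tracked automatically."""
    for r in rules:
        if r.direction != "outbound" or r.protocol not in ("all", protocol):
            continue
        if ip_address(remote_ip) not in ip_network(r.cidr):
            continue
        if _port_matches(r.protocol, r.port_from, r.port_to, dst_port):
            return True
    return False


# Constructed public-subnet NACL that forgot the inbound ephemeral-port rule (question 299).
BROKEN_NACL = [
    NaclRule(100, "outbound", "all", "0.0.0.0/0", 0, 65535, "allow"),
    NaclRule(100, "inbound", "tcp", "0.0.0.0/0", 443, 443, "allow"),
    NaclRule(110, "inbound", "tcp", "0.0.0.0/0", 80, 80, "allow"),
]
FIXED_NACL = BROKEN_NACL + [NaclRule(120, "inbound", "tcp", "0.0.0.0/0", 1024, 65535, "allow")]
INSTANCE_SG = [SgRule("outbound", "all", "0.0.0.0/0", 0, 65535)]  # private instance: allow all out
REMOTE = "203.0.113.10"   # constructed external service address (TEST-NET-3)
NAT_EPHEMERAL = 50123     # constructed port from the NAT gateway's 1024-65535 range


def diagnose(nacl):
    """Show where a HTTPS flow from a private instance through the NAT gateway is dropped."""
    return {
        "sg_allows_flow": sg_flow_allowed(INSTANCE_SG, REMOTE, "tcp", 443),
        "nacl_allows_request": nacl_allows(nacl, "outbound", REMOTE, "tcp", 443),
        "nacl_allows_reply": nacl_allows(nacl, "inbound", REMOTE, "tcp", NAT_EPHEMERAL),
        "flow_completes": nacl_flow_allowed(nacl, REMOTE, "tcp", 443, NAT_EPHEMERAL),
    }


# Constructed VPC-B subnet NACL that allows TCP from VPC-A but has no ICMP rule (question 287).
PEER_NACL = [
    NaclRule(100, "inbound", "tcp", "10.0.0.0/16", 0, 65535, "allow"),
    NaclRule(100, "outbound", "all", "0.0.0.0/0", 0, 65535, "allow"),
]
PEER_NACL_WITH_ICMP = PEER_NACL + [NaclRule(110, "inbound", "icmp", "10.0.0.0/16", 0, 0, "allow")]


def ping_reaches_peer(nacl, src_ip="10.0.1.5"):
    """Does an ICMP echo request from VPC-A (constructed CIDR 10.0.0.0/16) pass VPC-B's NACL?"""
    return nacl_allows(nacl, "inbound", src_ip, "icmp", 0)


if __name__ == "__main__":
    print("broken NACL:", diagnose(BROKEN_NACL))
    print("fixed NACL: ", diagnose(FIXED_NACL))
    print("ping without ICMP rule:", ping_reaches_peer(PEER_NACL))
    print("ping with ICMP rule:   ", ping_reaches_peer(PEER_NACL_WITH_ICMP))
```

Running `diagnose` on the broken NACL shows the security group and the outbound NACL rule both passing while the reply is dropped, which is exactly the symptom of an "available" NAT gateway with correct routes and failing connections; adding the 1024-65535 inbound rule makes the flow complete. The ICMP case shows that a TCP-only allow on the peer side is enough to break ping even when routes are right.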

300
MCQhard

A company uses AWS Direct Connect with a public VIF to access Amazon S3. They notice that traffic to S3 is taking a suboptimal path (going through the internet) instead of the Direct Connect connection. The VPC has a route table with a route for S3 prefix list via the virtual private gateway. What is the most likely cause?

A.The VPC does not have a VPC endpoint for S3
B.The public VIF is not associated with the correct Direct Connect gateway
C.The on-premises router is not advertising the S3 prefix list via BGP over the public VIF
D.The route table in the VPC does not have a route to the S3 prefix list via the virtual private gateway
AnswerC

S3 prefix must be advertised to route traffic over Direct Connect.

Why this answer

Option C is correct because Direct Connect public VIF routes are learned via BGP; if the S3 prefix is not advertised over the public VIF, traffic may go over the internet instead. Option B is wrong because a Direct Connect gateway is used with private and transit VIFs, not with a public VIF. Option A is wrong because VPC endpoints provide private connectivity from within the VPC, whereas the issue here is with the Direct Connect public VIF.

Option D is wrong because the route table already has a route for the prefix list.
