CCNA Network Implementation Questions

75 of 434 questions · Page 5/6 · Network Implementation topic · Answers revealed

301
MCQ · hard

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network uses BGP to advertise a specific prefix (10.0.0.0/16) to the VPC. Recently, the company deployed a new VPC with CIDR 10.0.0.0/16 in a different region and established a VPC peering connection between the two VPCs. Now, traffic from on-premises to the new VPC is being routed to the old VPC instead. How should the company resolve this issue?

A. Delete the VPC peering connection and use a VPN instead.
B. Update the on-premises router to advertise a more specific prefix for the new VPC over Direct Connect, such as 10.0.1.0/24, and ensure the new VPC's route table has a route to the on-premises network.
C. Configure the VPC peering connection to propagate routes to the Direct Connect virtual interface.
D. Disable route propagation on the VPC route tables and add static routes.
Answer: B

A more specific BGP advertisement will take precedence, directing traffic to the correct VPC.

Why this answer

Option B is correct because, by longest-prefix match, a more specific prefix (e.g., 10.0.1.0/24) advertised for the new VPC over Direct Connect takes precedence over the less specific 10.0.0.0/16 route learned via the VPC peering connection, so traffic can be directed correctly. Option A is wrong because deleting the peering connection would break connectivity between VPCs.

Option C is wrong because VPC peering does not support transitive routing. Option D is wrong because disabling route propagation would remove all propagated routes, including the correct ones.

302
Multi-Select · hard

A company is using AWS Direct Connect to connect its on-premises network to a VPC via a private virtual interface (VIF) attached to a virtual private gateway (VGW). The company wants to add redundant connectivity using a second Direct Connect connection from a different provider. The network team proposes using a Direct Connect gateway (DXGW) with two private VIFs from different connections, each attached to the DXGW. The DXGW will be associated with the VGW. Which THREE steps are required to complete this configuration? (Choose three.)

Select 3 answers
A. Add routes to the VPC subnets' route tables pointing to the Direct Connect gateway.
B. Associate both private virtual interfaces with the same Direct Connect gateway.
C. Associate the Direct Connect gateway with the virtual private gateway.
D. Advertise the on-premises prefixes over both BGP sessions to enable active-active or failover.
E. Create a separate virtual private gateway for each Direct Connect connection.
Answers: B, C, D

Both VIFs connect to the same DXGW for redundancy.

Why this answer

Option B is correct because both VIFs must be associated with the same DXGW. Option C is correct because the DXGW must be associated with the VGW. Option D is correct because the on-premises router must advertise the same BGP prefixes over both VIFs to enable active-active or failover.

Option A is incorrect because the VPC route tables must have routes pointing to the VGW, not to the DXGW directly. Option E is incorrect because a single VGW serves the VPC; VGWs are regional, not per-AZ or per-connection.

303
MCQ · easy

A company wants to provide internet access to instances in a private subnet while ensuring that traffic is logged and inspected. The solution must be highly available within a single AWS Region. Which approach should the company use?

A. Deploy a NAT Gateway in each Availability Zone and configure the private subnet route tables to point to the NAT Gateway in the same AZ. Use Gateway Load Balancer endpoint for traffic inspection.
B. Launch a NAT instance in a public subnet and configure it as the default route for the private subnet.
C. Create a VPC endpoint for the internet and attach it to the private subnet.
D. Attach an Internet Gateway to the VPC and add a default route to it in the private subnet's route table.
Answer: A

A NAT Gateway is highly available within its AZ; deploying one per AZ keeps the design available if an AZ fails. Gateway Load Balancer can inspect traffic.

Why this answer

Option A is correct because a NAT Gateway in each AZ is managed by AWS, provides high availability, and can be combined with a Gateway Load Balancer and third-party appliances for inspection and logging. Option B is wrong because a single NAT instance is not highly available. Option D is wrong because an Internet Gateway allows inbound traffic.

Option C is wrong because VPC endpoints are for private connectivity to AWS services, not internet access.

304
Multi-Select · hard

A company is setting up AWS Transit Gateway with multiple VPC attachments and an AWS Direct Connect Gateway. The company wants to control which VPCs can communicate with each other and with the on-premises network. Which THREE actions should the company take to implement this?

Select 2 answers
A. Associate the Direct Connect Gateway with the Transit Gateway.
B. Establish VPC peering connections between VPCs that need to communicate.
C. Use security groups to control traffic between VPCs.
D. Configure Transit Gateway peering attachments for inter-region connectivity.
E. Create separate Transit Gateway route tables for different groups of VPCs.
Answers: A, E

This enables on-premises connectivity through the transit gateway.

Why this answer

Option E is correct because Transit Gateway route tables define how traffic is routed between attachments. Option A is correct because the Direct Connect Gateway can be associated with the transit gateway to enable on-premises connectivity. Option D is wrong because transit gateway peering attachments are used for inter-region connectivity, not intra-region.

Option B is wrong because VPC peering is not needed with Transit Gateway. Option C is wrong because Security Groups are not used to control traffic between VPCs in Transit Gateway.

305
MCQ · medium

A company has multiple VPCs in the same AWS region that need to communicate with each other and with an on-premises data center. The company currently uses VPC peering connections between each VPC pair, which has become difficult to manage as the number of VPCs grows. The company wants to simplify the network architecture and implement a hub-and-spoke model using AWS Transit Gateway. The on-premises data center is connected to AWS via a Direct Connect connection with a private VIF. The company has already created a Transit Gateway and attached all VPCs to it. They have also created a Direct Connect gateway and associated it with the Transit Gateway. The on-premises router is advertising the on-premises CIDR (10.0.0.0/8) over BGP. However, after the migration, the VPCs cannot communicate with each other, and the on-premises network cannot reach the VPCs. The VPC route tables have been updated to route all traffic to the Transit Gateway. The Transit Gateway route table has propagation enabled for all VPC attachments and the Direct Connect gateway attachment. What is the most likely missing configuration?

A. The Direct Connect gateway is not associated with the Transit Gateway.
B. The Transit Gateway route table does not have propagation enabled for the VPC attachments.
C. The VPC route tables do not have routes for the other VPCs' CIDRs and the on-premises CIDR pointing to the Transit Gateway.
D. The on-premises router is not advertising the on-premises CIDR over BGP.
Answer: C

Without explicit routes in each VPC's route table for the other VPCs and on-premises CIDRs, traffic will not be forwarded to the Transit Gateway.

Why this answer

Even though the Transit Gateway route table has propagation enabled, the VPCs might not have routes pointing to the Transit Gateway for the other VPCs' CIDRs and the on-premises CIDR. The VPC route tables need explicit routes for the other VPCs' CIDRs (e.g., 10.2.0.0/16) pointing to the Transit Gateway. Alternatively, the Transit Gateway route table might lack routes for the on-premises CIDR if Direct Connect gateway propagation is not working because the on-premises prefixes are not being advertised correctly.

The most common issue is that the VPC route tables do not have routes for the other VPCs' CIDRs, so Option C is correct. Option B is incorrect because the Transit Gateway route table has propagation enabled.

Option A is incorrect because the Direct Connect gateway association is in place. Option D is incorrect because the on-premises router is advertising the CIDR.

306
MCQ · medium

A company is deploying a multi-tier web application on AWS. The application consists of an Application Load Balancer (ALB), a fleet of EC2 instances in an Auto Scaling group across three Availability Zones, and an Amazon RDS for MySQL database. The ALB has a target group that routes traffic to the EC2 instances on TCP port 8080. The security group for the EC2 instances allows inbound traffic from the ALB's security group on port 8080. Users report intermittent connectivity issues to the application. A network engineer reviews the VPC Flow Logs and notices that traffic from the ALB to the EC2 instances is being recorded as 'REJECT' for some requests. What is the most likely cause of this issue?

A. The network ACL associated with the EC2 instances' subnet does not have an outbound rule to allow traffic from the EC2 instances to the ALB on ephemeral ports.
B. The ALB's security group is blocking inbound traffic from the EC2 instances on the response path.
C. The ALB's target group health check is misconfigured, causing the ALB to mark instances as unhealthy and stop sending traffic.
D. The security group on the EC2 instances is stateful and automatically allows return traffic; the issue cannot be security group related.
Answer: A

The network ACL is stateless and must allow return traffic. Missing outbound rules cause REJECT.

Why this answer

Option A is correct because the network ACL is stateless and must allow both the inbound traffic on port 8080 and the outbound return traffic on ephemeral ports. If the outbound rule is missing, SYN-ACK packets from the EC2 instance to the ALB will be dropped, and the ALB sees a timeout or reject. Option C is incorrect because target group health checks use the same security group rules; if health checks succeed, connectivity should work.

Option B is incorrect because the ALB's security group does not filter the response path from the targets; traffic to and from the targets is governed by the targets' security group. Option D is incorrect because network ACLs are stateless and require explicit rules for return traffic; the security group's stateful behavior does not override ACL rules.
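As an added illustration of the stateless rule evaluation behind question 306 (example code written for this page, not taken from the question bank or from AWS), the following Python models a network ACL with a constructed rule set, an assumed VPC CIDR and ALB address, and shows which leg of the TCP handshake produces the REJECT before and after the outbound ephemeral-port rule is added:

```python
"""Stateless network ACL check for the ALB -> EC2 handshake in question 306.

Constructed example: rules are evaluated in ascending rule number, the first
match wins, and anything unmatched hits the implicit deny. A network ACL keeps
no connection state, so the SYN-ACK the instance sends back to the ALB's
ephemeral source port needs its own outbound allow rule (a security group,
being stateful, would allow that reply automatically).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class NaclRule:
    number: int
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str        # source for inbound rules, destination for outbound rules
    action: str      # "allow" or "deny"


def first_match(rules: Iterable[NaclRule], direction: str, protocol: str,
                port: int, remote_ip: str) -> Optional[NaclRule]:
    """Return the lowest-numbered matching rule, or None for the implicit deny."""
    remote = ip_address(remote_ip)
    ordered = sorted((r for r in rules if r.direction == direction),
                     key=lambda r: r.number)
    for rule in ordered:
        if rule.protocol not in ("all", protocol):
            continue
        if not (rule.port_from <= port <= rule.port_to):
            continue
        if remote not in ip_network(rule.cidr):
            continue
        return rule
    return None


def is_allowed(rules, direction, protocol, port, remote_ip) -> bool:
    rule = first_match(rules, direction, protocol, port, remote_ip)
    return rule is not None and rule.action == "allow"


def handshake_verdict(rules, alb_ip: str, ephemeral_port: int,
                      target_port: int = 8080) -> str:
    """Walk the two legs of the handshake that a flow log would record.

    Leg 1: ALB -> instance SYN, destination port 8080 (inbound to the subnet).
    Leg 2: instance -> ALB SYN-ACK, destination = ALB's ephemeral port (outbound).
    """
    if not is_allowed(rules, "inbound", "tcp", target_port, alb_ip):
        return "REJECT: inbound SYN to port %d" % target_port
    if not is_allowed(rules, "outbound", "tcp", ephemeral_port, alb_ip):
        return "REJECT: outbound SYN-ACK to ephemeral port %d" % ephemeral_port
    return "ACCEPT"


# Constructed VPC CIDR and ALB node address for the scenario (assumptions).
VPC_CIDR = "10.0.0.0/16"
ALB_IP = "10.0.1.10"

# Broken ACL: inbound 8080 is allowed, but the only outbound rule covers HTTPS,
# so the reply to the ALB's ephemeral port falls through to the implicit deny.
BROKEN_ACL = [
    NaclRule(100, "inbound", "tcp", 8080, 8080, VPC_CIDR, "allow"),
    NaclRule(100, "outbound", "tcp", 443, 443, "0.0.0.0/0", "allow"),
]

# Fixed ACL: an outbound allow for the ephemeral range back into the VPC.
FIXED_ACL = BROKEN_ACL + [
    NaclRule(110, "outbound", "tcp", 1024, 65535, VPC_CIDR, "allow"),
]


if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        print(name, "->", handshake_verdict(acl, ALB_IP, 49152))
```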

307
MCQ · easy

A network engineer is setting up a Direct Connect connection from an on-premises data center to AWS. The connection uses a private VIF to connect to a VPC via a Direct Connect gateway. The on-premises network is advertising a BGP prefix 10.0.0.0/16, which overlaps with the VPC CIDR 10.0.0.0/16. What is the expected behavior?

A. The VPC will automatically reassign a new CIDR to avoid the conflict.
B. The BGP session will fail to establish due to the prefix conflict.
C. The BGP session will be established, but the overlapping prefix will be ignored and not programmed into the VPC route tables.
D. The on-premises prefix will take precedence and override the VPC route.
Answer: C

AWS does not allow overlapping prefixes to be injected into VPC route tables to prevent routing conflicts.

Why this answer

Option C is correct because AWS Direct Connect with a private VIF will not accept BGP prefixes that overlap with the VPC CIDR. Options A, B, and D are incorrect because they describe behaviors that do not occur in this scenario.

308
MCQ · medium

A company is implementing a hybrid network using AWS Direct Connect. They have a virtual private gateway (VGW) attached to their VPC and a Direct Connect gateway (DXGW) with a private virtual interface (VIF) to their on-premises router. They have established a BGP session between the on-premises router and the VGW. The on-premises network can reach EC2 instances in the VPC, but the VPC instances cannot reach on-premises resources. What is the most likely cause?

A. The virtual private gateway is not attached to the VPC
B. The VPC has a VPC endpoint for S3 that is causing a routing conflict
C. The VPC route tables lack a route for the on-premises CIDR pointing to the virtual private gateway
D. The BGP session is not advertising the on-premises CIDR to the VGW
Answer: C

Without a route, VPC instances do not know to send traffic to the VGW for on-premises destinations.

Why this answer

Option C is correct because the VPC route table must have a route for the on-premises CIDR pointing to the virtual private gateway. Option A is wrong because the VGW is already attached. Option D is wrong because BGP is established.

Option B is wrong because VPC endpoints are not relevant to routing toward on-premises prefixes.

309
MCQ · medium

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the public subnet is configured as a NAT instance. The company wants to replace the NAT instance with a NAT gateway for better availability and maintenance. After creating a NAT gateway in the public subnet and updating the route table of the private subnet, traffic from the private subnet cannot reach the internet. What is the MOST likely cause?

A. The public subnet's route table still points to the NAT instance for internet traffic.
B. The security group attached to the NAT gateway is blocking outbound traffic.
C. The private subnet's route table has a route for 0.0.0.0/0 pointing to the NAT instance instead of the NAT gateway.
D. The NAT gateway does not have an Elastic IP address associated with it.
Answer: D

A NAT gateway requires an Elastic IP for outbound traffic.

Why this answer

The NAT gateway must have an Elastic IP to work. Option A is wrong because it is the private subnet's route table, not the public subnet's, that must point to the NAT gateway. Option C is wrong because the private subnet's 0.0.0.0/0 route has already been updated to point to the NAT gateway.

Option B is wrong because security groups do not apply to a NAT gateway (it is a managed service).

310
MCQ · hard

A company has a Direct Connect connection with a private VIF to a VPC. They also have a site-to-site VPN as a backup. The on-premises network advertises the same prefix via BGP over both connections. The company wants to prefer the Direct Connect path. What configuration achieves this?

A. Set the Multi-Exit Discriminator (MED) on the VPN advertisement to a lower value.
B. Prepend the AS path on the Direct Connect advertisement to make it longer.
C. Configure the Direct Connect BGP session with a higher local preference (e.g., 200) than the VPN BGP session.
D. Configure the VPN BGP session with a higher local preference than the Direct Connect session.
Answer: C

Higher local preference makes Direct Connect preferred.

Why this answer

Option C is correct because AWS assigns a local preference of 100 by default to Direct Connect routes, while VPN routes have a lower local preference (e.g., 0 or lower); giving the Direct Connect session the higher value (e.g., 200) keeps that path preferred. Option B is wrong because AS path prepending on the Direct Connect side would make it less preferred. Option A is wrong because the MED is not commonly used in this scenario; local preference is standard.

Option D is wrong because a higher local preference on the VPN session would make the VPN path preferred, the opposite of what is wanted.

311
Multi-Select · easy

A company has a VPC with a public subnet and a private subnet. They want to allow instances in the private subnet to download patches from the internet. Which THREE components are required? (Select THREE.)

Select 3 answers
A. AWS Direct Connect connection
B. Internet Gateway attached to the VPC
C. Elastic IP address assigned to the NAT Gateway
D. Route in the private subnet's route table pointing 0.0.0.0/0 to the NAT Gateway
E. NAT Gateway deployed in the public subnet
Answers: B, D, E

The NAT Gateway uses the Internet Gateway to reach the internet.

Why this answer

For private subnet internet access, you need a NAT Gateway (or NAT instance) in a public subnet, an Internet Gateway attached to the VPC, and a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT Gateway. Option C (Elastic IP) is needed by the NAT Gateway but is part of the NAT Gateway's own configuration. Option A (Direct Connect) is not required.

312
MCQ · medium

A company has a Direct Connect connection with a private VIF to a VPC. They also have a Site-to-Site VPN connection to the same VPC as a backup. The on-premises router is advertising the same prefixes over both connections. The company wants to ensure that traffic uses Direct Connect when available and fails over to VPN if Direct Connect goes down. Which configuration should be applied?

A. Set a higher MED value on the Direct Connect BGP advertisements.
B. Disable BGP on the VPN connection to force traffic to Direct Connect.
C. Prepend AS path on the BGP advertisements over the VPN connection to make the path less preferred.
D. Set a higher local preference on the VPN BGP advertisements.
Answer: C

AS path prepending makes the VPN path longer, so the Direct Connect path (shorter AS path) is preferred.

Why this answer

To prefer Direct Connect over VPN, adjust the BGP attributes on the on-premises router. One common method is to prepend the AS path on the VPN BGP advertisements to make that path longer, so the Direct Connect path is preferred. Option C is correct.

Option A is incorrect because a higher MED on the Direct Connect advertisements would make that path less preferred, not more. Option D is incorrect because local preference is usually set on the AWS side. Option B is incorrect because disabling BGP on the VPN would remove the backup.

313
MCQ · medium

A company is deploying a multi-tier web application in a VPC. The web tier must be accessible from the internet, while the application tier must only be accessible from the web tier. The database tier must only be accessible from the application tier. Which design best meets these requirements?

A. Place all tiers in public subnets and use security groups to control traffic between tiers.
B. Place the web tier in public subnets with an internet gateway, and the application and database tiers in private subnets. Use security groups to allow traffic from the web tier to the application tier, and from the application tier to the database tier.
C. Place all tiers in the same subnet and use network ACLs to restrict traffic between tiers.
D. Place the web tier in a private subnet and use a NAT gateway for outbound internet access. Place the application and database tiers in public subnets.
Answer: B

Correct design: public subnet with IGW for web, private subnets for app and DB, security groups restrict traffic.

Why this answer

Option B is correct because placing the web tier in public subnets with an internet gateway and the application and database tiers in private subnets, with security groups restricting traffic between tiers, is the standard design. Option A is wrong because placing all tiers in public subnets exposes the application and database tiers to the internet. Option C is wrong because tier isolation comes from subnet types, route tables and security groups, not from putting every tier in one subnet behind network ACLs.

Option D is wrong because it inverts the design: the application and database tiers would sit in public subnets while the web tier, which must be reachable from the internet, would be in a private subnet.

314
MCQ · easy

A company needs to connect its on-premises network to a VPC using AWS Direct Connect. The company wants to use a single Direct Connect connection to connect to multiple VPCs in the same region. Which configuration should be used?

A. Create a private VIF for each VPC
B. Use a VPN connection to extend the Direct Connect to other VPCs
C. Use a Transit Gateway to connect the Direct Connect to multiple VPCs
D. Create a Direct Connect Gateway and associate it with multiple VPCs
Answer: D

A Direct Connect Gateway can be associated with up to 10 VPCs per region.

Why this answer

Option D is correct because a Direct Connect Gateway can be associated with multiple VPCs, allowing a single Direct Connect connection to reach all of them. Option A is incorrect because a single VIF can only connect to a single VPC (unless using a Direct Connect Gateway). Option C is incorrect because Transit Gateway is for inter-VPC routing, not Direct Connect.

Option B is incorrect because a VPN connection is a separate service.

315
MCQ · easy

A company has deployed a VPC with public and private subnets. The private subnets need outbound internet access for software updates. Which service should be used to provide this access without exposing the instances to inbound traffic?

A. Attach an Internet Gateway to the VPC and add a default route to it from the private subnets.
B. Set up a VPN connection to an on-premises network that has internet access.
C. Use a Direct Connect connection to route traffic through an on-premises internet gateway.
D. Deploy a NAT Gateway in a public subnet and add a default route to it from the private subnets.
Answer: D

NAT Gateway provides outbound-only internet access.

Why this answer

A NAT Gateway allows instances in private subnets to initiate outbound traffic to the internet but prevents inbound traffic from the internet. Option A is wrong because an Internet Gateway alone would expose instances to inbound traffic. Option B is wrong because a VPN connection is for private connectivity.

Option C is wrong because a Direct Connect connection is for dedicated private connectivity.

316
MCQ · easy

A network engineer is troubleshooting connectivity between an EC2 instance in a VPC and an on-premises server connected via AWS Site-to-Site VPN. The ping from the EC2 instance to the on-premises server fails. The VPN tunnel status shows 'UP'. Which configuration should the engineer check first?

A. Ensure the customer gateway device is configured with the correct public IP address
B. Check that the pre-shared key matches on both sides
C. Check the route table associated with the EC2 instance's subnet for a route to the on-premises network
D. Verify that the VPN tunnel is using the correct encryption algorithms
Answer: C

Without a route pointing traffic to the virtual private gateway, the VPN cannot forward packets.

Why this answer

Option C is correct because the VPN is up, so the most likely issue is that the route table for the subnet containing the EC2 instance does not have a route to the on-premises network via the virtual private gateway. Option A is wrong because the tunnel is up, which means the customer gateway's public IP address is correct. Option B is wrong because the VPN is up, so the pre-shared key is correct.

Option D is wrong because an UP tunnel shows the encryption algorithms have already been negotiated successfully.

317
MCQ · hard

A company has an AWS Direct Connect connection with a private VIF to a VPC. The VPC has multiple subnets across two Availability Zones. The company wants to use the Direct Connect connection as the primary path for all traffic from on-premises to the VPC, and use a Site-to-Site VPN as a backup. The on-premises router is configured to advertise a default route via BGP over the Direct Connect, and the VPN also advertises a default route. Which configuration ensures that the Direct Connect path is preferred over the VPN?

A. Disable route propagation from the VPN in the VPC route tables to ensure Direct Connect routes take precedence.
B. Set a higher local preference on the Direct Connect BGP session on the on-premises router.
C. Decrease the Multi-Exit Discriminator (MED) value on the Direct Connect BGP advertisements from AWS.
D. Configure AS_PATH prepending on the VPN BGP advertisements from the on-premises router to make the VPN path longer.
Answer: D

Longer AS_PATH makes the route less preferred.

Why this answer

Option D is correct because, by default, BGP routes from Direct Connect have a lower MED if none is set, but the VPN may also carry low metrics, so the most reliable way is to prepend AS_PATH on the VPN BGP advertisements to make them less preferred. Option B is wrong because local preference is typically set on the router, not in AWS.

Option C is wrong because decreasing the MED on the Direct Connect side would make it more preferred, but it is not a standard approach; AS_PATH prepending is more straightforward. Option A is wrong because disabling route propagation from the VPN would prevent the VPN routes from being used at all, and does not affect BGP path selection.

318
MCQ · hard

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to establish a site-to-site VPN connection to an on-premises network with a CIDR of 192.168.0.0/16. The VPN tunnel is up, but traffic from the VPC to on-premises is not flowing. Which of the following is the most likely cause?

A. The security groups do not allow outbound traffic.
B. The NACLs are blocking outbound traffic.
C. The VPC route table does not have a route for 192.168.0.0/16 pointing to the virtual private gateway.
D. The VPN connection is in the wrong AWS region.
Answer: C

A missing route prevents traffic from leaving the VPC.

Why this answer

Option C is correct because the VPC route table must have a route pointing to the virtual private gateway for the on-premises CIDR; without it, traffic is dropped. Options A, B, and D are possible but less likely initial checks.

319
Multi-Select · medium

Which TWO of the following are valid methods to connect multiple VPCs in the same AWS Region? (Choose TWO.)

Select 2 answers
A. Internet gateway
B. AWS Site-to-Site VPN
C. VPC peering
D. AWS Transit Gateway
E. AWS Direct Connect
Answers: C, D

Direct connection between two VPCs.

Why this answer

Option C (VPC Peering) and Option D (Transit Gateway) are correct. VPC Peering allows direct connectivity, and Transit Gateway supports transitive routing. Option B (VPN) is for on-premises connectivity.

Option E (Direct Connect) is for on-premises connectivity. Option A (Internet Gateway) is for internet access, not VPC-to-VPC traffic.

320
MCQ · hard

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16 and an IPv6 CIDR of 2001:db8:1234::/56. The company hosts a web application on IPv4-only EC2 instances in a private subnet. The application must be accessible from the internet via IPv6. The company has an internet-facing Application Load Balancer (ALB) with dual-stack IP address type. The ALB is in a public subnet. The target group is configured with IP address type IPv4. Users report that they can access the application via IPv4 but not via IPv6. The ALB security group allows inbound HTTP/HTTPS from ::/0. What is the MOST likely cause?

A. The public subnet does not have an associated IPv6 CIDR.
B. The target group is configured with IP address type IPv4, but the ALB must use IPv6 to communicate with the targets.
C. The ALB is configured as IPv4-only instead of dual-stack.
D. The private subnet's route table does not have an IPv6 route to the NAT gateway or egress-only internet gateway.
Answer: B

A dual-stack ALB can accept IPv6 clients and forward to IPv4 targets, so the IPv4 target group is not by itself a blocker, and the security group already allows IPv6; the explanation also weighs whether the private subnet instead needs an IPv6 route to a NAT64 gateway.

Why this answer

Option B is correct because an IPv4-only target group cannot receive IPv6 traffic; the ALB would attempt to connect to the targets via IPv4, although a dual-stack ALB can still accept IPv6 and translate. The competing explanation is that the private subnet's route table lacks an IPv6 route (to a NAT64 or egress-only internet gateway) for traffic from the ALB to reach the IPv4 targets. Option A is incorrect because the ALB can terminate IPv6 and forward to IPv4.

Option C is incorrect because the ALB is already configured as dual-stack. Option D is incorrect because the ALB does not need an EIP.

321
MCQ · medium

A company is setting up a Direct Connect connection to connect its on-premises data center to AWS. The connection is established, and a private virtual interface (VIF) is configured. The on-premises router can ping the VIF's Amazon side IP address, but cannot ping an EC2 instance in the VPC. The VPC has a virtual private gateway attached, and the route tables are correctly configured. What should the company check next?

A. Verify that the on-premises router is advertising the VPC CIDR to the Direct Connect router.
B. Check that the NACLs on the EC2 instance's subnet allow inbound ICMP.
C. Confirm that the private VIF is associated with the correct virtual private gateway.
D. Ensure that BGP is established and receiving routes.
Answer: A

The on-premises router must advertise the VPC CIDR for return traffic.

Why this answer

The on-premises router can ping the VIF's Amazon side IP, confirming that Layer 2 and Layer 3 connectivity over the Direct Connect link is working, and BGP is established. However, the inability to ping the EC2 instance indicates that return traffic from the VPC is not reaching the on-premises network. For return traffic to be routed correctly, the on-premises router must advertise the VPC CIDR (or a specific prefix) to the Direct Connect router via BGP; otherwise, the AWS side will not forward traffic destined for the on-premises network over the VIF.

Exam trap

The trap here is that candidates assume BGP being established (as evidenced by a successful ping to the VIF Amazon side IP) means all routing is correct, but they overlook the requirement for the on-premises router to advertise the VPC CIDR to enable return traffic.

How to eliminate wrong answers

Option B is wrong because the issue is not about inbound ICMP to the EC2 instance; the ping fails due to missing return path routing, not because of security group or NACL filtering. Option C is wrong because the private VIF is already associated with a virtual private gateway (VGW) and the VPC route tables are correctly configured, so the VIF association is not the problem. Option D is wrong because the on-premises router can ping the VIF's Amazon side IP, which proves that BGP is established and routes are being exchanged; the problem is specifically that the on-premises router is not advertising the VPC CIDR back to AWS.

322
MCQ · medium

A company has set up a transit gateway with attachments to VPC-A and VPC-B. The transit gateway route table shows routes to both VPCs and a blackhole for 0.0.0.0/0. VPC-A's public subnet route table sends 10.1.0.0/16 traffic to the transit gateway. However, an EC2 instance in VPC-A's public subnet cannot reach an instance in VPC-B. What is the most likely cause?

A. VPC-B's route table does not have a route to VPC-A's CIDR via the transit gateway.
B. VPC-A's route table does not have a route to the transit gateway.
C. The transit gateway route table does not have a route for 10.0.0.0/16.
D. The blackhole route in the transit gateway is blocking traffic between VPCs.
Answer: A

For bidirectional communication, VPC-B must also have a route back to VPC-A via the transit gateway.

Why this answer

Option A is correct because for traffic to flow from VPC-A to VPC-B via a transit gateway, both VPCs must have routes in their route tables pointing to the transit gateway for the other VPC's CIDR. Since VPC-A's route table sends 10.1.0.0/16 (VPC-B's CIDR) to the transit gateway, but VPC-B's route table lacks a return route to VPC-A's CIDR via the transit gateway, the return traffic from VPC-B is dropped, causing connectivity failure.

Exam trap

AWS often tests the misconception that a transit gateway route table alone ensures bidirectional connectivity, when in fact each VPC's subnet route tables must have explicit routes for the other VPC's CIDR to enable return traffic.

How to eliminate wrong answers

Option B is wrong because VPC-A's route table already has a route to the transit gateway (it sends 10.1.0.0/16 traffic to the transit gateway), so this is not the issue. Option C is wrong because the transit gateway route table shows routes to both VPCs, and the problem is about VPC-B's missing return route, not a missing route in the transit gateway for 10.0.0.0/16. Option D is wrong because the blackhole route for 0.0.0.0/0 in the transit gateway only drops traffic destined for the internet, not traffic between VPCs, which is handled by the specific VPC routes.

323
Multi-Selecthard

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network advertises the prefix 10.0.0.0/8 to AWS. The VPC has a CIDR of 10.0.0.0/16. A network engineer wants to ensure that traffic from on-premises to a specific subnet 10.0.1.0/24 in the VPC is routed via a dedicated VPN connection instead of Direct Connect for testing purposes. Which TWO actions should the engineer take?

Select 2 answers
A.Prepend the AS path on the Direct Connect BGP advertisement.
B.Advertise the specific prefix 10.0.1.0/24 from the VPN connection to the VPC.
C.Disable route propagation on the VPN connection's route table.
D.Use a BGP community to tag the Direct Connect route as no-export.
E.Set a lower MED value on the VPN route advertisement compared to Direct Connect.
AnswersB, E

A more specific prefix will be preferred over the less specific 10.0.0.0/8.

Why this answer

Options B and E are correct. A more specific route (10.0.1.0/24) will be preferred over the less specific 10.0.0.0/8. Additionally, setting a lower MED on the VPN route (lower is better) can influence path selection.

Option C is wrong because disabling route propagation on the VPN would remove the VPN route. Option A is wrong because AS path prepending on Direct Connect would make it less preferred, but Direct Connect may still be used. Option D is wrong because BGP communities do not apply in this context.
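The two mechanisms questions 322 and 323 above rely on, longest-prefix match and a missing return route, are easy to see in a small simulation. The block below is an added example, not code from the question bank: it models route selection as longest prefix first, then lowest MED among equal prefixes (a simplified BGP best-path, ignoring local preference and AS path), and walks a packet and its reply across VPC-A, a transit gateway and VPC-B. VPC-A's CIDR (10.0.0.0/16), the MED values and the on-premises router's view in `onprem_exit` are assumptions; the targets are plain labels, not AWS resource ids.

```python
"""Route selection and a two-way reachability check (added example).

Longest-prefix match first, then lowest MED among equal prefixes; then a
packet and its reply are walked across VPC-A -> transit gateway -> VPC-B to
show why a missing return route drops the flow. VPC-A = 10.0.0.0/16 and all
MED values are assumptions; targets are plain labels, not AWS resource ids.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str   # destination CIDR
    target: str   # next hop label: "local", "tgw", "dx", "vpn", "blackhole", ...
    med: int = 0  # BGP MED; lower is preferred when prefixes are equal


class RouteTable:
    def __init__(self, routes):
        self.routes = [(ip_network(r.prefix), r) for r in routes]

    def lookup(self, dst):
        """Best Route for dst, or None when nothing matches."""
        addr = ip_address(dst)
        matches = [(net, r) for net, r in self.routes if addr in net]
        if not matches:
            return None
        # longest prefix wins; MED breaks ties between equal-length prefixes
        return min(matches, key=lambda m: (-m[0].prefixlen, m[1].med))[1]


def onprem_exit(dst, dx_med=100, vpn_med=50):
    """Question 323 seen from the on-premises router (an assumption): the VPC /16
    is learned over Direct Connect, the test /24 over both links. Returns the link."""
    table = RouteTable([
        Route("10.0.0.0/16", "dx", med=dx_med),
        Route("10.0.1.0/24", "dx", med=dx_med),
        Route("10.0.1.0/24", "vpn", med=vpn_med),
    ])
    return table.lookup(dst).target


def walk(hops, dst):
    """Look dst up at each hop in order; delivered when a hop's route is 'local'."""
    trace = []
    for name, table in hops:
        route = table.lookup(dst)
        if route is None or route.target == "blackhole":
            trace.append(f"{name}: no usable route for {dst}, dropped")
            return False, trace
        trace.append(f"{name}: {route.prefix} -> {route.target}")
        if route.target == "local":
            return True, trace
    return False, trace


def tgw_reachability(vpc_b_has_return_route):
    """Question 322: (forward_ok, return_ok) for VPC-A 10.0.0.0/16 <-> VPC-B 10.1.0.0/16."""
    vpc_a = RouteTable([Route("10.0.0.0/16", "local"), Route("10.1.0.0/16", "tgw")])
    tgw = RouteTable([
        Route("10.0.0.0/16", "attach-vpc-a"),
        Route("10.1.0.0/16", "attach-vpc-b"),
        Route("0.0.0.0/0", "blackhole"),   # as in the question
    ])
    vpc_b_routes = [Route("10.1.0.0/16", "local")]
    if vpc_b_has_return_route:
        vpc_b_routes.append(Route("10.0.0.0/16", "tgw"))
    vpc_b = RouteTable(vpc_b_routes)

    src, dst = "10.0.1.10", "10.1.1.10"
    forward_ok, _ = walk([("vpc-a", vpc_a), ("tgw", tgw), ("vpc-b", vpc_b)], dst)
    return_ok, _ = walk([("vpc-b", vpc_b), ("tgw", tgw), ("vpc-a", vpc_a)], src)
    return forward_ok, return_ok


if __name__ == "__main__":
    for ip in ("10.0.1.50", "10.0.2.50"):
        print(ip, "->", onprem_exit(ip))
    print("without return route:", tgw_reachability(False))
    print("with return route:   ", tgw_reachability(True))
```

Note that the transit gateway's 0.0.0.0/0 blackhole never matters here: the specific /16 routes always win the lookup, so the return flow fails in VPC-B's own table, exactly as the explanation for question 322 says.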

324
MCQeasy

A company uses AWS Site-to-Site VPN to connect its on-premises network to a VPC. The VPN connection uses static routes. Recently, the on-premises network administrator added a new subnet (10.0.3.0/24) and needs to ensure that traffic to this subnet is routed through the VPN tunnel. What must be done in the AWS VPC to enable this connectivity?

A.Update the customer gateway configuration
B.Enable route propagation on the VPN connection
C.Create a new VPN connection for the new subnet
D.Add a static route for 10.0.3.0/24 in the VPN connection's route table
AnswerD

Static routes specify which subnets are reachable via the VPN tunnel.

Why this answer

Option D is correct because the static routes for the VPN connection must be updated to include the new subnet. Option B is incorrect because route propagation is for dynamic routing. Option C is incorrect because the VPN connection itself does not need to be recreated.

Option A is incorrect because the customer gateway represents the on-premises device and only needs to be updated if the device's IP or BGP ASN changes.

325
MCQmedium

A company is deploying a web application across multiple Availability Zones in a single region. They want to distribute incoming traffic evenly across all healthy EC2 instances. Which AWS service should be used as the entry point?

A.Application Load Balancer (ALB)
B.Amazon CloudFront
C.Network Load Balancer (NLB)
D.Amazon Route 53 with simple routing
AnswerA

Layer 7 load balancer with health checks.

Why this answer

Option A is correct because an Application Load Balancer distributes traffic across targets in multiple AZs and performs health checks. Option C is wrong because an NLB is for TCP/UDP, not HTTP. Option D is wrong because Route 53 with simple routing does not load balance across instances.

Option B is wrong because CloudFront distributes content, not application traffic.

326
MCQhard

A company is implementing a multi-region architecture with VPCs in us-east-1 and eu-west-1. They want to connect these VPCs using a Transit Gateway and ensure that traffic between regions can be inspected by a firewall in us-east-1. Which configuration is required?

A.Establish a VPN connection between the two VPCs and route traffic through the firewall.
B.Create a Transit Gateway in each region, peer them, and configure route tables to send inter-region traffic through the inspection VPC in us-east-1.
C.Create a VPC peering connection between the two VPCs and update route tables.
D.Use a Direct Connect gateway to connect the two VPCs directly.
AnswerB

Transit Gateway peering enables cross-region connectivity, and route tables can steer traffic for inspection.

Why this answer

Option B is correct because Transit Gateway peering attachments between regions allow cross-region connectivity. To route traffic through the inspection VPC in us-east-1, the route tables in both regions must be configured accordingly. Option C is incorrect because VPC peering does not support transitive routing across regions.

Option D is incorrect because a Direct Connect gateway is not designed for inter-region VPC connectivity. Option A is incorrect because VPN connections do not inherently provide inspection capability.

327
MCQmedium

A company has a Direct Connect connection with a single private virtual interface (VIF) to a virtual private gateway (VGW) attached to a VPC. The VPC CIDR is 10.0.0.0/16. The on-premises CIDR is 172.16.0.0/12. The BGP session is established, and the on-premises router is advertising the 172.16.0.0/12 route to the VGW. The VGW is configured to propagate routes to the VPC route tables. However, instances in the VPC cannot reach on-premises resources. The VPC route table shows a propagated route for 172.16.0.0/12 with a target of the VGW. What is the most likely issue?

A.The security groups for the VPC instances do not allow outbound traffic to the on-premises network
B.The VPC route table does not have a route for the on-premises CIDR
C.The on-premises router does not have a route to the VPC CIDR via the Direct Connect interface
D.The BGP session is not advertising the VPC CIDR to the on-premises router
AnswerC

Without a return route, traffic cannot reach the VPC.

Why this answer

Option C is correct because the on-premises router must also have a route back to the VPC CIDR via the Direct Connect interface. Option B is wrong because the VPC route table already has the route. Option D is wrong because the BGP session is established.

Option A is wrong because security groups are stateful and outbound traffic is allowed by default.

328
MCQhard

A company is troubleshooting connectivity between two VPCs (VPC-A and VPC-B) that are peered together. Both VPCs are in the same region. VPC-A has a CIDR of 10.0.0.0/16 and VPC-B has a CIDR of 10.0.0.0/16. The peering connection is established and the route tables are updated. However, EC2 instances in VPC-A cannot ping EC2 instances in VPC-B. What is the most likely cause?

A.The route tables do not have routes to the private IP addresses of the instances.
B.The VPCs have overlapping CIDR blocks.
C.The security groups in VPC-B do not allow inbound ICMP traffic from VPC-A.
D.The VPCs are in different regions and peering does not work across regions.
AnswerB

Overlapping CIDRs prevent proper routing in VPC peering.

Why this answer

Option B is correct. VPC peering does not support overlapping CIDR blocks. The routes cannot distinguish between the two VPCs.

Option C is wrong because security groups can allow ICMP. Option A is wrong because private IP addresses are reachable if routes exist. Option D is wrong because same-region peering works.

329
Multi-Selectmedium

A company is designing a hybrid network using AWS Direct Connect and a Site-to-Site VPN as a backup. The company has two Direct Connect connections from different providers for redundancy. The company wants to use BGP to automatically fail over to the VPN if both Direct Connect connections fail. Which TWO configurations are required to achieve this?

Select 2 answers
A.Set a higher local preference on the VPN route to make it preferred over Direct Connect.
B.Configure the VPN connection with static routes instead of BGP.
C.Disable route propagation on the VPN connection's route table.
D.Adjust BGP attributes on the Direct Connect routes to be preferred over the VPN routes.
E.Use a VPN connection that supports dynamic BGP routing.
AnswersD, E

By making Direct Connect routes more preferred (e.g., higher local preference), the VPN will only be used when Direct Connect is down.

Why this answer

Options D and E are correct. A VPN connection uses BGP to exchange routes, and adjusting BGP attributes (like local preference) can make the VPN route less preferred than the Direct Connect routes. Option B is wrong because static routes do not provide dynamic failover.

Option A is wrong because the VPN should be a backup, so it should have the lower local preference. Option C is wrong because disabling route propagation on the VPN would remove its routes.

330
MCQeasy

A company has a VPC with multiple subnets. An EC2 instance in a private subnet needs to access an S3 bucket. Which AWS service should be used to allow this access without traversing the internet?

A.Transit Gateway
B.NAT Gateway
C.VPC Gateway Endpoint for S3
D.Internet gateway
AnswerC

Gateway Endpoint allows private access to S3.

Why this answer

Option C is correct because a VPC Gateway Endpoint for S3 allows private access. Option B is incorrect because a NAT gateway is for internet access. Option D is incorrect because an Internet Gateway is for internet access.

Option A is incorrect because a Transit Gateway is for connecting networks.

331
MCQmedium

A company is deploying a global application behind an Application Load Balancer (ALB) in AWS. They want to use AWS Global Accelerator to improve performance by directing traffic to the nearest healthy endpoint. Which configuration is required to achieve this?

A.Create an accelerator with an endpoint group that includes the ALB as an endpoint
B.Configure Route 53 health checks for the ALB and associate them with Global Accelerator
C.Configure a CloudFront distribution with the ALB as an origin and enable Global Accelerator
D.Create a Route 53 latency-based routing record set pointing to the ALB
AnswerA

Global Accelerator directs traffic to the nearest healthy endpoint in the endpoint group.

Why this answer

Option A is correct because Global Accelerator uses endpoint groups with health checks and routes traffic to the nearest healthy endpoint. Option B is wrong because Global Accelerator does not use Route 53 health checks; it has its own. Option D is wrong because Global Accelerator does not use DNS-based routing like Route 53 latency records.

Option C is wrong because Global Accelerator does not use CloudFront; it is a separate service.

332
Multi-Selectmedium

A company has a VPC with public and private subnets. The public subnet has a NAT Gateway. The private subnet instances need to access an S3 bucket in the same region. Which THREE steps should the network engineer take to ensure the most cost-effective and secure access without traversing the internet?

Select 3 answers
A.Create a VPC Gateway Endpoint for S3.
B.Attach an endpoint policy that allows access to the specific S3 bucket.
C.Create a VPC Interface Endpoint for S3.
D.Update the route table for the private subnets to include a route to the S3 endpoint.
E.Create a NAT Gateway in the public subnet.
AnswersA, B, D

Gateway Endpoints are free and provide private access to S3.

Why this answer

Option A is correct because a VPC Gateway Endpoint for S3 provides private, cost-effective access to S3 without traversing the internet or requiring a NAT Gateway. It uses AWS's internal network and route table entries to direct S3 traffic through the endpoint, avoiding data transfer costs and improving security.

Exam trap

AWS often tests the misconception that Interface Endpoints are required for all AWS services, but for S3 and DynamoDB, Gateway Endpoints are the correct, cost-effective choice, and candidates may incorrectly select Interface Endpoints due to familiarity with other services.

333
MCQhard

A network engineer is troubleshooting connectivity between two VPCs (VPC-A and VPC-B) connected via a VPC peering connection. Both VPCs have CIDR blocks: VPC-A = 10.0.0.0/16, VPC-B = 10.1.0.0/16. An EC2 instance in VPC-A (10.0.1.10) cannot ping an EC2 instance in VPC-B (10.1.1.10). Security groups and NACLs allow all traffic. The route tables are configured as follows: In VPC-A, a route to 10.1.0.0/16 via the peering connection. In VPC-B, a route to 10.0.0.0/16 via the peering connection. What is the most likely cause?

A.The VPCs have overlapping CIDR blocks.
B.Security groups are blocking ICMP traffic.
C.The route tables are missing routes to the peering connection.
D.There is an intermediate VPC or on-premises network that routes traffic incorrectly due to the lack of transitive routing.
AnswerD

VPC peering does not allow transitive routing; any intermediate hop would break connectivity.

Why this answer

VPC peering connections do not support transitive routing. Even though the route tables in VPC-A and VPC-B correctly point to each other via the peering connection, if there is an intermediate VPC or on-premises network involved in the path, traffic cannot be forwarded through that intermediate point. The ping fails because the peering connection is a direct, one-to-one link and does not allow routing through a third network.

Exam trap

The trap here is that candidates assume VPC peering supports transitive routing like a traditional router, but AWS explicitly disallows it, so even with correct routes, traffic cannot traverse an intermediate VPC.

How to eliminate wrong answers

Option A is wrong because VPC-A uses 10.0.0.0/16 and VPC-B uses 10.1.0.0/16, which are non-overlapping CIDR blocks. Option B is wrong because the question explicitly states that security groups and NACLs allow all traffic, so ICMP is not blocked. Option C is wrong because the route tables are correctly configured with routes to the peer VPC's CIDR via the peering connection, as described in the scenario.

334
MCQeasy

A company is deploying a VPC with public and private subnets. They want to allow instances in a private subnet to access the internet for software updates while preventing inbound internet traffic. Which configuration should be used?

A.Create a VPC endpoint for internet access
B.Use a transit gateway with a NAT instance
C.Attach an internet gateway to the VPC and add a route in the private subnet to the internet gateway for 0.0.0.0/0
D.Attach an internet gateway to the VPC, and create a NAT gateway in a public subnet. Add a route in the private subnet route table to the NAT gateway for 0.0.0.0/0
AnswerD

NAT gateway enables outbound internet from private subnets.

Why this answer

Option D is correct because a NAT gateway in a public subnet allows outbound internet access from private subnets while blocking inbound traffic. Option C is wrong because an internet gateway allows inbound traffic. Option A is wrong because a VPC endpoint is for specific AWS services, not general internet access.

Option B is wrong because a transit gateway is for inter-VPC routing.

335
MCQeasy

A company wants to securely connect their on-premises data center to AWS using a site-to-site VPN. They have multiple branch offices that also need to connect to AWS. Which AWS service should they use to simplify the management of multiple VPN connections?

A.VPC Peering
B.AWS Direct Connect
C.AWS Transit Gateway
D.VPN CloudHub
AnswerC

Transit Gateway provides a hub-and-spoke model to connect multiple VPNs and VPCs.

Why this answer

AWS Transit Gateway acts as a hub for connecting multiple VPCs and on-premises networks, simplifying the management of multiple VPN connections. Option B (Direct Connect) is a dedicated connection but not ideal for multiple branch offices. Option A (VPC Peering) is for VPC-to-VPC connections.

Option D (VPN CloudHub) is a feature of Virtual Private Gateway but is less scalable than Transit Gateway.

336
MCQmedium

A network engineer is troubleshooting connectivity issues. The route table shows a blackhole route for 10.0.0.0/8 pointing to a VPC endpoint (vpce-12345678). What is the most likely cause of the blackhole state?

A.The VPC endpoint (vpce-12345678) has been deleted.
B.The VPC CIDR 10.0.0.0/16 is overlapping with the endpoint route.
C.The route table does not have a route to the internet.
D.The internet gateway is not attached to the VPC.
AnswerA

A deleted endpoint results in a blackhole route.

Why this answer

Option A is correct because a blackhole route for a VPC endpoint typically indicates the endpoint has been deleted or is in a failed state. B is incorrect because the VPC CIDR is more specific. C is irrelevant.

D is incorrect because blackhole doesn't indicate no route.

337
MCQhard

A company has a Direct Connect connection with a private VIF to a VPC. They notice that the BGP session is flapping every few minutes. The network team confirms that the customer router and AWS router are configured correctly. What is the MOST likely cause of the BGP flapping?

A.The BGP community string is not set correctly
B.MTU mismatch between the customer router and the AWS Direct Connect endpoint
C.Incorrect BGP ASN configuration on the virtual interface
D.Bidirectional Forwarding Detection (BFD) is not enabled
AnswerB

Packet drops cause BGP session instability.

Why this answer

Option B is correct because if the maximum transmission unit (MTU) is mismatched, large packets may be dropped, causing BGP to reset. Option C is wrong because an ASN mismatch would prevent the session from establishing at all. Option D is wrong because BFD does not cause flapping; it detects failures faster.

Option A is wrong because community strings are not used in BGP peering.

338
MCQmedium

A company has a VPC with public and private subnets. They have a web server in the public subnet that needs to make API calls to Amazon S3. The web server has a public IP. What is the MOST secure way to allow the web server to access S3 without traversing the internet?

A.Create a Gateway VPC Endpoint for S3 and add a route in the public subnet's route table to S3 via the endpoint
B.Place a forward proxy server in the public subnet and configure the web server to use it for S3
C.Create an Interface VPC Endpoint for S3 in the public subnet
D.Set up a NAT Gateway in the same subnet and route S3 traffic through it
AnswerA

Correct; Gateway Endpoint provides private access to S3 without internet.

Why this answer

Option A is correct because a Gateway VPC Endpoint for S3 allows private access to S3 without internet traffic, and it is free and highly available. Option D is wrong because a NAT Gateway is used for outbound internet access, so S3 traffic still uses the internet. Option C is wrong because an Interface VPC Endpoint for S3 is also private but more expensive than a Gateway Endpoint.

Option B is wrong because a proxy server adds complexity and is not the most secure or simple solution.

339
MCQmedium

A company is troubleshooting connectivity issues between an on-premises network and a VPC connected via AWS VPN CloudHub. The on-premises network uses multiple customer gateways (CGWs) connected to a single virtual private gateway (VGW). The company wants to ensure that all traffic from the VPC to on-premises is routed through a specific CGW. Which configuration should be used?

A.Adjust the BGP local preference on the preferred CGW to a higher value
B.Remove the other CGWs from the VGW
C.Modify the VPN tunnel option to prefer the specific tunnel
D.Configure a static route in the VPC route table pointing to the VGW with a more specific prefix for the on-premises network
AnswerD

Static routes take precedence over BGP routes.

Why this answer

Option D is correct because using a more specific prefix in the static route forces traffic through that CGW. Option A is wrong because BGP metrics influence path selection but are not deterministic. Option C is wrong because VPN tunnel options affect encryption, not routing.

Option B is wrong because multiple CGWs per VGW are possible with CloudHub.

340
MCQmedium

A company is setting up a new VPC with a CIDR block of 10.0.0.0/16. They need to create subnets for different tiers: public (web servers), private (application servers), and database (RDS). They want to maximize the number of available IP addresses while ensuring each subnet has at least 256 IP addresses. Which subnet design meets these requirements?

A.Create six /24 subnets (256 IPs each) across two Availability Zones (three per AZ).
B.Create three /25 subnets (128 IPs each) in one Availability Zone.
C.Create six /26 subnets (64 IPs each) across two Availability Zones.
D.Create three /24 subnets (256 IPs each) in one Availability Zone.
AnswerA

/24 provides 256 IPs, and using two AZs provides high availability.

Why this answer

Using /24 subnets (256 IPs each) across three tiers in two AZs requires six subnets, which fit within the /16. Option B uses /25 (128 IPs), which is too small. Option D uses /24 but only one AZ, so it is not highly available.

Option C uses /26 (64 IPs), which is too small.
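Carving the /16 in question 340 into per-tier, per-AZ subnets is a small calculation that is worth automating so the size check is not done by hand. The block below is an added example, not code from the question bank: it allocates one block per (tier, AZ) with Python's `ipaddress` module, rejects a design whose subnets fall below the required address count, and reports the usable count after the five addresses AWS reserves in every subnet (network address, VPC router, DNS, one reserved for future use, broadcast). The tier and AZ names are constructed.

```python
"""Three-tier subnet plan across Availability Zones (added example).

Allocates one subnet per (tier, AZ) from the VPC CIDR with the ipaddress
module and checks the size requirement from question 340. aws_usable()
subtracts the five addresses AWS reserves in every subnet (network address,
VPC router, DNS, one spare, broadcast). Tier and AZ names are constructed.
"""
from ipaddress import ip_network

AWS_RESERVED_PER_SUBNET = 5
TIERS = ("public", "private", "database")


def aws_usable(cidr):
    """Addresses instances can actually use in an AWS subnet of this size."""
    return ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, azs, tiers=TIERS, new_prefix=24, min_addresses=256):
    """Return {(tier, az): cidr}; raise ValueError if a subnet would be smaller than
    min_addresses or the VPC runs out of /new_prefix blocks."""
    vpc = ip_network(vpc_cidr)
    if new_prefix < vpc.prefixlen:
        raise ValueError(f"/{new_prefix} is larger than the VPC {vpc}")
    per_subnet = 2 ** (vpc.max_prefixlen - new_prefix)
    if per_subnet < min_addresses:
        raise ValueError(f"/{new_prefix} gives {per_subnet} addresses, need {min_addresses}")
    pool = vpc.subnets(new_prefix=new_prefix)   # yields consecutive blocks
    plan = {}
    for az in azs:
        for tier in tiers:
            block = next(pool, None)
            if block is None:
                raise ValueError(f"{vpc} exhausted after {len(plan)} subnets")
            plan[(tier, az)] = str(block)
    return plan


def design_meets_requirement(vpc_cidr, azs, **kwargs):
    """True when plan_subnets() can satisfy the design, False otherwise."""
    try:
        plan_subnets(vpc_cidr, azs, **kwargs)
        return True
    except ValueError:
        return False


def free_blocks(vpc_cidr, plan, new_prefix=24):
    """Number of /new_prefix blocks still unallocated after the plan."""
    used = {ip_network(c) for c in plan.values()}
    return sum(1 for b in ip_network(vpc_cidr).subnets(new_prefix=new_prefix) if b not in used)


if __name__ == "__main__":
    azs = ["us-east-1a", "us-east-1b"]   # constructed AZ names
    plan = plan_subnets("10.0.0.0/16", azs)
    for (tier, az), cidr in plan.items():
        print(f"{az} {tier:9s} {cidr}  usable={aws_usable(cidr)}")
    print("free /24 blocks left:", free_blocks("10.0.0.0/16", plan))
    for prefix in (25, 26):
        print(f"/{prefix} meets requirement:", design_meets_requirement("10.0.0.0/16", azs, new_prefix=prefix))
```

The /25 and /26 designs in options B and C fail the size check before any allocation happens; the /24 plan uses six of the 256 available blocks, leaving plenty of room to add a third AZ later.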

341
Multi-Selecthard

Which THREE of the following are valid considerations when designing a multi-VPC architecture using AWS Transit Gateway? (Choose three.)

Select 3 answers
A.You can route internet-bound traffic from multiple VPCs through a single shared VPC with a NAT gateway.
B.Transit Gateway does not support multicast traffic.
C.You can use separate route tables to isolate traffic between different VPCs.
D.VPCs attached to the same Transit Gateway can have overlapping CIDR blocks.
E.You can attach a Direct Connect Gateway to a Transit Gateway for hybrid connectivity.
AnswersA, C, E

Centralized NAT via Transit Gateway routing.

Why this answer

Options A, C, and E are correct. C: Transit Gateway supports transitive routing, but route tables control which VPCs can communicate. D is wrong because each VPC needs a unique CIDR to avoid routing conflicts.

B is wrong because Transit Gateway supports multicast. E is correct: you can attach a Direct Connect Gateway to a Transit Gateway for on-premises connectivity. A is correct: you can centralize internet access via a NAT gateway in a shared VPC.

342
MCQhard

A company has multiple VPCs connected via a transit gateway. Each VPC has a security group that allows traffic from the other VPCs' CIDR blocks. The security group rules are getting complex. How can the company simplify security group management while maintaining the same level of security?

A.Use managed prefix lists in security group rules.
B.Use VPC endpoints for inter-VPC communication.
C.Deploy AWS Network Firewall to centralize rules.
D.Replace security groups with network ACLs.
AnswerA

Prefix lists simplify by grouping CIDRs.

Why this answer

Option A is correct because using prefix lists allows referencing a collection of CIDRs in security group rules. Option D is wrong because NACLs are stateless and less granular. Option B is wrong because VPC endpoints are for AWS services.

Option C is wrong because Network Firewall adds complexity.

343
MCQeasy

A company has a VPC with a public subnet hosting a web server. They want to make the web server accessible over the internet. The web server has a public IP address. The public subnet route table has a default route (0.0.0.0/0) to an internet gateway. The security group for the web server allows inbound HTTP (port 80) from 0.0.0.0/0. However, external users cannot access the web server. What is the most likely cause?

A.The internet gateway is not attached to the VPC
B.The web server is not listening on port 80
C.The route table for the public subnet does not have a route to the internet gateway
D.The network ACL for the public subnet is blocking inbound HTTP traffic
AnswerA

Internet gateway must be attached for public traffic.

Why this answer

The internet gateway must be attached to the VPC. If it is not attached, traffic cannot flow. Option D (NACL) could be blocking, but the default NACL allows all traffic.

Option B (web server not listening) is possible but less likely than a missing IGW attachment. Option C (route table) is already correct.

344
MCQmedium

A company uses AWS Global Accelerator to improve performance for a web application hosted on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The Global Accelerator has an endpoint group in the us-east-1 Region with the ALB as an endpoint. Users in Asia report high latency. The company creates a new endpoint group in ap-southeast-1 and adds the same ALB (which is still in us-east-1). However, users in Asia still experience high latency. What should the network engineer do to reduce latency for Asian users?

A.Change the endpoint in ap-southeast-1 to use the same ALB but with a cross-Region VPC peering
B.Configure Global Accelerator to use weighted routing to direct more traffic to ap-southeast-1
C.Add an additional ALB in ap-southeast-1 and add it as an endpoint in the ap-southeast-1 endpoint group
D.Use Lambda@Edge to cache content at CloudFront edge locations in Asia
AnswerC

Deploying locally reduces latency.

Why this answer

Global Accelerator uses anycast IPs and routes traffic to the nearest endpoint group. But if the ALB is only in us-east-1, traffic from Asia will still go to us-east-1. To reduce latency, the company needs to deploy the application in ap-southeast-1 and add a local ALB as an endpoint.

Options B and D do not address the physical distance. Option A is incorrect because Global Accelerator endpoints can be ALBs, but a cross-Region ALB is not supported (the endpoint group and the endpoint must be in the same Region).

345
MCQeasy

A company needs to establish a dedicated, low-latency, and consistent network connection from their on-premises data center to AWS. Which AWS service should they use?

A.AWS Site-to-Site VPN
B.AWS VPN CloudHub
C.VPC peering
D.AWS Direct Connect
AnswerD

Direct Connect provides a dedicated, private, low-latency connection.

Why this answer

Option D is correct because AWS Direct Connect provides a dedicated private connection. Option A is wrong because Site-to-Site VPN uses the internet and is less consistent. Option C is wrong because VPC peering is for VPC-to-VPC connectivity.

Option B is wrong because VPN CloudHub is for connecting multiple on-premises sites.

346
MCQhard

A company uses AWS Client VPN for remote access. Users report intermittent disconnections. The network engineer notices that the Client VPN endpoint is associated with a single subnet. What change should be made to improve reliability?

A.Split the client CIDR into smaller ranges for each Availability Zone.
B.Associate the Client VPN endpoint with subnets in at least two Availability Zones.
C.Create multiple route tables for the same subnet.
D.Increase the subnet CIDR size to accommodate more clients.
AnswerB

Provides redundancy if one AZ fails.

Why this answer

Option B is correct because associating the Client VPN endpoint with subnets in multiple AZs provides high availability. Option D is wrong because increasing the subnet size does not improve availability. Option C is wrong because multiple route tables are not needed; Client VPN uses one route table per subnet association.

Option A is wrong because splitting the CIDR does not add redundancy.

347
Multi-Selectmedium

A network engineer is designing a hybrid network architecture that connects an on-premises data center to AWS using AWS Direct Connect and a VPN connection as a backup. The on-premises network uses BGP to advertise routes to AWS. Which of the following are best practices for this setup? (Choose TWO.)

Select 2 answers
A.Advertise the same routes over both connections with identical BGP attributes.
B.Use different BGP ASNs for the Direct Connect and VPN connections.
C.Use the VPN connection as the primary path and Direct Connect as the backup.
D.Use the same BGP ASN for both the Direct Connect and VPN connections.
E.Configure BGP attributes to ensure that the Direct Connect path is preferred over the VPN path.
AnswersB, E

Different ASNs prevent routing loops and allow proper path selection.

Why this answer

Option B is correct because using different BGP ASNs for the Direct Connect and VPN connections prevents BGP from treating the two connections as a single eBGP session, which would cause routing loops or suboptimal path selection. This separation allows AWS to distinguish between the two paths and apply independent routing policies. Option E is correct because configuring BGP attributes (such as AS path prepending or MED) on the Direct Connect path ensures it is preferred over the VPN backup, aligning with the design goal of using Direct Connect as the primary link.

Exam trap

The trap here is that candidates often think using the same BGP ASN simplifies configuration, but in a dual-connection design, it actually breaks path independence and can cause routing instability or suboptimal failover behavior.

348
MCQeasy

A company has a VPC with multiple subnets. They want to monitor all network traffic entering and leaving the VPC for security analysis. Which AWS service should they use?

A.AWS CloudTrail
B.AWS Config
C.Amazon GuardDuty
D.VPC Flow Logs
AnswerD

VPC Flow Logs capture network traffic metadata.

Why this answer

Option D is correct. VPC Flow Logs capture IP traffic information. Option A is wrong because CloudTrail logs API calls.

Option B is wrong because Config records resource changes. Option C is wrong because GuardDuty is a threat detection service that uses flow logs but does not capture traffic itself.
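Question 348 stops at choosing VPC Flow Logs; what a security analyst then does with the records is parse them and look for patterns. The block below is an added example, not code from the question bank: it parses records in the default flow-log field order (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), skips NODATA rows, and summarises REJECTed flows per source, flagging non-RFC 1918 sources rejected on several distinct ports. The log lines, account id and ENI id are constructed; the external addresses are documentation ranges. RFC 1918 membership is checked explicitly rather than with `is_private`, because Python also reports the documentation ranges as private.

```python
"""VPC Flow Logs triage (added example, not from the question bank).

Parses records in the default flow-log format (version account-id
interface-id srcaddr dstaddr srcport dstport protocol packets bytes start
end action log-status), drops NODATA/SKIPDATA rows, and flags sources
outside RFC 1918 space whose flows were REJECTed on several distinct
destination ports. The log lines, account id and ENI id are constructed;
external addresses come from documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.10 44321 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.10 44322 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.1.1.10 51000 443 6 10 2000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.10 44323 445 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.10 50123 443 6 8 900 1700000000 1700000060 ACCEPT OK
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status")

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    dstport: int
    protocol: int
    packets: int
    nbytes: int
    action: str


def parse_flow_log(text):
    """One FlowRecord per data row; rows whose log-status is not OK carry no traffic."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue   # malformed row: skip rather than guess at field positions
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue
        records.append(FlowRecord(row["srcaddr"], row["dstaddr"], int(row["dstport"]),
                                  int(row["protocol"]), int(row["packets"]), int(row["bytes"]),
                                  row["action"]))
    return records


def is_internal(addr):
    """True for RFC 1918 space; checked explicitly, since is_private() also covers TEST-NETs."""
    return any(ip_address(addr) in net for net in RFC1918)


def reject_summary(records):
    """{srcaddr: {"rejects": n, "ports": [distinct dst ports]}} over REJECTed flows."""
    by_src = defaultdict(lambda: {"rejects": 0, "ports": set()})
    for r in records:
        if r.action == "REJECT":
            by_src[r.srcaddr]["rejects"] += 1
            by_src[r.srcaddr]["ports"].add(r.dstport)
    return {s: {"rejects": v["rejects"], "ports": sorted(v["ports"])} for s, v in by_src.items()}


def flag_external_probers(summary, min_ports=3):
    """Sources outside RFC 1918 space rejected on at least min_ports distinct ports."""
    return sorted(s for s, v in summary.items() if not is_internal(s) and len(v["ports"]) >= min_ports)


def bytes_by_action(records):
    """Total bytes per action, a quick sanity figure for what the VPC actually carried."""
    totals = defaultdict(int)
    for r in records:
        totals[r.action] += r.nbytes
    return dict(totals)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    summary = reject_summary(recs)
    print("rejects by source:", summary)
    print("external sources probing several ports:", flag_external_probers(summary))
    print("bytes by action:", bytes_by_action(recs))
```

The threshold in `flag_external_probers` is deliberately a parameter: on a busy interface three distinct rejected ports from one source is noise, and the right value comes from the baseline of the environment, not from this sample.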

349
MCQeasy

A company is deploying a hybrid network architecture with an AWS Site-to-Site VPN connection between its on-premises network and a VPC. The on-premises network uses BGP to advertise routes to the VPN connection. After the VPN is established, the on-premises network cannot reach EC2 instances in the VPC. The VPC route table has a route for the on-premises CIDR block pointing to the VPN gateway. What is the most likely cause of this issue?

A.The VPN connection is not using the correct pre-shared key.
B.The security group attached to the EC2 instances does not allow inbound traffic from the on-premises CIDR.
C.The on-premises network is advertising a default route (0.0.0.0/0) via BGP, which is overriding the VPC's local route.
D.The VPC's network ACLs are blocking inbound traffic from the on-premises network.
AnswerC

BGP route propagation can cause the VPC route table to learn a default route from on-premises, which may cause traffic destined for the VPC CIDR to be sent back to the VPN gateway instead of staying local.

Why this answer

When the on-premises network advertises a default route (0.0.0.0/0) via BGP over the VPN connection, the VPC propagates that route into its route tables (if route propagation is enabled). This default route can override the VPC's local route for the on-premises CIDR, causing traffic destined for the on-premises network to be sent back out the VPN gateway instead of being delivered locally, effectively breaking connectivity to EC2 instances.

Exam trap

The trap here is that candidates often focus on security group or NACL misconfigurations, but the real issue is a routing conflict caused by BGP advertising a default route that overrides the VPC's local route, a classic hybrid networking pitfall.

How to eliminate wrong answers

Option A is wrong because an incorrect pre-shared key would prevent the VPN tunnel from establishing at all, but the question states the VPN is established. Option B is wrong because security groups are stateful and, by default, allow all outbound traffic; the issue is about inbound traffic not reaching the instances, but the root cause is a routing problem, not a firewall rule. Option D is wrong because network ACLs are stateless and, by default, allow all inbound and outbound traffic unless explicitly modified; the question does not indicate any custom NACL changes, so they are not blocking traffic.

350
MCQmedium

A company has a VPC with two subnets: a public subnet with a NAT Gateway and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance has a security group that allows all outbound traffic. The private subnet's route table has a default route (0.0.0.0/0) pointing to the NAT Gateway. However, the instance cannot reach the internet. What is the most likely issue?

A.The security group does not allow inbound traffic from the internet.
B.The NAT Gateway is deployed in a private subnet.
C.The network ACL on the private subnet blocks outbound traffic.
D.The instance's DNS resolution is not configured correctly.
AnswerB

NAT Gateway requires a public subnet with an Internet Gateway to function.

Why this answer

The NAT Gateway must be in a public subnet with an Internet Gateway attached. If the NAT Gateway is in a private subnet, it cannot access the internet. Option A (security group) allows outbound traffic; Option B (NACL) allows traffic by default; Option D (DNS) is not the issue.

351
MCQmedium

A company is setting up a Direct Connect connection to AWS. The on-premises router is configured with a BGP ASN of 65000. The AWS side uses a public ASN of 64512. Which configuration change is required for BGP peering to establish?

A.Increase the eBGP multihop TTL to 2.
B.Configure the BGP peer with a public ASN on the customer side.
C.Enable BGP authentication with MD5 password.
D.Change the customer ASN to a value in the 64512-65534 range.
AnswerD

Direct Connect requires private ASNs for the customer side.

Why this answer

Option D is correct because Direct Connect requires private ASNs (64512-65534) for the customer side; 65000 is private. Option A is wrong because public ASNs are not required. Option B is wrong because MD5 is optional.

Option C is wrong because eBGP multihop is not needed for directly connected routers.

352
MCQeasy

A company is setting up AWS Client VPN to allow remote employees to access resources in a VPC. The VPC has a CIDR block of 10.0.0.0/16. The Client VPN endpoint is associated with a subnet 10.0.1.0/24. The company wants to assign client IP addresses from a different CIDR range than the VPC to avoid overlap. Which client CIDR range should the company specify?

A.172.16.0.0/12
B.10.0.0.0/16
C.10.0.0.0/8
D.192.168.0.0/16
AnswerD

Non-overlapping private range.

Why this answer

Option B is correct because the client CIDR range must be different from the VPC CIDR and any connected networks. 192.168.0.0/16 is a valid private range that does not overlap with 10.0.0.0/16. Option A overlaps with the VPC CIDR. Option C is a public range, not recommended.

Option D overlaps with the VPC CIDR.

353
MCQmedium

A company is setting up an AWS Site-to-Site VPN connection between its on-premises network and a VPC. The VPC has a virtual private gateway (VGW) attached, and the VPN connection uses two tunnels for redundancy. The on-premises customer gateway (CGW) is configured with the public IP address of the on-premises VPN device. The VPN tunnels are up and BGP sessions are established. However, the company cannot ping an EC2 instance in the VPC from an on-premises server. The security group for the EC2 instance allows ICMP from the on-premises network CIDR. What is the MOST likely cause of the issue?

A.The route tables of the VPC subnets do not have a route for the on-premises CIDR pointing to the virtual private gateway.
B.The customer gateway is configured with an incorrect private IP address.
C.The VPN connection's security group is blocking ICMP traffic.
D.The BGP session is not advertising the on-premises routes to the VGW.
AnswerA

Without a route, traffic from VPC to on-premises is dropped.

Why this answer

Option A is correct because the VPC subnet route tables must have a route pointing to the VGW for the on-premises CIDR. Option B is incorrect because BGP is established. Option C is incorrect because the CGW is configured correctly.

Option D is incorrect because the VPN connection does not have a security group.

354
Multi-Selecthard

A company is using AWS Direct Connect with a private VIF to connect its on-premises network to a VPC. The VPC has a CIDR 10.0.0.0/16. The on-premises network uses 192.168.0.0/16. The company wants to enable communication between on-premises and the VPC, and also allow the VPC to access the internet via an internet gateway. Which TWO of the following configurations are necessary?

Select 2 answers
A.A route in the on-premises router for the VPC CIDR (10.0.0.0/16) pointing to the AWS Direct Connect router.
B.A route in the VPC route table for 0.0.0.0/0 pointing to the internet gateway.
C.A route in the VPC route table for 0.0.0.0/0 pointing to the virtual private gateway.
D.A route in the VPC route table for the on-premises CIDR (192.168.0.0/16) pointing to the internet gateway.
E.A route in the VPC route table for the on-premises CIDR (192.168.0.0/16) pointing to the virtual private gateway.
AnswersB, E

Required for VPC internet access.

Why this answer

Option A is correct because the VPC route table must have a route for 192.168.0.0/16 pointing to the virtual private gateway (VGW) to route traffic to on-premises. Option D is correct because the VPC route table must have a route for 0.0.0.0/0 pointing to the internet gateway for outbound internet access. Option B is not necessary because the VGW is automatically attached.

Option C is not necessary because the on-premises router must have routes to the VPC CIDR, not the internet gateway. Option E is not necessary because the VGW already handles routing.

355
MCQmedium

A company is implementing a network for a three-tier application in a VPC. They need to ensure that the web tier can communicate with the application tier, but the application tier cannot initiate connections to the web tier. Which configuration should be used?

A.Use network ACLs on the application tier subnets to allow inbound from web tier and block outbound to web tier
B.Use a transit gateway with route tables to control traffic flow
C.Place a reverse proxy between the tiers
D.Use security groups on the application tier instances to allow inbound from the web tier security group, and do not allow inbound from application tier in the web tier security group
AnswerD

Stateful security groups allow responses and block unwanted initiation.

Why this answer

Option B is correct because a stateful firewall like security groups can allow inbound from web to app while blocking inbound from app to web. Option A is wrong because network ACLs are stateless and require separate rules for inbound and outbound, making it more complex. Option C is wrong because a reverse proxy is unnecessary.

Option D is wrong because a transit gateway is for inter-VPC routing, not for this requirement.

356
MCQhard

A company has a VPC with a CIDR block of 10.0.0.0/16. The VPC has three subnets: 10.0.1.0/24, 10.0.2.0/24, and 10.0.3.0/24. An EC2 instance in subnet 10.0.1.0/24 needs to send traffic to an on-premises server at 10.0.0.5/32 via a VPN connection. The VPC route table has a route to the VPN gateway for 10.0.0.0/8. What is the expected behavior?

A.Traffic to 10.0.0.5 is sent to the internet gateway.
B.Traffic to 10.0.0.5 is routed through the VPN gateway.
C.Traffic to 10.0.0.5 stays within the VPC.
D.Traffic to 10.0.0.5 is dropped because there is no matching route.
AnswerC

The VPC's local route matches 10.0.0.5.

Why this answer

Option C is correct because the VPC has a more specific route (10.0.0.0/16) for local traffic, which takes precedence over the VPN route (10.0.0.0/8) due to longest prefix match. Traffic from the EC2 instance to 10.0.0.5 is within the VPC CIDR, so it stays local.

357
MCQhard

A company has a Direct Connect connection with a private VIF connected to a VPC. The company wants to add a second Direct Connect connection for redundancy. They plan to use BGP AS_PATH prepending to influence traffic steering so that the primary connection is preferred for inbound traffic. The on-premises router advertises the same prefix over both connections. The company configures BGP on the primary VIF with AS_PATH prepending (prepend two AS numbers). However, after configuration, inbound traffic still uses both paths equally. What is the most likely cause?

A.The secondary VIF is not configured with BGP authentication.
B.AS_PATH prepending on the AWS side only affects outbound traffic, not inbound traffic.
C.The BGP hold time timer is set too low, causing the primary connection to flap.
D.The company did not set the MED attribute on the primary VIF.
E.The company configured the prepending on the virtual private gateway instead of the Direct Connect gateway.
AnswerB

AS_PATH prepending on AWS side makes the path longer for outbound traffic from AWS to on-premises. To affect inbound traffic, prepending must be done on the on-premises router.

Why this answer

B is correct because AS_PATH prepending on the AWS side (the VIF) affects the AS_PATH attribute of routes advertised by AWS to the on-premises router. For inbound traffic (traffic coming from on-premises into AWS), the on-premises router makes the routing decision based on the BGP attributes it receives from AWS. Prepending on the AWS side makes the path through the primary VIF look longer to the on-premises router, so the on-premises router should prefer the secondary VIF.

However, if the on-premises router is not honoring the prepended AS_PATH (e.g., due to local preference or other policies), or if the prepending is not actually being applied to the correct direction, traffic may still be balanced. The key point is that AS_PATH prepending on the AWS side influences outbound traffic from AWS, not inbound traffic to AWS; inbound traffic steering is controlled by the on-premises router's BGP decision process.

Exam trap

AWS often tests the misconception that AS_PATH prepending on the AWS side directly controls inbound traffic from on-premises, when in fact it only influences the BGP decision on the on-premises router by making the path appear longer; the actual inbound traffic flow depends on the on-premises router's BGP best path selection and any local policies applied there.

How to eliminate wrong answers

Option A is wrong because BGP authentication (MD5) does not influence path selection or traffic steering; it only secures the BGP session. Option C is wrong because a low BGP hold time timer would cause the session to reset or flap, but the question states the primary connection is stable and traffic is still using both paths equally, not that it is flapping. Option D is wrong because the MED (Multi-Exit Discriminator) attribute is used to influence inbound traffic from a neighboring AS, but it is not the standard method for path selection when AS_PATH prepending is already configured; moreover, the issue is that prepending is not affecting inbound traffic as expected, not that MED is missing.

Option E is wrong because the prepending is configured on the VIF (the BGP session), not on the virtual private gateway or Direct Connect gateway; the VIF is the correct place to apply AS_PATH prepending for the BGP session with the on-premises router.

358
MCQhard

A network engineer is troubleshooting connectivity between two VPCs that are peered. The route tables are correct, and security groups allow traffic. However, ICMP ping fails. What is the most likely cause?

A.The route tables are not propagated
B.VPC peering does not support ICMP
C.The VPCs are in different regions
D.The security groups are blocking ICMP
AnswerB

VPC peering does not support ICMP; use TCP or UDP for connectivity tests.

Why this answer

VPC peering does not support ICMP; it only supports TCP and UDP traffic.

359
MCQeasy

A network engineer is troubleshooting connectivity from an EC2 instance in a private subnet to an S3 bucket. The VPC has a VPC endpoint for S3 configured. The instance can access the internet via a NAT Gateway. Which configuration is MOST likely causing the connection to S3 to fail?

A.The S3 VPC endpoint is in a different Availability Zone than the instance.
B.The route table for the private subnet is missing a route to the S3 VPC endpoint.
C.The S3 bucket policy does not allow access from the VPC endpoint.
D.The EC2 instance does not have a public IP address.
AnswerB

Without a route to the endpoint, traffic goes via NAT Gateway, which may be blocked.

Why this answer

If a VPC endpoint for S3 is configured, traffic to S3 should use the endpoint and not go through the NAT Gateway. If the route table for the private subnet does not have a route to the S3 endpoint, traffic will go through the NAT Gateway, which may have security group restrictions or other issues. Option A is wrong because S3 endpoints do not use IAM roles for network connectivity.

Option C is wrong because VPC endpoints do not require a public IP. Option D is wrong because S3 endpoints work across AZs.

360
MCQmedium

A company has deployed a web application across multiple AWS Regions using Application Load Balancers (ALBs) and EC2 instances. They want to use AWS Global Accelerator to improve performance and provide a fixed entry point. The Global Accelerator is configured with endpoints pointing to the ALBs. However, users are experiencing intermittent failures. What is the most likely cause?

A.Client IP address preservation is enabled on the Global Accelerator for cross-Region endpoints.
B.Global Accelerator does not support multiple endpoints in different Regions.
C.The ALBs are not configured with health checks.
D.The Global Accelerator is not configured for IPv6 traffic.
AnswerA

When using cross-region endpoints, client IP address preservation must be disabled, otherwise traffic fails.

Why this answer

When client IP address preservation is enabled on Global Accelerator for cross-Region endpoints, the accelerator preserves the original client IP address in the packets sent to the Application Load Balancers. However, ALBs are layer-7 load balancers that require traffic to originate from the Global Accelerator's static IP addresses, not the client's IP, for proper routing and health check responses. This mismatch causes the ALBs to reject or mishandle traffic, leading to intermittent failures.

Exam trap

AWS often tests the misconception that client IP preservation is always beneficial, but the trap here is that enabling it for ALB endpoints in cross-Region setups breaks the expected traffic flow because ALBs require the source IP to be the Global Accelerator's IPs, not the client's.

How to eliminate wrong answers

Option B is wrong because Global Accelerator explicitly supports multiple endpoints in different Regions, allowing traffic to be routed to the closest healthy endpoint. Option C is wrong because health checks are configured on the Global Accelerator itself, not on the ALBs; ALBs have their own health checks, but the absence of ALB health checks would not cause intermittent failures from Global Accelerator. Option D is wrong because Global Accelerator supports both IPv4 and IPv6 traffic, and the question does not indicate any IPv6-related issue; the failure is unrelated to IP version support.

361
MCQhard

A company has a VPC with a CIDR of 10.0.0.0/16. The VPC has a public subnet 10.0.1.0/24 and a private subnet 10.0.2.0/24. An EC2 instance in the private subnet needs to download patches from the internet. Which configuration is required to provide outbound internet access to the private instance while preventing inbound internet traffic?

A.Attach an Internet Gateway to the private subnet and add a default route to the Internet Gateway in the private route table
B.Assign an Elastic IP to the private instance and update the security group to allow outbound traffic
C.Add an Internet Gateway to the VPC and create a route in the private subnet to 0.0.0.0/0 via the Internet Gateway
D.Deploy a NAT Gateway in the public subnet and add a default route in the private subnet route table pointing to the NAT Gateway
AnswerD

NAT Gateway enables outbound-only internet access for private instances.

Why this answer

Option C is correct because a NAT Gateway in the public subnet with a route in the private subnet route table pointing to the NAT Gateway provides outbound internet access. Option A is wrong because an Internet Gateway attached to the private subnet would allow inbound traffic. Option B is wrong because an EIP on the private instance directly exposes it.

Option D is wrong because an Internet Gateway alone does not provide outbound access without a route to it.

362
Multi-Selecthard

A company is configuring a site-to-site VPN connection between its on-premises network and AWS. The VPN tunnel is up, but traffic is not passing. The company has verified that routes are correct on both sides. Which TWO actions should the company take to troubleshoot the issue?

Select 2 answers
A.Verify that the virtual private gateway is attached to the VPC.
B.Ensure that the on-premises firewall is configured to allow IPSec traffic.
C.Check the security group rules for the EC2 instances in the VPC.
D.Verify that the VPN tunnel is using the correct encryption algorithm.
E.Check the network ACLs for the subnets.
AnswersC, E

Security groups can block traffic.

Why this answer

Options A and D are correct because checking security group and NACL rules is essential for traffic flow. B is irrelevant because the tunnel is up. C is not applicable.

E is already done.

363
MCQeasy

A network engineer is designing a hybrid network using AWS Direct Connect. The company requires high availability and wants to use a single AWS Direct Connect location with two connections from different customer routers. Which solution meets the high availability requirement?

A.Use a single AWS Direct Connect connection with multiple VLANs
B.Use a single AWS Direct Connect connection with two BGP sessions
C.Use two AWS Direct Connect connections from the same location, each connected to a different customer router, and configure BGP sessions over both connections
D.Use a single AWS Direct Connect connection with Bidirectional Forwarding Detection (BFD) enabled
AnswerC

Two connections from different routers provide router-level redundancy.

Why this answer

Option A is correct because using two connections (primary and backup) from different customer routers to the same Direct Connect location provides redundancy at the router level. Option B is wrong because a single connection is a single point of failure. Option C is wrong because multiple VLANs on one connection do not provide physical redundancy.

Option D is wrong because BFD does not provide physical redundancy.

364
Multi-Selecthard

A network engineer is designing a highly available VPN connectivity between an on-premises data center and AWS. The company has two AWS Direct Connect connections terminated on two different AWS Direct Connect locations for redundancy. The company wants to use AWS Site-to-Site VPN as a backup for Direct Connect. The VPN connections will terminate on a single Virtual Private Gateway (VGW) attached to a VPC. The on-premises network has two customer gateways (CGWs) each with a unique BGP ASN. Which TWO actions should the engineer take to ensure automatic failover and load balancing? (Choose two.)

Select 2 answers
A.Configure the VPN connections to use BGP dynamic routing.
B.Set up a CloudWatch alarm to trigger an AWS Lambda function that changes route table entries upon VPN failure.
C.Configure the VPN connections to use static routes with equal cost multipath (ECMP).
D.Use a single customer gateway with two separate tunnels to the virtual private gateway.
E.Create two VPN connections, each from a different customer gateway to the same virtual private gateway.
AnswersA, E

BGP allows automatic route propagation and failover.

Why this answer

Option A is correct because using BGP dynamic routing on both VPN tunnels allows automatic failover and load balancing. Option C is correct because creating a VPN connection from each CGW to the same VGW provides two separate tunnels. Option B is incorrect because static routes do not provide automatic failover.

Option D is incorrect because a single CGW creates a single point of failure. Option E is incorrect because the VPN is backup; using BGP on both tunnels handles failover without CloudWatch alarms.

365
MCQmedium

A network engineer is troubleshooting high latency between two EC2 instances in the same VPC but in different Availability Zones. The instances are in the same security group and have proper rules. Which configuration is most likely causing the latency?

A.The instances are using jumbo frames.
B.The instances are in a cluster placement group.
C.The instances have Enhanced Networking enabled.
D.The instances are in different Availability Zones.
AnswerD

Inter-AZ traffic has higher latency.

Why this answer

The primary cause of higher latency between EC2 instances in different Availability Zones is the physical distance and the additional network hops required to traverse the AZ boundary. Even within the same VPC, traffic between AZs must pass through AWS's regional network infrastructure, which introduces a baseline latency of 1-2 milliseconds, whereas instances in the same AZ can communicate with sub-millisecond latency. The question explicitly states the instances are in different AZs, making this the most likely source of the latency issue.

Exam trap

The trap here is that candidates often assume all instances in the same VPC have identical latency regardless of AZ placement, overlooking the fundamental physical and network architecture differences between intra-AZ and inter-AZ communication.

How to eliminate wrong answers

Option A is wrong because jumbo frames (MTU 9001) reduce latency by enabling larger payloads per packet, decreasing overhead and improving throughput; they do not cause high latency. Option B is wrong because a cluster placement group is designed to provide the lowest possible latency and maximum packet-per-second performance by placing instances in a single AZ, so using it would reduce, not cause, latency. Option C is wrong because Enhanced Networking (using SR-IOV or ENA) provides higher bandwidth, lower jitter, and lower per-packet latency; it is a performance optimization, not a source of latency.

366
MCQhard

A network engineer is troubleshooting connectivity issues between two VPCs connected via a VPC peering connection. The VPCs are in different AWS accounts and regions. The engineer can ping the private IP of an instance in the peered VPC from one side, but not from the other. What is the most likely cause?

A.Route tables in one VPC do not have a route to the peered VPC CIDR
B.The security group in the peered VPC is blocking ICMP traffic
C.The VPC CIDR blocks overlap
D.The VPC peering connection is in a 'pending-acceptance' state
AnswerA

A missing route in one VPC prevents return traffic, causing one-way connectivity.

Why this answer

Option D is correct because VPC peering connections must have matching route tables in both VPCs to allow bidirectional traffic. The ability to ping from one side but not the other indicates a missing route in one VPC's route table. Options A and B are irrelevant because the peering connection exists and works in one direction.

Option C is for security groups, which would affect both directions equally.

367
MCQeasy

A company wants to allow an EC2 instance in a private subnet to download files from an S3 bucket without traversing the internet. Which AWS service should be used?

A.Establish an AWS Direct Connect connection to the VPC.
B.Attach an internet gateway and route through a NAT gateway.
C.Create a VPC Interface Endpoint for S3.
D.Create a VPC Gateway Endpoint for S3.
AnswerD

Gateway Endpoint provides private connectivity to S3 without internet.

Why this answer

Option D is correct because a VPC Gateway Endpoint for S3 allows private connectivity to S3 without internet. Option A is wrong because NAT gateway uses internet. Option B is wrong because Direct Connect is for on-premises.

Option C is wrong because S3 does not support VPC Interface Endpoint by default; Gateway Endpoint is used for S3.

368
MCQhard

A company has a VPC with a CIDR of 10.0.0.0/16 and has enabled VPC Flow Logs to capture all traffic. The logs show that an EC2 instance (10.0.1.10) is sending outbound traffic to an external IP (203.0.113.50) on port 443, but the traffic is being rejected. The instance's security group allows outbound HTTPS to 0.0.0.0/0, and the subnet's NACL allows outbound traffic on port 443. The VPC has an internet gateway attached, and the route table directs 0.0.0.0/0 to the internet gateway. What is the most likely cause of the rejection?

A.The NACL inbound rules are blocking the return traffic.
B.The security group does not allow inbound HTTPS traffic.
C.The internet gateway is not attached to the VPC.
D.The route table does not have a route to the internet gateway.
AnswerA

NACLs are stateless and require explicit inbound rules for return traffic.

Why this answer

The outbound traffic from the EC2 instance is allowed by the security group and NACL outbound rules, but the return traffic (responses from 203.0.113.50:443 back to 10.0.1.10) must also be permitted by the subnet's NACL inbound rules. Since the NACL is stateless, it requires explicit inbound rules for ephemeral ports (typically 1024-65535) to allow the return traffic. If those inbound rules are missing, the return packets are dropped, causing the outbound traffic to appear as rejected in VPC Flow Logs.

Exam trap

AWS often tests the distinction between stateful security groups and stateless NACLs, specifically that NACLs require explicit inbound rules for return traffic while security groups automatically allow it.

How to eliminate wrong answers

Option B is wrong because the security group is stateful, so inbound HTTPS rules are not required for return traffic; the stateful nature of security groups automatically allows response traffic for outbound connections. Option C is wrong because the question explicitly states the VPC has an internet gateway attached. Option D is wrong because the route table directs 0.0.0.0/0 to the internet gateway, so the route is correctly configured.

369
MCQmedium

A company has a VPC with public and private subnets. They have a NAT gateway in a public subnet. They want to provide internet access to instances in private subnets. The NAT gateway is configured with an Elastic IP. The private instances still cannot access the internet. The route table for the private subnets has a default route (0.0.0.0/0) pointing to the NAT gateway. What is missing?

A.The network ACL for the private subnet allows outbound traffic
B.The private subnet route table is missing a route to the NAT gateway
C.The security group for the instances allows outbound traffic
D.The route table for the public subnet where the NAT gateway resides does not have a default route to an internet gateway
AnswerD

The NAT gateway needs internet access itself to forward traffic.

Why this answer

Option C is correct because the NAT gateway must be in a public subnet with a route table that has a default route to an internet gateway. Option A is wrong because NACLs are usually permissive. Option B is wrong because security groups are stateful.

Option D is wrong because the default route is already set.

370
MCQeasy

A company is deploying a new application in a VPC with public and private subnets. The application servers in the private subnets need to access the internet to download patches. Which configuration meets this requirement without allowing inbound internet traffic?

A.Attach an internet gateway to the private subnets and configure route tables accordingly.
B.Create a NAT gateway in a public subnet and add a route to the NAT gateway from the private subnets' route tables.
C.Establish a site-to-site VPN connection to an on-premises internet gateway.
D.Configure a VPC endpoint for the internet in the private subnets.
AnswerB

A NAT gateway allows outbound internet traffic from private subnets while preventing unsolicited inbound connections.

Why this answer

Option B is correct because a NAT gateway in a public subnet provides outbound internet access for instances in private subnets while blocking unsolicited inbound connections. Option A is wrong because an internet gateway attached to the private subnet would allow inbound traffic. Option C is wrong because a VPC endpoint is for private connectivity to AWS services, not general internet.

Option D is wrong because a VPN connection is for private connectivity to a remote network, not internet access.

371
MCQmedium

A security team wants to block traffic from a specific IP address (203.0.113.5) from reaching an EC2 instance. The instance is in a public subnet with a security group that allows all traffic from the internet. A network ACL is associated with the subnet. The team adds a DENY rule for the IP in the network ACL. However, traffic from that IP still reaches the instance. What is the most likely reason?

A.The network ACL has an ALLOW rule with a lower rule number that matches the IP, so the DENY rule is never evaluated.
B.The security group allows traffic from the IP, overriding the network ACL.
C.The network ACL is applied to the wrong subnet.
D.The internet gateway is ignoring the network ACL.
AnswerA

Network ACLs are processed in rule number order; the first matching rule is applied.

Why this answer

Option D is correct because network ACLs are stateless and require both inbound and outbound rules to allow return traffic. The DENY rule on inbound will block incoming traffic, but if the ACL also has an inbound ALLOW rule for the IP, the DENY rule might be evaluated after the ALLOW rule if the rule numbers are ordered incorrectly. However, the question states they added a DENY rule; if the ALLOW rule has a lower rule number, it will be evaluated first.

Option A is wrong because security groups are stateful, but they do not override network ACLs. Option B is wrong because network ACLs apply to the subnet, not the instance. Option C is wrong because the internet gateway operates at layer 3 and does not filter by IP.

372
MCQhard

A company has a VPC with CIDR 10.0.0.0/16. They have two subnets: a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). An Application Load Balancer (ALB) is deployed in the public subnet, and EC2 instances are in the private subnet. The ALB has a target group pointing to the EC2 instances. The security group for the EC2 instances allows traffic from the ALB's security group on port 80. The network ACL for the private subnet allows inbound traffic on port 80 from the public subnet CIDR (10.0.1.0/24) and allows outbound ephemeral ports. However, the ALB health checks are failing with 503 errors. The network engineer checks the ALB logs and sees that TCP connections are established but HTTP requests are timing out. What is the most likely cause?

A.The network ACL for the private subnet does not allow inbound traffic from the ALB's security group.
B.The security group for the ALB does not allow outbound traffic to the targets.
C.The ALB health check is configured to use HTTPS but the target only listens on HTTP.
D.The route table for the private subnet does not have a route to the ALB's subnet.
AnswerC

This would cause the health check to fail with a timeout or non-200 response, resulting in 503.

Why this answer

Option C is correct. The question states that TCP connections to the targets are established but the HTTP requests time out, so the network path is open and the failure occurs above layer 4. If the health check is configured for HTTPS while the target listens only for plain HTTP on port 80, the TCP handshake completes, but the TLS handshake never receives a valid response; the health check times out or gets a non-200 response, the targets are marked unhealthy, and the ALB returns 503.

The network controls described in the question are consistent with working connectivity. The ALB nodes send health checks from their private IP addresses in the public subnet (10.0.1.0/24), so the private subnet's network ACL inbound rule allowing port 80 from 10.0.1.0/24 admits the requests. Because network ACLs are stateless, the return traffic must be allowed explicitly, and the outbound rule for ephemeral ports (1024-65535) covers the responses sent back to the ALB's ephemeral source ports. The target security group allows port 80 from the ALB's security group, and security groups are stateful, so the responses are permitted automatically.

Option A is wrong because network ACLs cannot reference security groups; they filter only on CIDR ranges, protocols and ports, so the statement describes a configuration that cannot exist. Option B is wrong because the logs show TCP connections being established, which could not happen if the ALB's security group blocked outbound traffic to the targets; security groups are also stateful, so responses to permitted traffic are allowed without an explicit rule. Option D is wrong because a missing route to the ALB's subnet would prevent any connectivity at all, including the TCP handshake that the logs show succeeding.

373
MCQeasy

A company is designing a network for a highly available application across multiple AWS regions. The application requires low-latency communication between regions and uses IP addresses that cannot change. Which AWS service should be used to connect the VPCs in different regions?

A.AWS Direct Connect
B.VPC Endpoints
C.VPC Peering
D.Internet Gateway
AnswerC

VPC peering supports inter-region connectivity.

Why this answer

Option C is correct because VPC peering supports inter-region peering, providing low-latency, private connectivity between VPCs in different regions while the instances keep their existing private IP addresses. Option A is wrong because Direct Connect connects on-premises networks to AWS, not VPCs to each other. Option B is wrong because VPC endpoints provide private access to AWS services within a region and are intra-region only. Option D is wrong because an internet gateway provides internet-facing connectivity, not private connectivity between VPCs.

374
MCQmedium

A company is deploying a multi-tier web application on AWS. The web tier runs on EC2 instances behind an Application Load Balancer (ALB), and the application tier runs on EC2 instances that connect to an RDS MySQL Multi-AZ DB instance. The application tier must be isolated from the internet and only accessible from the web tier. Which network implementation meets these requirements with the LEAST administrative overhead?

A.Place the web tier in a public subnet and the application tier in a private subnet, and configure security groups to allow inbound traffic to the application tier only from the web tier's security group.
B.Create two VPCs: one for the web tier with a public subnet, and one for the application tier with a private subnet, and connect them using VPC peering.
C.Place the web tier in a public subnet and the application tier in a private subnet with a NAT gateway for outbound access, and use security groups to allow traffic from the web tier.
D.Place both tiers in the same public subnet, and use a network ACL to restrict traffic from the web tier to the application tier.
AnswerA

This achieves isolation with minimal overhead.

Why this answer

Option A is correct because placing the web tier in a public subnet and the application tier in a private subnet, with security groups that allow inbound traffic to the application tier only from the web tier's security group, is the standard design for multi-tier web applications and has the least administrative overhead. Option B is wrong because using a separate VPC and VPC peering adds complexity. Option C is wrong because a NAT gateway is unnecessary for the stated requirement (the application tier does not need outbound internet access) and adds cost. Option D is wrong because a network ACL alone would not isolate the application tier from the internet; a private subnet is needed.

375
MCQeasy

A company wants to ensure that traffic between two VPCs in the same region is encrypted in transit. The VPCs are connected via a VPC peering connection. What should the network engineer do to meet this requirement?

A.Create an AWS Site-to-Site VPN between the VPCs and disable the VPC peering connection.
B.Use TLS or IPsec at the application layer between instances.
C.Replace the VPC peering connection with a Transit Gateway and enable VPN encryption.
D.Enable encryption on the VPC peering connection.
AnswerB

Application-layer encryption provides encryption over the peering connection.

Why this answer

Option B is correct because VPC peering connections do not support native encryption of traffic. To meet the requirement for encryption in transit between two VPCs connected via a VPC peering connection, you must implement encryption at the application layer using TLS or IPsec between the instances. This ensures that traffic is encrypted end-to-end, independent of the underlying network path.

Exam trap

The trap here is that candidates often assume VPC peering connections are inherently encrypted because they use the AWS private network, but AWS does not encrypt traffic over VPC peering; encryption must be implemented at the application or instance layer.

How to eliminate wrong answers

Option A is wrong because creating an AWS Site-to-Site VPN between the VPCs would require a virtual private gateway and a customer gateway in each VPC, which is not supported for VPC-to-VPC connections without a Transit Gateway or a third-party appliance; additionally, disabling the VPC peering connection is unnecessary and does not solve the encryption requirement. Option C is wrong because replacing the VPC peering connection with a Transit Gateway does not inherently enable VPN encryption; you would need to attach VPN attachments to the Transit Gateway, which adds complexity and cost, and the question specifically states the VPCs are already connected via a VPC peering connection. Option D is wrong because VPC peering connections do not support enabling encryption natively; there is no toggle or setting to encrypt traffic over a VPC peering connection.
