CCNA Network Implementation Questions

59 of 434 questions · Page 6/6 · Network Implementation topic · Answers revealed

376 · MCQ · easy

A company is setting up a Direct Connect connection between its on-premises data center and AWS. The company wants to use a single virtual interface (VIF) to access multiple VPCs in the same AWS Region. Which AWS service should be used to achieve this?

A. Direct Connect gateway
B. VPC peering connection
C. AWS VPN CloudHub
D. Transit VPC

Answer: A

A Direct Connect gateway enables a single virtual interface to connect to multiple VPCs.

Why this answer

A Direct Connect gateway allows you to associate a single virtual interface with multiple VPCs in the same Region or across Regions. Option B is incorrect because a VPC peering connection does not use Direct Connect. Option C is incorrect because a VPN connection is a different service. Option D is incorrect because a Transit VPC is an architectural pattern, not a service.

377 · Multi-Select · hard

Which TWO of the following are best practices for securing a VPC with AWS Network Firewall? (Choose two.)

Select 2 answers
A. Deploy firewall endpoints in at least two Availability Zones for high availability.
B. Use only stateless rules to minimize processing overhead.
C. Configure stateful rule groups to inspect traffic at the application layer.
D. Use Network Firewall only for outbound traffic filtering.
E. Deploy the firewall in the same subnet as the workload for low latency.

Answers: A, C

Ensures resilience.

Why this answer

Options A and C are correct: deploying firewall endpoints in at least two Availability Zones provides high availability, and stateful rule groups provide traffic inspection. Option B is wrong because stateless rules are not the primary use case; Network Firewall supports both stateful and stateless rules. Option D is wrong because Network Firewall is not limited to outbound filtering. Option E is wrong because the firewall endpoints belong in a dedicated subnet, not the workload subnet.

378 · MCQ · medium

A company is deploying a multi-tier web application in a VPC with public and private subnets. The web servers in the public subnets must be able to initiate outbound connections to the internet for software updates, but must not be directly accessible from the internet. Which configuration meets these requirements?

A. Deploy a NAT instance in a private subnet and add a default route to the NAT instance in the private subnet's route table.
B. Deploy an Application Load Balancer (ALB) in a public subnet and route outbound traffic through the ALB.
C. Attach an Internet Gateway to the VPC and add a default route to the Internet Gateway in the public subnet's route table.
D. Deploy a NAT Gateway in a public subnet and add a default route to the NAT Gateway in the private subnet's route table.

Answer: D

A NAT Gateway in a public subnet enables instances in private subnets to initiate outbound traffic to the internet while remaining inaccessible from the internet.

Why this answer

Option D is correct because a NAT Gateway in a public subnet allows instances in private subnets to initiate outbound traffic to the internet while remaining unreachable from the internet. Option A is wrong because a NAT instance in a private subnet cannot reach the internet. Option B is wrong because an ALB does not provide outbound internet access. Option C is wrong because an Internet Gateway alone would allow inbound traffic.

379 · Multi-Select · medium

A company is designing a highly available network in AWS. They have two Direct Connect connections from different providers to two different AWS Direct Connect locations. They want to use BGP as the routing protocol. Which TWO actions should be taken to ensure high availability?

Select 2 answers
A. Use the same BGP community values for both connections
B. Advertise the same on-premises prefixes over both connections with different AS_PATH prepend values
C. Enable jumbo frames on both connections
D. Configure multiple virtual interfaces on a single Direct Connect connection
E. Configure separate BGP sessions for each Direct Connect connection

Answers: B, E

Allows path selection and failover.

Why this answer

Options B and E are correct because separate BGP sessions for each connection, combined with advertising the same prefixes with different AS_PATH prepending, provide path selection and redundancy. Option A is wrong because identical community values do not help with path selection. Option C is wrong because jumbo frames do not affect availability. Option D is wrong because only one VIF per connection is needed, and multiple VIFs on a single connection share that connection's failure.

380 · MCQ · hard

A company is deploying a multi-region application using two AWS Regions. They want to use an AWS Transit Gateway to interconnect VPCs within each region, and they need to interconnect the Transit Gateways across regions. Which is the most scalable and reliable approach?

A. Use Transit Gateway peering attachments between the Transit Gateways in each region.
B. Create a VPC peering connection between VPCs in different regions and attach them to the Transit Gateways.
C. Use AWS Site-to-Site VPN connections between the Transit Gateways in each region.
D. Set up a Direct Connect gateway with virtual interfaces in each region and propagate routes.

Answer: A

Transit Gateway peering is the native, scalable, and reliable method to interconnect Transit Gateways across regions.

Why this answer

AWS Transit Gateway supports inter-region peering, which is the recommended method for connecting Transit Gateways across Regions, so Option A is correct. Option B is incorrect because VPC peering does not natively interconnect Transit Gateways. Option C is incorrect because VPN connections add complexity and lower throughput compared to Transit Gateway peering. Option D is incorrect because Direct Connect can connect on-premises networks to multiple Regions but is not designed primarily for interconnecting Transit Gateways.

381 · MCQ · hard

An EC2 instance with the attached IAM role is unable to download objects from an S3 bucket. The instance is in a VPC with CIDR 10.0.0.0/16. The S3 bucket policy allows access from the VPC. What is the most likely reason for the failure?

A. The IAM policy does not include an Allow for the s3:GetObject action.
B. The condition aws:SourceIp does not match the source IP of the request because the traffic is routed through a VPC Gateway Endpoint.
C. The S3 bucket policy has an explicit deny for the IAM role.
D. The IAM role does not have permission to list the bucket, which is required for the download operation.

Answer: D

Many SDK clients perform a ListObjects call first, which is not allowed by the policy, causing the download to fail.

Why this answer

The exhibit referenced by this question (the IAM policy) is not shown here. The policy allows s3:GetObject with an aws:SourceIp condition restricted to 10.0.0.0/16. For a Gateway Endpoint the source IP seen by S3 is the instance's private IP, which is within 10.0.0.0/16, so that condition alone does not explain the failure; it would fail to match only if the instance bypassed the endpoint and reached S3 over the internet with its public IP. Option A is incorrect because the policy does allow GetObject. Option B is incorrect because the instance is in the VPC and its private IP is within the permitted range. Option C is incorrect because there is no explicit deny. Option D is correct because the IAM policy does not authorize s3:ListBucket, and many SDK clients call ListObjects before downloading; that call is denied, so the download fails. This is a common issue.

382 · MCQ · hard

A company is designing a network architecture for a critical application that requires high availability and low latency. The application will be deployed on EC2 instances in an Auto Scaling group across three Availability Zones in a single region. The instances will communicate with an Amazon RDS database. Which configuration will provide the MOST resilient and performant network connectivity?

A. Launch a single RDS instance in a public subnet and use Route 53 latency-based routing to direct traffic.
B. Use a Network Load Balancer in front of the RDS instance to distribute connections across Availability Zones.
C. Place the RDS instance in a single Availability Zone and use a read replica in another AZ for failover.
D. Create an RDS Multi-AZ cluster with one writer and two reader instances in different AZs, and use the cluster endpoint for writes and reader endpoint for reads.

Answer: D

Multi-AZ cluster provides automatic failover and low-latency reads across AZs.

Why this answer

Placing RDS in a database subnet group across multiple AZs and using a Multi-AZ cluster provides high availability and low latency by keeping a database endpoint in the same AZ as the application instance where possible. Option A is wrong because a single RDS instance is not highly available. Option B is wrong because a Network Load Balancer in front of RDS is not a standard pattern. Option C is wrong because a single AZ creates a single point of failure.

383 · MCQ · medium

A company has a Direct Connect connection with a private virtual interface (VIF) attached to a Virtual Private Gateway (VGW) that is associated with a single VPC (10.0.0.0/16). The on-premises network uses BGP to exchange routes. The company has recently acquired another company and needs to connect to their VPC (172.16.0.0/16) in the same region. They want to use the existing Direct Connect connection to access both VPCs. The network engineer creates a Transit Gateway, attaches both VPCs, and creates a transit virtual interface (VIF) to the Transit Gateway. The engineer also deletes the private VIF. However, after the change, on-premises users cannot reach either VPC. What should the engineer do to restore connectivity?

A. Configure BGP on the on-premises router to peer with the Transit Gateway over the transit VIF.
B. Attach the VPCs to the Transit Gateway with different route tables.
C. Create a new private VIF to each VPC.
D. Enable route propagation on the Transit Gateway route tables.

Answer: A

BGP must be configured for route exchange.

Why this answer

Option A is correct because the on-premises router must be configured to establish BGP peering with the Transit Gateway over the transit VIF; without that session no routes are exchanged. Option B is incorrect because the VPCs are already attached. Option C is incorrect because new private VIFs are unnecessary; the transit VIF already reaches both VPCs. Option D is incorrect because, although route propagation must be enabled in the TGW route tables, it does not restore connectivity without the BGP peering.

384 · MCQ · hard

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. They want to inspect traffic between VPCs using a centralized network virtual appliance (NVA) in a security VPC. What is the most scalable and highly available design to achieve this?

A. Place a single NVA in the Transit Gateway and route all inter-VPC traffic through it.
B. Create VPC peering connections between each VPC and the security VPC, then configure the NVAs to route traffic.
C. Attach all VPCs to a Transit Gateway, use separate route tables for inspection, and deploy NVAs behind a Gateway Load Balancer in the security VPC.
D. Use Direct Connect to connect all VPCs to a central location and route through NVAs there.

Answer: C

Transit Gateway provides transitive routing; GWLB provides HA and scale for NVAs.

Why this answer

Option C is correct because Transit Gateway route tables can direct east-west traffic to the inspection VPC, and a Gateway Load Balancer (GWLB) provides high availability and scaling for the NVAs. Option A is wrong because a single NVA is a single point of failure. Option B is wrong because VPC peering does not support transitive routing. Option D is wrong because Direct Connect is for on-premises connectivity, not VPC-to-VPC.

385 · MCQ · hard

A company has a VPC with public and private subnets across two Availability Zones. They have a Network Load Balancer (NLB) in the public subnets. The NLB has a target group of EC2 instances in the private subnets. The NLB is configured with TLS listeners and uses a certificate from AWS Certificate Manager (ACM). Clients connect to the NLB over the internet. Some clients report connection timeouts. The NLB access logs show that the connections are established but then hang. The target instances are healthy. The security groups for the instances allow inbound TCP/443 from the NLB's private IPs. What is the most likely cause?

A. The target group is configured with protocol TLS instead of TCP
B. Cross-zone load balancing is disabled, causing uneven distribution
C. The security group for the NLB is blocking traffic from clients
D. The NLB idle timeout is set too low

Answer: A

NLB terminates TLS and expects TCP targets.

Why this answer

NLB with TLS termination requires that the target group uses the TCP protocol (not TLS) because the NLB terminates TLS and forwards plain TCP to the targets. If the target group is configured with the TLS protocol, the NLB attempts a TLS handshake with the targets, which may fail if the targets are not expecting TLS (or if certificates mismatch). This can cause connections to hang.

Option B (cross-zone load balancing) would not cause connections to hang. Option C is wrong because the security groups are correct as described. Option D (idle timeout) would cause disconnects, not hangs.

386 · MCQ · easy

A network engineer is troubleshooting connectivity from an on-premises network to an EC2 instance in a VPC via a Site-to-Site VPN. The VPN tunnel is up, but the engineer cannot ping the EC2 instance's private IP. What should the engineer check first?

A. The VPN connection status in the AWS console.
B. Security group inbound rules for ICMP on the EC2 instance.
C. IKE version mismatch between the VPN endpoints.
D. Route propagation and route tables in the VPC and on-premises.

Answer: D

Missing routes are a common cause.

Why this answer

Option D is correct because the route tables on the on-premises router and in the VPC must contain routes for the remote networks. Option A is incorrect because the VPN connection is already active. Option B is incorrect because security groups are stateful and allow ICMP if outbound is allowed. Option C is incorrect because the VPN tunnel being up indicates that Phase 1 and Phase 2 are likely fine.

387 · MCQ · hard

A company has a Direct Connect connection with a private VIF to a VPC. The company also has a Site-to-Site VPN connection to the same VPC as a backup. During a failover test, traffic from on-premises to the VPC continues to use the Direct Connect even after it is intentionally failed. The BGP timers are set to default values. What is the most likely cause?

A. The Direct Connect route is more specific than the VPN route.
B. The VPN BGP route has a longer AS path than the Direct Connect route.
C. The VPN route has a lower local preference than the Direct Connect route.
D. The BGP session with the Direct Connect router is still established because the physical link is up, but the link is not forwarding traffic.

Answer: D

If the BGP session remains established, routes are still advertised and the Direct Connect route remains in the routing table, causing traffic to still be sent.

Why this answer

Option D is correct because even if the Direct Connect fails, the BGP session may remain established if there is still layer 2 connectivity (e.g., the physical link is up but degraded). The route remains in the routing table until the BGP hold timer expires. Option A is wrong because a more specific Direct Connect route would still be withdrawn once its BGP session dropped; prefix length does not explain traffic persisting after the failure. Option B is wrong because a longer AS path on the VPN route simply makes that route less preferred, which is the expected state during normal operation, not the cause of the failover problem. Option C is wrong because local preference is typically set to favor Direct Connect over VPN, which again is the normal state.

388 · Multi-Select · hard

A company is implementing a network segmentation strategy using AWS Transit Gateway. They have three VPCs: production, development, and shared services. They need to ensure that production and development VPCs can both access shared services, but cannot communicate with each other. Which THREE configurations are required?

Select 3 answers
A. Create a route table for the shared services VPC that allows routes to both production and development
B. Attach each VPC to the transit gateway
C. Create a separate route table for the production and development VPCs that allows only routes to shared services
D. Create a VPC peering connection between production and development
E. Use a single transit gateway route table for all attachments

Answers: A, B, C

Shared services must be able to send traffic back.

Why this answer

Option B is correct because each VPC must be attached to the transit gateway. Option C is correct because a separate route table for the production and development attachments restricts them to routes toward shared services only. Option A is correct because the shared services VPC needs a route table with routes back to both production and development so return traffic can flow. Option D is wrong because VPC peering is not needed. Option E is wrong because a single route table would allow all-to-all communication.

389 · MCQ · medium

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from an S3 bucket. The company wants to minimize data transfer costs and avoid traversing the internet. Which solution should be implemented?

A. Use an Interface VPC Endpoint for S3
B. Use AWS Direct Connect
C. Set up a NAT Gateway in the public subnet and route traffic through it
D. Create a Gateway VPC Endpoint for S3

Answer: D

Gateway endpoint provides private, low-cost access to S3.

Why this answer

Option D is correct because a Gateway VPC Endpoint for S3 provides private connectivity to S3 without traversing the internet, reducing costs. Option A is for other AWS services. Option B is for dedicated connectivity to on-premises networks. Option C would send the traffic over the internet.

390 · MCQ · medium

A company is migrating an on-premises application to AWS. The application uses multicast for discovery. Which AWS service supports multicast traffic within a VPC?

A. AWS Transit Gateway
B. VPC peering
C. Application Load Balancer
D. Amazon CloudFront

Answer: A

Supports multicast groups and routing.

Why this answer

Option A is correct because AWS Transit Gateway supports multicast routing. Option B is wrong because VPC peering does not support multicast. Option C is wrong because an Application Load Balancer operates at layer 7 and does not handle multicast. Option D is wrong because CloudFront is for content delivery, not multicast within a VPC.

391 · MCQ · hard

A company has a VPC with a transit gateway (TGW) connected to multiple VPCs and an on-premises network via AWS Direct Connect. The on-premises network advertises a specific prefix 10.0.0.0/16. A VPC attachment in the same region also advertises the same prefix. The TGW route table has the on-premises route as static and the VPC route as propagated. Which route will be used for traffic destined to 10.0.0.5?

A. The propagated route from VPC
B. The static route to on-premises
C. Both routes will be used with ECMP
D. The route with the shortest AS_PATH

Answer: B

Static routes have higher precedence than propagated.

Why this answer

Option B is correct because static routes take precedence over propagated routes in a transit gateway route table. Option A is wrong because both routes carry the same prefix, so there is no longest-prefix-match difference and the static route wins. Option C is wrong because equal-cost multipath is not applied between a static and a propagated route. Option D is wrong because the TGW does not use AS_PATH to choose between static and propagated routes.

392 · Multi-Select · hard

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to an on-premises network using AWS Direct Connect and a Site-to-Site VPN. The on-premises network advertises 10.0.0.0/8 over BGP. The company wants to ensure that traffic to the VPC's specific subnet 10.0.1.0/24 is routed via the VPN, while all other traffic to 10.0.0.0/8 uses Direct Connect. Which THREE actions should the network engineer take?

Select 3 answers
A. Set a higher BGP local preference on the VPN routes compared to Direct Connect routes for the same prefix.
B. Advertise a more specific route for 10.0.1.0/24 over the VPN BGP session.
C. Disable route propagation on the VPN connection's route table.
D. Prepend the AS path on the Direct Connect BGP advertisement for the 10.0.1.0/24 prefix to make it less preferred.
E. Delete the VPN connection and rely solely on Direct Connect.

Answers: A, B, D

Higher local preference is preferred.

Why this answer

Options A, B, and D are correct. A more specific prefix (10.0.1.0/24) is preferred over 10.0.0.0/8, so advertising it over the VPN BGP session steers that subnet to the VPN. Setting a higher local preference on the VPN route for 10.0.1.0/24 also ensures it is preferred, and prepending the AS path on the Direct Connect advertisement for the specific prefix makes that path less preferred. Option C is wrong because disabling propagation on the VPN route table would remove the route. Option E is wrong because the VPN should be used for the specific subnet, not deleted.

393 · MCQ · hard

A company has a Direct Connect connection with a private VIF connected to a VPC. The network engineer notices that traffic from on-premises to the VPC is being dropped intermittently. The on-premises router shows BGP session is up, but the VPC route table does not have the on-premises prefix. What is the most likely cause?

A. The MTU on the on-premises router is set too high.
B. The BGP session is flapping due to high latency.
C. The on-premises router is advertising a route that is more specific than the allowed prefix list on the Direct Connect gateway.
D. The on-premises router is using AS_PATH prepending.

Answer: C

The allowed prefix list on the Direct Connect gateway may not include the specific prefix, causing the route to be rejected.

Why this answer

Option C is correct because the Direct Connect gateway (DXGW) uses allowed prefix lists to control which routes are accepted from the on-premises router via BGP. If the on-premises router advertises a prefix that is more specific (e.g., /28) than the allowed prefix list (e.g., /24), the DXGW will reject the route, causing the VPC route table to lack the on-premises prefix. The BGP session remains up because the session itself is not affected, but the specific route is not installed.

Exam trap

AWS often tests the distinction between BGP session state and route acceptance, trapping candidates who assume a stable BGP session guarantees route installation, when in fact prefix filtering on the DXGW can silently drop specific routes.

How to eliminate wrong answers

Option A is wrong because MTU settings affect packet fragmentation and delivery, not BGP route advertisement or route table population; a high MTU would cause packet drops due to size mismatch, not intermittent route absence. Option B is wrong because if the BGP session were flapping due to high latency, the on-premises router would show the session as up/down, not consistently up; the question states the BGP session is up, ruling out flapping. Option D is wrong because AS_PATH prepending influences route preference and path selection, not route acceptance; it does not cause the VPC route table to miss the prefix entirely.

394 · MCQ · easy

A company is deploying a VPC with public and private subnets. The private subnets need outbound internet access for updates, but must not be directly reachable from the internet. Which AWS service should be used to achieve this?

A. AWS Site-to-Site VPN
B. AWS Direct Connect
C. Internet Gateway

Answer: D

NAT Gateway provides outbound internet access for private subnets while blocking inbound internet traffic.

Why this answer

Option D is correct because a NAT Gateway enables instances in private subnets to initiate outbound traffic to the internet while preventing inbound traffic from the internet. Options A and B are wrong because Site-to-Site VPN and Direct Connect are private connections to on-premises networks. Option C is wrong because an Internet Gateway is for inbound traffic management.

395 · MCQ · easy

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16 and needs to connect to an on-premises network using AWS Site-to-Site VPN. The on-premises network uses 10.0.0.0/8. What should be done to avoid overlapping CIDRs?

A. Configure a VPN with overlapping CIDRs, it will still work
B. Use NAT on the customer gateway to translate addresses
C. Create a new VPC with a non-overlapping CIDR and migrate resources
D. Use VPC peering to connect to on-premises

Answer: C

Changing the VPC CIDR requires recreation; a new VPC is the practical solution.

Why this answer

Overlapping CIDRs cause routing issues; the VPC CIDR must be changed to a non-overlapping range.

396 · Drag & Drop · medium

Order the steps to set up a redundant Direct Connect connection with two virtual interfaces in different AWS regions:


Why this order

First provision the connections, then create VIFs, configure BGP, tune routing, then test failover.

397 · MCQ · hard

A company has a VPC with CIDR 10.0.0.0/16. They have a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). They have a Network Load Balancer (NLB) in the public subnet, and EC2 instances in the private subnet. The NLB has a target group pointing to the EC2 instances. The security group for the EC2 instances allows traffic from the NLB's private IP addresses on port 80. The network ACL for the private subnet allows inbound traffic on port 80 from the public subnet CIDR and outbound ephemeral ports to 0.0.0.0/0. However, clients connecting to the NLB experience intermittent timeouts. The network engineer checks the NLB logs and sees that connections are established but occasionally drop. The engineer also notices that the EC2 instances have a default route to a NAT Gateway in the public subnet. What is the most likely cause of the intermittent timeouts?

A. Cross-zone load balancing is disabled on the NLB.
B. The NLB health checks are failing, causing targets to be removed.
C. The EC2 instances have a default route to the NAT Gateway, causing asymmetric routing.
D. The security group for the NLB is blocking inbound traffic.

Answer: C

Return traffic goes to NAT instead of NLB, breaking the connection.

Why this answer

Option C is correct. When the NLB uses client IP preservation (the default), the target instance receives traffic with the client's source IP and sends its response to that client IP. Because the target's default route points to the NAT Gateway, the response goes to the NAT Gateway instead of back through the NLB; the NAT Gateway forwards it to the internet, but the client expects the response from the NLB's IP, so the path is asymmetric and connections drop. Option A is wrong because disabling cross-zone load balancing does not cause timeouts. Option B is wrong because health checks are independent of this behaviour. Option D is wrong because the NLB does not have security groups.

398 · MCQ · hard

A company has a VPC with multiple subnets across three Availability Zones. They are deploying an NFS file system using Amazon EFS. They need high availability and low latency from all subnets. Which EFS deployment option meets these requirements?

A. Use EFS One Zone storage class with a single mount target in the same Availability Zone as the application.
B. Use EFS Standard storage class with Multi-AZ and create a single mount target in one Availability Zone.
C. Use EFS Standard storage class with Multi-AZ and create mount targets in each Availability Zone.
D. Use EFS One Zone storage class and create mount targets in each Availability Zone.

Answer: C

Standard storage is replicated across AZs; mount targets in each AZ provide low latency.

Why this answer

EFS One Zone storage class stores data in a single AZ, which does not provide high availability. EFS Standard with Multi-AZ is the correct choice for high availability across AZs. Option C is correct because EFS Standard with Multi-AZ and mount targets in each AZ provides both high availability and low latency. Option A is wrong because EFS One Zone is not highly available. Option B is wrong because a single mount target is a single point of failure. Option D is wrong because EFS One Zone still stores data in a single AZ, so it is not highly available.

399 · MCQ · medium

A company is deploying a web application across multiple Availability Zones in a VPC. The application needs to be highly available and scale based on traffic. The architecture includes an Application Load Balancer (ALB) in front of EC2 instances in an Auto Scaling group. The company wants to ensure that if an Availability Zone fails, the ALB can still route traffic to healthy instances in other zones. What should the network engineer implement to meet this requirement?

A. Configure a Network Load Balancer instead of an ALB, and enable cross-zone load balancing.
B. Use an ALB with a target group that contains instances from only one Availability Zone, and use Route 53 health checks.
C. Deploy one ALB in each Availability Zone and use Route 53 latency-based routing.
D. Enable cross-zone load balancing on the ALB.

Answer: D

Cross-zone load balancing allows the ALB to distribute traffic across instances in all enabled AZs, providing high availability.

Why this answer

Option D is correct because enabling cross-zone load balancing on the ALB allows it to distribute traffic across all registered targets in all enabled Availability Zones. Option A is wrong because a Network Load Balancer does not support cross-zone load balancing by default. Option B is wrong because a target group limited to one Availability Zone does not address cross-zone load balancing. Option C is wrong because multiple ALBs, one per AZ, would introduce complexity and is not the simplest solution.

400
MCQeasy

A company has several VPCs in the same AWS account and region. They want to centrally manage and monitor network traffic between these VPCs and also to on-premises networks. Which AWS service should they use?

A.AWS Direct Connect
B.VPC Peering
C.Transit Gateway
D.AWS VPN CloudHub
AnswerC

Transit Gateway provides a hub-and-spoke architecture for connecting multiple VPCs and on-premises networks.

Why this answer

A transit gateway acts as a central hub for routing traffic between VPCs and on-premises networks. Option B is wrong because VPC peering is point-to-point, not centralized. Option A is wrong because Direct Connect alone does not connect VPCs.

Option D is wrong because VPN CloudHub is for multiple VPN connections, not VPCs.

401
MCQhard

A company uses AWS Direct Connect with a private VIF to connect to a VPC. They have an on-premises application that needs to resolve private hosted zone names in Amazon Route 53. The on-premises DNS server forwards queries for the private domain to the VPC's DNS resolver. However, resolution fails. What is the most likely cause?

A.The private hosted zone is not associated with the VPC.
B.The VPC's DHCP option set is not configured to use the Route 53 Resolver.
C.The security group for the VPC DNS resolver is blocking inbound UDP port 53 from the on-premises network.
D.A Route 53 Resolver outbound endpoint is not configured to forward queries from on-premises to the VPC.
AnswerD

An outbound endpoint allows on-premises to forward DNS queries to Route 53 Resolver.

Why this answer

Option D is correct because the Route 53 Resolver outbound endpoint is required to forward DNS queries from on-premises to the Route 53 private hosted zones. Without it, the VPC resolver does not accept queries from external sources. Option A is wrong because the private hosted zone is associated with the VPC.

Option B is wrong because the VPC's DHCP option set typically uses the default VPC resolver (or custom), but the issue is inbound queries. Option C is wrong because security groups apply to instances, not to the VPC DNS resolver.

402
Multi-Selectmedium

A company has multiple VPCs that need to communicate with each other and with an on-premises network via AWS Transit Gateway. Which THREE of the following are valid attachment types for a transit gateway?

Select 3 answers
A.Direct Connect Gateway
B.Internet Gateway
C.Site-to-Site VPN connection
D.VPC
E.Network Load Balancer
AnswersA, C, D

Direct Connect Gateway can be associated with a transit gateway.

Why this answer

Transit gateway supports attachments to VPCs, VPN connections, and Direct Connect gateways. Option B is incorrect because an internet gateway is attached to a VPC, not to a transit gateway. Option E is incorrect because a network load balancer is not directly attached to a transit gateway.

403
Multi-Selectmedium

A company has a VPC with a CIDR of 10.0.0.0/16. They need to create subnets for a three-tier application. Which THREE subnet CIDR blocks are valid within this VPC?

Select 3 answers
A.10.0.1.0/24
B.10.0.3.0/24
C.10.0.5.0/24
D.10.1.0.0/24
E.10.0.0.0/8
AnswersA, B, C

Within 10.0.0.0/16.

Why this answer

Option A is correct because 10.0.1.0/24 is within 10.0.0.0/16. Option B is correct because 10.0.3.0/24 is within the range. Option C is correct because 10.0.5.0/24 is within the range.

Option D is incorrect because 10.1.0.0/24 is outside the VPC CIDR. Option E is incorrect because 10.0.0.0/8 is larger than the VPC CIDR; it contains the VPC rather than fitting inside it, so it cannot be a subnet.

404
MCQeasy

A company is setting up a Site-to-Site VPN connection to AWS. The customer gateway device is behind a NAT device that performs address translation. Which tunnel option must be enabled to ensure the VPN tunnel establishes correctly?

A.Perfect Forward Secrecy (PFS)
B.NAT Traversal (NAT-T)
C.Dead Peer Detection (DPD)
D.IKEv2
AnswerB

Required to encapsulate IPsec in UDP to pass through NAT.

Why this answer

Option B is correct because NAT traversal (NAT-T) is required when the customer gateway is behind a NAT device; it encapsulates IPsec packets in UDP so they can pass through address translation. Option C is wrong because dead peer detection monitors tunnel liveness, not NAT. Option A is wrong because perfect forward secrecy is a key-exchange security feature unrelated to NAT.

Option D is wrong because IKEv2 is a protocol version, not specifically for NAT traversal.

405
MCQhard

A company is experiencing intermittent connectivity issues between its on-premises network and AWS via a Direct Connect connection. The link is up, but packet loss is observed. Which test should the network engineer perform first to isolate the issue?

A.Run a traceroute with MTR
B.Ping the virtual private gateway
C.Perform a DNS lookup
D.Run a speed test
AnswerA

MTR shows loss per hop, helping identify the problematic segment.

Why this answer

Option A is correct because MTR (my traceroute) provides detailed path analysis and packet loss at each hop. Option B is for basic connectivity. Option C is for DNS.

Option D is for throughput, not loss.

406
MCQeasy

An application running on EC2 instances in a private subnet needs to send logs to Amazon CloudWatch Logs. Which step is essential to allow this communication without traversing the internet?

A.Create a VPC Interface Endpoint for CloudWatch Logs and attach it to the subnet.
B.Create a VPC Gateway Endpoint for CloudWatch Logs and update the route table.
C.Assign a public IP to the EC2 instance and route directly to the internet.
D.Attach a NAT Gateway to the private subnet and route traffic to the internet.
AnswerB

Provides private connectivity to CloudWatch Logs.

Why this answer

Option B is correct because a VPC Gateway Endpoint for CloudWatch Logs provides private connectivity. Option D is wrong because a NAT Gateway is needed only for internet traffic. Option A is wrong because a VPC Interface Endpoint is not the only way; Gateway Endpoints are simpler for CloudWatch Logs.

Option C is wrong because a public IP and an Internet Gateway are not needed.

407
MCQhard

A company has a Direct Connect connection with multiple Virtual Interfaces (VIFs) to an on-premises network. The VIFs are associated with a Direct Connect Gateway that is attached to multiple VPCs. The company is experiencing asymmetric routing and wants to ensure that traffic from on-premises to the VPCs always uses the same VIF. Which configuration should be implemented?

A.Use AS_PATH prepending on the VIFs to make one path more preferred
B.Enable Jumbo Frames on the Direct Connect connection
C.Set the Local Preference attribute on the AWS side
D.Configure BGP communities on the VIFs to influence route preference
AnswerD

BGP communities allow tagging routes to influence the on-premises router's preference.

Why this answer

Option D is correct because BGP communities can be used to influence routing decisions on the on-premises router to prefer a specific VIF. Option B is incorrect because Jumbo Frames do not affect routing. Option C is incorrect because the Local Preference attribute is set on the on-premises router, not in AWS.

Option A is incorrect because AS_PATH prepending is used to make a path less preferred, not more.

408
MCQmedium

Refer to the exhibit. A company has an S3 bucket with the bucket policy shown. An EC2 instance in a VPC with CIDR 10.0.0.0/16 tries to retrieve an object from the bucket using the S3 console, but receives an 'Access Denied' error. The instance's security group allows all outbound traffic. What is the most likely cause?

A.The EC2 instance is accessing the S3 bucket through a NAT Gateway, so the source IP is the public IP of the NAT Gateway, which does not match the condition.
B.The bucket policy does not allow the s3:GetObject action.
C.The bucket policy does not specify a principal, so it defaults to deny.
D.The condition aws:SourceIp is too restrictive and blocks all traffic.
AnswerA

The IP condition requires the source IP to be within the VPC CIDR, but via NAT the source IP is the NAT's public IP.

Why this answer

The condition aws:SourceIp evaluates the IP address of the requester. For EC2 instances accessing S3 via a VPC endpoint, the source IP is the private IP, which matches 10.0.0.0/16. However, accessing S3 via the console uses the public IP of the NAT Gateway or internet gateway, which is not in the 10.0.0.0/16 range.

Option B is wrong because the policy allows GetObject. Option C is wrong because the policy allows all principals. Option D is wrong because the bucket policy is not too restrictive; it just requires matching IP.

409
MCQmedium

A company is designing a network for a multi-tier application that includes a web tier, application tier, and database tier. The web tier must be accessible from the internet, while the application and database tiers should have no direct internet access. All tiers are in the same VPC. Which configuration meets these requirements?

A.Place all tiers in public subnets and use security group rules to restrict access to app and DB tiers
B.Place web tier in public subnets with Internet Gateway, app and DB tiers in private subnets with a NAT Gateway for outbound traffic
C.Place web tier in a public subnet and app and DB tiers in the same public subnet but with restrictive Network ACLs
D.Place all tiers in private subnets and attach an Internet Gateway to the private subnets for the web tier
AnswerB

This design provides internet access to web tier while isolating app and DB tiers.

Why this answer

Option B is correct because public subnets for the web tier and private subnets for the app and DB tiers, with a NAT Gateway for outbound access, is a standard design. Option A is wrong because placing all tiers in public subnets exposes the app and DB tiers to the internet. Option D is wrong because using an Internet Gateway on private subnets defeats the purpose.

Option C is wrong because Network ACLs alone do not prevent internet access if routes exist.

410
Multi-Selecteasy

Which TWO of the following are valid methods to connect a VPC to an on-premises network? (Choose TWO.)

Select 2 answers
A.AWS Site-to-Site VPN
B.AWS Direct Connect
C.VPC endpoints
D.AWS Transit Gateway
E.VPC peering
AnswersA, B

Creates a secure connection over the internet.

Why this answer

Options A and B are correct. AWS Site-to-Site VPN and AWS Direct Connect are both valid methods. Option E is wrong because VPC peering is for VPC-to-VPC connectivity.

Option D is wrong because AWS Transit Gateway is a network transit hub, not a direct connection method. Option C is wrong because VPC endpoints are for accessing AWS services.

411
Multi-Selecthard

Which THREE of the following are considerations when designing a multi-account VPC architecture using AWS Transit Gateway? (Choose 3.)

Select 3 answers
A.Transit Gateway can be integrated with Direct Connect Gateway
B.Each VPC must have a unique route table
C.Transit Gateway supports cross-account VPC attachments
D.Route tables can be used to isolate VPCs from each other
E.VPCs with overlapping CIDR blocks can be attached
AnswersA, C, D

Direct Connect Gateway can connect to Transit Gateway.

Why this answer

AWS Transit Gateway acts as a central hub for interconnecting VPCs and on-premises networks. It can be integrated with Direct Connect Gateway, allowing a single Direct Connect connection to reach multiple VPCs attached to the Transit Gateway, simplifying hybrid network design and reducing operational overhead.

Exam trap

AWS often tests the misconception that each VPC must have its own route table in Transit Gateway, but in reality, multiple VPCs can share a single route table for simplified management, and overlapping CIDRs are explicitly unsupported.

412
MCQmedium

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access an S3 bucket. The company wants to ensure that traffic to S3 does not traverse the internet. Which solution should a network engineer implement?

A.Create a VPC interface endpoint for S3 and attach it to the private subnet.
B.Deploy an S3 VPN endpoint in the VPC.
C.Create a VPC gateway endpoint for S3 and add a route to the S3 prefix list via the endpoint.
D.Set up a NAT gateway in the public subnet and add a route to the S3 prefix list via the NAT gateway.
AnswerC

Gateway endpoints provide private connectivity to S3.

Why this answer

Option C is correct. A VPC gateway endpoint for S3 allows private connectivity to S3 without traversing the internet. Option D is wrong because a NAT gateway still sends traffic over the internet.

Option A is wrong because a VPC interface endpoint for S3 is not supported (S3 uses gateway endpoints). Option B is wrong because an S3 VPN endpoint is not an AWS service.

413
MCQmedium

A company is deploying a VPC with public and private subnets across two Availability Zones. They need to ensure that instances in the private subnets can access the internet for software updates without being directly reachable from the internet. Which AWS service should they use?

A.Virtual Private Gateway
B.VPC Peering Connection
C.Internet Gateway
D.NAT Gateway
AnswerD

A NAT Gateway allows outbound internet traffic from private subnets while blocking inbound traffic.

Why this answer

A NAT Gateway enables instances in a private subnet to initiate outbound traffic to the internet while preventing inbound traffic from the internet. Option C (Internet Gateway) would allow inbound traffic, option B (VPC Peering) is for connecting VPCs, and option A (Virtual Private Gateway) is for site-to-site VPN.

414
MCQeasy

A company has multiple VPCs that need to communicate with each other using private IP addresses. The VPCs are in the same AWS account and Region. Which AWS service provides the simplest and most scalable solution?

A.VPC peering connections
B.AWS Site-to-Site VPN
C.ClassicLink
D.AWS Transit Gateway
AnswerA

Simple, direct, scalable for multiple VPCs.

Why this answer

Option A is correct because VPC peering is simple, scalable, and allows direct connections between VPCs. Option B is wrong because VPN connections are complex and costly. Option D is wrong because Transit Gateway is more complex than needed for a few VPCs.

Option C is wrong because ClassicLink is legacy and limited.

415
MCQeasy

A company is deploying a VPC with public and private subnets in two Availability Zones. They need to ensure that instances in private subnets can access the internet for software updates while remaining unreachable from the internet. Which solution meets these requirements?

A.Attach an internet gateway to the private subnets and configure route tables.
B.Deploy a NAT Gateway in a public subnet and add a route to the NAT Gateway in the private subnet route tables.
C.Use a transit gateway to connect the VPC to the internet.
D.Establish a VPN connection to an on-premises network and route traffic through it.
AnswerB

NAT Gateway enables outbound internet connectivity while preventing inbound traffic from the internet.

Why this answer

Option B is correct because a NAT Gateway deployed in a public subnet provides outbound-only internet access for instances in private subnets. The private subnet route table directs 0.0.0.0/0 traffic to the NAT Gateway, which translates the private IPs to the NAT Gateway's Elastic IP, allowing internet access while preventing any unsolicited inbound connections from the internet.

Exam trap

AWS often tests the misconception that an internet gateway can be directly associated with private subnets, but the trap here is that an internet gateway enables bidirectional traffic, so attaching it to private subnets would expose instances to inbound internet connections, violating the requirement for unreachability from the internet.

How to eliminate wrong answers

Option A is wrong because an internet gateway (IGW) must be attached to the VPC, not to subnets, and adding a route to an IGW in private subnet route tables would make those subnets effectively public, allowing inbound traffic from the internet, which violates the requirement that instances remain unreachable from the internet. Option C is wrong because a transit gateway is used for inter-VPC or hybrid connectivity, not for providing direct internet access to VPC resources; it does not replace the need for a NAT device or internet gateway for internet-bound traffic. Option D is wrong because a VPN connection to an on-premises network routes traffic through a corporate network, which may not provide direct internet access for software updates and introduces unnecessary latency and complexity; it does not satisfy the requirement for instances to access the internet directly.

416
MCQmedium

Refer to the exhibit. After deploying this CloudFormation stack, the VPC is attached to the transit gateway. However, routes are not being propagated to the transit gateway route table. What is the most likely cause?

A.The VPC attachment is not in the 'available' state.
B.The transit gateway route table propagation is not configured.
C.VPN ECMP support is enabled, preventing propagation.
D.DNS support is disabled on the transit gateway.
AnswerB

DefaultRouteTablePropagation enables automatic propagation, but the attachment does not explicitly propagate.

Why this answer

Option B is correct because the route table association is enabled but propagation is not automatic; the CloudFormation resource does not create a route table propagation. Option A is wrong because the attachment is created. Option D is wrong because DNS support is not related.

Option C is wrong because VPN ECMP is not relevant.

417
Multi-Selecthard

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to an on-premises network with CIDR 172.16.0.0/12. They are using an AWS Transit Gateway with a VPN attachment to the on-premises network. The transit gateway route table has a static route for 172.16.0.0/12 pointing to the VPN attachment. Which THREE of the following are necessary for traffic to flow from the VPC to on-premises?

Select 3 answers
A.The VPC route tables include a route for 172.16.0.0/12 pointing to the transit gateway
B.The VPC is attached to the transit gateway
C.The transit gateway route table includes a route for 172.16.0.0/12 pointing to the VPN attachment
D.The on-premises router is advertising the 172.16.0.0/12 route over BGP
E.The VPN tunnel is configured with dynamic BGP routing
AnswersA, B, C

VPC instances need a route to send traffic to the transit gateway.

Why this answer

Option A is necessary because the VPC route table must have a route to on-premises via the transit gateway. Option C is necessary because the transit gateway route table must have the route. Option B is necessary because the VPC must be attached to the transit gateway.

Option D is not necessary because the static route for 172.16.0.0/12 already covers the on-premises prefix, so a BGP advertisement is not needed. Option E is not necessary because BGP is not required when static routes are used.

418
MCQmedium

A company has a VPC with public and private subnets in multiple Availability Zones. They want to deploy a NAT gateway for outbound internet access for instances in private subnets. Which of the following is the most highly available architecture?

A.Deploy one NAT gateway in each Availability Zone with a route table per AZ that points to the NAT gateway in the same AZ.
B.Deploy one NAT gateway in the first Availability Zone and route all private subnet traffic to that NAT gateway.
C.Use a single NAT instance in a public subnet with an auto scaling group and health checks.
D.Deploy two NAT gateways in the first Availability Zone and use a single route table pointing to one of them.
AnswerA

This provides per-AZ redundancy and avoids cross-AZ dependency.

Why this answer

For high availability, you should deploy a NAT gateway in each Availability Zone and route traffic from private subnets in each AZ to the NAT gateway in the same AZ. This avoids cross-AZ data transfer costs and ensures that an AZ failure does not affect other AZs. Option A is correct.

Options B and D do not provide equal HA because they depend on a single Availability Zone. Option C is incorrect because a NAT instance is less reliable than a managed NAT gateway.

419
MCQmedium

A company is deploying a hybrid network architecture with an AWS Direct Connect connection. They require high availability with redundant connections to two different AWS Direct Connect locations. Which configuration meets the high availability requirement?

A.Two Direct Connect connections at two different AWS Direct Connect locations
B.One Direct Connect connection and one AWS Site-to-Site VPN as backup
C.Two virtual interfaces (VIFs) on the same Direct Connect connection
D.Two Direct Connect connections at the same AWS Direct Connect location
AnswerA

Provides physical redundancy and high availability.

Why this answer

Option A is correct because using two separate Direct Connect locations provides physical diversity and redundancy. Option C is wrong because two VIFs on the same connection share a single physical link, which is a single point of failure. Option D is wrong because two connections at the same location lack location diversity.

Option B is wrong because a VPN over the internet is not as reliable as a dedicated connection.

420
Multi-Selecteasy

A company is setting up a site-to-site VPN connection between an on-premises network and AWS. Which TWO components are required for the VPN connection?

Select 2 answers
A.Customer gateway
B.Transit gateway
C.Virtual private gateway
D.VPN connection
E.Direct Connect connection
AnswersA, C

Represents the on-premises router.

Why this answer

Option C is correct because a virtual private gateway is the AWS-side VPN concentrator. Option A is correct because a customer gateway represents the on-premises router. Option E is wrong because a Direct Connect connection is a separate service.

Option B is wrong because a transit gateway is optional. Option D is wrong because a VPN connection is the VPN itself, not a component.

421
MCQmedium

A company has a VPC with an Application Load Balancer (ALB) that distributes traffic to EC2 instances in private subnets. The ALB needs to be accessible from the internet. The security team requires that all traffic to the ALB be inspected by AWS WAF. Which configuration meets these requirements?

A.Associate AWS WAF with the ALB and make the ALB internet-facing
B.Use a Network Load Balancer with AWS WAF attached
C.Place the ALB behind a Security Group that inspects traffic
D.Use Amazon CloudFront in front of the ALB with AWS WAF
AnswerA

ALB supports AWS WAF integration for web traffic inspection.

Why this answer

Option A is correct because AWS WAF can be integrated with an ALB to inspect HTTP/HTTPS traffic. Option B is incorrect because a Network Load Balancer does not support AWS WAF. Option C is incorrect because Security Groups are stateful firewalls but do not support WAF rules.

Option D is incorrect because CloudFront can have WAF, but it is a CDN, not a regional load balancer.

422
MCQeasy

A company is deploying a web application in a VPC with an Application Load Balancer (ALB) in front of EC2 instances. The ALB must only accept traffic from the internet and forward it to the instances. Which subnet configuration is correct for the ALB and EC2 instances?

A.ALB in private subnets, EC2 in private subnets with a NAT gateway.
B.ALB in public subnets, EC2 in private subnets.
C.ALB in public subnets, EC2 in public subnets.
D.ALB in private subnets, EC2 in public subnets.
AnswerB

Standard architecture for internet-facing ALB.

Why this answer

Option B is correct because ALBs must be in public subnets to receive internet traffic, and backend instances should be in private subnets for security. Option A puts the ALB in private subnets. Option C puts both in public subnets.

Option D is reversed, with the ALB in private subnets and the instances in public subnets.

423
MCQmedium

A company is deploying a fleet of EC2 instances in private subnets. The instances need to download patches from the internet. The company wants to minimize cost and avoid managing NAT instances. The VPC has an internet gateway (IGW) attached. What should the company do?

A.Attach the IGW to the private subnet route table.
B.Deploy a NAT Gateway in a public subnet and update the private subnet route tables.
C.Create a VPC endpoint for internet access.
D.Launch a NAT instance and configure routing.
AnswerB

Managed, cost-effective, provides internet access to private instances.

Why this answer

Option B is correct because a NAT Gateway in a public subnet provides outbound internet access for private instances, is managed, and is cost-effective. Option A is wrong because private subnets cannot directly use the IGW. Option D is wrong because NAT instances require management.

Option C is wrong because VPC endpoints are for specific services, not general internet access.

424
MCQhard

A company has a centralized inspection VPC architecture where all traffic from spoke VPCs is routed through a Transit Gateway to a centralized VPC that hosts firewall appliances (NGFW). The company needs to inspect traffic between two instances in the same spoke VPC. What is the simplest way to achieve this?

A.Deploy a Gateway Load Balancer (GWLB) in the spoke VPC and route traffic to it.
B.Use AWS Transit Gateway with VPC attachments and configure route tables to force traffic between the two instances through the inspection VPC.
C.Enable VPC peering and use route propagation to send traffic to the inspection VPC.
D.Create a VPC peering connection between the two instances' VPCs.
AnswerB

Transit Gateway can be configured with route tables that send inter-VPC traffic to the inspection VPC for firewall inspection.

Why this answer

Option B is correct because AWS Transit Gateway can route traffic between instances in the same spoke VPC by using VPC attachments and route tables to force the traffic through the centralized inspection VPC. This is achieved by configuring the spoke VPC's route table to send inter-instance traffic to the Transit Gateway, which then forwards it to the inspection VPC for firewall inspection before returning it to the destination instance. This approach avoids the need for additional appliances or complex routing within the spoke VPC itself.

Exam trap

AWS often tests the misconception that VPC peering can be used for transitive routing or that a Gateway Load Balancer alone can redirect traffic within the same VPC, but the key trap here is that candidates overlook the Transit Gateway's ability to hairpin traffic from the same spoke VPC through a central inspection VPC using proper route table configurations.

How to eliminate wrong answers

Option A is wrong because a Gateway Load Balancer (GWLB) is used for scaling and distributing traffic to third-party appliances, but it does not inherently route traffic between instances in the same VPC through a centralized inspection VPC; it would require additional routing configurations and does not leverage the existing Transit Gateway architecture. Option C is wrong because VPC peering does not support transitive routing; even with route propagation, traffic between two instances in the same spoke VPC cannot be forced through a separate inspection VPC via VPC peering, as peering connections are point-to-point and do not allow intermediate hops. Option D is wrong because creating a VPC peering connection between the two instances' VPCs is irrelevant when both instances are in the same spoke VPC, and it does not provide a path to the centralized inspection VPC.

425
MCQhard

Refer to the exhibit. A company has two VPCs (vpc-aaaaaaaa and vpc-bbbbbbbb) that are peered. The CIDR blocks are both 10.0.0.0/16. The peering connection status is 'active'. Which of the following is true about this configuration?

A.The VPCs cannot communicate because of overlapping CIDR blocks
B.The VPC peering connection will not become active due to overlapping CIDRs
C.The VPCs can communicate using the peering connection without any issues
D.DNS resolution between the VPCs will be automatically enabled
AnswerA

Overlapping CIDRs prevent proper routing.

Why this answer

Option A is correct because overlapping CIDR blocks are not supported for VPC peering; even though the status is active, the overlapping CIDRs will cause routing issues. Option B is wrong because the connection is shown as active; the failure is in routing, not in the connection state. Option C is wrong because, with overlapping CIDRs, the VPCs cannot communicate without issues.

Option D is wrong because DNS resolution is a separate setting.

426
MCQhard

A company has deployed a multi-account AWS environment using AWS Organizations. Each account has one or more VPCs that need to communicate with each other and with an on-premises data center via a central transit VPC. The company uses AWS Transit Gateway with a centralized network account that hosts the Transit Gateway. VPCs from other accounts are attached to the Transit Gateway via Resource Access Manager (RAM) shares. The network team notices that after attaching a new VPC from a member account, resources in that VPC cannot communicate with resources in other attached VPCs. The Transit Gateway route tables have appropriate routes, and the VPC route tables point to the Transit Gateway. What is the MOST likely cause of the issue?

A.The Transit Gateway attachment in the member account is in the 'pending acceptance' state and not yet accepted by the Transit Gateway owner.
B.The Transit Gateway route table does not have the routes from the new VPC propagated.
C.The new VPC's CIDR overlaps with an existing attachment's CIDR.
D.The member account's VPC does not have a route to the Transit Gateway in its route tables.
AnswerA

The owner must accept the attachment for it to be active.

Why this answer

Option A is correct because when a Transit Gateway is shared via RAM, the owner of the Transit Gateway must accept the attachment created from the member account. Option D is incorrect because the question states the VPC route tables already point to the Transit Gateway. Option B is incorrect because route propagation is not required.

Option C is incorrect because the VPC CIDR is not the issue.

427
MCQhard

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to an on-premises network using AWS Site-to-Site VPN. The on-premises network uses 10.0.0.0/8. The company wants to ensure that traffic to on-premises from VPC does not overlap with VPC's own CIDR. Which action should be taken?

A.Change the VPC CIDR to a non-overlapping range such as 172.16.0.0/16.
B.Create a more specific route in the VPC route table for the on-premises network that is within the 10.0.0.0/8 range but not overlapping with the VPC's subnets.
C.Use a NAT gateway to translate the VPC's IP addresses to a different IP range when communicating with on-premises.
D.Use AWS Transit Gateway with a network overlay to encapsulate traffic.
AnswerB

More specific routes take precedence, so traffic to specific on-premises prefixes will go via the VPN even though the on-premises range 10.0.0.0/8 overlaps the VPC CIDR.

Why this answer

Option B is correct because a more specific route for the on-premises prefixes takes precedence over the VPC's local route, avoiding the overlap. Option C is wrong because NAT is used for internet access, not for resolving route overlap. Option A is wrong because the VPC CIDR cannot be changed without recreating the VPC.

Option D is wrong because an overlay network is not a standard solution for route overlap.

428
Multi-Selecthard

Which THREE of the following are required to configure a site-to-site VPN connection between an on-premises network and an Amazon VPC? (Select THREE.)

Select 3 answers
A.A customer gateway resource representing the on-premises VPN device.
B.A public virtual interface.
C.A virtual private gateway or transit gateway attached to the VPC.
D.An AWS Direct Connect connection.
E.Two VPN tunnels for high availability.
AnswersA, C, E

Defines the on-premises endpoint.

Why this answer

A customer gateway resource is required because it represents the on-premises VPN device in AWS, providing the necessary configuration information such as the device's public IP address and BGP ASN (if dynamic routing is used) to establish the site-to-site VPN connection. Without this resource, AWS has no reference to the remote endpoint for the IPsec tunnels.

Exam trap

The trap here is that candidates often confuse the requirements for a site-to-site VPN with those for AWS Direct Connect, mistakenly selecting a public virtual interface or Direct Connect connection as necessary components when they are actually part of a separate hybrid connectivity solution.

429
MCQmedium

A company has a VPC with IPv4 and IPv6 CIDRs. It has a public subnet with an internet gateway and a private subnet with a NAT gateway. EC2 instances in the private subnet need to download updates from the internet over IPv6. The private subnet route table has a default route (::/0) pointing to an egress-only internet gateway, and the egress-only internet gateway is attached to the VPC and in the 'available' state. However, the instances cannot reach IPv6 internet destinations. What is the most likely cause?

A.The security group for the instances is blocking outbound IPv6 traffic
B.The NAT gateway does not support IPv6
C.The instances do not have an IPv6 address assigned
D.The egress-only internet gateway is not attached to the VPC
AnswerC

Without an IPv6 address on its network interface, an instance has nothing to source IPv6 traffic from, so the route to the egress-only internet gateway is never used.

Why this answer

An egress-only internet gateway forwards outbound-only IPv6 traffic. Three things must be in place for it to carry traffic: the gateway is attached to the VPC (confirmed), the subnet route table sends ::/0 to it (confirmed), and the instances actually hold IPv6 addresses from the subnet's IPv6 CIDR. If the private subnet has no IPv6 CIDR associated, or its auto-assign IPv6 setting is off and no IPv6 address was added to the instances' network interfaces, the instances cannot originate IPv6 packets at all, so the route is never exercised. Check the subnet's IPv6 CIDR association and auto-assign setting first, then the instance's network interface for an IPv6 address.

Option B is a true statement (a NAT gateway provides IPv4 egress, not IPv6 internet egress) but not the cause, because the IPv6 default route points at the egress-only internet gateway, not the NAT gateway. Option A is possible but less likely: the default security group allows all outbound traffic, and nothing in the scenario suggests the outbound rules were changed. Option D is ruled out by the scenario, which states that the gateway is attached and available.

430
MCQeasy

A company wants to connect its on-premises data center to a VPC using AWS Site-to-Site VPN. Which of the following is required to establish the VPN connection?

A.Direct Connect gateway associated with the VPC
B.Internet gateway attached to the VPC
C.Virtual private gateway attached to the VPC and a customer gateway representing the on-premises router
D.VPC endpoint for the VPN service
AnswerC

A virtual private gateway is the AWS-side VPN endpoint, and a customer gateway represents the on-premises device.

Why this answer

To establish a Site-to-Site VPN you need an AWS-side endpoint, either a virtual private gateway (VGW) attached to the VPC or a transit gateway, and a customer gateway (CGW) resource that records the on-premises device's public IP address and, for dynamic routing, its BGP ASN. Option C is correct. Option B is incorrect because an internet gateway provides internet access for the VPC's own resources; the VPN tunnels terminate on AWS-managed public endpoints of the VGW or transit gateway, so no internet gateway is required for the VPN to work.

Option A is incorrect because a Direct Connect gateway belongs to Direct Connect, a separate hybrid connectivity service. Option D is incorrect because VPC endpoints give private access to AWS services over PrivateLink, not VPN connectivity.

431
MCQmedium

A company has set up a site-to-site VPN connection between its on-premises network and AWS. The tunnel status shows 'UP' on both sides, but traffic from on-premises cannot reach EC2 instances in the VPC. What is the most likely cause?

A.The pre-shared keys are mismatched.
B.The VPC route tables do not have a route pointing to the virtual private gateway for the on-premises CIDR.
C.The VPN tunnel has been idle for too long and needs to be re-initiated.
D.The security group associated with the EC2 instances does not allow inbound traffic from the VPN gateway.
AnswerB

Without a route for the on-premises CIDR that targets the virtual private gateway, replies from the VPC toward on-premises follow the default route or are dropped, so the flow never completes even though the tunnel is up.

Why this answer

Option B is correct. A tunnel status of UP only means the IKE/IPsec session is established between the customer gateway and the virtual private gateway; it says nothing about whether the VPC will forward traffic through it. The subnet route tables need a route for the on-premises CIDR whose target is the virtual private gateway, added either statically or by enabling route propagation from the VGW. Without it, inbound packets reach the instances but the return traffic is sent to the default route (or dropped), so from on-premises the connection appears to fail. Option A is incorrect because mismatched pre-shared keys would prevent the tunnel from ever coming up. Option C is incorrect because the tunnel is reported UP; a tunnel that timed out while idle would show DOWN.

Option D is incorrect because security group rules are written against the on-premises source CIDR rather than a 'VPN gateway' object, and the scenario describes a VPC-wide failure, which a gap in the route table explains more directly than per-instance security groups.
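The two routing questions above (the route-overlap question answered B, and this one) both come down to how a VPC route table is consulted: longest prefix wins, and a prefix with no matching route is dropped or falls to the default route. The following is an added example, not code from the original page, that models that lookup and adds a check for the 'tunnel UP but no traffic' symptom. The route tables, gateway IDs and addresses in it are constructed for illustration.

```python
"""Longest-prefix-match over a VPC route table, plus a return-path check.
Constructed example: the route tables, gateway ids and addresses are invented."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str        # CIDR, e.g. "10.0.0.0/8"
    target: str             # "local", "igw-...", "vgw-...", "nat-...", "tgw-..."
    origin: str = "static"  # or "propagated" (route propagation from the VGW)


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def lookup(routes, dst_ip):
    """Return the most specific route covering dst_ip, or None if no route
    matches (the VPC drops the packet)."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        net = _net(r.destination)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > _net(best.destination).prefixlen:
                best = r
    return best


def missing_vgw_routes(routes, onprem_cidrs):
    """Return the on-premises prefixes that no vgw-targeted route covers.
    Any prefix listed here explains a 'tunnel UP but no traffic' symptom:
    requests arrive, but replies follow the default route or are dropped."""
    gaps = []
    for cidr in onprem_cidrs:
        net = _net(cidr)
        covered = any(
            r.target.startswith("vgw-")
            and _net(r.destination).version == net.version
            and net.subnet_of(_net(r.destination))
            for r in routes
        )
        if not covered:
            gaps.append(cidr)
    return gaps


# Route-overlap scenario: the local route is 10.0.0.0/8 and the on-premises
# network 10.200.0.0/16 sits inside it. The more specific static route wins,
# so 10.200.x.x goes to the VPN while 10.0.x.x stays local.
OVERLAP_TABLE = [
    Route("10.0.0.0/8", "local"),
    Route("10.200.0.0/16", "vgw-0123456789abcdef0"),   # constructed gateway id
    Route("0.0.0.0/0", "igw-0fedcba9876543210"),       # constructed gateway id
]

# 'Tunnel UP but no traffic' scenario: a subnet table with no route for the
# on-premises CIDR, and the same table after enabling VGW route propagation.
BROKEN_TABLE = [
    Route("10.0.0.0/16", "local"),
    Route("0.0.0.0/0", "igw-0fedcba9876543210"),
]
FIXED_TABLE = BROKEN_TABLE + [
    Route("192.168.10.0/24", "vgw-0123456789abcdef0", origin="propagated"),
]


def main():
    print("10.200.5.9 ->", lookup(OVERLAP_TABLE, "10.200.5.9").target)
    print("10.0.3.4   ->", lookup(OVERLAP_TABLE, "10.0.3.4").target)
    # Reply to an on-premises host leaks toward the internet gateway instead.
    print("reply to 192.168.10.5 (broken) ->", lookup(BROKEN_TABLE, "192.168.10.5").target)
    print("gaps (broken):", missing_vgw_routes(BROKEN_TABLE, ["192.168.10.0/24"]))
    print("gaps (fixed): ", missing_vgw_routes(FIXED_TABLE, ["192.168.10.0/24"]))


if __name__ == "__main__":
    main()
```

Run it as a script to see both scenarios; in practice the same check can be fed the output of describe-route-tables for every subnet that hosts targets of the VPN, since a single subnet with a missing route produces exactly this symptom for the instances in it.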

432
MCQmedium

A company has a VPC with multiple subnets across three Availability Zones. The company wants to deploy a Network Load Balancer (NLB) to distribute TCP traffic to a fleet of EC2 instances. The NLB must preserve the source IP address of the client. Which configuration is required?

A.Enable Proxy Protocol v2 on the NLB target group.
B.Enable cross-zone load balancing on the NLB.
C.Attach a security group to the NLB that allows inbound traffic from the client IP range.
D.Create the NLB with a TCP listener and register the EC2 instances as targets in a target group.
AnswerD

An NLB with a TCP listener and instance targets preserves the client source IP by default; no extra configuration is needed.

Why this answer

Option D is correct because an NLB with a TCP listener and instance targets passes the client's source IP through unchanged; the backend sees the real client address, so its security group must allow that address rather than the load balancer's. Option A is wrong because Proxy Protocol v2 is the workaround for cases where client IP preservation is not in effect (for example, targets reached through PrivateLink): it prepends a header that the application must parse, and it is not required here. Option C is wrong because a security group on the NLB itself is optional and, where used, does not change whether the source IP is preserved.

Option B is wrong because cross-zone load balancing controls distribution across Availability Zones and has no effect on source IP preservation.
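When client IP preservation is off and Proxy Protocol v2 is enabled instead, the backend has to read the client address out of the binary header the NLB prepends. The following is an added example, not code from the original page, that parses that header, including the AWS TLV carrying the VPC endpoint ID for PrivateLink traffic. The addresses, ports and endpoint ID are constructed for the demonstration; the builder function exists only to produce test input. The security point: a backend must honour this header only on listeners that are reachable exclusively through the NLB, because any client that can reach the port directly can fabricate a header and spoof its source address.

```python
"""Parse a PROXY protocol v2 header as prepended by an NLB when client IP
preservation is off. Constructed example: addresses, ports and the VPC
endpoint id are invented."""
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte constant from the spec
PP2_TYPE_AWS = 0xEA                          # AWS-specific TLV type
PP2_SUBTYPE_AWS_VPCE_ID = 0x01               # VPC endpoint id (PrivateLink)


def build_proxy_v2(src_ip, dst_ip, src_port, dst_port, vpce_id=None):
    """Build a v2 PROXY header; used here only to construct sample input."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("address families differ")
    fam_proto = 0x11 if src.version == 4 else 0x21   # TCP over IPv4 / IPv6
    body = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    if vpce_id is not None:
        value = bytes([PP2_SUBTYPE_AWS_VPCE_ID]) + vpce_id.encode("ascii")
        body += struct.pack("!BH", PP2_TYPE_AWS, len(value)) + value
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, fam_proto, len(body)) + body


def _parse_tlvs(buf):
    """Decode the type-length-value area that follows the addresses."""
    tlvs, i = {}, 0
    while i + 3 <= len(buf):
        t, ln = buf[i], struct.unpack("!H", buf[i + 1:i + 3])[0]
        value = buf[i + 3:i + 3 + ln]
        if len(value) != ln:
            raise ValueError("truncated TLV")
        tlvs[t] = value
        i += 3 + ln
    if i != len(buf):
        raise ValueError("trailing bytes in TLV area")
    return tlvs


def parse_proxy_v2(data):
    """Return (info, offset): info describes the original client connection and
    offset is where the application payload begins. Raises ValueError on
    anything that is not a well-formed v2 header so the caller can refuse the
    connection rather than trust garbage."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    end = 16 + length
    if len(data) < end:
        raise ValueError("truncated header")
    body = data[16:end]
    if ver_cmd & 0x0F == 0x0:          # LOCAL: connection made by the LB itself
        return {"command": "LOCAL"}, end
    if ver_cmd & 0x0F != 0x1:
        raise ValueError("unknown command")
    if fam_proto == 0x11:              # TCP over IPv4: 4 + 4 + 2 + 2 bytes
        if len(body) < 12:
            raise ValueError("short IPv4 address block")
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
        tlv_area = body[12:]
    elif fam_proto == 0x21:            # TCP over IPv6: 16 + 16 + 2 + 2 bytes
        if len(body) < 36:
            raise ValueError("short IPv6 address block")
        src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
        tlv_area = body[36:]
    else:
        raise ValueError("unsupported address family/protocol")
    info = {
        "command": "PROXY",
        "src_ip": str(ipaddress.ip_address(src)),
        "src_port": sport,
        "dst_ip": str(ipaddress.ip_address(dst)),
        "dst_port": dport,
    }
    aws = _parse_tlvs(tlv_area).get(PP2_TYPE_AWS)
    if aws and aws[0] == PP2_SUBTYPE_AWS_VPCE_ID:
        info["vpce_id"] = aws[1:].decode("ascii")
    return info, end


if __name__ == "__main__":
    sample = build_proxy_v2("203.0.113.7", "10.0.1.5", 51000, 443, "vpce-0123456789abcdef0")
    print(parse_proxy_v2(sample + b"GET / HTTP/1.1\r\n"))
```

The parser deliberately fails closed: a connection that does not start with the signature is rejected instead of being treated as a direct client, which is the behaviour you want on a port that should only ever be reached through the load balancer.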

433
MCQhard

A company is implementing a multicast application in AWS. The application requires that multicast traffic be forwarded between Amazon EC2 instances in different VPCs. The company has set up a multicast domain on an AWS Transit Gateway with multicast support. The multicast group uses the IP address 239.0.1.10. The network engineer has confirmed that the EC2 instances are registered as multicast members and that the Transit Gateway multicast domain is configured correctly. However, receivers in VPC B are not receiving multicast traffic from senders in VPC A. What is the MOST likely cause of this issue?

A.The multicast group is not associated with the correct subnet in VPC A.
B.The multicast traffic has a TTL value of 1, which prevents it from leaving the source subnet.
C.The security group for the sender EC2 instances does not allow outbound UDP traffic to the multicast group address.
D.The receiver instances are not sending IGMP join messages to the multicast group.
AnswerC

Security groups are enforced on the sender's network interface too: if no outbound rule allows UDP to the group address, the packets are dropped at the source.

Why this answer

Option C is correct because the sender's security group is evaluated before the packets ever reach the transit gateway: if its outbound rules do not allow UDP to the multicast group address (239.0.1.10), the traffic is dropped at the source. The receivers' security groups must likewise allow the inbound UDP traffic from the senders. Option D is incorrect because the scenario uses static membership: the members were registered explicitly, so IGMP join messages are not required. Option A is incorrect because group membership is registered against member network interfaces rather than bound to a subnet, and the domain has been confirmed as correctly configured.

Option B is incorrect because nothing in the scenario points to a TTL problem; it is a distractor.

434
Multi-Selecteasy

Which TWO of the following are true about AWS VPC security groups? (Choose two.)

Select 2 answers
A.Rules are evaluated in order, and the first matching rule is applied.
B.They have an implicit deny all rule at the end.
C.They are stateful, meaning return traffic is automatically allowed regardless of outbound rules.
D.They support both allow and deny rules.
E.They can be associated with subnets.
AnswersB, C

If no rule matches, traffic is denied.

Why this answer

Options B and C are correct. Security groups are stateful: when an inbound request is allowed, the reply is allowed out automatically regardless of the outbound rules (option C), and anything not explicitly allowed by some rule is denied (option B). Option A is wrong because all rules in a security group are evaluated together and the most permissive match applies; ordered, first-match evaluation is a network ACL property.

Option D is wrong because security groups support allow rules only; deny rules exist only in network ACLs. Option E is wrong because security groups attach to elastic network interfaces (and thus to instances), whereas network ACLs attach to subnets.
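The three wrong options in this question describe network ACL behaviour, which is the usual source of confusion. The following is an added example, not code from the original page, that models both constructs and runs one HTTPS exchange through each: it shows the reply passing a security group with no outbound rules at all, the same reply failing a stateless network ACL that lacks an ephemeral-port rule, and a lower-numbered deny rule winning in a network ACL. The rules, addresses and the simplified connection-tracking model are constructed for the demonstration.

```python
"""Toy model of how a security group and a network ACL judge the same packets.
Constructed example: rules and addresses are invented, and the model covers
only statefulness, allow-only rules, implicit deny and rule ordering."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp", "icmp" or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str
    action: str = "allow"   # network ACLs may also "deny"; security groups cannot
    number: int = 0         # network ACL rule number; unused by security groups


def _matches(rule, proto, port, peer):
    return (rule.proto in ("-1", proto)
            and rule.from_port <= port <= rule.to_port
            and ipaddress.ip_address(peer) in ipaddress.ip_network(rule.cidr))


class SecurityGroup:
    """Stateful, allow-only, unordered: every rule is considered; no match means deny."""

    def __init__(self, inbound, outbound):
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("security groups support allow rules only")
        self.inbound, self.outbound = inbound, outbound
        self._tracked = set()   # (local_ip, local_port, remote_ip, remote_port, proto)

    def inbound_allowed(self, p):
        key = (p.dst, p.dport, p.src, p.sport, p.proto)
        if key in self._tracked:            # reply to a tracked outbound flow
            return True
        ok = any(_matches(r, p.proto, p.dport, p.src) for r in self.inbound)
        if ok:
            self._tracked.add(key)
        return ok

    def outbound_allowed(self, p):
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        if key in self._tracked:            # reply to a tracked inbound flow
            return True
        ok = any(_matches(r, p.proto, p.dport, p.dst) for r in self.outbound)
        if ok:
            self._tracked.add(key)
        return ok


class NetworkAcl:
    """Stateless, ordered by rule number, first match wins, allow or deny;
    the trailing '*' rule denies anything unmatched."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, proto, port, peer):
        for r in rules:
            if _matches(r, proto, port, peer):
                return r.action == "allow"
        return False

    def inbound_allowed(self, p):
        return self._evaluate(self.inbound, p.proto, p.dport, p.src)

    def outbound_allowed(self, p):
        return self._evaluate(self.outbound, p.proto, p.dport, p.dst)


def demo():
    """One HTTPS exchange through each construct; returns the verdicts."""
    client, server, anywhere = "203.0.113.7", "10.0.1.5", "0.0.0.0/0"
    request = Packet(client, 51000, server, 443)
    reply = Packet(server, 443, client, 51000)
    unsolicited = Packet(server, 40000, "198.51.100.9", 80)
    sg = SecurityGroup(inbound=[Rule("tcp", 443, 443, anywhere)], outbound=[])
    https_in = [Rule("tcp", 443, 443, anywhere, number=100)]
    acl_ok = NetworkAcl(https_in, [Rule("tcp", 1024, 65535, anywhere, number=100)])
    acl_no_ephemeral = NetworkAcl(https_in, [])
    acl_deny_first = NetworkAcl([Rule("tcp", 443, 443, "203.0.113.0/24", "deny", 90)] + https_in, [])
    return {
        "sg_request": sg.inbound_allowed(request),           # True
        "sg_reply": sg.outbound_allowed(reply),              # True: stateful, no outbound rule needed
        "sg_unsolicited": sg.outbound_allowed(unsolicited),  # False: implicit deny
        "acl_reply_with_ephemeral_rule": (acl_ok.inbound_allowed(request)
                                          and acl_ok.outbound_allowed(reply)),
        "acl_reply_without_ephemeral_rule": (acl_no_ephemeral.inbound_allowed(request)
                                             and acl_no_ephemeral.outbound_allowed(reply)),
        "acl_deny_first_match": acl_deny_first.inbound_allowed(request),  # False: rule 90 matches first
    }
```

Calling demo() returns the verdict for each case; constructing a SecurityGroup with a deny rule raises, mirroring the fact that the API offers no such rule type.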
