CCNA Network Mgmt Ops Questions

75 of 346 questions · Page 1/5 · Network Mgmt Ops topic · Answers revealed

Question 1 (MCQ, hard)

A company has a production VPC with a public and private subnet across two Availability Zones. The public subnet hosts a Network Load Balancer (NLB) that distributes traffic to EC2 instances in the private subnet. The application experiences periodic failures where the NLB marks all targets as unhealthy for about 2 minutes, then they recover. The health checks are HTTP on port 80 with a 5-second interval, 2 consecutive successes to be healthy, and 2 consecutive failures to be unhealthy. The target group health check timeout is 5 seconds. The EC2 instances are behind an Auto Scaling group with a minimum of 2 instances per AZ. CPU utilization on the instances is stable at 40%. The NLB's CloudWatch metrics show HealthyHostCount drops to zero suddenly. The network engineer suspects a network issue. What is the most likely cause?

A. The security group for the private subnet is blocking inbound traffic from the NLB.
B. The health check timeout is equal to the interval, causing timeouts under transient network delays.
C. The NLB's cross-zone load balancing is disabled, causing all traffic to go to one AZ.
D. The route tables for the private subnets are missing a route to the NLB's subnet.
Answer: B

If timeout equals interval, any delay in response results in consecutive failures, marking the instance unhealthy. Increasing the interval or decreasing the timeout would help.

Why this answer

If the health check timeout equals the interval, a single delayed response can cause consecutive failures. When a health check request is delayed, the NLB times out and counts a failure; after two such timeouts it marks the instance unhealthy. The instances are not overloaded (CPU at 40%), but network contention or latency can still delay the responses enough to time out.

The most common cause is therefore a health check timeout equal to the interval, so that a missed response leads to immediate failure. The recommended practice is to set the timeout lower than the interval to allow for retries. Option B identifies this misconfiguration; the remediation is to increase the interval or decrease the timeout.

Question 2 (MCQ, medium)

A company has deployed a centralized NAT gateway in a VPC and uses VPC Flow Logs to monitor traffic. The network team notices that traffic from an EC2 instance in a private subnet to the internet is not being logged in the flow logs. The flow logs are configured at the VPC level with the 'ALL' format. What is the most likely cause of this issue?

A. The EC2 instance is using a different VPC than the one where flow logs are configured.
B. The flow log format is set to 'ALL' which excludes NAT gateway traffic.
C. The flow logs are configured to capture only rejected traffic by default.
D. Flow logs must be created specifically for the NAT gateway's elastic network interface to capture its traffic.
Answer: D

VPC-level flow logs do not capture traffic for the NAT gateway's ENI; a separate flow log for the NAT gateway ENI is required.

Why this answer

VPC Flow Logs capture traffic at the elastic network interface (ENI) level. A centralized NAT gateway has its own ENI in the public subnet, and traffic from private instances is routed through that ENI when it reaches the internet. To log that traffic, flow logs must be created specifically for the NAT gateway's ENI, not just at the VPC level, because VPC-level flow logs capture traffic for ENIs within that VPC but do not inherently capture traffic passing through the NAT gateway's ENI unless that ENI is explicitly targeted.

Exam trap

AWS often tests the misconception that VPC-level flow logs automatically capture all traffic traversing the VPC, including traffic through intermediate appliances like NAT gateways, when in fact flow logs must be applied to each specific ENI to log its traffic.

How to eliminate wrong answers

Option A is wrong because if the EC2 instance were in a different VPC, its traffic would not be routed through the centralized NAT gateway in the original VPC at all, and the question states the traffic is not being logged, not that it fails to reach the internet. Option B is wrong because the 'ALL' format includes all traffic metadata (accepted and rejected), and it does not exclude NAT gateway traffic; the format only controls which fields are logged, not which traffic is captured. Option C is wrong because VPC Flow Logs do not have a default setting to capture only rejected traffic; they capture all traffic by default when created, and the 'ALL' format includes both accepted and rejected traffic.

Question 3 (MCQ, hard)

A network engineer is configuring an AWS Site-to-Site VPN connection between a VPC and an on-premises network. The engineer creates a customer gateway, VPN connection, and virtual private gateway. The VPN tunnel status shows 'down'. Which configuration step is most likely missing?

A. Attach the VPN connection to the virtual private gateway
B. Enable route propagation on the virtual private gateway
C. Add a static route to the VPN connection in the route table
D. Configure the on-premises router with the correct pre-shared key and tunnel IP addresses
Answer: D

The on-premises device must have matching parameters.

Why this answer

Option D is correct because the on-premises router must have a tunnel interface configuration that matches the AWS parameters (pre-shared key and tunnel IP addresses). Option A is wrong because the VPN connection already includes the tunnel configuration for the virtual private gateway.

Option B is wrong because route propagation applies to dynamic routing and is not required for the tunnel to come up.

Question 4 (MCQ, easy)

A company is using AWS Direct Connect with a private VIF. They want to monitor the BGP session status and receive alerts if the session goes down. Which AWS service should they use?

A. VPC Flow Logs
B. Amazon CloudWatch
C. AWS Config
D. AWS CloudTrail
Answer: B

Direct Connect metrics including BGP status are available in CloudWatch.

Why this answer

Amazon CloudWatch is the correct service because it can monitor the BGP session status of a Direct Connect private VIF by publishing metrics such as 'bgp_session_state' (0=down, 1=up) and 'connection_state' to CloudWatch. You can then create a CloudWatch alarm that triggers an alert (e.g., via SNS) when the BGP session state transitions to 0, providing real-time notification of a session failure.

Exam trap

The trap here is that candidates confuse network monitoring (CloudWatch metrics for BGP state) with logging (Flow Logs, CloudTrail) or configuration tracking (Config), assuming any AWS monitoring service can handle BGP session alerts, but only CloudWatch provides the specific metric and alarm functionality for Direct Connect BGP status.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture IP traffic metadata (source/destination IP, ports, protocol) at the VPC network interface level, not BGP session state or routing protocol status. Option C is wrong because AWS Config records resource configuration changes and evaluates compliance rules, but it does not monitor real-time BGP session health or provide metric-based alerts. Option D is wrong because AWS CloudTrail logs API calls and management events (e.g., creating a VIF), not the operational state of a BGP session between the customer router and AWS.

Question 5 (MCQ, hard)

A network engineer is designing a multi-region application that requires low-latency traffic between EC2 instances in two different AWS Regions. The engineer needs to ensure that traffic between the instances uses the AWS global network and not the public internet. Which AWS service should be used?

A. AWS Direct Connect
B. AWS Global Accelerator
C. AWS Transit Gateway
D. VPC Peering
Answer: B

Global Accelerator uses the AWS global network to improve latency.

Why this answer

The correct answer is B because Global Accelerator routes traffic over the AWS global network rather than the public internet, which is what the low-latency inter-Region requirement calls for. Option D is wrong because VPC Peering requires explicit inter-Region peering and does not provide latency optimization.

Option C is wrong because Transit Gateway does not natively support inter-Region connectivity. Option A is wrong because Direct Connect is for on-premises to AWS connectivity.

Question 6 (MCQ, medium)

A company has a global application deployed across multiple AWS regions using Application Load Balancers (ALBs) and AWS Global Accelerator. Users in Asia report high latency. The network team wants to monitor the performance of the Global Accelerator endpoints. Which AWS service should they use to collect and analyze network metrics?

A. Amazon CloudWatch metrics for Global Accelerator
B. AWS VPC Flow Logs
C. AWS X-Ray
D. AWS CloudTrail
Answer: A

CloudWatch provides metrics like endpoint health and latency.

Why this answer

Option A is correct because CloudWatch metrics for Global Accelerator provide endpoint health and performance metrics. Option B is wrong because VPC Flow Logs capture IP traffic but not accelerator-level metrics. Option C is wrong because AWS X-Ray is for application tracing.

Option D is wrong because CloudTrail logs API calls, not performance.

Question 7 (MCQ, medium)

An organization has a multi-account setup using AWS Organizations. The security team wants to centrally manage and enforce security group rules across all VPCs in all accounts. Which solution should they implement?

A. Deploy a centralized network ACL in each VPC.
B. Enable VPC Flow Logs and analyze using Amazon Detective.
C. Use AWS Config rules to remediate non-compliant security groups.
D. Use AWS Firewall Manager to create common security group policies.
Answer: D

Firewall Manager centrally manages security groups across accounts.

Why this answer

Option D is correct because AWS Firewall Manager provides a centralized way to apply security group rules across accounts and VPCs in an organization. Option A is wrong because network ACLs are stateless and not as flexible for application-level rules. Option C is wrong because AWS Config is for compliance and auditing, not enforcement.

Option B is wrong because VPC Flow Logs are for monitoring, not enforcement.

Question 8 (MCQ, easy)

A company has a VPC with a NAT gateway in a public subnet. The security team wants to log all outbound traffic from private subnets to the internet. Which AWS service should be used to capture this traffic?

A. VPC Flow Logs
B. AWS CloudTrail
C. Amazon S3 Access Logs
D. AWS Config
Answer: A

Flow Logs on the NAT gateway ENI capture all outbound traffic.

Why this answer

The correct answer is A because VPC Flow Logs can be enabled on the NAT gateway's elastic network interface to capture all outbound traffic. Option B is wrong because CloudTrail does not capture network traffic. Option D is wrong because AWS Config does not log traffic.

Option C is wrong because S3 Access Logs record S3 bucket access, not NAT gateway traffic.

Question 9 (Multi-Select, medium)

Which THREE are best practices for managing network security in a multi-VPC AWS environment using AWS Transit Gateway?

Select 3 answers
A. Use separate Transit Gateway route tables for different environments (e.g., production, development).
B. Centralize internet egress traffic through a shared VPC with a NAT gateway or proxy.
C. Attach all VPCs to a single Transit Gateway route table for simplicity.
D. Enable VPC Flow Logs on all VPCs and centralize logs in a security account.
E. Use network ACLs on every subnet to filter traffic between VPCs.
Answers: A, B, D

Separate route tables enable network isolation.

Why this answer

Options A, B, and D are correct. Option E is incorrect because network ACLs are stateless and are not needed if security groups are used. Option C is incorrect because a single route table would allow all VPCs to communicate, violating least privilege.

Question 10 (MCQ, medium)

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. They want to monitor the number of packets dropped due to route table limits. Which CloudWatch metric should they use?

A. PacketsIn
B. PacketsDroppedByRouteTable
C. BytesOut
D. BytesDroppedByRouteTable
Answer: B

This metric tracks packets dropped due to route table limits.

Why this answer

Option B is correct because Transit Gateway publishes the metric 'PacketsDroppedByRouteTable' to CloudWatch. Option C is incorrect; 'BytesOut' measures traffic volume. Option A is incorrect; 'PacketsIn' counts incoming packets.

Option D is incorrect; 'BytesDroppedByRouteTable' does not exist, as the metric is packet-based.

Question 11 (MCQ, hard)

A company has a global application deployed across multiple AWS Regions. Users are routed to the nearest Region using Amazon Route 53. The application uses an Application Load Balancer in each Region. The network team wants to ensure that traffic is always routed to a healthy Region in case of a Regional failure. Which Route 53 routing policy should be used?

A. Latency-based routing with health checks
B. Weighted routing
C. Simple routing
D. Failover routing
Answer: A

This routes to the region with lowest latency and fails over on health check failure.

Why this answer

Option A is correct because latency-based routing with health checks routes to the Region with the lowest latency and fails over if health checks fail. Option C is wrong because simple routing does not support health checks. Option B is wrong because weighted routing distributes traffic based on weights, not latency.

Option D is wrong because failover routing is primary/backup, not latency-based.

Question 12 (MCQ, medium)

A company is experiencing intermittent connectivity issues between a VPC and an on-premises data center over an AWS Direct Connect connection. The network engineer checks the Direct Connect virtual interface status and sees it is 'up'. However, BGP sessions are flapping. Which action should the engineer take to diagnose the issue?

A. Verify the VLAN configuration on the customer router.
B. Enable BFD on the Direct Connect virtual interface.
C. Recreate the virtual interface with a new VLAN ID.
D. Check the BGP keepalive and hold timers on both sides.
Answer: D

Inconsistent BGP timers can cause session flapping.

Why this answer

Option D is correct because checking the BGP timers (together with the session logs) helps identify flapping caused by misconfigured timers or routing updates. Option A is wrong because the VLAN configuration does not address BGP-specific issues. Option B is wrong because it involves changing the routing configuration, not diagnosing it.

Option C is wrong because recreating the virtual interface is an extreme measure that may not resolve the BGP issue.

Question 13 (Multi-Select, medium)

A company has a Direct Connect connection with a private VIF to a VPC. The network engineer needs to ensure that traffic from the on-premises network to the VPC uses the Direct Connect path, while internet-bound traffic from the VPC uses an Internet Gateway. Which TWO configurations are required? (Select TWO.)

Select 2 answers
A. Add a route in the VPC route table for the Direct Connect location prefix
B. Deploy a NAT Gateway in the VPC for internet access
C. Configure the on-premises router to send all internet traffic to the VPC
D. Add a route in the VPC route table for the on-premises CIDR pointing to the virtual private gateway (VGW)
E. Add a default route (0.0.0.0/0) in the VPC route table pointing to the Internet Gateway
Answers: D, E

Directs traffic from VPC to on-premises via Direct Connect.

Why this answer

Options D and E are correct. D: the VPC route table must have a route to the on-premises CIDR via the virtual private gateway. E: the VPC route table must have a default route (0.0.0.0/0) to the Internet Gateway.

Option A is wrong because the VPC does not need a route to the Direct Connect location. Option C is wrong because the on-premises router should not send its internet traffic to the VPC. Option B is wrong because the VPC does not need a NAT gateway for internet access when an Internet Gateway is used.

Question 14 (MCQ, hard)

A network engineer is troubleshooting high latency on an AWS Transit Gateway attachment to a VPN. The VPN tunnel is established, and traffic flows, but latency spikes are observed during peak hours. The engineer suspects packet loss. Which diagnostic step should be taken first?

A. Run a traceroute from an on-premises host to an EC2 instance.
B. Use Amazon CloudWatch metrics for the Transit Gateway attachment to check for dropped packets.
C. Verify the VPN tunnel status in the AWS Management Console.
D. Review the VPN CloudWatch metrics for tunnel data.
Answer: B

Transit Gateway provides attachment-level metrics like bytes in/out and dropped packets.

Why this answer

Option B is correct because the Transit Gateway attachment metrics can show packet loss or errors. Option C is wrong because it only checks whether the tunnel is up. Option A is wrong because CloudWatch metrics for the VPN are more granular than a traceroute.

Option D is wrong because it does not provide real-time diagnostics.

Question 15 (MCQ, medium)

An EC2 instance with the attached network interface shown above is unable to reach the internet. The instance is in a public subnet with a route to an internet gateway. The security group allows outbound traffic. What is the most likely cause?

A. The source/destination check is enabled, which prevents the instance from sending traffic to the internet if it is not the source of the traffic.
B. The network interface's attachment status is 'attached', but the instance may not have a public IP address.
C. The route table for the subnet does not have a 0.0.0.0/0 route pointing to the internet gateway.
D. The security group is not associated with the network interface.
Answer: C

Although not shown in the exhibit, this is the most common cause of internet access failure for instances in public subnets. The exhibit does not contradict this.

Why this answer

The exhibit shows the network interface with 'SourceDestCheck' set to true, an attachment status of 'attached', and an associated security group. Source/destination checking must be disabled only for NAT instances or instances that act as routers; for a regular instance, which is what the question describes, it should remain enabled, so option A does not explain the failure.

Security groups are stateful, so the inbound rules cannot block return traffic, and the question states that outbound traffic is allowed. The exhibit shows that a security group is associated with the interface (although its rules are not shown), so option D is ruled out as well. The instance is in a public subnet and is expected to have a public IP address, which makes option B an unlikely cause.

The exhibit does not show the subnet's route table. A missing 0.0.0.0/0 route to the internet gateway is the most common reason an instance in a public subnet cannot reach the internet, and nothing in the exhibit rules it out, so option C is the most likely cause.

Question 16 (MCQ, easy)

A company has a VPC with a single public subnet. The subnet has a web server that needs to be accessible over the internet. The security group for the web server allows inbound HTTP (port 80) from 0.0.0.0/0. The network ACL for the subnet allows inbound HTTP from 0.0.0.0/0 and outbound traffic on ports 1024-65535 to 0.0.0.0/0. The internet gateway is attached to the VPC, and the route table has a route to the internet gateway for 0.0.0.0/0. The web server has a public IP address. However, users cannot access the web server. The engineer verifies that the web server is running and listening on port 80. What is the most likely cause?

A. The network ACL's outbound rule does not allow traffic from port 80 to the internet.
B. The route table for the subnet does not have a route to the internet gateway.
C. The internet gateway is not properly attached to the VPC.
D. The security group's outbound rule is blocking the HTTP response.
Answer: A

The NACL outbound rule only allows source ports 1024-65535, but the HTTP response comes from port 80, so it is blocked.

Why this answer

The security group is stateful, so once inbound HTTP is allowed, the response is allowed automatically; option D is not the cause. The route to the internet gateway and the gateway attachment are stated to be in place, and the engineer has verified that the server is running and listening on port 80, so options B and C and an OS-level firewall are ruled out.

The network ACL is stateless: the inbound rule must allow the client's request, and a separate outbound rule must allow the server's response. The inbound rule allows HTTP from 0.0.0.0/0, so the request reaches the server. The response, however, is sent from the server's port 80 to the client's ephemeral port, and the outbound rule only allows ports 1024-65535, not port 80. An outbound rule permitting port 80 is therefore needed for the response; without it the NACL drops the response, which is why users cannot reach the web server (option A).

Question 17 (MCQ, easy)

A solutions architect is designing a hybrid network using AWS Transit Gateway with multiple VPN attachments. The on-premises network uses BGP dynamic routing. What is the best practice to achieve high availability and fast failover?

A. Use a single VPN connection with static routes.
B. Configure the VPN connection with a single tunnel and use static routes with a higher metric for backup.
C. Create two VPN connections from two different customer gateways to two different AWS VPN endpoints, and enable BGP on both.
D. Use only one VPN tunnel with BGP enabled.
Answer: C

This provides high availability and fast failover via BGP.

Why this answer

AWS VPN supports BGP dynamic routing, which provides automatic failover and route propagation. Using two VPN tunnels from the same customer gateway to two different AWS endpoints (e.g., two VPN connections to different Availability Zones) ensures high availability and fast failover if one tunnel goes down.

Question 18 (MCQ, medium)

A network engineer is troubleshooting an EC2 instance that cannot connect to S3 via a VPC endpoint. The describe-vpc-endpoints output shows the endpoint is associated with a route table but no subnets. What is the likely issue?

A. The DNS entry for the endpoint is not resolving.
B. The VPC endpoint policy denies access to S3.
C. The VPC endpoint state is not available.
D. The subnet's route table does not include a route for the S3 prefix list via the endpoint.
Answer: D

Gateway Endpoints rely on route table entries; the subnet must have the route.

Why this answer

Option D is correct because Gateway Endpoints for S3 are associated with route tables, not subnets. The instance needs a route in its subnet's route table pointing to the endpoint; if the route table associated with the endpoint is not the one used by the subnet, the traffic will not use the endpoint.

Option C is wrong because the endpoint state is available. Option B is wrong because the endpoint policy allows all access. Option A is wrong because the DNS name is present.

Question 19 (MCQ, hard)

A company has a VPC with a Transit Gateway (TGW) connected to multiple VPCs and an on-premises network via Direct Connect. The network team wants to implement centralized inspection of all traffic between VPCs and between VPCs and on-premises. Which architecture should they use?

A. Attach a Direct Connect Gateway to the Transit Gateway and configure route propagation.
B. Use AWS Network Firewall in each VPC.
C. Create a Gateway Load Balancer (GWLB) in a dedicated inspection VPC and attach it to the Transit Gateway.
D. Deploy a third-party firewall in each VPC and use VPC peering.
Answer: C

GWLB with appliances allows centralized inspection. TGW routes traffic through the inspection VPC.

Why this answer

Centralized inspection is achieved by using a Gateway Load Balancer with appliances in a dedicated inspection VPC. Transit Gateway route tables direct traffic to the inspection VPC. AWS Network Firewall can also be used but is placed in a VPC.

Direct Connect gateway does not provide inspection.

Question 20 (MCQ, easy)

A network engineer is monitoring network performance and needs to collect and analyze network metrics from multiple AWS services in a centralized dashboard. Which AWS service should be used to aggregate and visualize these metrics?

A. AWS VPC Flow Logs
B. AWS CloudTrail
C. Amazon CloudWatch Dashboards
D. AWS Config
Answer: C

CloudWatch Dashboards aggregate and visualize metrics.

Why this answer

Option C is correct because CloudWatch Dashboards provide centralized visualization of metrics from various AWS services. Option A is wrong because VPC Flow Logs are IP traffic logs, not metrics. Option D is wrong because AWS Config tracks resource configuration, not metrics.

Option B is wrong because CloudTrail logs API calls.

Question 21 (MCQ, easy)

A network engineer is troubleshooting high latency on an AWS Direct Connect connection. The engineer checks the CloudWatch metrics for the virtual interface and sees that 'ConnectionBpsEgress' and 'ConnectionBpsIngress' are both below 50% of the provisioned bandwidth. Which additional metric should be examined to identify potential bufferbloat?

A. CRAM (Challenge-Response Authentication Mechanism) handshake failures
B. Latency metrics from Amazon CloudWatch
C. PauseFrames (802.3x flow control frames)
D. CRC errors on the physical connection
Answer: C

High pause frames indicate congestion and bufferbloat.

Why this answer

Option C is correct because 'PauseFrames' indicates that the link is being flow-controlled due to congestion, which can cause bufferbloat. Option A is incorrect because CRAM is a security protocol, not a link metric. Option D is incorrect because CRC errors indicate physical-layer issues.

Option B is incorrect because latency metrics are not available for Direct Connect at the virtual interface level.

Question 22 (MCQ, easy)

A network engineer is troubleshooting intermittent connectivity issues between an on-premises data center and AWS over a Direct Connect connection. The engineer notices that BGP sessions are flapping. What should the engineer check first?

A. Configure route propagation in the VPC route tables.
B. Verify BGP timers and ensure they match on both sides.
C. Check the virtual interface (VIF) status in the AWS console.
D. Increase the MTU on the Direct Connect link.
Answer: B

Mismatched BGP timers (hold time, keepalive) cause session flapping.

Why this answer

Option B is correct because mismatched BGP timers are a common cause of flapping. Option C is incorrect because the VIF status does not explain flapping when the BGP timers mismatch. Option D is incorrect because MTU issues typically cause packet loss, not flapping.

Option A is incorrect because route propagation affects the routes in the VPC route tables, not BGP session stability.

Question 23 (MCQ, easy)

A company has a VPC with public and private subnets. The public subnets have a NAT gateway for outbound internet access. The private subnets route all 0.0.0.0/0 traffic to the NAT gateway. The network team wants to centrally log all outbound internet traffic from the private subnets. They enable VPC Flow Logs and publish them to Amazon S3. However, they notice that the flow logs are capturing only traffic between instances within the VPC, not the NAT gateway traffic. What should the team do to capture outbound internet traffic?

A. Enable VPC Flow Logs specifically for the NAT gateway's elastic network interface.
B. Enable VPC Flow Logs for all subnets in the VPC.
C. Use AWS CloudTrail to log NAT gateway traffic.
D. Enable VPC Flow Logs for the VPC and publish to CloudWatch Logs instead of S3.
Answer: A

Captures traffic through the NAT gateway.

Why this answer

VPC Flow Logs capture traffic at the network interface level. To capture traffic that goes through the NAT gateway, enable flow logs on the NAT gateway's network interface. Option A is the correct approach.

Option B is not necessary because NAT gateway traffic is not VPC-to-VPC traffic. Option C would capture traffic but not specifically the outbound traffic. Option D is incorrect because the issue is not with the VPC Flow Logs configuration but with the resource being monitored.

Question 24 (MCQ, medium)

A network engineer is configuring AWS Client VPN for remote access. The engineer creates a Client VPN endpoint and associates it with a target network (subnet) in the VPC. After associating, clients can connect to the VPN but cannot access resources in the VPC. The security groups and network ACLs allow all traffic. What is the most likely issue?

A.The Client VPN endpoint is not associated with a subnet in the VPC
B.The client CIDR range overlaps with the VPC CIDR
C.The Client VPN endpoint does not have an authorization rule to allow access to the VPC CIDR
D.The Client VPN endpoint's route table does not include a route to the VPC CIDR
AnswerD

A route must be added to direct traffic to the VPC.

Why this answer

Option D is correct because the Client VPN endpoint's route table must have a route to the VPC CIDR. Without it, traffic from clients is not forwarded to the VPC. Option C is wrong because the authorization rule is for access to specific networks, not routing.

Option A is wrong because the subnet association is for the VPN endpoint itself, not routing. Option B is wrong because the client CIDR is used for assigning IPs to clients, not for routing to the VPC.

25
MCQmedium

A network engineer created an IAM policy for a user to manage VPC Flow Logs. The user reports they cannot create flow logs and receive an 'AccessDenied' error. What is the MOST likely reason?

A.The ec2:CreateFlowLogs action is missing.
B.The logs:CreateLogGroup resource ARN is too restrictive.
C.The logs:PutLogEvents action is missing.
D.The iam:PassRole action is missing for the flow logs role.
AnswerB

The resource ARN limits log group creation to names starting with '/aws/vpc-flow-logs/', but the user might be using a different name.

Why this answer

Option B is correct because the policy allows logs:CreateLogGroup only for a specific log group ARN, but the user might be trying to create a log group with a different name pattern. Option A is incorrect because the policy includes ec2:CreateFlowLogs. Option C is incorrect because the policy includes logs:PutLogEvents.

Option D is incorrect because the policy includes iam:PassRole for the specific role.

26
Multi-Selectmedium

Which TWO options are valid ways to monitor network traffic in an AWS environment? (Choose 2.)

Select 2 answers
A.AWS Config
B.AWS CloudTrail
C.VPC Traffic Mirroring
D.Amazon Inspector
E.VPC Flow Logs
AnswersC, E

Copies traffic for deep packet inspection.

Why this answer

VPC Traffic Mirroring (Option C) is a valid way to monitor network traffic because it captures and copies network packets from Elastic Network Interfaces (ENIs) in a VPC and forwards them to monitoring appliances for deep packet inspection, security analysis, or troubleshooting. This allows you to inspect traffic content, including payloads, without impacting the source or destination of the traffic.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (which logs API calls) with network traffic monitoring, but CloudTrail does not capture data-plane packets or payloads, making VPC Flow Logs and VPC Traffic Mirroring the only correct options for actual network traffic monitoring.

27
MCQmedium

A company uses AWS CloudWAN to build a global network connecting multiple VPCs and on-premises sites. The network team has configured a core network with a segment that includes VPCs in us-east-1 and eu-west-1. The team notices that traffic between VPCs in different regions is taking a suboptimal path, going through the internet instead of staying within the AWS global network. The team has verified that the core network attachments are correctly configured and that the route tables are propagated. What should the team do to ensure traffic stays within the AWS global network?

A.Establish a VPC peering connection between the two VPCs.
B.Set up an AWS Direct Connect gateway to route traffic between regions.
C.Ensure both VPCs are attached to the same CloudWAN segment.
D.Create a transit gateway in each region and peer them together.
AnswerC

Correct: Same segment ensures traffic stays within CloudWAN and uses AWS global backbone.

Why this answer

Option C is correct because CloudWAN uses segments and attachments; if the VPCs are not in the same segment, traffic may be routed through the internet. Option D is wrong because Transit Gateway is not needed when using CloudWAN. Option B is wrong because DX is for on-premises, not inter-region VPC traffic.

Option A is wrong because VPC peering is not part of the CloudWAN architecture.

28
MCQeasy

A company is using AWS Direct Connect to connect to its VPC. The network team wants to encrypt all traffic between the on-premises data center and the VPC. Which solution provides encryption?

A.Enable MACsec on the Direct Connect connection.
B.Use an IPsec VPN over the Direct Connect virtual interface.
C.Use AWS Client VPN to connect on-premises to VPC.
D.Enable encryption on the Direct Connect virtual interface.
AnswerB

IPsec VPN over Direct Connect encrypts traffic end-to-end.

Why this answer

IPsec VPN over Direct Connect provides encryption. Direct Connect itself does not encrypt traffic. MACsec encrypts at Layer 2 but is not supported over Direct Connect.

AWS Site-to-Site VPN can be used over the internet or over Direct Connect as an IPsec tunnel.

29
MCQmedium

A network engineer is troubleshooting an AWS Lambda function that needs to create and manage ENIs in a VPC. The Lambda function is unable to create ENIs. The IAM policy attached to the Lambda execution role is shown in the exhibit. What is the issue?

A.The policy restricts the resource to a specific VPC.
B.The policy does not allow the ec2:CreateNetworkInterface action.
C.The policy does not allow the ec2:DeleteNetworkInterface action.
D.The policy is missing the ec2:AttachNetworkInterface action.
AnswerD

Lambda also needs ec2:AttachNetworkInterface to attach the ENI.

Why this answer

Option D is correct because Lambda requires permissions for ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DeleteNetworkInterface, and also ec2:AttachNetworkInterface. Option B is wrong because the action is allowed. Option A is wrong because the resource restriction is not the issue.

Option C is wrong because the policy already allows that action.

30
MCQeasy

A network engineer is troubleshooting high latency between two EC2 instances in the same VPC but different Availability Zones. Which AWS service can provide detailed network performance metrics to identify the source of latency?

A.AWS Config
B.AWS CloudTrail
C.AWS X-Ray
D.VPC Flow Logs
AnswerC

X-Ray traces requests and shows latency between components.

Why this answer

The correct answer is C because AWS X-Ray provides end-to-end tracing of requests and can identify network latency. Option D is wrong because VPC Flow Logs only capture metadata, not latency. Option B is wrong because CloudTrail records API calls, not network performance.

Option A is wrong because AWS Config tracks configuration changes, not performance.

31
MCQmedium

A network engineer is troubleshooting an issue where an EC2 instance launched in VPC vpc-0abcd1234efgh5678 cannot resolve DNS names for other instances using their private DNS names. The VPC has DHCP options set with domain-name-servers=AmazonProvidedDNS. What is the most likely cause?

A.The VPC attribute 'enableDnsHostnames' is set to false
B.VPC Flow Logs are not enabled
C.The security group on the instances blocks DNS traffic
D.The DHCP options set is not using AmazonProvidedDNS
AnswerA

Without hostnames, instances cannot resolve private DNS names.

Why this answer

Option A is correct because the command shows that EnableDnsHostnames is false, which means instances do not get DNS hostnames. Option D is incorrect because the DHCP options set is correct. Option B is incorrect because VPC Flow Logs are for network traffic, not DNS.

Option C is incorrect because security groups do not affect DNS resolution.

32
MCQeasy

A network engineer needs to verify the routing path between two EC2 instances in different subnets within the same VPC. Which AWS tool can provide this information?

A.Amazon CloudWatch Logs
B.VPC Reachability Analyzer
C.AWS Config
D.Run traceroute from one instance to the other
AnswerB

Reachability Analyzer tests connectivity and shows the routing path.

Why this answer

Option B is correct because VPC Reachability Analyzer can test connectivity and provide routing path information. Option D is incorrect because running traceroute from an instance requires SSH access. Option C is incorrect because AWS Config provides configuration history, not real-time path analysis.

Option A is incorrect because CloudWatch Logs does not provide path analysis.

33
MCQeasy

A company is using AWS CloudFormation to deploy network infrastructure. The network team wants to ensure that all subnets created in the VPC have a tag 'Environment' with the value 'Production'. Which CloudFormation resource property should they use?

A.Use 'PropagateTags' property in the VPC.
B.Use a separate AWS::ResourceGroups::Tagging resource.
C.Use the 'Tags' property of the AWS::EC2::Subnet resource.
D.Use the 'TagSpecifications' property of the AWS::EC2::Subnet resource.
AnswerD

TagSpecifications allows specifying tags during subnet creation.

Why this answer

The 'TagSpecifications' property allows tagging resources during creation. 'Tags' is a top-level property for some resources, but for EC2 resources like subnets, 'TagSpecifications' is the correct property.

34
Multi-Selectmedium

A company has a VPC with public and private subnets. The private subnets have a route to a NAT gateway for outbound internet access. The security team wants to audit all traffic from the private subnets to the internet. Which TWO steps should be taken to capture this traffic?

Select 2 answers
A.Enable VPC Flow Logs on the internet gateway.
B.Create a VPC Flow Log for the VPC and filter by the NAT gateway's network interface.
C.Enable VPC Flow Logs on the NAT gateway's elastic network interface.
D.Set up an AWS Site-to-Site VPN to route traffic through a third-party logging appliance.
E.Enable AWS CloudTrail for the NAT gateway.
AnswersB, C

Flow logs on the NAT gateway ENI capture outbound traffic from private subnets.

Why this answer

Option B is correct because VPC Flow Logs capture traffic for the NAT gateway interface. Option C is correct because enabling flow logs on the NAT gateway's ENI captures traffic sent through it. Option A is incorrect because the internet gateway does not see traffic from private subnets.

Option E is incorrect because CloudTrail does not capture network traffic. Option D is incorrect because a VPN is not used here.

35
MCQhard

A global e-commerce company is migrating to AWS and plans to use a hub-and-spoke topology with AWS Transit Gateway. The network team wants to ensure high availability for the connection between the hub VPC and the on-premises data center using AWS Direct Connect with multiple virtual interfaces (VIFs). They need to be able to fail over quickly with minimal packet loss. Which design should meet these requirements?

A.Provision one Direct Connect connection with a single private VIF, and enable BFD on the VIF to detect failures quickly.
B.Provision one Direct Connect connection with two private VIFs, and use a second Direct Connect connection as backup with a single VIF. Configure route tables to prefer the primary.
C.Provision two Direct Connect connections, each with multiple private VIFs, and attach them to the same transit gateway. Use BFD to detect failures and rely on ECMP routing across the VIFs.
D.Provision two Direct Connect connections, each with a single private VIF, and use AWS Site-to-Site VPN as a backup for each.
AnswerC

This provides active-active connectivity with fast failover via BFD, and ECMP allows load balancing across VIFs.

Why this answer

Option C is correct because it provides true high availability and fast failover by using two separate Direct Connect connections, each with multiple private VIFs, attached to the same transit gateway. BFD (Bidirectional Forwarding Detection) enables sub-second failure detection, and ECMP (Equal-Cost Multi-Path) routing across the VIFs allows active-active load balancing, minimizing packet loss during failover. This design eliminates single points of failure and meets the requirement for rapid convergence with minimal disruption.

Exam trap

The trap here is that candidates often confuse multiple VIFs on a single connection with true redundancy, failing to recognize that physical diversity requires separate Direct Connect connections, not just separate logical interfaces.

How to eliminate wrong answers

Option A is wrong because a single Direct Connect connection with one private VIF is a single point of failure; even with BFD, if the connection or physical link fails, all traffic is lost. Option B is wrong because using two VIFs on the same Direct Connect connection does not provide physical diversity; a failure of the single connection takes down both VIFs, and the backup connection with a single VIF still introduces a single point of failure at the connection level. Option D is wrong because using AWS Site-to-Site VPN as a backup introduces higher latency, lower bandwidth, and slower failover compared to a second Direct Connect connection, and it does not meet the requirement for minimal packet loss during failover.

36
MCQmedium

A company is using AWS CloudFormation to deploy a VPC with public and private subnets, an internet gateway, and a NAT gateway. The deployment fails with the error: 'Route table rtb-12345678 already has a route with destination 0.0.0.0/0'. The network engineer reviews the template and sees that the public route table has a route to the internet gateway and the private route table has a route to the NAT gateway. Both route tables are defined in the same template. What is the most likely cause of this error?

A.The internet gateway and NAT gateway cannot exist in the same VPC simultaneously.
B.The public and private route tables are the same resource due to a typo in the template.
C.The public route table already has a route to the internet gateway, and adding another default route is not allowed.
D.The NAT gateway route is missing a destination CIDR block.
AnswerB

Correct: Using the same route table ID for both routes causes duplicate route error.

Why this answer

Option B is correct because the error indicates that the same route table is being used for both routes, which happens when both resources reference the same route table ID. Option C is wrong because a route table can have multiple routes, but only one default route. Option D is wrong because the error is specific to duplicate routes, not a missing route.

Option A is wrong because internet and NAT gateways can coexist in the same VPC.

37
MCQmedium

A company has a Direct Connect connection with a private virtual interface. The on-premises network team reports that they cannot reach EC2 instances in a VPC. The VPC has a virtual private gateway attached. The route table in the VPC has a route to the on-premises CIDR via the virtual private gateway. What should the network engineer verify?

A.Verify that the Direct Connect virtual interface is in the 'available' state.
B.Verify that the VPC route table has a route to the on-premises CIDR pointing to the virtual private gateway.
C.Verify that the BGP session between the on-premises router and the VGW is established.
D.Verify that the on-premises router is advertising the VPC CIDR.
AnswerB

The VPC needs a route to send traffic to on-premises via the VGW.

Why this answer

Option B is correct because the VPC route table needs a route to the on-premises CIDR pointing to the virtual private gateway. Option A is wrong because the virtual interface must be up. Option C is wrong because BGP sessions must be established.

Option D is wrong because the on-premises router must advertise routes.

38
Multi-Selecteasy

A network engineer needs to monitor network performance between two EC2 instances in different Availability Zones. Which THREE metrics from Amazon CloudWatch should the engineer use?

Select 3 answers
A.NetworkPacketsIn
B.VolumeQueueLength
C.NetworkPacketsDropped
D.NetworkOut
E.NetworkIn
AnswersA, D, E

Measures number of incoming packets.

Why this answer

Options A, D, and E are correct for network performance monitoring. Option B is a metric for EBS volumes. Option C is not a standard metric.

39
Multi-Selecthard

A company is designing a multi-region network with Direct Connect. They have two Direct Connect connections in each region. They want to achieve the HIGHEST availability and lowest latency for cross-region traffic. Which THREE design elements should they include?

Select 3 answers
A.Configure BGP ASN prepending to influence path selection
B.Use different Direct Connect providers in each region
C.Use different Direct Connect locations within each region
D.Use multiple virtual interfaces per Direct Connect connection
E.Use the same BGP ASN for all Direct Connect connections
AnswersA, B, C

Helps control traffic flow.

Why this answer

Options A, B, and C are correct because using different providers, different locations, and BGP ASN prepending for path selection enhance availability and latency. Option E is incorrect because using the same ASN can cause issues but is not required. Option D is incorrect because one VIF per connection is sufficient.

40
Multi-Selecthard

Which TWO are requirements for using AWS Client VPN to provide secure remote access?

Select 2 answers
A.A security group must be associated with the Client VPN endpoint.
B.The Client VPN endpoint must be in a subnet with a route to the internet.
C.The client CIDR range must be within the VPC CIDR.
D.The client CIDR range must not overlap with the VPC CIDR or on-premises networks.
E.The Client VPN endpoint must use certificate-based server authentication only.
AnswersB, D

Clients need to reach the endpoint via internet.

Why this answer

Option B is correct because the Client VPN endpoint must be deployed in a subnet that has a route to the internet. This is necessary for the endpoint to establish the initial TLS handshake with client devices and to route traffic between the client and the VPC. Without internet connectivity, the endpoint cannot receive client connections or forward traffic to the internet if split-tunnel is disabled.

Exam trap

The trap here is that candidates often assume a security group is mandatory for all AWS resources, but Client VPN endpoints use authorization rules instead, and they may also incorrectly think the client CIDR must be a subset of the VPC CIDR, when in fact it must be non-overlapping.

41
MCQmedium

A company uses AWS Global Accelerator to improve performance for a global application. The application is deployed in two AWS regions behind Network Load Balancers. Users in Asia report high latency even though the accelerator should route them to the nearest endpoint. What is the most likely reason?

A.The endpoint in the closer region is marked unhealthy
B.Traffic Dial is set to 100% for the distant region
C.The accelerator is configured with on-premises endpoints
D.Client affinity is set to source IP
AnswerA

Global Accelerator routes traffic away from unhealthy endpoints.

Why this answer

Option A is correct because if the endpoints are unhealthy, Global Accelerator will route traffic to the other region. Option B is incorrect because Traffic Dial can shift traffic but does not cause high latency. Option D is incorrect because client affinity does not affect latency.

Option C is incorrect because Global Accelerator endpoints are typically in AWS, not on-premises.

42
MCQhard

A company is migrating its on-premises data center to AWS and wants to use AWS Direct Connect for private connectivity. The network team plans to advertise the company's public IP prefixes to AWS via BGP. Which AWS resource must be configured to allow advertisement of these prefixes?

A.A VPN CloudHub topology
B.A public virtual interface on the Direct Connect connection
C.A private virtual interface on the Direct Connect connection
D.A transit virtual interface on the Direct Connect connection
AnswerB

Public VIF is used to advertise public IP prefixes.

Why this answer

To advertise public IP prefixes over AWS Direct Connect, you must use a public virtual interface (VIF). A public VIF allows you to reach public AWS endpoints (such as S3, DynamoDB, or any public IP range) over the Direct Connect link, and it supports BGP peering where you can advertise your public IP prefixes to AWS. Private VIFs are only for private VPC connectivity and do not accept customer-originated public prefix advertisements.

Exam trap

The trap here is that candidates often confuse private VIFs (used for VPC connectivity) with public VIFs (used for public IP reachability), assuming that any BGP session on Direct Connect can advertise public prefixes, but only the public VIF is designed for that purpose.

How to eliminate wrong answers

Option A is wrong because a VPN CloudHub topology is used for connecting multiple VPN sites together over AWS VPN, not for advertising public IP prefixes over Direct Connect. Option C is wrong because a private virtual interface is used for connecting to a VPC via private IP addresses and does not support the advertisement of public IP prefixes. Option D is wrong because a transit virtual interface is used for connecting a Direct Connect gateway to a transit gateway, enabling connectivity to multiple VPCs, but it does not handle public prefix advertisements; that is the role of a public VIF.

43
MCQeasy

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The network engineer is troubleshooting connectivity issues and notices that the BGP session between the on-premises router and the AWS Direct Connect virtual interface is down. The engineer has verified the physical connectivity and the VLAN configuration. What should the engineer check next?

A.Ensure the virtual interface type is set to 'public'.
B.Verify that the on-premises router is advertising a CIDR block smaller than /24.
C.Confirm that the BGP ASN configured on the on-premises router matches the one provided by AWS.
D.Check the VPC CIDR range in the route table.
AnswerC

Correct: BGP ASN mismatch prevents session establishment.

Why this answer

Option C is correct because BGP session establishment depends on matching the BGP ASN on both sides. If they do not match, the session will not come up. Option B is wrong because CIDR size does not affect BGP.

Option D is wrong because the VPC CIDR is not used in the BGP peering process. Option A is wrong because the virtual interface type (private or public) is not the direct cause of BGP failure.

44
Multi-Selecthard

A company has a hybrid network with an AWS Direct Connect connection and an AWS Site-to-Site VPN as a backup. The network team notices that traffic is asymmetrically routing through both connections, causing performance issues. Which TWO steps should the team take to ensure traffic uses the primary Direct Connect and only fails over to the VPN? (Choose two.)

Select 2 answers
A.Increase the BGP MED value on the VPN connection to make it less preferred.
B.Enable VPN automatic failover using AWS VPN CloudHub.
C.Configure BGP communities on the Direct Connect to influence route preference.
D.Disable AS path prepend on the Direct Connect BGP session.
E.Advertise a more specific prefix over Direct Connect compared to the VPN.
AnswersC, E

BGP communities can be used to influence routing.

Why this answer

Option C is correct because adjusting the BGP attributes (AS path prepend or MED) on the Direct Connect side makes it preferred. Option E is correct because using a more specific prefix for the Direct Connect route attracts traffic to it. Option B is wrong because enabling VPN failover is not needed.

Option D is wrong because disabling AS path prepend would make Direct Connect less preferred. Option A is wrong because increasing the VPN BGP metric would make the VPN less preferred, but the goal is to prefer Direct Connect.

45
MCQeasy

A network engineer is troubleshooting connectivity issues from an on-premises network to an AWS VPC over a Site-to-Site VPN. The VPN tunnel status shows as UP. The on-premises network can ping the virtual private gateway (VGW) IP address, but cannot reach EC2 instances inside the VPC. What is the most likely cause?

A.The VPN tunnel is not properly configured with the correct pre-shared key.
B.The security groups on the EC2 instances are blocking inbound traffic from the on-premises network.
C.The virtual private gateway has its own security group that blocks traffic.
D.The VPC route tables do not have a route to the on-premises network pointing to the virtual private gateway.
AnswerD

Without a route back, return traffic is dropped.

Why this answer

Option D is correct because the route table for the subnets must have a route to the on-premises network via the VGW. Option A is wrong because the tunnel is UP. Option B is wrong because security groups are stateful and allow return traffic.

Option C is wrong because the VGW does not have security groups.

46
Drag & Dropmedium

Arrange the steps to configure BGP on a Cisco router for a Direct Connect private virtual interface:


Why this order

First enter config mode, enable BGP, define the neighbor, advertise prefixes, then verify.

47
MCQmedium

A company is using AWS Direct Connect with a private VIF to connect to a VPC. They want to ensure high availability by having a second Direct Connect connection. Which configuration provides the most resilient setup?

A.Two Direct Connect connections from the same provider to the same Direct Connect location with separate VIFs.
B.Two Direct Connect connections from different providers to different Direct Connect locations.
C.One Direct Connect connection and one Site-to-Site VPN as backup.
D.One Direct Connect connection with two private VIFs.
AnswerB

Diverse paths provide maximum resilience.

Why this answer

Option B is correct because using two separate Direct Connect connections from different providers to different AWS locations ensures that no single point of failure (e.g., a single provider outage or location failure) can bring down connectivity. Option D is wrong because a single connection with two VIFs still has a single physical link. Option A is wrong because placing both connections in the same location still carries a single-location failure risk.

Option C is wrong because a VPN is lower bandwidth and less reliable than Direct Connect.

48
MCQmedium

A network engineer is monitoring network performance between an EC2 instance and an on-premises server using AWS VPN. The engineer notices intermittent packet loss. Which AWS service can provide detailed network metrics and path visualization to troubleshoot?

A.Amazon CloudWatch
B.VPC Flow Logs
C.AWS Transit Gateway Network Manager
D.AWS X-Ray
AnswerC

Network Manager provides topology and monitoring for VPN and Direct Connect.

Why this answer

AWS X-Ray is for application tracing, not network paths. VPC Flow Logs provide packet metadata but not path visualization. Amazon CloudWatch can monitor VPN tunnels but not the path.

AWS Transit Gateway Network Manager provides network topology and path visualization.

49
Multi-Selectmedium

A network engineer is troubleshooting a VPN connectivity issue. The VPN tunnel is up, but traffic is not passing. Which TWO AWS services should the engineer use to diagnose the problem?

Select 2 answers
A.AWS Config
B.VPC Flow Logs
C.AWS CloudTrail
D.AWS Direct Connect
E.Amazon CloudWatch
AnswersB, E

Flow Logs can show traffic flow to the VPN endpoint.

Why this answer

The correct answers are B and E. VPC Flow Logs can show whether traffic is reaching the VPN endpoint, and CloudWatch provides tunnel metrics and logs. Option C is wrong because CloudTrail logs API calls, not traffic.

Option A is wrong because AWS Config tracks configuration, not traffic. Option D is wrong because Direct Connect is for dedicated connections, not VPN.

50
Multi-Selectmedium

A company is designing a multi-VPC architecture using AWS Transit Gateway. They need to ensure that traffic between VPCs is encrypted and that only specific VPCs can communicate with each other. Which two services should they use together? (Choose TWO.)

Select 2 answers
A.AWS PrivateLink
B.AWS Direct Connect
C.AWS Transit Gateway
D.AWS VPN CloudHub
E.AWS Network Firewall
AnswersC, E

Provides connectivity between VPCs.

Why this answer

AWS Transit Gateway provides transitive routing between VPCs. AWS Network Firewall can inspect and encrypt traffic. AWS PrivateLink is for service access, not transitive routing.

AWS VPN CloudHub is for VPN connections. AWS Direct Connect is for on-premises.

51
MCQhard

A company is using AWS Client VPN for remote access. Users can authenticate and establish a VPN connection, but they cannot access resources in the VPC. The Client VPN endpoint is associated with a subnet in the VPC. The security group for the Client VPN endpoint allows all traffic. What is the most likely cause?

A.There is no authorization rule to allow access to the VPC CIDR.
B.The Client VPN endpoint is not associated with the correct subnet.
C.The route table for the subnet does not have a route to the Client VPN endpoint.
D.The Client VPN endpoint's server certificate is expired.
AnswerA

Authorization rules define which networks VPN clients can access; without it, traffic is blocked.

Why this answer

Client VPN uses an authorization rule to grant access to specific networks. Without an authorization rule that allows access to the VPC CIDR, traffic from clients will be dropped.

52
MCQmedium

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The network team notices intermittent packet loss and latency spikes during peak hours. Which action should the team take to diagnose the issue?

A.Increase the bandwidth of the Direct Connect connection
B.Enable Bidirectional Forwarding Detection (BFD) on the virtual interfaces
C.Apply a tag to the Direct Connect connection for monitoring
D.Change the private ASN on the customer router
AnswerB

BFD helps detect failures quickly, aiding diagnosis.

Why this answer

Option B is correct because enabling Bidirectional Forwarding Detection (BFD) on the virtual interfaces allows rapid detection of connectivity failures, which can help isolate whether the issue is on the AWS side or the customer side. Option A is wrong because increasing bandwidth may not resolve intermittent issues caused by routing problems. Option C is wrong because changing the private ASN does not affect performance.

Option D is wrong because tagging does not impact network performance.

53
MCQhard

A network engineer troubleshoots a VPN connection that shows 'available' state but traffic is not passing. The on-premises firewall logs show that the tunnel is established, but no traffic. The engineer checks the VPN configuration. Based on the exhibit, what is the MOST likely cause of the problem?

A.The VPN connection is not in 'available' state.
B.The VPN is configured for BGP (StaticRoutesOnly: false), but only a static route is added.
C.The outside IP addresses are not routable over the internet.
D.The inside IP addresses for the tunnels are missing.
AnswerB

With StaticRoutesOnly: false, BGP is required for route propagation; static routes are ignored.

Why this answer

Option B is correct because the VPN connection has StaticRoutesOnly set to false, meaning dynamic routing (BGP) is expected, but the route shown is a static route, which would not be used because the VPN is configured for BGP. Option A is incorrect because the VPN state is available. Option D is incorrect because the inside IP addresses are present.

Option C is incorrect because the outside IP addresses are routable.

54
MCQ · hard

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team notices that some VPCs cannot communicate with each other even though they are attached to the same transit gateway. What is the most likely cause?

A. The security groups on the instances are not allowing inbound traffic from the other VPCs.
B. The transit gateway route tables are missing routes to the other VPCs.
C. The VPC attachments are not in the 'available' state.
D. The VPCs' network ACLs are blocking traffic.
Answer: B

Proper routing configuration is essential for inter-VPC communication.

Why this answer

Transit Gateway uses route tables to control inter-VPC traffic. If the route tables do not have routes to the other VPCs, or if the VPCs are in different route tables that are not associated or propagated correctly, communication fails. The most common issue is that the transit gateway route tables are not properly configured with routes to the other VPC attachments.

55
MCQ · easy

A network engineer needs to monitor the number of packets dropped by a VPC flow log for a specific network interface. Which Amazon CloudWatch metric should be used?

A. NetworkPacketsDropped
B. VPCFlowLogsDroppedPackets
C. ENIDroppedPackets
D. FlowLogsBytesDropped
Answer: D

This metric from the AWS/FlowLogs namespace indicates bytes dropped by flow logs.

Why this answer

VPC Flow Logs publish metrics to CloudWatch only if using the 'publish to CloudWatch Logs' option. However, the question asks about 'packets dropped'; the metric 'FlowLogsBytesDropped' is available. Option B is correct.

Options A, C, and D are not actual metrics for this purpose.

56
MCQ · hard

A company has a Direct Connect connection with a public VIF to access AWS public services. The on-premises network team reports that they can reach S3 but not DynamoDB. The route table on the customer router shows a default route to the public VIF. What is the most likely cause?

A. The Direct Connect connection is degraded and only supports S3 traffic.
B. The BGP session between the customer router and AWS is down.
C. The on-premises firewall is blocking outbound traffic to the DynamoDB IP ranges.
D. The VPC route table does not have a route to the DynamoDB endpoint.
Answer: C

Different AWS services use different public IP ranges; the firewall may allow the S3 ranges but block the DynamoDB ranges.

Why this answer

Option C is correct because DynamoDB uses a different set of public IP ranges than S3, and the on-premises firewall might block access to those ranges. Option A is wrong because the VPC does not affect public VIF traffic. Option B is wrong because the public VIF does not involve BGP; it uses public IPs.

Option D is wrong because the Direct Connect connection is working for S3.

57
MCQ · hard

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises router is advertising a default route (0.0.0.0/0) via BGP. The VPC has an internet gateway attached, and the route table has a default route to the internet gateway. The network team notices that traffic from on-premises to the internet is not working as expected. What is the most likely cause?

A. The BGP session is not established.
B. The on-premises router is advertising a default route, causing a routing conflict.
C. The VPC route table does not have a route to the internet gateway for the on-premises traffic.
D. The private VIF is associated with the wrong VLAN.
Answer: B

The default route from Direct Connect may override the internet gateway route, breaking internet access for on-premises traffic.

Why this answer

The on-premises router advertising a default route (0.0.0.0/0) via BGP over the private VIF causes a routing conflict because the VPC route table already has a default route pointing to the internet gateway. When traffic from on-premises destined for the internet enters the VPC, it matches the more specific BGP-learned default route and is forwarded back toward the on-premises router (or black-holed), rather than being sent to the internet gateway. This creates a routing loop or asymmetric routing, breaking internet connectivity from on-premises.

Exam trap

AWS often tests the misconception that a default route advertised via BGP over Direct Connect is harmless or that the internet gateway route will always take precedence, but in reality, the VPC route table matches the most specific route (both are /0), and the BGP-learned route over the virtual private gateway is preferred for traffic entering the VPC from on-premises, causing the conflict.

How to eliminate wrong answers

Option A is wrong because if the BGP session were not established, the on-premises router would not be advertising any routes, and the issue described (traffic not working) would be due to a lack of routing, not a conflict; the scenario explicitly states the on-premises router is advertising a default route, implying BGP is established. Option C is wrong because the VPC route table does have a default route to the internet gateway (as stated in the question), so the absence of such a route is not the cause. Option D is wrong because a private VIF associated with the wrong VLAN would prevent the VIF from functioning at Layer 2, causing complete loss of connectivity (not just internet traffic), and the question indicates that the BGP session is established and routes are being exchanged, which requires correct VLAN association.

58
MCQ · medium

A company uses AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. They notice that traffic between two VPCs is taking a suboptimal path through the on-premises network instead of staying within AWS. What configuration change should be made to ensure optimal routing?

A. Enable route propagation from the VPC attachments into the Transit Gateway route table.
B. Disable cross-zone load balancing on the Transit Gateway.
C. Add static routes to the Transit Gateway route table pointing to the VPN attachment.
D. Modify the VPC route tables to add routes to the other VPC via the Transit Gateway.
Answer: A

Route propagation allows VPC routes to be exchanged, enabling direct routing.

Why this answer

Option A is correct because Transit Gateway route tables control the path; enabling route propagation from VPC attachments will add routes for direct VPC-to-VPC communication. Option B is incorrect because VPN attachments do not affect VPC-to-VPC routing. Option C is incorrect because VPC route tables do not control Transit Gateway path selection.

Option D is incorrect because cross-zone load balancing is for load balancers, not routing.

59
MCQ · easy

A company is using AWS Client VPN to provide remote access to its VPC. Users report that they can connect but cannot access any resources. The VPN is configured with a security group that allows all traffic. What should the administrator check?

A. The client VPN security group inbound rules
B. The client VPN endpoint certificate
C. The client VPN route table
D. The client VPN authorization rules
Answer: D

Authorization rules define which networks clients can access.

Why this answer

Client VPN uses an authorization rule to allow access to specific networks. Without an authorization rule, even if the security group allows traffic, the VPN will not forward traffic.

60
MCQ · medium

A company has a VPC with public and private subnets. The security team wants to detect and alert on any SSH traffic (port 22) that originates from the internet to any EC2 instance in the VPC. Which solution achieves this with minimal operational overhead?

A. Enable VPC Flow Logs, publish to CloudWatch Logs, and create a metric filter for SSH traffic.
B. Configure a security group rule to deny inbound SSH and enable security group logging.
C. Use AWS Config to detect security group rules that allow SSH from 0.0.0.0/0.
D. Enable Amazon GuardDuty and rely on its threat detection.
Answer: A

This approach logs traffic and alerts on SSH without manual inspection.

Why this answer

VPC Flow Logs can be published to CloudWatch Logs, and a CloudWatch Logs metric filter can detect SSH traffic and drive an alarm. Security groups can deny traffic but cannot alert. AWS Config tracks configuration changes, not traffic.

GuardDuty detects threats but not specifically SSH traffic alerts.

61
MCQ · medium

A company has a multi-account AWS environment using AWS Transit Gateway with a centralized network account. The network team wants to ensure that only specific VPCs can communicate with each other. What is the best practice to achieve this?

A. Configure security groups in each VPC to allow traffic only from specific VPC CIDRs.
B. Use VPC peering connections between the VPCs that need to communicate.
C. Create multiple Transit Gateway route tables and associate each VPC attachment with the appropriate route table.
D. Use AWS Network Manager to create routing policies.
Answer: C

Separate route tables enable segmentation and controlled communication.

Why this answer

Option C is correct because Transit Gateway route tables with route propagation and static routes allow fine-grained control over which VPCs can communicate. Option A is wrong because Network Manager is for monitoring, not routing control. Option B is wrong because VPC peering is point-to-point and does not scale.

Option D is wrong because security groups in each VPC add complexity and do not control Transit Gateway routing.

62
MCQ · easy

A network engineer needs to monitor traffic between a VPC and an on-premises network over an AWS Site-to-Site VPN. Which AWS service should be used to capture packet-level information for troubleshooting?

A. Amazon CloudWatch Logs
B. AWS CloudTrail
C. AWS Transit Gateway Network Manager
D. VPC Flow Logs
Answer: D

VPC Flow Logs capture IP traffic information for network interfaces.

Why this answer

Option B is correct because VPC Flow Logs capture IP traffic information for interfaces. Option A is incorrect because CloudWatch Logs can store logs but not capture packets directly. Option C is incorrect because AWS CloudTrail records API activity, not network traffic.

Option D is incorrect because Transit Gateway Network Manager provides topology and monitoring but not packet-level capture.

63
MCQ · medium

A company is using AWS Site-to-Site VPN connections to connect multiple branch offices to a central VPC. The network team wants to ensure high availability and automatic failover if one VPN tunnel goes down. Which configuration should be implemented?

A. Configure a second VPN connection to the same customer gateway and use BGP with equal-cost multipath
B. Use the two tunnels provided by the VPN connection with dynamic routing (BGP)
C. Use a single tunnel and rely on AWS automatic recovery
D. Configure static routes with a higher metric for the secondary tunnel
Answer: B

Two tunnels with BGP provide automatic failover.

Why this answer

Each AWS Site-to-Site VPN connection provides two tunnels for high availability. By using dynamic routing (BGP) with both tunnels, the VPN automatically fails over to the second tunnel if the first goes down, without manual intervention. This meets the requirement for automatic failover and high availability.

Exam trap

The trap here is that candidates assume a single VPN connection with two tunnels is not enough, and they over-engineer by adding a second VPN connection or using static routes, missing that AWS's built-in dual-tunnel design with BGP already provides automatic failover.

How to eliminate wrong answers

Option A is wrong because configuring a second VPN connection to the same customer gateway with BGP and ECMP does not provide automatic failover within a single VPN connection; it adds complexity and is not the standard AWS HA design. Option C is wrong because a single tunnel lacks redundancy; AWS automatic recovery only restores a failed tunnel, but there is no failover path during the recovery period, causing downtime. Option D is wrong because static routes with a higher metric for the secondary tunnel do not support automatic failover with BGP; static routing requires manual intervention or additional scripting to detect failure and switch routes, and it does not leverage BGP's dynamic path selection.

64
Multi-Select · hard

Which THREE are best practices for designing a highly available AWS Direct Connect connection? (Choose 3.)

Select 3 answers
A. Use a single Direct Connect connection with redundant virtual interfaces
B. Use multiple Direct Connect connections to different AWS Direct Connect locations
C. Configure BGP with graceful restart and fast failover timers
D. Connect to multiple AWS Direct Connect routers in the same location
E. Use a single large Direct Connect connection instead of multiple smaller ones
Answers: B, C, D

Diverse locations provide geographical redundancy.

Why this answer

Option B is correct because using multiple Direct Connect connections to different AWS Direct Connect locations provides geographic redundancy. If one location experiences an outage, traffic can fail over to the other location, ensuring high availability. This aligns with AWS best practices for resilient hybrid networking.

Exam trap

AWS often tests the misconception that redundant virtual interfaces on a single physical connection provide high availability, but the physical link itself remains a single point of failure.

65
MCQ · hard

An engineer is trying to create a VPC Flow Log that delivers to a CloudWatch Logs log group in the same account. The IAM role used has the above trust policy. However, the flow log creation fails with an error. What is the most likely reason?

A. The log group does not exist yet.
B. The trust policy incorrectly specifies the service principal; it should be 'ec2.amazonaws.com'.
C. The IAM role lacks a permissions policy that grants the actions on the log group.
D. The resource ARN in the trust policy does not include the log group name.
Answer: C

The trust policy allows the service to assume the role, but the role needs a permissions policy to perform the actions.

Why this answer

The trust policy shown trusts the VPC Flow Logs service principal, but the IAM role itself must have a permissions policy that allows the actions on the log group. The exhibit only shows the trust policy; the permissions policy is missing. The error likely indicates that the role does not have the necessary permissions to perform the actions.

66
MCQ · medium

A company uses AWS Direct Connect with a public VIF to access Amazon S3. The network team notices that S3 traffic is taking a suboptimal path over the internet instead of the Direct Connect. Which configuration is MOST likely missing?

A. The VPC route tables are not updated to include the Direct Connect route
B. The public VIF is not associated with the VPC
C. A Direct Connect gateway is not attached to the VPC
D. A VPC endpoint for S3 is not configured
Answer: A

The VPC needs a route pointing to the virtual private gateway for Direct Connect.

Why this answer

Option A is correct because without propagating the Direct Connect route to the VPC route tables, traffic may default to the internet. Option B is wrong because VPC endpoints are for private connectivity, but the question already uses Direct Connect. Option C is wrong because the public VIF already provides access to AWS public services.

Option D is wrong because the Direct Connect gateway is used for private VIFs, not public VIFs.

67
MCQ · easy

A network engineer is troubleshooting connectivity issues between an EC2 instance in a VPC and an on-premises server over AWS Site-to-Site VPN. The VPN tunnel status is UP, and BGP is established. The engineer can ping the on-premises server's private IP from the EC2 instance, but TCP connections to a specific port (e.g., 443) are timing out. What is the most likely cause?

A. Incorrect route table entries on the on-premises router for the VPC CIDR
B. Security group or network ACL blocking inbound TCP port 443 on the EC2 instance
C. MTU mismatch on the VPN tunnel causing packet fragmentation for TCP
D. BGP prefix limits exceeded causing route table incompleteness
Answer: B

Stateful firewalls can block specific ports while allowing ICMP.

Why this answer

Option B is correct because security groups or network ACLs can block specific ports while allowing ICMP. Option A is wrong because MTU mismatch would affect all traffic. Option C is wrong because the VPN tunnel is UP, so routing issues would affect all traffic.

Option D is wrong because BGP is established, indicating proper route exchange.

68
MCQ · easy

A company has a VPC with a CIDR of 10.0.0.0/16. They have two subnets: 10.0.1.0/24 (public) and 10.0.2.0/24 (private). An EC2 instance in the private subnet needs to download patches from the internet. The team creates a NAT gateway in the public subnet and updates the private subnet route table to route 0.0.0.0/0 to the NAT gateway. The EC2 instance still cannot reach the internet. The team confirms the NAT gateway has an elastic IP and the public subnet has an internet gateway. What is the MOST likely cause?

A. The private subnet route table does not have a route for the NAT gateway's IP.
B. The network ACL for the private subnet denies outbound traffic to the internet.
C. The public subnet does not have a route to the internet gateway.
D. The NAT gateway does not have source/destination check disabled.
Answer: B

Network ACL must allow outbound ephemeral ports and inbound return traffic.

Why this answer

The security group or network ACL of the private subnet may be blocking outbound traffic. However, a common mistake is not disabling source/destination check on the NAT gateway. But NAT gateway is a managed service, so source/destination check is automatically disabled.

Option A is correct: the private subnet's network ACL must allow outbound traffic and inbound return traffic. Option B is not needed because NAT gateway is managed. Option C is not a requirement.

Option D would be for the NAT gateway's subnet.

69
MCQ · easy

A company wants to monitor network traffic between VPCs in the same AWS Region that are connected via VPC Peering. Which AWS service can provide visibility into the traffic?

A. VPC Flow Logs
B. AWS Config
C. AWS Direct Connect
D. AWS CloudTrail
Answer: A

Flow Logs on the peering connection capture traffic.

Why this answer

The correct answer is A because VPC Flow Logs can be enabled on the peering connection to capture traffic. Option B is wrong because CloudTrail does not capture network traffic. Option C is wrong because AWS Config does not provide traffic logs.

Option D is wrong because Direct Connect is for on-premises, not VPC Peering.

70
MCQ · medium

A company has multiple VPCs connected via VPC peering. They want to simplify network management and reduce the number of peering connections. Which AWS service should they use?

A. AWS PrivateLink
B. AWS VPN CloudHub
C. AWS Transit Gateway
D. AWS Direct Connect Gateway
Answer: C

Transit Gateway provides hub-and-spoke connectivity.

Why this answer

Transit Gateway acts as a hub to connect multiple VPCs and on-premises networks, reducing the need for full mesh peering.

71
MCQ · easy

A company has a Direct Connect connection with a private virtual interface to a VPC. The network team wants to monitor the bandwidth utilization of the Direct Connect connection. They have enabled VPC Flow Logs for the VPC, but the flow logs do not show traffic that traverses the Direct Connect. The team needs a solution to capture the bandwidth usage of the Direct Connect connection. Which solution should they implement?

A. Use CloudWatch metrics for the Direct Connect connection.
B. Enable AWS CloudTrail for the Direct Connect connection.
C. Enable VPC Flow Logs on the Direct Connect virtual interface.
D. Use AWS Config rules to monitor bandwidth.
Answer: A

CloudWatch provides Direct Connect metrics.

Why this answer

Option B is correct because Direct Connect publishes metrics to CloudWatch, including bandwidth utilization, connection state, and BGP status. VPC Flow Logs capture IP traffic within the VPC, not traffic on the Direct Connect physical connection. Option A is wrong because flow logs only capture traffic on VPC network interfaces.

Option C is wrong because AWS Config does not provide bandwidth metrics. Option D is wrong because CloudTrail logs API calls.

72
MCQ · hard

A network engineer is troubleshooting intermittent connectivity issues between an EC2 instance in a private subnet and an RDS database in another VPC connected via a VPC peering connection. The connection works for a few minutes and then drops. CloudWatch logs show no errors on the peering connection. What should the engineer check first?

A. The DNS resolution settings of the VPC peering connection.
B. The network ACL of the subnet where the EC2 instance resides.
C. The security group attached to the RDS database allowing traffic from the EC2 instance.
D. The route tables in both VPCs to ensure they have routes pointing to the peering connection for the respective CIDR blocks.
Answer: D

Missing or incorrect routes can cause asymmetric routing and drops.

Why this answer

Option C is correct because the most common cause of intermittent drops over VPC peering is the lack of proper route table entries in both VPCs to route traffic back to the source. Option A is wrong because security groups are stateful and do not cause intermittent drops. Option B is wrong because NACLs are stateless but would block consistently, not intermittently.

Option D is wrong because DNS resolution settings affect name resolution, not connectivity drops.

73
Multi-Select · hard

A company is using AWS Transit Gateway with multiple VPCs and Direct Connect Gateway. They want to ensure that traffic between VPCs and on-premises is encrypted. Which TWO solutions can achieve this?

Select 2 answers
A. Enable MACsec on the Direct Connect connection
B. Create a VPN attachment on the Transit Gateway and configure IPsec VPN to on-premises
C. Use Transit Gateway IPsec VPN to encrypt traffic between VPCs
D. Enable IPsec on the private virtual interface
E. Use VPC peering with encryption
Answers: A, B

MACsec encrypts at Layer 2 on the link between the customer router and the AWS Direct Connect device.

Why this answer

Options B and D are correct. A VPN attachment on the Transit Gateway encrypts traffic between the Transit Gateway and on-premises VPN device. MACsec on the Direct Connect connection encrypts traffic at Layer 2.

Option A is incorrect because IPsec over a private VIF is not possible; IPsec is used over public VIF or VPN. Option C is incorrect because Transit Gateway does not support IPsec natively. Option E is incorrect because VPC peering does not involve on-premises.

74
Multi-Select · hard

Which TWO actions are recommended to troubleshoot asymmetric routing in a VPC with multiple NAT gateways?

Select 2 answers
A. Enable source/destination check on all EC2 instances
B. Use a Network Load Balancer to distribute traffic
C. Disable VPC Flow Logs
D. Use a single NAT gateway per Availability Zone
E. Ensure route tables point to the NAT gateway in the same subnet's Availability Zone
Answers: D, E

This ensures consistent routing within an AZ.

Why this answer

Asymmetric routing occurs when traffic takes different paths. Using a single NAT gateway per AZ and ensuring route tables point to the NAT gateway in the same subnet's AZ can prevent this. Additionally, disabling source/destination check on instances that do not need it can help, but for NAT gateways, this is not configurable.

75
Multi-Select · hard

A company has a VPC with both IPv4 and IPv6 CIDR blocks. The network engineer needs to capture all traffic between the VPC and the internet. Which THREE resources must have VPC Flow Logs enabled?

Select 3 answers
A. Internet gateway
C. Subnet
D. VPC
E. Egress-only internet gateway
Answers: A, B, E

The internet gateway's ENI captures traffic to/from the internet.

Why this answer

Option B is correct because the internet gateway (igw) is the attachment point to the internet. Option D is correct because egress-only internet gateway handles IPv6 traffic. Option E is correct because the NAT gateway handles IPv4 traffic from private subnets.

Option A is incorrect because VPC itself does not have flow logs; they are on network interfaces. Option C is incorrect because subnets do not have flow logs directly.

