CCNA Network Mgmt Ops Questions

75 of 346 questions · Page 3/5 · Network Mgmt Ops topic · Answers revealed

151
MCQ · easy

A company needs to centrally manage network security policies across multiple VPCs and on-premises networks. Which AWS service provides a centralized dashboard for managing firewall rules?

A. Network ACLs
B. Security Groups
C. AWS WAF
D. AWS Network Firewall
Answer: D

AWS Network Firewall provides centralized firewall management across VPCs.

Why this answer

Option D is correct because AWS Network Firewall provides a centralized firewall management service. Option C is incorrect because AWS WAF is a web application firewall and does not manage network-level policies. Option A is incorrect because network ACLs are per-subnet and not centralized.

Option B is incorrect because Security Groups are per-ENI and not centralized.

152
MCQ · hard

A company is experiencing high latency for traffic between EC2 instances in the same VPC but in different Availability Zones. The network team suspects the issue is related to the placement group used. The instances are in a spread placement group. What should the network engineer do to reduce latency?

A. Change the placement group to a cluster placement group and ensure instances are in the same Availability Zone.
B. Enable enhanced networking on the instances and increase the instance size.
C. Move the instances to the same subnet within the same Availability Zone but keep the spread placement group.
D. Create a VPC peering connection between the two AZs and route traffic through it.
Answer: A

Cluster placement groups provide low latency by grouping instances in a single AZ.

Why this answer

Option A is correct because a cluster placement group is recommended for low-latency, high-throughput traffic. Option B is wrong because increasing bandwidth does not directly reduce latency. Option C is wrong because moving the instances to the same subnet while keeping the spread placement group does not guarantee low latency.

Option D is wrong because VPC peering does not reduce latency for intra-VPC traffic.

153
Multi-Select · hard

A company is troubleshooting connectivity issues between an on-premises network and a VPC connected via AWS Direct Connect. The network team has verified that the virtual interface (VIF) is up and BGP is established. However, traffic is not flowing. Which two configuration issues could cause this problem? (Choose TWO.)

Select 2 answers
A. The on-premises router is not advertising the on-premises CIDR prefix via BGP.
B. The AWS Direct Connect connection is not associated with the correct Direct Connect gateway.
C. The virtual interface is in a 'down' state.
D. The VPC route table does not have a route to the on-premises CIDR pointing to the Direct Connect virtual interface.
E. The security group attached to the EC2 instance blocks inbound traffic from on-premises.
Answers: A, D

If BGP does not advertise the prefix, the Direct Connect gateway will not propagate the route to the VPC.

Why this answer

Correct routes on both sides are needed. If the VPC route table does not have a route to the on-premises CIDR via the Direct Connect VIF, traffic won't flow. Similarly, if the on-premises router does not advertise the correct prefix, or if the VPC's route table lacks a route, connectivity fails.

Security group rules might block traffic, but they are not the most likely cause when BGP is up. The VIF state is up, so that is not the issue either.

154
Multi-Select · hard

A financial services company is deploying a multi-account environment using AWS Organizations. The security team requires that all network traffic to and from the internet must flow through a centralized inspection VPC that hosts third-party firewall appliances. The architecture uses a single AWS Transit Gateway with a centralized inspection VPC attached. Which THREE steps are necessary to enforce this architecture? (Choose THREE.)

Select 3 answers
A. Configure each VPC's route table with a default route (0.0.0.0/0) pointing to the transit gateway attachment.
B. Use AWS Organizations service control policies to prevent direct internet access from spoke VPCs.
C. Deploy VPC Gateway Endpoints for S3 and DynamoDB in each spoke VPC.
D. In the inspection VPC, route traffic from the transit gateway to the firewall appliances, then back to the transit gateway for egress.
E. Create separate transit gateway route tables for the inspection VPC and spoke VPCs, and propagate routes appropriately.
Answers: A, D, E

Correct: This sends all internet traffic to the transit gateway.

Why this answer

Option A is correct because all spoke VPCs need default routes pointing to the transit gateway for internet-bound traffic. Option D is correct because the inspection VPC must have routes that send inspected traffic on to an egress VPC or Direct Connect for internet access. Option E is correct because the transit gateway route tables must be configured with blackhole routes or specific routes to force traffic through the inspection VPC.

Option C is wrong because VPC endpoints do not route internet traffic. Option B is wrong because service control policies do not enforce routing.

155
MCQ · medium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team notices that traffic from a specific VPC to an on-premises network is being dropped. All other VPCs can reach the on-premises network. Which configuration should be checked first?

A. Check the on-premises firewall rules
B. Check the VPC's security groups
C. Check the VPC's network ACLs
D. Check the Transit Gateway route tables
Answer: D

The Transit Gateway route table associated with the VPC attachment might be missing the route to the on-premises network.

Why this answer

The issue is isolated to one VPC, so route tables are the most likely cause. Transit Gateway route tables might not have the route for the on-premises network propagated from that VPC's attachment.

156
MCQ · hard

A company uses AWS Direct Connect with a public VIF to access Amazon S3. The on-premises network team reports that the BGP session for the public VIF is flapping intermittently. Which configuration change on the customer router would most likely stabilize the BGP session?

A. Set the BGP multi-hop TTL to 255.
B. Configure BGP route filtering to limit the number of routes advertised to AWS to no more than 100.
C. Increase the BGP hold timer to 180 seconds.
D. Disable BGP fast-external-fallover on the customer router.
Answer: B

AWS limits public VIF to 100 prefixes; exceeding causes flapping.

Why this answer

BGP flapping due to route advertisements exceeding the maximum allowed is a known issue. The maximum number of routes allowed on a public VIF is 100. Advertising more than this will cause the session to flap.

Limiting the advertised routes to 100 will stabilize the session.

157
MCQ · medium

A company has a VPC with an AWS Transit Gateway connecting multiple VPCs and an on-premises network via AWS Direct Connect. The network team needs to ensure that only specific VPCs can communicate with each other. They create a transit gateway route table for each VPC and attach the VPC to the route table. They also propagate routes from the Direct Connect virtual interface. However, after configuration, traffic between two VPCs that should not communicate is still flowing. What is the MOST likely cause?

A. The VPC route tables have a route for the other VPC CIDR pointing to the transit gateway.
B. The transit gateway route tables are not associated with the VPC attachments.
C. The VPC attachments are using the default transit gateway route table instead of custom route tables.
D. The Direct Connect virtual interface is propagating routes into all route tables.
Answer: C

Default route table allows all routes.

Why this answer

If the transit gateway has a default route table that is shared, all attachments may be associated with it by default. If the team did not explicitly associate each VPC attachment with its own route table, the attachments are still using the default route table, which allows all routes. Option C is correct.

Option B is not possible because route tables are not associated with attachments; attachments are associated with route tables. Option D would affect on-premises connectivity, not inter-VPC traffic. Option A is the opposite of what is needed.

158
Multi-Select · medium

A network engineer is diagnosing connectivity issues between an on-premises network and AWS over a Direct Connect connection. The BGP session is established, and the engineer can ping the VPC's private IP addresses. However, TCP connections to EC2 instances are failing. Which TWO actions should the engineer take to identify the issue?

Select 2 answers
A. Review the security group rules associated with the EC2 instance
B. Review the VPC route table for the subnet
C. Verify the BGP session status
D. Check the MTU settings on the Direct Connect virtual interface
E. Check the EC2 instance's operating system firewall
Answers: A, E

Security groups may be blocking TCP traffic.

Why this answer

Options A and E are correct. Checking the host-based firewall (E) is essential because OS firewalls can block TCP while allowing ICMP. Checking security group rules (A) is also critical because security groups are stateful and may be blocking inbound TCP.

Option C is incorrect because the BGP session is already established. Option B is incorrect because the VPC route table is likely correct if pings work. Option D is incorrect because MTU issues would affect all traffic.

159
MCQ · easy

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access the internet for software updates. The instance has a route to a NAT Gateway in the public subnet. However, the instance cannot reach the internet. Which step should the network engineer take to troubleshoot?

A. Move the NAT Gateway to a private subnet
B. Verify that the NAT Gateway is in the same subnet as the EC2 instance
C. Verify that the NAT Gateway has an Elastic IP and the private subnet's route table has a route to the NAT Gateway
D. Attach an Internet Gateway to the private subnet
Answer: C

These are required for outbound internet access.

Why this answer

Option C is correct because the NAT Gateway's Elastic IP must be associated and the route table of the private subnet must point to the NAT Gateway. Option A is wrong because the NAT Gateway belongs in the public subnet. Option D is wrong because an Internet Gateway is attached to the VPC, not to a subnet.

Option B is wrong because the NAT Gateway sits in the public subnet (with an EIP and a route to the IGW), not in the same subnet as the instance.

160
MCQ · medium

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The company has set up a NAT gateway in the public subnet. However, instances in the private subnet cannot reach the internet. What is the most likely cause?

A. The NAT gateway does not have a route to the internet gateway
B. The security group for the instances blocks outbound traffic
C. The NAT gateway is not associated with an Elastic IP
D. The private subnet route table does not have a route to the NAT gateway
Answer: D

Without a default route to the NAT gateway, traffic from private subnet cannot reach the internet.

Why this answer

Option D is correct because the private subnet route table must have a default route (0.0.0.0/0) pointing to the NAT gateway. Option A is wrong because the NAT gateway does not need its own route to the internet gateway; it uses the public subnet's route to the internet gateway. Option B is wrong because security group rules allow outbound traffic by default.

Option C is wrong because the NAT gateway is in the public subnet, so it has internet access; the issue is routing from the private subnet.

161
MCQ · medium

A company has multiple AWS accounts and wants to centrally manage VPC flow logs for compliance. The logs should be published to a central S3 bucket in the logging account. The logging account has an S3 bucket policy that allows cross-account writes. However, flow logs are not being delivered. What is the most likely missing configuration?

A. The VPC Flow Logs service is not enabled in the source account.
B. The S3 bucket policy does not grant 's3:PutObject' to the source account.
C. The source account lacks an IAM role that grants the Flow Logs service permission to write to the central S3 bucket.
D. The VPC Flow Logs destination is set to CloudWatch Logs instead of S3.
Answer: C

Cross-account delivery requires an IAM role with appropriate trust and permissions.

Why this answer

For cross-account flow log delivery, the source account must have an IAM role that trusts the logging account and allows the flow logs service to assume it. The role must have permissions to write to the S3 bucket. Without this role, logs cannot be delivered.

162
Multi-Select · hard

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team observes that traffic between two VPCs (VPC A and VPC B) is not being forwarded correctly. The transit gateway route table is configured with static routes for the VPC CIDRs. Which THREE steps should the engineer take to troubleshoot this issue? (Choose THREE.)

Select 3 answers
A. Verify that the transit gateway route table contains the CIDR blocks of both VPCs.
B. Check the route tables in VPC A and VPC B to ensure they have routes pointing to the transit gateway for the other VPC's CIDR.
C. Check the association of the VPC attachments with the transit gateway route table.
D. Check the Direct Connect virtual interface status.
E. Verify that the NAT Gateway in each VPC is properly configured.
Answers: A, B, C

The transit gateway route table must have routes for both VPC CIDRs to forward traffic between them.

Why this answer

Option A is correct because the transit gateway route table must contain the CIDR blocks of both VPCs for traffic to be forwarded between them. Without these static routes, the transit gateway has no destination to route the traffic, causing it to be dropped. Verifying the route table entries ensures the necessary paths exist.

Exam trap

AWS often tests the misconception that NAT Gateway or Direct Connect configurations are involved in VPC-to-VPC routing, when in fact Transit Gateway relies solely on route tables and attachment associations for inter-VPC traffic.

163
Multi-Select · medium

A network engineer is diagnosing a connectivity issue between an on-premises network and an Amazon VPC connected via a site-to-site VPN. The VPN tunnel is up, but traffic is not reaching the VPC. Which TWO actions should the engineer take to troubleshoot the issue? (Choose two.)

Select 2 answers
A. Review the security group rules associated with the VPC resources to ensure they allow traffic from the on-premises network
B. Confirm the customer gateway is associated with the correct VPC
C. Verify that the VPC route tables include routes for the on-premises network pointing to the virtual private gateway
D. Verify that the on-premises network has a NAT device configured
E. Check that the VPN tunnel's status is 'UP'
Answers: A, C

Security groups act as a firewall for the instances.

Why this answer

Option C is correct because missing or incorrect route propagation can prevent the VPC from knowing about the on-premises network. Option A is correct because security group rules might block inbound traffic from the VPN. Option E is wrong because the VPN tunnel is already up.

Option B is wrong because the customer gateway is the on-premises endpoint, not the VPC. Option D is wrong because the issue is about routing, not NAT.

164
MCQ · medium

A company uses AWS Direct Connect and VPN as backup. The network team notices that during a VPN failover, traffic drops for several minutes. The VPN tunnels are configured with BGP dynamic routing. Which configuration change would MOST likely reduce failover time?

A. Configure static routes over the VPN instead of BGP
B. Increase the BGP keepalive interval and decrease the hold timer
C. Enable BFD on the VPN BGP sessions
D. Decrease the BGP keepalive interval and increase the hold timer
Answer: C

BFD provides sub-second failure detection, reducing failover time.

Why this answer

Option C is correct because BFD (Bidirectional Forwarding Detection) provides sub-second failure detection for BGP sessions, reducing failover time. Option B is wrong because increasing the keepalive interval and decreasing the hold timer can help but is not as fast as BFD. Option D is wrong because decreasing the keepalive interval and increasing the hold timer would slow down failure detection.

Option A is wrong because static routes do not dynamically adapt to failures.

165
Multi-Select · hard

A company has a Direct Connect connection and wants to use it for both private and public resources. Which TWO components are required to achieve this?

Select 2 answers
A. Transit Gateway
B. Internet gateway
C. VPN connection to the VPC
D. Public virtual interface (VIF)
E. Private virtual interface (VIF)
Answers: D, E

Public VIF connects to public AWS services.

Why this answer

Options D and E are correct. A private VIF is required for private IP connectivity to VPCs, and a public VIF is required for public IP connectivity to AWS public services. Option C is wrong because a VPN connection is not required for Direct Connect.

Option A is wrong because a Transit Gateway is optional. Option B is wrong because an internet gateway is not used with a Direct Connect public VIF.

166
Multi-Select · hard

A company has a multi-account AWS environment using AWS Transit Gateway with multiple VPC attachments. The network team wants to centralize logging of all network traffic crossing the Transit Gateway. Which TWO services can be used together to achieve this?

Select 2 answers
A. VPC Flow Logs published to a central Amazon S3 bucket
B. AWS Site-to-Site VPN flow logs
C. AWS Direct Connect Gateway flow logs
D. AWS Transit Gateway Network Manager
E. AWS CloudTrail for Transit Gateway events
Answers: A, D

VPC Flow Logs capture traffic; publishing to a central S3 bucket allows aggregation.

Why this answer

Option A is correct because VPC Flow Logs can be published to a central account. Option D is correct because Transit Gateway Network Manager can centralize flow logs. Option E is incorrect because CloudTrail does not capture network traffic.

Option C is incorrect because Direct Connect is for on-premises connectivity. Option B is incorrect because a VPN is a site-to-site connection, not a logging service.

167
Multi-Select · hard

A company is using AWS Direct Connect with a private VIF to connect to multiple VPCs in the same region. The company wants to use AWS Transit Gateway to simplify management. Which three components are required to achieve this? (Choose THREE.)

Select 3 answers
A. Direct Connect private virtual interface
B. AWS Transit Gateway
C. VPC peering connection
D. AWS Site-to-Site VPN connection
E. AWS Direct Connect gateway
Answers: A, B, E

Required for Direct Connect connection.

Why this answer

Options A, B, and E are correct. A Direct Connect gateway is needed to connect the Direct Connect connection to the Transit Gateway. A Transit Gateway is the central hub.

A Direct Connect private virtual interface is the connection from on-premises to AWS. Option D is wrong because a VPN connection is not required. Option C is wrong because a VPC peering connection is not used with Transit Gateway.

168
MCQ · easy

A network engineer needs to capture TCP traffic between an EC2 instance (eni-abc123) and an RDS instance (eni-def456) in the same VPC for troubleshooting. Which AWS service should be used to capture the traffic and store it in S3?

A. Amazon Inspector
B. AWS CloudTrail
C. AWS Config
D. VPC Flow Logs
Answer: D

VPC Flow Logs capture IP traffic information for network interfaces and can be published to S3 or CloudWatch Logs.

Why this answer

VPC Flow Logs capture IP traffic information at the network interface level and can publish logs to S3. Option D is correct. Options A, B, and C are not designed for packet capture and do not capture traffic between two specific ENIs.

169
MCQ · hard

A company uses AWS Direct Connect with multiple virtual interfaces (VIFs) to connect to multiple VPCs. The network team wants to ensure high availability and failover. Which configuration provides the best resiliency?

A. Provision two Direct Connect connections from different providers and configure BGP
B. Use a single Direct Connect connection with a VPN backup over the internet
C. Configure BGP with multiple AS paths on the same Direct Connect connection
D. Create multiple private VIFs on a single Direct Connect connection
Answer: A

Two separate connections from different providers provide physical diversity and high availability.

Why this answer

Option A is correct because using two separate Direct Connect connections provides path diversity; if one fails, the other can handle the traffic. Option D is wrong because multiple VIFs on a single connection share the same physical link. Option B is wrong because a VPN backup over the internet may not provide true diversity.

Option C is wrong because BGP alone does not provide physical redundancy.

170
MCQ · easy

A network engineer is configuring a Site-to-Site VPN connection between an on-premises network and AWS. The engineer wants to ensure that if the primary VPN tunnel goes down, traffic automatically fails over to the secondary tunnel. Which configuration is required?

A. Use static routes with equal-cost multipath (ECMP)
B. Enable VPN CloudHub
C. Enable dynamic routing (BGP) on the VPN connection
D. Configure a second customer gateway device
Answer: C

BGP allows dynamic route advertisement and failover.

Why this answer

Option C is correct because dynamic routing with BGP allows automatic failover between tunnels by propagating routes. Option A is wrong because static routes require manual intervention for failover. Option D is wrong because customer gateways are endpoints, not a failover mechanism.

Option B is wrong because VPN CloudHub is for connecting multiple VPNs, not for failover.

171
MCQ · medium

A company has deployed a transit gateway with multiple VPC attachments and VPN attachments. The network team notices that traffic between two VPCs is taking an unexpected path and experiencing high latency. Which tool should be used to trace the path and identify the specific transit gateway route table that is being used?

A. AWS CloudTrail
B. Amazon CloudWatch ServiceLens
C. AWS X-Ray
D. VPC Reachability Analyzer
Answer: D

Reachability Analyzer performs path analysis between resources and shows the route table decisions, including transit gateway routes.

Why this answer

VPC Reachability Analyzer performs connectivity and path analysis between sources and destinations, showing the route table decisions. Option D is correct. Options A, B, and C are not designed for path tracing.

172
MCQ · hard

A company has a multi-account AWS environment with hundreds of VPCs connected via a transit gateway. The network team needs to centrally monitor network traffic and detect anomalies such as unusual outbound data transfers. Which combination of services would provide the most scalable and cost-effective solution?

A. Use AWS Trusted Advisor to check for unusual traffic patterns
B. Enable VPC Flow Logs in each VPC, publish to CloudWatch Logs, and create cross-account CloudWatch dashboards
C. Use AWS Network Manager to monitor all VPCs and Transit Gateway attachments
D. Enable VPC Flow Logs in each VPC, publish to Amazon S3, and use Amazon Athena to query logs from a central account
Answer: D

S3 is cost-effective for storage and Athena allows querying across accounts.

Why this answer

Option D is correct because VPC Flow Logs capture IP traffic metadata at scale, and publishing to Amazon S3 provides a cost-effective, durable storage layer. Using Amazon Athena to query the logs from a central account enables serverless, on-demand analysis across hundreds of VPCs without provisioning servers, making it both scalable and cost-effective for anomaly detection.

Exam trap

The trap here is that candidates assume CloudWatch Logs is the only or best destination for VPC Flow Logs, overlooking the cost and scalability advantages of S3 combined with Athena for large-scale, cross-account analysis.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor checks for AWS service limits, security best practices, and cost optimization, but it does not analyze VPC traffic patterns or detect anomalies in outbound data transfers. Option B is wrong because publishing VPC Flow Logs to CloudWatch Logs incurs ingestion and storage costs that become prohibitively expensive at scale across hundreds of VPCs, and cross-account CloudWatch dashboards do not provide a queryable interface for ad-hoc anomaly detection. Option C is wrong because AWS Network Manager provides a global view of transit gateway networks and topology, but it does not perform deep packet inspection or traffic anomaly detection; it lacks the query and analysis capabilities needed to identify unusual outbound data transfers.

173
MCQ · medium

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The network team notices that traffic is intermittently dropping and the BGP session between the on-premises router and the AWS Direct Connect virtual interface goes down. Which configuration should be checked first to resolve this issue?

A. Ensure the BGP hold timer values are consistent on both ends
B. Increase the BGP keepalive timer on the on-premises router to 90 seconds
C. Disable BGP authentication on the virtual interface
D. Enable BGP MD5 authentication on the on-premises router
Answer: A

Mismatched hold timers cause session drops.

Why this answer

A BGP hold timer mismatch can cause session flapping. Option A is correct because setting the hold timer to a consistent value (e.g., 30 seconds) on both sides stabilizes the session. Option B is wrong because increasing the BGP timers may mask the issue but does not address the root cause.

Option C is wrong because AWS allows BGP authentication. Option D is wrong because MD5 authentication is supported.

174
MCQ · medium

A network engineer is troubleshooting connectivity between two VPCs that are peered. The VPC peering connection is active, and the route tables have appropriate routes. However, instances in VPC A cannot reach instances in VPC B. The security groups in both VPCs allow all traffic. What is the most likely issue?

A. The security groups are not allowing ICMP traffic
B. The route tables in both VPCs do not have routes pointing to the peering connection for the other VPC's CIDR
C. The VPC peering connection is not in the 'active' state
D. The instances are in different availability zones
Answer: B

Without these routes, traffic cannot traverse the peering connection.

Why this answer

VPC peering does not support transitive routing: if an intermediate resource (such as a VPN or another VPC) is in the path, traffic will not flow, but the question does not mention one. A VPC peering connection also requires that the route tables of both VPCs have routes to each other's CIDR through the peering connection, and that the security groups allow traffic from the peer VPC's CIDR or reference its security group IDs.

Since the security groups allow all traffic, they are not the cause. VPC peering works both within and across regions as long as the route table entries are in place, so the most likely issue is that the route tables are missing the routes that point to the peering connection.

Option B is correct.

175
MCQ · medium

A company is using AWS Client VPN to provide remote access to its VPC. Users report that they can connect to the VPN but cannot reach resources in the VPC. The Client VPN endpoint is associated with a single subnet in the VPC, and the authorization rules allow access to the entire VPC CIDR (10.0.0.0/16). The security group assigned to the Client VPN endpoint allows all traffic. What is the most likely cause of this issue?

A. The security group assigned to the Client VPN endpoint does not allow inbound traffic from the client CIDR.
B. The route table associated with the Client VPN subnet does not have a route for the client IP range.
C. The authorization rule is too broad and is blocking traffic.
D. The Client VPN endpoint does not have a security group association group configured.
Answer: B

Without a return route, traffic from instances cannot reach the VPN clients.

Why this answer

The Client VPN endpoint is associated with a single subnet in the VPC. For traffic from the VPN clients to reach resources in the VPC, the route table of that subnet must include a route pointing the client IP range back to the VPN endpoint's network interface. Without this route, the subnet has no path to forward return traffic to the clients, even though the clients can establish the VPN tunnel.

Option B correctly identifies this missing route as the root cause.

Exam trap

AWS often tests the misconception that security groups or authorization rules are the primary cause of connectivity issues after a successful VPN connection, when in reality the missing route in the subnet's route table is the most common culprit for one-way traffic failures in AWS Client VPN.

How to eliminate wrong answers

Option A is wrong because the security group assigned to the Client VPN endpoint controls traffic entering or leaving the endpoint itself, not inbound traffic from the client CIDR; the security group already allows all traffic, so this is not the issue. Option C is wrong because an authorization rule that is too broad (allowing the entire VPC CIDR) would permit traffic, not block it; authorization rules are permissive, not restrictive. Option D is wrong because a 'security group association group' is not a valid AWS Client VPN configuration; the endpoint uses a single security group, and the absence of such a group does not cause connectivity failures.

176
MCQ · easy

A company has a VPC with multiple subnets. They want to centrally manage and inspect all traffic between subnets using a security appliance. Which AWS service should be used to achieve this?

A. VPC peering
B. AWS Route 53 Resolver
C. AWS Network Firewall
D. Transit Gateway with a security appliance in a central VPC
Answer: D

Allows centralized inspection.

Why this answer

Option D is correct because Transit Gateway with a middlebox appliance (e.g., a firewall) in a shared services VPC allows centralized traffic inspection. Option A is wrong because VPC peering is point-to-point and not centralized. Option C is wrong because AWS Network Firewall can be used, but Transit Gateway provides the architecture for central inspection.

Option B is wrong because Route 53 Resolver is a DNS service.

177
MCQ · easy

A network engineer needs to capture and analyze network traffic between two EC2 instances in the same VPC for troubleshooting. Which AWS service should be used?

A. AWS CloudTrail.
B. Amazon CloudWatch Metrics.
C. VPC Flow Logs.
D. AWS Config.
Answer: C

Flow Logs capture network traffic metadata.

Why this answer

Option C is correct because VPC Flow Logs capture IP traffic information for network interfaces and can be used to analyze traffic between instances. Option A is wrong because CloudTrail logs API calls. Option D is wrong because AWS Config monitors resource configuration.

Option B is wrong because CloudWatch Metrics provide performance metrics, not packet-level details.

178
MCQ · medium

A company has a VPC with resources that need to access an S3 bucket in the same region. To minimize latency and avoid internet traffic, which configuration should be used?

A. Use a NAT Gateway in a public subnet and route traffic through it
B. Create a VPC Gateway Endpoint for S3
C. Use VPC peering to connect to an S3 bucket
D. Create a VPC Interface Endpoint for S3
Answer: B

Provides private, low-latency access.

Why this answer

Option B is correct because a VPC Gateway Endpoint for S3 provides private connectivity to S3 without traversing the internet. Option A is wrong because a NAT Gateway is for internet access. Option D is wrong because AWS PrivateLink for S3 is not supported; Gateway Endpoints are used.

Option C is wrong because VPC peering does not provide S3 access.

179
Multi-Select · hard

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. The network engineer needs to add an IPv6 CIDR block to the VPC and ensure that EC2 instances can communicate over IPv6. Which THREE steps are necessary to achieve this?

Select 3 answers
A. Update security group rules to allow IPv6 traffic.
B. Add a route in the subnet route table for ::/0 to an egress-only internet gateway.
C. Configure a NAT64 gateway for IPv6 to IPv4 translation.
D. Associate an Amazon-provided IPv6 CIDR block with the VPC.
E. Assign IPv6 addresses to the subnets and enable auto-assign IPv6 address.
Answers: B, D, E

Egress-only IGW allows outbound IPv6 traffic.

Why this answer

Options B, D, and E are correct. D: Associate an IPv6 CIDR block with the VPC. E: Enable IPv6 on the subnets.

B: Add a route for ::/0 to an egress-only internet gateway or internet gateway. Option C is wrong because IPv6 traffic uses an egress-only IGW, not NAT. Option A is wrong because security groups do not need to be updated specifically for IPv6; they work for both.

180
MCQ · hard

A company has a hub-and-spoke network architecture using AWS Transit Gateway. The hub VPC contains a central inspection appliance (NVA) for traffic inspection. Spoke VPCs are attached to the Transit Gateway and have routes pointing to the Transit Gateway for all traffic. The Transit Gateway has a default route table that routes traffic to the NVA for inspection. Recently, the network team noticed that traffic between two spoke VPCs is not being inspected. The team verified that the Transit Gateway route tables are correctly configured and that the NVA is healthy. What should the team do to ensure that inter-spoke traffic is inspected?

A. Configure route propagation in the Transit Gateway route tables to propagate routes from the spoke attachments
B. Enable VPC Flow Logs on the spoke VPCs to capture traffic
C. Add static routes in the spoke VPC route tables pointing to the NVA
D. Increase the bandwidth of the Transit Gateway attachments
Answer: A

Propagation ensures that spoke routes are learned and traffic is forwarded to the NVA for inspection.

Why this answer

Option A is correct because enabling route propagation from the Transit Gateway attachments to the route tables ensures that routes are dynamically updated. Option C is wrong because static routes may cause issues if the NVA IP changes. Option B is wrong because VPC Flow Logs do not configure inspection.

Option D is wrong because increasing bandwidth does not solve the inspection routing issue.

181
Multi-Select · medium

Which TWO actions should a network engineer take to troubleshoot a BGP session that is not establishing between an on-premises router and AWS Direct Connect? (Select TWO.)

Select 2 answers
A. Verify that the BGP ASN configured on the customer router matches the one provided by AWS.
B. Increase the MTU on the customer router interface.
C. Ensure that the virtual interface is in the 'available' state.
D. Verify that the peer IP addresses on both sides are correct and reachable.
E. Check that the Direct Connect connection is in the 'available' state.
Answers: A, D

Mismatched ASN prevents BGP session establishment.

Why this answer

Common BGP issues include incorrect BGP ASN, incorrect peer IP addresses, missing authentication, and firewall rules blocking TCP port 179. Verifying these settings on both sides is key.

182
MCQ · easy

A company uses AWS Client VPN to provide remote access to its corporate network. Users report that they can connect to the VPN but cannot reach resources in the VPC. The VPN is configured with mutual authentication and authorization rules. What should the network engineer verify first?

A. The security group associated with the VPN endpoint allows inbound traffic from the client CIDR
B. The server certificate is valid and trusted by the client
C. The client CIDR range does not overlap with the VPC CIDR
D. The authorization rules grant access to the target network
Answer: D

Authorization rules are required to allow traffic to the VPC.

Why this answer

Option D is correct because authorization rules control which groups can access which networks. Option A is incorrect because if the connection succeeds, the security group is not the issue. Option C is incorrect because the client CIDR range does not affect access to VPC resources.

Option B is incorrect because the server certificate is for authentication, not routing.

183
MCQ · easy

A network engineer is troubleshooting intermittent connectivity issues between two VPCs that are peered. The VPC peering connection is in the 'active' state. ICMP ping from an instance in VPC A to an instance in VPC B fails intermittently. What is the most likely cause?

A. The network ACLs are blocking ICMP traffic.
B. The security groups on the instances do not allow inbound ICMP.
C. The VPC peering connection is not in the 'active' state.
D. The route tables in one or both VPCs lack routes to the peer VPC's CIDR via the peering connection.
Answer: D

Intermittent issues could be due to route propagation delays, but the typical cause is missing routes.

Why this answer

Since the VPC peering connection is active, the issue is likely that the route tables in one or both VPCs are not correctly configured to route traffic to the peered VPC's CIDR via the peering connection. Without proper routes, traffic is dropped.

184
MCQ · medium

A network engineer is configuring a Site-to-Site VPN connection between an on-premises network and AWS. The VPN tunnel status shows 'UP' but traffic is not passing. The engineer checks the route tables and finds that the VPC route table has a route pointing to the virtual private gateway for the on-premises CIDR. What is the most likely missing configuration?

A. The VPC route table does not have a route for the on-premises CIDR pointing to the virtual private gateway
B. The security group of the EC2 instances does not allow inbound traffic from on-premises
C. The VPN tunnel is using the wrong pre-shared key
D. The on-premises router is not advertising the VPC CIDR over BGP
Answer: C

A wrong PSK would prevent the tunnel from coming up, but the tunnel is UP, so the PSK is correct.

Why this answer

For a VPN to pass traffic, the on-premises router must have a route pointing back to the VPC CIDR via the VPN tunnel. Option B is correct. Options A, C, and D are either already done or not directly related to traffic passing.

185
MCQ · hard

A company has a hybrid network architecture with an AWS VPC (10.0.0.0/16) connected to an on-premises data center via AWS Direct Connect with a private VIF. The on-premises network uses 10.1.0.0/16. The VPC has subnets in two Availability Zones, each with a private subnet (10.0.1.0/24 and 10.0.2.0/24) and a public subnet. The company recently deployed a new application in the VPC that uses an Application Load Balancer (ALB) in the public subnets. The ALB targets EC2 instances in the private subnets. Users on-premises report that they cannot access the application using the ALB's DNS name. The on-premises network team confirms that they can ping the ALB's private IP address from on-premises. The VPC route tables have routes for the on-premises network pointing to the virtual private gateway (VGW). The security groups and network ACLs are configured to allow traffic from on-premises. What is the most likely cause of the issue?

A. The VPC route tables do not have a route to the on-premises network for the ALB's subnet.
B. The security group on the ALB blocks inbound traffic from the on-premises CIDR.
C. The ALB is deployed in private subnets instead of public subnets.
D. The on-premises DNS resolver does not resolve the ALB's DNS name to a private IP address, causing traffic to go over the internet.
Answer: D

ALB DNS name resolves to public IPs; for private connectivity, a private hosted zone or Route 53 Resolver must be used.

Why this answer

Option D is correct because the ALB's DNS name resolves to public IPs, and on-premises traffic to public IPs would go over the internet, not Direct Connect, unless DNS resolution is configured to return private IPs. Since the users can ping the private IP, the issue is DNS resolution. Option A is wrong because the route tables already have routes to on-premises.

Option C is wrong because the ALB is in public subnets and should be accessible. Option B is wrong because security groups are not the issue, as they allow traffic.

186
MCQ · hard

A company has a VPC with multiple subnets across three Availability Zones. The VPC contains an Auto Scaling group of EC2 instances that process messages from an SQS queue. The instances are deployed in private subnets and need to access the SQS queue over the internet. The company wants to minimize data transfer costs and improve security by keeping traffic within the AWS network. The VPC has a NAT gateway in each AZ for outbound internet access. The network team has configured the route tables for the private subnets to send 0.0.0.0/0 traffic to the NAT gateway in the same AZ. However, the team notices that the EC2 instances are still using the NAT gateways to reach SQS, resulting in higher costs. What should the team do to ensure traffic to SQS stays within the AWS network?

A. Create an interface VPC endpoint for SQS in each private subnet.
B. Create a gateway VPC endpoint for SQS in the VPC and update the route tables for the private subnets to include a route for the SQS prefix list pointing to the endpoint.
C. Set up an AWS Direct Connect connection to route SQS traffic directly.
D. Modify the network ACLs and security groups to allow traffic to SQS without going through the NAT gateway.
Answer: B

Correct: Gateway Endpoints keep traffic within AWS and are free of charge.

Why this answer

Option B is correct because VPC Gateway Endpoints for SQS allow traffic to SQS to stay within the AWS network, avoiding NAT gateways and reducing costs. Option A is wrong because VPC Interface Endpoints are used for services that require private IPs, but SQS supports Gateway Endpoints. Option D is wrong because NACLs and security groups do not change the path; they only filter traffic.

Option C is wrong because Direct Connect is for on-premises connectivity, not for VPC-to-SQS traffic.

187
Multi-Select · medium

A network engineer is troubleshooting high latency on a Direct Connect connection. The engineer wants to use monitoring tools to identify the source of the latency. Which two AWS services can provide metrics and logs to help diagnose the issue? (Choose TWO.)

Select 2 answers
A. AWS CloudTrail
B. AWS Config
C. Amazon CloudWatch
D. AWS Trusted Advisor
E. VPC Flow Logs
Answers: C, E

Provides Direct Connect metrics.

Why this answer

Options C and E are correct. CloudWatch provides metrics for Direct Connect (e.g., connection state, BGP status, packet loss). VPC Flow Logs capture IP traffic information that can be analyzed for latency patterns.

Option A is wrong because CloudTrail logs API calls. Option B is wrong because AWS Config tracks configuration changes. Option D is wrong because Trusted Advisor provides recommendations, not real-time metrics.

188
Multi-Select · medium

A company is deploying a new application that requires low latency between EC2 instances. Which THREE placement group strategies should the network engineer consider?

Select 3 answers
A. Cross-zone load balancing
B. Spread placement group
C. Availability Zone placement group
D. Partition placement group
E. Cluster placement group
Answers: B, D, E

Spreads instances across distinct hardware for high availability.

Why this answer

Options B, D, and E are valid placement group strategies. Option C is not a placement group type. Option A is not a placement group but a feature of Network Load Balancer.

189
Multi-Select · medium

Which TWO configuration steps are required to enable VPC Flow Logs to be published to an S3 bucket in a different AWS account? (Select TWO.)

Select 2 answers
A. Attach a resource-based policy to the S3 bucket that grants the source account's Flow Logs service permission to write.
B. Configure the Flow Logs destination as a CloudWatch Logs log group in the source account.
C. Create an IAM role in the source account with a trust policy that allows the Flow Logs service to assume it and grants s3:PutObject to the destination bucket.
D. Create an IAM user in the source account with programmatic access and share the access keys.
E. Enable S3 cross-account replication.
Answers: A, C

The bucket policy must allow cross-account writes.

Why this answer

For cross-account flow logs, you need an IAM role in the source account that the Flow Logs service can assume, and that role must have permissions to write to the destination bucket. Additionally, the S3 bucket policy must grant the source account (or the role) the necessary permissions.

190
MCQ · easy

A company uses VPC Flow Logs to monitor network traffic. The flow logs are published to Amazon S3. The security team wants to analyze the logs for suspicious traffic patterns using Amazon Athena. After creating the Athena table, queries return zero results. The logs are in the correct S3 bucket. What is the most likely cause?

A. The flow logs are encrypted with SSE-KMS and Athena does not have permission to decrypt
B. The Athena table is in a different AWS Glue database
C. The flow logs are in gzip format, which Athena does not support
D. The Athena table is not configured to read from the correct S3 partition structure
Answer: D

Partition structure must match the log location.

Why this answer

Option D is correct because VPC Flow Logs are stored in a partitioned folder structure (e.g., AWSLogs/account-id/vpcflowlogs/region/year/month/day/). If the Athena table does not use partition projection or the partition location is incorrect, queries return no data. Option A is wrong because encryption does not prevent Athena from reading.

Option B is wrong because the table can be in any database. Option C is wrong because the gzip file format is supported by Athena.

191
Multi-Select · hard

A company is troubleshooting an issue where an application running on an EC2 instance cannot connect to an Amazon S3 bucket using a VPC endpoint. The security groups and network ACLs appear correct. Which THREE items should the network team verify to resolve the issue? (Choose three.)

Select 3 answers
A. The VPC endpoint policy allows access to the S3 bucket.
B. S3 Transfer Acceleration is enabled on the bucket.
C. The route table of the subnet includes a route for the S3 prefix list via the VPC endpoint.
D. The VPC endpoint is associated with the subnet where the EC2 instance resides.
E. The VPC has an Internet Gateway attached.
Answers: A, C, D

The endpoint policy controls what actions are allowed.

Why this answer

Option A is correct because the VPC endpoint policy may deny access to the specific S3 bucket. Option C is correct because the route table must have a route for the S3 prefix list via the endpoint. Option D is correct because the endpoint must be associated with the correct subnet (or require DNS resolution).

Option E is wrong because the Internet Gateway is not needed when using a VPC endpoint. Option B is wrong because S3 Transfer Acceleration is for speed, not connectivity.

192
MCQ · medium

A company uses AWS Direct Connect with a private VIF to connect to a VPC. The network team wants to monitor the bandwidth utilization of the Direct Connect connection in real time. Which AWS service should be used?

A. AWS CloudTrail
B. VPC Flow Logs
C. AWS Config
D. Amazon CloudWatch
Answer: D

CloudWatch provides Direct Connect metrics such as ConnectionBandwidthUtilization.

Why this answer

Option D is correct because CloudWatch provides metrics for Direct Connect connections, including bandwidth utilization. Option B is incorrect because VPC Flow Logs capture traffic per interface, not aggregate bandwidth. Option A is incorrect because CloudTrail logs API calls.

Option C is incorrect because AWS Config records configuration changes.

193
MCQ · hard

A company has a Direct Connect connection with two private virtual interfaces (VIFs) to two different VPCs. The company wants to use the same Direct Connect connection for both VPCs, but the on-premises router only has one physical port. The network engineer configures a single BGP session over a VLAN-tagged interface. After configuration, only one VPC is reachable. What is the most likely reason?

A. The on-premises router is using the same BGP ASN for both VIFs, which is not allowed
B. The BGP peer IP addresses must be in the same subnet for both VIFs
C. The VLAN ID must be the same for both VIFs to work over a single physical port
D. Each private VIF requires a separate BGP session, and only one session was configured
Answer: D

Each VIF needs its own BGP session.

Why this answer

Option D is correct because each private VIF requires a unique BGP session and VLAN ID. A single BGP session cannot serve two VIFs because the VIFs are logically separate. Option A is wrong because the same BGP ASN can be used on both VIFs if a Direct Connect gateway is used.

Option C is wrong because there is no requirement to use the same VLAN. Option B is wrong because the BGP session can be established with different peer IPs.

194
MCQ · easy

A company is deploying a web application on EC2 instances behind an ALB. The application must be accessible only over HTTPS. Which security group rule should be added to the ALB security group?

A. Inbound: TCP port 22 from 0.0.0.0/0
B. Inbound: TCP port 443 from 0.0.0.0/0
C. Inbound: TCP port 3306 from 0.0.0.0/0
D. Inbound: TCP port 80 from 0.0.0.0/0
Answer: B

HTTPS uses port 443.

Why this answer

The ALB must terminate HTTPS traffic, which requires an inbound rule allowing TCP port 443 (HTTPS) from 0.0.0.0/0. This ensures clients can establish encrypted TLS connections to the load balancer, as the application is only accessible over HTTPS.

Exam trap

AWS often tests the distinction between the ALB's security group (which needs port 443 for HTTPS) and the EC2 instances' security group (which needs only the ALB's source security group), leading candidates to mistakenly choose port 80 (HTTP) or port 22 (SSH) for the ALB.

How to eliminate wrong answers

Option A is wrong because TCP port 22 (SSH) is used for remote administration of EC2 instances, not for web traffic to an ALB, and opening it to 0.0.0.0/0 would expose management interfaces unnecessarily. Option C is wrong because TCP port 3306 (MySQL) is a database port that should never be exposed to the internet from an ALB; database access should be restricted to application servers via private subnets. Option D is wrong because TCP port 80 (HTTP) would allow unencrypted traffic, which violates the requirement that the application be accessible only over HTTPS; allowing HTTP would bypass the encryption mandate.

195
Multi-Select · hard

A company has a multi-account AWS environment with hundreds of VPCs interconnected via a transit gateway. The network team needs to centrally monitor VPC reachability and identify asymmetric routing paths. Which THREE services or features should be used together to achieve this? (Choose three.)

Select 3 answers
A. Amazon CloudWatch Contributor Insights
B. VPC Reachability Analyzer
C. AWS Network Manager
D. AWS Config
E. AWS CloudHSM
Answers: A, B, C

Analyzes VPC Flow Logs to detect traffic patterns and anomalies.

Why this answer

VPC Reachability Analyzer can test paths and detect asymmetric routing. AWS Network Manager provides central visibility for transit gateway networks. Amazon CloudWatch Contributor Insights helps analyze VPC Flow Logs to identify traffic patterns.

AWS Config evaluates rules but not real-time path analysis. AWS CloudHSM is for hardware security modules.

196
MCQ · hard

A company has a VPC with multiple subnets across Availability Zones. An application load balancer (ALB) is deployed in public subnets. The network team notices that traffic from the ALB to targets in private subnets is intermittently failing. The targets are healthy. What is the MOST likely cause?

A. The ALB is not associated with a public subnet.
B. The target security group does not allow traffic from the ALB's security group.
C. The network ACL for the target subnets blocks outbound traffic.
D. Cross-zone load balancing is disabled.
Answer: B

The target security group must allow traffic from the ALB's security group; if not, traffic is dropped.

Why this answer

Option B is correct. The question states that the targets are healthy but traffic from the ALB to the targets is failing; the ALB communicates with targets using its private IP addresses, and the target security group must allow traffic from the ALB's security group. Option C is incorrect because NACLs are stateless and must allow both inbound and outbound traffic.

Option A is incorrect because the ALB is in public subnets and can reach the internet. Option D is incorrect because cross-zone load balancing is enabled by default.

197
MCQ · medium

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The company has a NAT Gateway in the public subnet. The network team notices that instances in the private subnets cannot reach the internet. The route table for the private subnets has a default route (0.0.0.0/0) pointing to the NAT Gateway. What could be the issue?

A. The NAT Gateway does not have a route to the internet gateway
B. The NAT Gateway is in a private subnet
C. The VPC does not have a VPC endpoint for the software update service
D. The security group attached to the NAT Gateway is blocking traffic
Answer: B

NAT Gateway must be in a public subnet with a route to the IGW.

Why this answer

Option B is correct because the NAT Gateway must be in a public subnet with an internet gateway route to function. Option A is wrong because the NAT Gateway itself does not have a route; the route table of the subnet where it resides needs a route to the internet gateway. Option D is wrong because security groups are for instances, not NAT Gateways.

Option C is wrong because VPC endpoints are for specific AWS services, not general internet access.

198
MCQ · medium

An engineer is troubleshooting connectivity from on-premises to a VPC via Direct Connect private VIF. The BGP session is up, traffic is flowing, but the on-premises network cannot reach some subnets in the VPC. The VPC CIDR is 10.0.0.0/16. What is the most likely cause based on the exhibit?

A. The BGP session is up, but the on-premises router is not receiving the VPC CIDR route due to missing route propagation on the virtual private gateway.
B. The customer router configuration snippet is missing the BGP configuration for those subnets.
C. The security groups or network ACLs in the VPC are blocking traffic to those subnets.
D. The route filter prefixes only allow the VPC CIDR 10.0.0.0/16, but the VPC has additional CIDRs that are not being advertised.
Answer: C

Since the VPC CIDR is advertised, reachability issues within the VPC are more likely due to security group or NACL rules.

Why this answer

The exhibit shows that the route filter prefixes for the private VIF include only '10.0.0.0/16'. The routeFilterPrefixes attribute on a private VIF defines the prefixes that the customer will advertise to AWS; it does not control what AWS advertises to the customer. AWS advertises the VPC CIDR automatically, so the exhibit shows the customer's allowed prefixes rather than a restriction on the VPC routes.

The BGP session is up and traffic is flowing, so the on-premises router is receiving the VPC CIDR 10.0.0.0/16 and has a route to the whole /16. Because the VPC has a single CIDR, every subnet falls inside that block and is covered by the advertised route; there are no additional CIDRs that could be left unadvertised.

When the on-premises network can reach some subnets but not others even though routing covers all of them, the most likely cause is security group or network ACL rules on the unreachable subnets, which is Option C. Option A is wrong because traffic is flowing, so the VPC route is being received. Option B is wrong because no per-subnet BGP configuration is needed when the whole VPC CIDR is advertised. Option D is wrong because the VPC CIDR is a single 10.0.0.0/16 block; only if the VPC had additional CIDRs (e.g., 10.1.0.0/16) would they need to be advertised separately.

199
MCQ · hard

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to a partner VPC with CIDR 10.0.0.0/16. Both VPCs are in the same region. They want to use VPC Peering. After creating the peering connection and adding routes, connectivity fails. What is the most likely cause?

A. The peering connection is not set up for transitive routing.
B. The peering connection status is 'pending-acceptance'.
C. Overlapping CIDR blocks prevent VPC peering connectivity.
D. The route tables do not have a route to the peering connection.
Answer: C

VPC peering does not support overlapping CIDRs.

Why this answer

Option C is correct because overlapping CIDRs are not allowed in VPC peering; routes cannot distinguish between the two ranges. Option D is wrong because the routes were added and there is no route conflict after peering. Option A is wrong because VPC peering does not support transitive routing.

Option B is wrong because any status other than active would prevent connectivity, but with overlapping CIDRs, even an active connection won't work.

200
MCQ · hard

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to access an S3 bucket. The VPC has a NAT Gateway in the public subnet. The security group for the EC2 instance allows outbound HTTPS to 0.0.0.0/0. The NACL for the private subnet allows outbound HTTPS to 0.0.0.0/0 and inbound ephemeral ports from 0.0.0.0/0. The instance still cannot reach S3. What is the most likely cause?

A. The NAT Gateway's security group does not allow outbound HTTPS traffic.
B. The NACL for the private subnet blocks inbound traffic from S3.
C. The private subnet's route table does not have a route to the NAT Gateway.
D. The S3 bucket policy denies access from the VPC.
Answer: A

NAT Gateway's security group must allow outbound traffic to S3.

Why this answer

Option A is correct because S3 requires HTTPS (443) for API calls, and the NAT Gateway's security group must allow inbound HTTPS from the private subnet and outbound to S3. If the NAT Gateway's security group does not allow outbound HTTPS to S3, traffic is dropped. Option C is wrong because the private subnet has a route to the NAT Gateway.

Option D is wrong because S3 does not have a security group in the VPC. Option B is wrong because the NACL allows inbound ephemeral ports.

201
MCQ · hard

A network engineer is configuring VPC Flow Logs to deliver to an S3 bucket in a different account. The bucket policy is shown. The flow logs are not being delivered. What is the most likely reason?

A. The Action should be s3:PutObjectAcl instead of s3:PutObject
B. The Principal must be the destination account's log delivery service
C. The aws:SourceArn condition restricts access to a specific account, but the flow logs are from a different account
D. The Resource does not include the bucket ARN itself
Answer: C

The condition limits access to logs from account 123456789012 only.

Why this answer

Option C is correct because the bucket policy uses the log delivery service principal from account 123456789012, but the flow logs are from a different account. The policy needs to allow access for the source account's log delivery service. Option A is incorrect because the action is correct.

Option D is incorrect because the resource includes the full path. Option B is incorrect because the Principal is correct for cross-account delivery.

202
Multi-Select · easy

A company wants to monitor network traffic in its VPC for security analysis and troubleshooting. Which TWO AWS services can be used to capture and analyze IP traffic information? (Choose TWO.)

Select 2 answers
A. AWS Network Firewall
B. AWS CloudTrail
C. AWS Trusted Advisor
D. Amazon GuardDuty
E. VPC Flow Logs
Answers: A, E

Captures and inspects traffic.

Why this answer

Options A and E are correct. VPC Flow Logs capture IP traffic metadata, and AWS Network Firewall can capture and inspect traffic. B is wrong because CloudTrail records API calls, not network traffic.

D is wrong because GuardDuty is a threat detection service that uses flow logs but does not capture them directly. C is wrong because AWS Trusted Advisor provides best-practice checks.

203
MCQ · medium

A company uses a VPC with multiple subnets in different Availability Zones. The VPC has a NAT Gateway in a public subnet of us-east-1a, and a second NAT Gateway in us-east-1b for high availability. Each private subnet in us-east-1a routes 0.0.0.0/0 to the NAT Gateway in us-east-1a, and private subnets in us-east-1b route to the NAT Gateway in us-east-1b. The company's EC2 instances in private subnets need to access an external service using IPv6. The VPC is not configured for IPv6. The network engineer needs to enable IPv6 connectivity for these instances. Which solution is the most cost-effective and scalable?

A. Add an IPv6 CIDR block to the VPC and configure a NAT64 gateway to translate IPv6 to IPv4.
B. Add an IPv6 CIDR block to the VPC, assign IPv6 addresses to private subnets, and add a route for ::/0 to an egress-only internet gateway.
C. Attach an internet gateway to the VPC and add a route for ::/0 to the internet gateway in the private subnets.
D. Add an IPv6 CIDR block to the VPC and use the existing NAT Gateways with IPv6.
Answer: B

Egress-only IGW allows outbound IPv6 traffic from private subnets.

Why this answer

Option B is correct because an egress-only internet gateway (EIGW) provides outbound IPv6 connectivity for instances in private subnets once the VPC is dual-stack. Option A is wrong because NAT64 translates IPv6 to IPv4, but the external service is IPv6, so translation is not needed. Option D is wrong because adding an IPv6 CIDR and translating through the existing NAT Gateways is not necessary.

Option C is wrong because an internet gateway alone does not work for private subnets; it requires a route, and the instances would need public IPv6 addresses.

204
MCQ · medium

A company is migrating from a legacy MPLS network to AWS using Direct Connect. The network team wants to ensure high availability with a backup connection. They have two Direct Connect connections from different providers, both terminating at the same AWS Direct Connect location. Which configuration provides the most resilient setup?

A.Use both connections but from the same provider to simplify management.
B.Use both connections with separate virtual interfaces, each terminating on different customer routers.
C.Use one connection with two virtual interfaces for redundancy.
D.Use both connections with a single virtual interface on each, but terminate on the same router.
AnswerB

Full redundancy with diverse paths.

Why this answer

Option D is correct. Using two different devices and separate virtual interfaces provides redundancy at both the physical and logical level. Option A is wrong because a single device is a single point of failure.

Option B is wrong because a single VIF is a single point of failure. Option C is wrong because using the same provider reduces diversity.

205
MCQ · medium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. After adding a new VPC attachment, traffic from the on-premises network cannot reach the new VPC. The on-premises BGP route table shows the prefixes of the new VPC as received. What should the engineer check?

A. Verify that the on-premises router is advertising the correct prefix to AWS.
B. Verify that the new VPC has a route to the Transit Gateway in its route table.
C. Verify that the new VPC attachment is associated with the Transit Gateway route table that has the on-premises routes.
D. Verify that the new VPC's DNS resolution is enabled.
Answer: C

Transit Gateway route tables control connectivity between attachments.

Why this answer

Option C is correct because Transit Gateway route tables control inter-VPC and on-premises connectivity; the new VPC attachment must be associated with the correct route table. Option A is wrong because the on-premises side already has the routes. Option B is wrong because a VPC route to the Transit Gateway does not by itself associate the attachment with the right Transit Gateway route table; there is no implied association or propagation.

Option D is wrong because DNS resolution is irrelevant to the routing problem.

206
Multi-Select · hard

A company has a Direct Connect connection with multiple virtual interfaces (VIFs). The network team notices that traffic to a specific VPC is intermittently failing. The team suspects an issue with BGP routing. Which THREE steps should the team take to troubleshoot the BGP session? (Choose THREE.)

Select 3 answers
A. View the BGP route advertisements received by the on-premises router from AWS.
B. Check the Direct Connect endpoint health in the AWS Management Console.
C. Verify the allowed prefixes configuration on the virtual interface in the AWS console.
D. Examine VPC Flow Logs for dropped packets on the virtual interface.
E. Check the BGP session status using the 'bgp session' command on the on-premises router.
Answers: A, C, E

This helps identify if AWS is advertising the expected routes.

Why this answer

Option A is correct because viewing the BGP route advertisements received by the on-premises router from AWS directly reveals whether the expected prefixes are being advertised. If the routes are missing or incorrect, the VPC traffic will fail intermittently, making this a primary troubleshooting step for BGP routing issues.

Exam trap

AWS often tests the distinction between physical connectivity checks (like endpoint health) and BGP-specific troubleshooting steps, leading candidates to select options that address layer 1/2 issues instead of the BGP routing layer.

207
Multi-Select · hard

A network engineer is troubleshooting a VPN connection that is not passing traffic. The tunnel status shows as 'UP'. Which THREE steps should the engineer take to diagnose the issue?

Select 3 answers
A. Ensure that the security groups for instances allow inbound traffic from the on-premises network
B. Confirm that the on-premises router is advertising the correct routes via BGP
C. Check the IKE and IPsec settings on the customer gateway
D. Verify that the VPC route table has a route to the on-premises network via the virtual private gateway
E. Check the internet gateway route table for the VPC
Answers: A, B, D

Security groups can block traffic even if the VPN is up.

Why this answer

Option A is correct because security groups act as a virtual firewall for instances, controlling inbound and outbound traffic at the instance level. Even if the VPN tunnel is up, traffic will be dropped if the security group does not explicitly allow inbound traffic from the on-premises network's IP range. This is a common misconfiguration that prevents traffic flow despite a healthy tunnel.

Exam trap

The trap here is that candidates assume a 'UP' tunnel guarantees traffic flow, but AWS often tests that Layer 3 routing and security group rules are separate from tunnel status and must be verified independently.

208
MCQ · easy

A company wants to monitor network traffic to and from an EC2 instance to detect anomalous outbound traffic. Which AWS service should they use to capture and analyze the traffic?

A. Amazon GuardDuty
B. Amazon CloudWatch Logs
C. AWS Config
D. VPC Traffic Mirroring
Answer: D

Traffic Mirroring captures and copies traffic for analysis.

Why this answer

Option D is correct because VPC Traffic Mirroring captures and copies traffic for analysis. Option C is wrong because AWS Config records configuration changes. Option B is wrong because CloudWatch Logs can capture logs but not full packet traffic.

Option A is wrong because GuardDuty is a threat detection service that analyzes findings but does not capture raw traffic.

209
MCQ · hard

A company has multiple AWS accounts and wants to centrally manage network resources using AWS Transit Gateway. Which feature allows sharing the Transit Gateway across accounts?

A. VPC peering
B. AWS Resource Access Manager (RAM)
C. AWS Organizations
D. AWS Service Catalog
Answer: B

RAM enables sharing Transit Gateways across accounts.

Why this answer

Option B is correct because AWS Resource Access Manager (RAM) allows sharing Transit Gateways across accounts. Option C is wrong because AWS Organizations manages accounts but does not share resources directly. Option A is wrong because VPC peering is a separate feature.

Option D is wrong because AWS Service Catalog is for creating standardized products.

210
MCQ · easy

A network engineer is troubleshooting an issue where an EC2 instance in a public subnet cannot reach the internet. The instance has a public IP, and the route table has a default route to an internet gateway. What is the most likely cause?

A. The network ACL is blocking outbound traffic
B. The internet gateway is not attached to the VPC
C. The security group does not allow outbound HTTP traffic
D. The instance does not have a public IP
Answer: A

Network ACLs are stateless and must explicitly allow outbound traffic and inbound return traffic.

Why this answer

Even with correct routes, if the subnet's network ACL does not allow outbound traffic, the instance cannot reach the internet. Network ACLs are stateless and must allow both outbound and inbound ephemeral ports.

211
Multi-Select · medium

Which THREE factors should be considered when designing a highly available AWS Site-to-Site VPN connection?

Select 3 answers
A. Use two VPN tunnels with the same customer gateway IP
B. Enable BGP for dynamic route propagation
C. Use two VPN tunnels each with a different customer gateway IP
D. Use a single VPN tunnel with a static route
E. Configure redundant customer gateways
Answers: B, C, E

BGP provides automatic failover and route propagation.

Why this answer

BGP (Border Gateway Protocol) enables dynamic route propagation across the VPN tunnels, allowing automatic failover and route convergence if one tunnel goes down. This is critical for high availability because it eliminates the need for manual route updates and supports path selection based on BGP attributes, ensuring traffic is rerouted through the remaining healthy tunnel.

Exam trap

AWS often tests the misconception that using two tunnels with the same customer gateway IP (Option A) provides redundancy, but the trap is that this still creates a single point of failure at the customer gateway device itself, whereas true high availability requires separate customer gateway IPs (Option C) and redundant gateways (Option E).

212
MCQ · medium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. Network engineers report intermittent connectivity issues between VPC A and the on-premises network. The transit gateway route table shows the on-premises CIDR (10.0.0.0/8) propagated from the VPN attachment. VPC A has a subnet route pointing to the transit gateway for 10.0.0.0/8. Which step should the engineer take FIRST to diagnose the issue?

A. Verify that the VPN tunnel status shows as UP on both sides.
B. Enable VPC Flow Logs on VPC A to verify traffic reaching the transit gateway.
C. In the transit gateway route table, verify that the VPN attachment is correctly associated and that the 10.0.0.0/8 route is propagated and has the correct attachment.
D. Check the security group rules on the EC2 instances in VPC A for outbound traffic.
Answer: C

This directly checks whether the transit gateway is correctly routing traffic to the VPN attachment for the on-premises CIDR.

Why this answer

Option C is correct because the first diagnostic step for intermittent connectivity through a transit gateway is to verify the route table configuration. The engineer must confirm that the VPN attachment is correctly associated with the transit gateway route table and that the 10.0.0.0/8 route is propagated from the VPN attachment, as a missing or misassociated route would cause traffic to be dropped even if the VPN tunnel is up.

Exam trap

The trap here is that candidates often jump to checking the VPN tunnel status (Option A) first, assuming the tunnel is the root cause, but the question specifically describes intermittent connectivity that is more likely due to a routing misconfiguration in the transit gateway route table rather than a tunnel flap.

How to eliminate wrong answers

Option A is wrong because verifying the VPN tunnel status is a later step; the tunnel can be UP but traffic may still fail if the transit gateway route table lacks the correct route or association. Option B is wrong because enabling VPC Flow Logs on VPC A would confirm traffic reaching the transit gateway, but it does not diagnose whether the transit gateway is correctly routing the traffic to the VPN attachment, which is the core issue. Option D is wrong because security group rules on EC2 instances control host-level filtering, not the transit gateway routing path; the issue is at the network layer, not the instance firewall.

213
MCQ · hard

A financial services company uses AWS Direct Connect to connect its data center to multiple VPCs via a transit gateway. They need to meet PCI DSS compliance requirements by encrypting all traffic between the data center and AWS. What solution meets this requirement with the least operational overhead?

A. Enable MACsec on the Direct Connect connection.
B. Use TLS for all application traffic between data center and VPC.
C. Use private VIFs without additional encryption.
D. Create an IPsec VPN tunnel over the Direct Connect VIF to encrypt traffic.
Answer: A

MACsec provides Layer 2 encryption with minimal overhead.

Why this answer

Option A is correct because MACsec provides encryption at Layer 2 without requiring VPN tunnels or additional configuration. Option D is incorrect because IPsec over Direct Connect adds overhead and complexity. Option B is incorrect because TLS protects application-level traffic, not all traffic.

Option C is incorrect because private VIFs do not encrypt traffic by default.

214
MCQ · hard

A company has a hybrid network with multiple AWS Direct Connect connections to different VPCs. The on-premises network uses BGP to advertise prefixes to AWS. The network team notices that some on-premises prefixes are not being received by the VPCs. What is the MOST likely cause?

A. The on-premises router is advertising more than 100 prefixes over the BGP session
B. The on-premises router is not using BGP communities
C. The on-premises router is using AS_PATH prepending
D. The on-premises router is not setting the MED attribute
Answer: A

AWS limits the number of prefixes per BGP session to 100 by default. Exceeding this causes rejection.

Why this answer

Option A is correct because the maximum number of routes advertised over a Direct Connect virtual interface is 100 by default, and exceeding this limit causes BGP to reject additional routes. Option C is wrong because AS_PATH prepending affects route preference, not whether a prefix is advertised. Option D is wrong because the MED attribute affects path selection, not advertisement.

Option B is wrong because BGP communities are optional and not required for prefix advertisement.

215
MCQ · easy

A company wants to monitor network traffic between its EC2 instances and determine which IP addresses are generating the most traffic. Which AWS service should be used to capture and analyze this traffic?

A. AWS Trusted Advisor
B. AWS CloudTrail
C. AWS Config
D. VPC Flow Logs
Answer: D

Flow Logs capture IP traffic metadata.

Why this answer

Option D is correct because VPC Flow Logs capture IP traffic information and can be published to CloudWatch Logs or S3 for analysis. Option B is wrong because CloudTrail records API calls, not network traffic. Option C is wrong because AWS Config records resource configuration changes.

Option A is wrong because Trusted Advisor provides best-practice checks, not traffic analysis.

216
Multi-Select · hard

A company is deploying a multi-tier application across two Availability Zones. The web tier must be highly available and scale based on traffic. The application load balancer (ALB) is internet-facing. Which TWO configurations are required to ensure the ALB can route traffic to the web instances across both AZs?

Select 2 answers
A. Register the ALB with subnets in at least two Availability Zones.
B. Configure the VPC route tables to allow cross-AZ traffic.
C. Create a target group that includes instances from both Availability Zones.
D. Assign a security group that allows traffic from both AZs.
E. Place the ALB in a single subnet for simplicity and attach multiple ENIs.
Answers: A, C

An ALB requires multiple AZs for high availability.

Why this answer

Options A and C are correct. The ALB must have subnets in both AZs to be highly available, and the target group must include instances from both AZs. Option B is wrong because route tables are not directly relevant to ALB routing.

Option D is wrong because security groups are applied per instance, not per AZ. Option E is wrong because a single subnet would limit availability.

217
MCQ · easy

A company is using AWS Global Accelerator to improve performance for a web application hosted in two AWS Regions. The application uses an Application Load Balancer (ALB) in each region. The company wants to ensure that traffic is directed to the closest healthy endpoint. Which routing configuration should be used?

A. Global Accelerator endpoint groups with health checks and traffic dials
B. Global Accelerator with weighted endpoint groups
C. Route 53 latency-based routing with health checks
D. Route 53 geolocation routing with Global Accelerator
Answer: A

Global Accelerator automatically routes to the closest healthy endpoint.

Why this answer

Option A is correct because Global Accelerator uses anycast IPs and directs traffic to the nearest healthy endpoint based on latency and health checks. Option C is wrong because Route 53 latency routing is not used with Global Accelerator. Option B is wrong because Global Accelerator does not use weighted routing.

Option D is wrong because geolocation routing is not the default; Global Accelerator uses proximity.

218
Multi-Select · easy

A company wants to monitor network traffic in its VPC for security analysis. Which TWO AWS services can be used to capture and analyze network traffic?

Select 2 answers
A. AWS Config
B. AWS CloudTrail
C. Amazon Inspector
D. VPC Flow Logs
E. AWS Shield
Answers: C, D

Can analyze network configurations for security issues.

Why this answer

Options C and D are correct because VPC Flow Logs capture network traffic information, and Amazon Inspector can analyze network configurations for vulnerabilities. Option B is wrong because CloudTrail records API calls. Option A is wrong because AWS Config monitors resource configuration.

Option E is wrong because AWS Shield is for DDoS protection.

219
Multi-Select · medium

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The network team needs to monitor the Direct Connect connection for performance issues and receive alerts when latency exceeds a certain threshold. Which TWO actions should the team take to meet these requirements? (Choose TWO.)

Select 2 answers
A. Create a CloudWatch alarm on the Direct Connect latency metric to send notifications when latency exceeds the threshold.
B. Subscribe to AWS Health Dashboard events for Direct Connect.
C. Enable CloudWatch metrics on the Direct Connect virtual interface to monitor latency.
D. Enable VPC Flow Logs to capture traffic patterns and latency.
E. Configure a VPN CloudWatch metric to monitor the Direct Connect connection.
Answers: A, C

CloudWatch alarms can be set on latency metrics to trigger notifications.

Why this answer

Option A is correct because AWS Direct Connect provides a built-in 'Latency' metric in CloudWatch that measures the round-trip time between the Direct Connect location and the AWS region. By creating a CloudWatch alarm on this metric, the team can trigger an SNS notification when latency exceeds a defined threshold, enabling proactive monitoring of performance issues.

Exam trap

The trap here is that candidates confuse VPC Flow Logs (which capture traffic metadata) with performance monitoring tools, or assume that AWS Health Dashboard provides real-time latency metrics, when in fact only the Direct Connect latency metric in CloudWatch directly measures and alerts on latency.

220
MCQ · medium

A company is using AWS CloudFormation to deploy a multi-tier application. The template includes an Amazon VPC with public and private subnets, NAT gateways, and route tables. After deployment, the EC2 instances in the private subnet cannot access the internet. The NAT gateway is in a public subnet with an Internet Gateway attached. What is the most likely cause?

A. The route table of the private subnet does not have a default route pointing to the NAT Gateway
B. The Internet Gateway is not attached to the VPC
C. The security group of the EC2 instances blocks outbound traffic to the internet
D. The network ACL of the private subnet blocks outbound traffic
Answer: A

Without a route to the NAT Gateway, traffic to the internet fails.

Why this answer

Option A is correct because the route table associated with the private subnet must have a default route (0.0.0.0/0) pointing to the NAT Gateway. Option C is wrong because security groups can be checked separately. Option D is wrong because NACLs are stateless and would block all traffic if misconfigured.

Option B is wrong because the question states that the Internet Gateway is already attached; the private subnet's route only needs to point at the NAT Gateway.

221
Multi-Select · medium

A network engineer is configuring a site-to-site VPN connection between an on-premises network and AWS. The VPN tunnel is established, but traffic is not flowing. Which THREE components should the engineer check?

Select 3 answers
A. Security group rules on the VPC resources to allow inbound traffic from on-premises
B. On-premises firewall rules to allow IPsec traffic
C. Network ACLs for the subnet to allow return traffic
D. Internet Gateway attachment to the VPC
E. VPC route table for a route to the on-premises CIDR pointing to the virtual private gateway
Answers: A, B, E

Security groups control traffic flow.

Why this answer

Options A, B, and E are correct. The route table must have a route to the on-premises CIDR via the virtual private gateway. Security groups must allow traffic from on-premises.

The on-premises firewall must allow IPsec traffic. Option D is incorrect because the internet gateway is not needed for VPN traffic. Option C is incorrect because NACLs are stateless and usually allow return traffic if outbound is permitted.

222
MCQ · hard

A company is using AWS Direct Connect with a private VIF to connect to a VPC. The on-premises network team reports that they can ping the VPC's private IP addresses but cannot establish TCP connections to an EC2 instance's private IP. The security groups and NACLs are configured to allow the traffic. What is the most likely cause of this issue?

A. The EC2 instance's operating system firewall is blocking TCP traffic
B. The Direct Connect virtual interface is in a down state
C. The on-premises firewall is blocking ICMP but not TCP
D. The VPC route table is missing a route for the on-premises CIDR
Answer: A

The OS firewall can block TCP while allowing ICMP.

Why this answer

If pings work but TCP connections fail, the issue is likely at Layer 4 or above. The most common cause is the EC2 instance's operating system firewall (e.g., iptables) blocking inbound TCP. Option A is correct.

Options B, C, and D describe conditions that would break ping as well, which contradicts the reported symptoms.

223
MCQ · hard

A media company streams live video to viewers worldwide. The application runs on EC2 instances behind an Application Load Balancer in two AWS regions, us-east-1 and eu-west-1. The company uses Amazon CloudFront as a CDN with origins pointing to both regional ALBs. The network team recently deployed AWS Global Accelerator to improve performance by directing traffic to the nearest healthy endpoint. However, after enabling Global Accelerator, viewers in Europe report buffering issues, while viewers in the US have no issues. The team has verified that the Global Accelerator endpoints are healthy and the ALBs are functioning correctly. The application uses a custom domain name. The DNS is managed by Route 53. What is the most likely cause of the buffering issues for European viewers?

A. Global Accelerator is directing European traffic to the us-east-1 endpoint due to endpoint weight misconfiguration.
B. The Route 53 DNS record is not pointing to Global Accelerator but to CloudFront, bypassing Global Accelerator.
C. CloudFront is caching content from the us-east-1 origin only, causing high latency for European viewers.
D. The eu-west-1 ALB is not configured to accept traffic from Global Accelerator IPs.
Answer: A

If weights are not set to distribute traffic, all traffic may go to one region.

Why this answer

Option A is correct because Global Accelerator provides static IP addresses that are anycast from edge locations. When the custom domain resolves to the Global Accelerator DNS name, viewers receive IPs that may still route to the us-east-1 endpoint if the eu-west-1 endpoint is not properly configured or weighted, causing high latency. The most common cause is that the custom domain does point at Global Accelerator, but routing within Global Accelerator is not sending European traffic to the eu-west-1 endpoint because the endpoint weights are misconfigured or one endpoint is unhealthy.

Option B is wrong because the problem appeared only after Global Accelerator was enabled, which indicates that traffic is reaching Global Accelerator rather than bypassing it through CloudFront alone. Option C is wrong because CloudFront's origin caching would not change once Global Accelerator is in use. Option D is wrong because the team has verified that the endpoints are healthy and the ALBs are functioning correctly.

224
MCQ · hard

A company uses AWS Direct Connect and VPN as backup. They have a Transit Gateway with multiple VPC attachments. The network engineer wants to ensure that traffic uses Direct Connect when available and fails over to VPN. Which configuration should be applied?

A. Set a higher MED value on the VPN BGP advertisements.
B. Prepend AS_PATH on the VPN BGP advertisements to make them less preferred.
C. Apply BGP community tags from Direct Connect to set a higher local preference.
D. Configure BFD on both Direct Connect and VPN interfaces.
Answer: C

AWS uses BGP community tags to influence local preference.

Why this answer

Option C is correct because BGP communities from AWS allow setting local preference to prefer Direct Connect routes over VPN. Option B is wrong because AS_PATH prepending influences inbound route selection. Option A is wrong because MED also influences inbound selection.

Option D is wrong because BFD detects failure but does not control path preference.

225
MCQ · easy

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team wants to monitor the amount of data transferred between VPCs for cost allocation. Which AWS feature should they use?

A. CloudWatch Metrics for Transit Gateway.
B. VPC Flow Logs for each VPC.
C. AWS Config rules.
D. AWS CloudTrail logs.
Answer: B

Flow Logs capture individual flow data including byte counts.

Why this answer

Option B is correct because VPC Flow Logs can be published to CloudWatch Logs or S3 and provide network traffic logs that include source/destination IP, ports, and byte counts, which can be used for cost allocation. Option A is wrong because CloudWatch Metrics for Transit Gateway only show aggregate metrics like bytes in/out per attachment, not per-flow. Option C is wrong because AWS Config records resource configuration changes, not traffic.

Option D is wrong because CloudTrail records API calls.
