CCNA Network Mgmt Ops Questions

75 of 346 questions · Page 4/5 · Network Mgmt Ops topic

226 · Multi-Select · medium

A network engineer is troubleshooting network connectivity issues in a VPC. The engineer suspects that the network ACL is blocking traffic. Which TWO actions should the engineer take to verify this?

Select 2 answers
A. Review the inbound and outbound rules of the network ACL.
B. Check the security group rules for the affected instances.
C. Use AWS CloudTrail to view network traffic logs.
D. Enable VPC Flow Logs and filter for 'ACCEPT' or 'REJECT' status.
E. Test connectivity using AWS Direct Connect.
Answers: A, D

NACL rules explicitly allow or deny traffic, and a REJECT record in the flow logs shows which flows were denied.

Why this answer

Options A and D are correct: reviewing the NACL's inbound and outbound rules (including the ephemeral-port rules a stateless NACL needs for return traffic) and enabling VPC Flow Logs filtered on REJECT together show whether the NACL is denying the traffic. A flow log REJECT does not by itself say whether the security group or the NACL dropped the packet, so the two checks are used together: if the security group allows the flow and the record still shows REJECT, the NACL is the remaining suspect. Option B tests a different hypothesis: security groups are stateful and a separate control, so checking them does not verify that the NACL is at fault (it is a reasonable follow-up if the NACL rules look correct). Option C is wrong because CloudTrail records API calls, not network traffic. Option E is wrong because Direct Connect is unrelated to the problem.

227 · MCQ · hard

A company has a multi-VPC architecture using AWS Transit Gateway (TGW). They have a central inspection VPC with a Gateway Load Balancer (GWLB) and third-party firewall appliances. All other VPCs are attached to the TGW and have route tables that send traffic to the inspection VPC for inspection. Recently, the network team deployed a new VPC (VPC-D) and attached it to the TGW. They configured the VPC-D route table to send all inter-VPC traffic to the TGW. However, traffic from VPC-D to other VPCs is not being inspected. The team confirmed that the firewall appliances are healthy and the GWLB is correctly configured. Which action should the network team take to ensure traffic from VPC-D is inspected?

A.Enable route propagation on VPC-D's TGW attachment.
B.Add a route in VPC-D's subnet route tables pointing to the TGW for all traffic.
C.Create a new TGW route table and associate all VPC attachments to it.
D.Associate VPC-D's TGW attachment with the correct TGW route table that routes traffic to the inspection VPC.
AnswerD

This ensures TGW forwards traffic from VPC-D through the inspection VPC.

Why this answer

Each VPC attached to TGW has a TGW route table that controls how traffic is forwarded. To send traffic from VPC-D through the inspection VPC, the TGW route table associated with VPC-D's attachment must have routes that point to the inspection VPC's attachment. Simply attaching the VPC does not automatically associate it with the correct TGW route table.

Option B is correct because it ensures that the TGW route table used by VPC-D directs traffic to the inspection VPC.

228 · Multi-Select · easy

A company is using AWS CloudWatch to monitor network metrics. They want to create a dashboard that shows the total number of bytes sent and received by all EC2 instances in a specific VPC. Which two metrics should they use? (Choose TWO.)

Select 2 answers
A. TotalNetworkBytes
B. NetworkPacketsOut
C. NetworkOut
D. NetworkPacketsIn
E. NetworkIn
Answers: C, E

NetworkOut counts bytes sent and NetworkIn counts bytes received.

Why this answer

NetworkIn and NetworkOut are the EC2 metrics that measure bytes received and sent on all network interfaces of an instance; their sum is the total byte count the dashboard needs. NetworkPacketsIn and NetworkPacketsOut are real metrics but count packets, not bytes. TotalNetworkBytes is not an EC2 metric.

EC2 publishes these metrics per instance (InstanceId dimension) with no VPC dimension, so a whole-VPC figure has to be built by summing the instances' series, for example with metric math (SUM over a SEARCH of the VPC's instance IDs, or the AutoScalingGroupName dimension where the instances belong to one group).

229 · MCQ · hard

A company uses AWS Direct Connect with a public VIF to access Amazon S3. The network team notices that the latency to S3 increases significantly during peak hours. They have tested the connection and confirmed that the physical link is not saturated. The company uses a single Direct Connect connection. The S3 traffic is routed over the public VIF. The team wants to improve performance without adding a new Direct Connect connection. Which action should the team take to reduce latency?

A.Use an AWS Site-to-Site VPN connection over the Direct Connect to access S3 via private IP.
B.Add a second Direct Connect connection to load balance traffic.
C.Configure the Direct Connect public VIF to use a different AWS region closer to the on-premises location.
D.Create an S3 Gateway Endpoint in the VPC and route S3 traffic through a private VIF attached to the VPC.
AnswerD

Gateway Endpoint keeps traffic within AWS and reduces latency compared to public VIF.

Why this answer

Using a Direct Connect gateway allows you to connect to multiple VPCs and also to AWS public services via a private VIF. However, for S3, you can use a private VIF with a VPC interface endpoint (Gateway Endpoint for S3) to keep traffic within the AWS network and avoid internet transit. This reduces latency because traffic goes from Direct Connect to the VPC and then to S3 via the gateway endpoint.

Option B (adding VPN) adds IPSec overhead. Option C uses a different AWS region, which may increase latency. Option D (adding a second Direct Connect) is not allowed per the question.

230 · Matching · medium

Match each VPN term to its correct description in the context of AWS Site-to-Site VPN.

Virtual private gateway (VGW): VPN concentrator on the AWS side attached to a VPC

Customer gateway (CGW): VPN device on the on-premises side

Site-to-Site VPN connection (IPsec tunnel): Encrypted IPsec connection between VGW and CGW

Pre-shared key (PSK): Secret key used to authenticate the VPN tunnel endpoints

BGP: Dynamic routing protocol used to exchange routes over VPN tunnels

Why these pairings

These are the building blocks of an AWS Site-to-Site VPN: the VGW (or a transit gateway) terminates the tunnels on the AWS side, the CGW resource represents the on-premises device, each VPN connection provides two IPsec tunnels for redundancy, the PSK authenticates each tunnel's IKE negotiation, and BGP (when dynamic routing is chosen) exchanges prefixes over the tunnels instead of static routes.

231 · MCQ · easy

A company is using AWS Direct Connect with a private VIF to access their VPC. Users report intermittent connectivity issues. You check the Direct Connect console and see that the virtual interface state is 'down'. What is the MOST likely cause?

A.AWS Site-to-Site VPN is not established.
B.MACsec encryption is misconfigured on the customer router.
C.BGP session between the customer router and AWS is down.
D.Jumbo frames are enabled on the VIF but not supported by the customer router.
AnswerC

A private VIF requires an active BGP session; if BGP is down, the VIF state becomes down.

Why this answer

A private VIF relies on a BGP session between the customer router and the AWS Direct Connect router to exchange routes and maintain the virtual interface state. When the BGP session goes down, the VIF state transitions to 'down' because no routing information is being exchanged, causing connectivity loss. This is the most direct and common cause of a VIF being in the 'down' state.

Exam trap

The trap here is that candidates often assume a VIF 'down' state is caused by physical or Layer 1 issues (like MACsec or jumbo frames), but the VIF state is directly tied to the BGP session status, not the underlying physical link.

How to eliminate wrong answers

Option A is wrong because AWS Site-to-Site VPN is a separate connectivity option and is not required for a Direct Connect private VIF to function; the VIF state is independent of any VPN. Option B is wrong because MACsec encryption, when misconfigured, would cause link-level encryption failures but would not directly cause the BGP session or VIF state to go down; the VIF would remain 'up' at the Layer 1/2 level. Option D is wrong because jumbo frame misconfiguration would cause packet loss or MTU issues but would not bring the BGP session or VIF state down; the VIF would still show as 'up' if the BGP session is established.

232 · Multi-Select · medium

A company is using AWS Transit Gateway to connect multiple VPCs and an on-premises network via Direct Connect. They notice that traffic between VPCs is being dropped intermittently. Which TWO actions should the engineer take to diagnose the issue? (Choose two.)

Select 2 answers
A. Monitor the Transit Gateway's CloudWatch metrics for packets dropped due to route table limits
B. Review the security group rules on the Transit Gateway
C. Enable VPC Flow Logs on the VPCs
D. Check if the VPC CIDRs are overlapping
E. Create a VPN connection for backup
Answers: A, C

TGW drop metrics and VPC Flow Logs together show where the intermittent loss occurs.

Why this answer

Options A and C are correct. Transit Gateway publishes CloudWatch metrics for traffic and drops (PacketDropCountBlackhole for blackhole routes and PacketDropCountNoRoute for destinations with no matching route), which show whether the TGW itself is discarding packets, for example when a route table hits its limits. VPC Flow Logs on the affected VPCs show which flows are REJECTed or never answered at the ENI level, narrowing the drop to a security group, NACL or missing return route.

Option B is wrong because security groups cannot be attached to a Transit Gateway. Option D is a design check rather than a diagnostic step, and overlapping CIDRs produce consistent, not intermittent, failures (the TGW uses the longest matching route, and identical prefixes make one VPC permanently unreachable). Option E is wrong because a backup VPN adds a path instead of diagnosing the drops.

233 · MCQ · medium

Refer to the exhibit. A network engineer is creating an IAM policy to allow a user to manage VPC Peering connections. The user reports that they cannot delete a VPC Peering connection. What should the engineer add to the policy?

A. ec2:DeleteVpcPeeringConnection
B. ec2:DescribeVpcPeeringConnectionRouteTables
C. ec2:ModifyVpcPeeringConnectionOptions
D. ec2:RejectVpcPeeringConnection
Answer: A

This action allows deleting peering connections.

Why this answer

Option A is correct: the policy lacks 'ec2:DeleteVpcPeeringConnection', and IAM implicitly denies any action that no statement allows. Option C is wrong because 'ec2:ModifyVpcPeeringConnectionOptions' only changes options such as DNS resolution on an existing peering. Option B is wrong because 'ec2:DescribeVpcPeeringConnectionRouteTables' is not a valid EC2 action (the read action is 'ec2:DescribeVpcPeeringConnections'). Option D is wrong because 'ec2:RejectVpcPeeringConnection' rejects a pending request; it does not delete an active peering connection.
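The exhibit's policy is not reproduced on the page, so the following is an added Python example (written for this page, not part of the question bank) with a hypothetical policy standing in for it. It shows how IAM resolves an action against an identity policy (an explicit Deny wins, otherwise some Allow must match, with `*` and `?` wildcards, otherwise the action is implicitly denied) and why the user above stays denied until `ec2:DeleteVpcPeeringConnection` is added. Resource and Condition matching are deliberately left out.

```python
"""Evaluate whether an IAM identity policy allows an action (added example)."""
import json
import re

# Hypothetical policy standing in for the exhibit: every peering action except Delete.
PEERING_POLICY_BEFORE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ManagePeering",
        "Effect": "Allow",
        "Action": [
            "ec2:CreateVpcPeeringConnection",
            "ec2:AcceptVpcPeeringConnection",
            "ec2:RejectVpcPeeringConnection",
            "ec2:ModifyVpcPeeringConnectionOptions",
            "ec2:DescribeVpcPeeringConnections",
        ],
        "Resource": "*",
    }],
})


def _as_list(value):
    """IAM lets Statement, Action and NotAction be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' matches any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def policy_allows(policy_json, action):
    """True if the policy allows `action`; resources and conditions are ignored here."""
    policy = json.loads(policy_json)
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        not_patterns = _as_list(stmt.get("NotAction", []))
        if patterns:
            hit = any(_action_matches(p, action) for p in patterns)
        else:  # NotAction: the statement applies to everything except the listed actions
            hit = not any(_action_matches(p, action) for p in not_patterns)
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides every Allow
        allowed = True
    return allowed  # False here is IAM's implicit deny


def add_action(policy_json, sid, action):
    """Return a copy of the policy with `action` appended to the statement named `sid`."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Sid") == sid:
            actions = _as_list(stmt.get("Action", []))
            if action not in actions:
                actions.append(action)
            stmt["Action"] = actions
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    target = "ec2:DeleteVpcPeeringConnection"
    print("before:", policy_allows(PEERING_POLICY_BEFORE, target))
    fixed = add_action(PEERING_POLICY_BEFORE, "ManagePeering", target)
    print("after: ", policy_allows(fixed, target))
```

The wildcard handling matters in practice: a broad grant such as `ec2:*VpcPeering*` would already cover the delete action, while a separate `Deny` on `ec2:Delete*` (common in guardrail SCPs or permission boundaries) would block it no matter what the Allow statement says, so both places need checking before adding the action.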

234 · MCQ · easy

A network engineer is setting up an AWS Site-to-Site VPN connection. The customer gateway device is behind a NAT device that performs PAT. The VPN tunnel fails to come up. What is the most likely cause?

A. The tunnel options (DPD, encryption algorithms) must match exactly.
B. Dead peer detection (DPD) is disabled.
C. The VPN connection does not have route propagation enabled.
D. The NAT device is not forwarding UDP 500 and UDP 4500 traffic.
Answer: D

IKE uses UDP 500, and NAT traversal (NAT-T) encapsulates IPsec in UDP 4500.

Why this answer

Option D is correct. IKE negotiation runs on UDP 500 and, because the customer gateway device sits behind PAT, ESP has to be encapsulated in UDP 4500 (NAT-T); if the NAT device does not forward those two UDP ports to the device, the tunnel never negotiates. Two related checks: the customer gateway resource in AWS must be created with the NAT device's public IP rather than the device's private address, and NAT-T must be enabled on the device (AWS Site-to-Site VPN supports NAT-T). Option A describes a requirement for any tunnel (mismatched proposals fail with or without NAT), so it does not explain a NAT-specific failure. Option B is wrong because DPD only detects a dead peer after the tunnel is up; disabling it does not stop the tunnel from establishing. Option C is wrong because route propagation affects which routes appear in the VPC route table, not tunnel establishment.

235 · MCQ · medium

A company has a Direct Connect connection with a private VIF to a VPC. The network team notices intermittent packet loss on the link. CloudWatch metrics show no errors on the connection. What should the team do next to isolate the issue?

A. Run a traceroute from an on-premises device to an EC2 instance in the VPC.
B. Check the BGP session status on the customer router.
C. Enable VPC Flow Logs on the VPC.
D. Increase the bandwidth of the Direct Connect connection.
Answer: A

Traceroute (or a continuous mtr) helps pinpoint the hop where packets are lost.

Why this answer

Option A is correct because a traceroute from on premises to an instance in the VPC shows the hops along the path and which of them starts losing probes, separating a problem on the customer side from one on the AWS side. For intermittent loss a continuous run (mtr) is more useful than a single traceroute. Option B is wrong because the link is passing most traffic, so BGP is already established; the session status shows whether the routing adjacency is up, not where packets are lost. Option C is wrong because VPC Flow Logs record flows at the ENI and show drops by security groups or NACLs, not packet loss on the Direct Connect path. Option D is wrong because the CloudWatch metrics show no errors and no saturation is reported; adding bandwidth does not isolate the fault.

236 · MCQ · medium

A company has an AWS Site-to-Site VPN connection between an on-premises network and a VPC. The VPN uses virtual private gateways and static routes. The network team reports that the VPN tunnel is up, but traffic from the on-premises network cannot reach some EC2 instances in the VPC. The EC2 instances have security groups that allow inbound traffic from the on-premises network. The VPC route table has a route pointing to the virtual private gateway for the on-premises CIDR. The tunnel status shows 'UP' from both sides. What is the MOST likely cause of the connectivity issue?

A. The VPC route table does not have a route for the on-premises subnet that the traffic originates from, but only for a larger CIDR.
B. The VPC has a network ACL that denies inbound traffic from the on-premises CIDR.
C. The customer gateway device is using a different pre-shared key than configured in AWS.
D. The virtual private gateway is not attached to the correct VPC.
Answer: A

If the routes do not cover the actual source prefix, return traffic has no path and the connection fails.

Why this answer

With a tunnel that is UP and security groups that permit the on-premises source, the remaining suspect is routing. An EC2 instance's replies only reach the virtual private gateway if a route in that instance's subnet route table matches the on-premises source address; with static routing the same prefix must also be listed in the VPN connection's static routes, or the VGW has nowhere to send it. If the on-premises hosts are sending from addresses the configured routes do not cover (for example the VPN is configured for one site prefix and the failing hosts use another), the forward packets arrive but the replies never leave the VPC. The practical check is the route table of the specific subnet hosting the unreachable instances, because route tables are associated per subnet and "some instances" unreachable usually means some subnets' tables differ.

Option B is possible, but the scenario points at routing rather than filtering; an NACL denial is the next thing to verify. Option C is ruled out because a pre-shared key mismatch prevents IKE from completing, so the tunnel would not be UP. Option D is ruled out because the VPC route table already contains a route to the VGW, which is only possible if the VGW is attached to that VPC.

237 · MCQ · medium

A company has a VPC with public and private subnets. The public subnet has a NAT Gateway, and the private subnet has EC2 instances that need internet access. The private instances can reach the internet, but cannot access an S3 bucket in the same region using the S3 gateway endpoint. What is the most likely cause?

A. The S3 gateway endpoint is not in the same VPC.
B. The S3 bucket policy does not allow access from the VPC.
C. The NAT Gateway is in a different availability zone than the private instances.
D. The private subnet's route table does not have a route to the S3 gateway endpoint.
Answer: D

Without a route to the endpoint, traffic to S3 leaves through the NAT Gateway instead of the endpoint.

Why this answer

A gateway endpoint works by adding a route for the Region's S3 managed prefix list, with the endpoint as target, to the route tables you select when creating or modifying the endpoint. If the private subnet's route table is not associated with the endpoint, the instances' S3 traffic follows the 0.0.0.0/0 route to the NAT Gateway and reaches S3 over the internet as ordinary internet traffic; a bucket policy or endpoint policy that requires requests to arrive through the endpoint (for example a condition on aws:SourceVpce) then denies them. The endpoint policy must also allow the traffic, and a gateway endpoint is never reached through the NAT Gateway.

238 · MCQ · hard

A company has a multi-account AWS environment using AWS Transit Gateway. The network team wants to centralize network logging from all accounts into a single account for analysis. Which combination of services should be used to achieve this?

A. AWS CloudTrail and Amazon CloudWatch Logs
B. Amazon Kinesis Data Streams and Amazon Redshift
C. Amazon S3 and Amazon Athena
D. AWS Config and Amazon DynamoDB
Answer: C

VPC Flow Logs can be published to a central S3 bucket, and Athena can query them in place.

Why this answer

Option C is correct because VPC Flow Logs (and Transit Gateway Flow Logs) from every account can be delivered to a single S3 bucket in the logging account, using a bucket policy that grants the log delivery service permission for each source account, and Amazon Athena can then query the logs in place with SQL. Option A is wrong because CloudTrail records API activity rather than network traffic, and while CloudWatch Logs supports cross-account subscriptions, it is not the straightforward central store for flow-log analysis. Option B is wrong because Kinesis Data Streams and Redshift mean building and operating a streaming and warehousing pipeline for something S3 and Athena handle natively. Option D is wrong because AWS Config records configuration changes, not network traffic.

239 · MCQ · hard

A network engineer has created a VPC endpoint for a VPC endpoint service. The endpoint is 'available' but the application cannot connect to the service using the private DNS name. The engineer checks the Route 53 private hosted zone and finds that no record exists for the endpoint. What is the most likely cause?

A. The VPC endpoint service is not accepting connections
B. The VPC endpoint policy is blocking connectivity
C. The security group for the endpoint does not allow inbound traffic
D. The 'PrivateDnsEnabled' flag is set to false on the VPC endpoint
Answer: D

If private DNS is not enabled, Route 53 does not automatically create records for the endpoint.

Why this answer

Option D is correct. An interface endpoint only gets Route 53 records for the service's private DNS name when private DNS is enabled on the endpoint ('PrivateDnsEnabled': true); that in turn requires the service provider to have verified the private DNS name for the endpoint service and the consumer VPC to have enableDnsHostnames and enableDnsSupport turned on. With the flag false, the endpoint is 'available' and reachable by its regional and zonal endpoint DNS names, but the application's private name does not resolve, which matches the missing record. Options A, B and C would all break connectivity after name resolution succeeds (a pending or rejected connection, an endpoint policy deny, or a security group drop); none of them explains why no DNS record exists.

240 · Multi-Select · medium

A company is troubleshooting a slow network connection between two EC2 instances in the same VPC but different Availability Zones. Which TWO tools can be used to measure throughput and diagnose performance issues?

Select 2 answers
A. iperf
B. tcpdump
C. traceroute
D. nslookup
E. ping
Answers: A, C

iperf measures throughput; traceroute shows the path and per-hop latency.

Why this answer

Options A and C are correct. iperf (iperf3) runs a server on one instance and a client on the other and reports achieved throughput, and with UDP also jitter and loss; traceroute shows the hops between the two instances and the latency at each. Option D is wrong because nslookup resolves names and measures nothing about the data path. Option B is wrong because tcpdump captures packets for inspection but does not measure throughput (it is the right follow-up tool for looking at retransmissions). Option E is wrong because ping measures round-trip time and reachability but not throughput.

241 · Multi-Select · medium

A company is designing a highly available Direct Connect connection. Which THREE components should be deployed to meet this requirement? (Select THREE.)

Select 3 answers
A. A single BGP session over one of the virtual interfaces.
B. Two Direct Connect connections to two different AWS Direct Connect locations.
C. A VPN connection as a backup to Direct Connect.
D. Two customer routers (or one router with two physical interfaces) connecting to the two Direct Connect connections.
E. Two virtual interfaces (VIFs) configured on the Direct Connect connections.
Answers: B, D, E

Two connections at two locations provide physical and site diversity.

Why this answer

High availability for Direct Connect needs redundancy at each layer: two connections, preferably terminating at two different Direct Connect locations so a site outage cannot take both down; two customer routers (or two physical interfaces on one router) so a single device port is not a shared failure point; and a virtual interface on each connection, each with its own BGP session, so that BGP withdraws the failed path and traffic fails over automatically. Option A is the opposite of redundancy. Option C is a legitimate backup design, but a VPN over the internet does not give Direct Connect-level bandwidth or performance and is not one of the Direct Connect components the question asks for.

242 · MCQ · hard

A network engineer is troubleshooting connectivity issues between two VPCs that are peered. The VPCs are in the same region but different accounts. The engineer verifies that the route tables and security group rules are correctly configured. However, instances in VPC A cannot ping instances in VPC B. What is the most likely cause?

A. Network ACLs are not configured to allow inbound ICMP
B. The route tables in VPC A point to a VPN gateway instead of the VPC peering connection
C. Security groups are stateful and block return traffic
D. The VPC peering connection is in the 'failed' state
Answer: B

Transitive routing is not supported; routes must point directly to the peering connection.

Why this answer

Option B is correct because VPC peering is not transitive: traffic for the peer VPC's CIDR has to be routed to the peering connection itself in the subnet route tables of both VPCs. A route that sends that prefix to a VPN gateway or any other intermediate device never reaches the peer. Option C is wrong because stateful security groups automatically allow the return traffic of a permitted flow. Option A is plausible for ICMP specifically (stateless NACLs need both directions allowed) and is the next check once the routes are confirmed, but the answer key treats the routing mistake as the most likely cause. Option D is wrong because a failed peering connection would not be active at all, and the scenario treats it as established.

243 · MCQ · easy

A network engineer needs to troubleshoot high latency between two EC2 instances in the same VPC but in different Availability Zones. Which tool should be used to measure network performance?

A. Use traceroute to identify the path
B. Use ping to test connectivity
C. Use iperf to measure throughput and latency
D. Use netstat to check network statistics
Answer: C

iperf is designed for active network performance measurement.

Why this answer

Option C is correct because iperf is the standard tool for an active performance measurement between two hosts: it generates traffic and reports throughput (and, for UDP, jitter and loss), which shows whether the inter-AZ path is underperforming. Option A is wrong because traceroute shows the path and per-hop round-trip time but not sustained performance. Option D is wrong because netstat reports connections and interface counters on one host, not an end-to-end measurement. Option B is wrong because ping measures round-trip time and reachability but not throughput.

244 · MCQ · medium

A network engineer is troubleshooting connectivity issues between an EC2 instance in a VPC and an on-premises server over a Direct Connect connection. The engineer has verified that the VPC route tables, Direct Connect virtual interface, and on-premises routing are correctly configured. Which tool should be used to verify the path MTU and identify fragmentation issues?

A. Use the netstat command
B. Use the ping command with the DF flag set to test MTU
C. Use the nslookup command
D. Use the traceroute command
Answer: B

ping with the 'do not fragment' flag set can detect MTU issues.

Why this answer

The ping command with the Don't Fragment (DF) flag set (for example `ping -M do -s <size>` on Linux, or `ping -f -l <size>` on Windows) is the correct tool to verify path MTU because it forbids fragmentation. If the packet exceeds the MTU of any link along the path, the router drops it and returns an ICMP Fragmentation Needed message, so by varying the size you find the largest payload that passes. Remember to add the 28 bytes of IPv4 and ICMP headers to the payload: `-s 1472` tests a 1500-byte packet. If a device on the path filters ICMP, the probes simply time out instead of reporting Fragmentation Needed (a PMTUD black hole); the boundary is still found by the same size sweep, and the fix is to lower the MTU or clamp the TCP MSS at the edge.

Exam trap

The trap here is that candidates often choose traceroute (option D) thinking it shows MTU along the path, but traceroute does not set the DF flag or control payload size to test fragmentation; it only measures hop latency and path, not MTU boundaries.

How to eliminate wrong answers

Option A is wrong because netstat displays network connections, routing tables, and interface statistics, but it cannot test path MTU or detect fragmentation. Option C is wrong because nslookup is a DNS resolution tool that queries name servers and has no relevance to MTU or fragmentation testing. Option D is wrong because traceroute shows the hop-by-hop path and latency but does not allow you to set the DF flag or control packet size to specifically test MTU thresholds; it can indicate path changes but not fragmentation boundaries.
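To make the size sweep concrete, here is an added Python example (not from the page) that implements path MTU discovery as a binary search over DF probes, with the header arithmetic the ping flags need. The real probe would be one `ping -M do -s <payload>` (or `ping -f -l <payload>` on Windows) per iteration; since that cannot run here, the probe is a constructed simulated path whose smallest link MTU is the value the search has to find. The 1446-byte hop mirrors the MTU of an AWS Site-to-Site VPN tunnel, a common squeeze point on hybrid paths.

```python
"""Path MTU discovery as a binary search over Don't-Fragment probes (added example)."""

IP_HEADER = 20     # IPv4 header without options
ICMP_HEADER = 8    # ICMP echo header; ping's -s / -l value is the payload that follows it


def payload_for_mtu(mtu):
    """ICMP payload size that produces a packet of exactly `mtu` bytes on the wire (IPv4)."""
    return mtu - IP_HEADER - ICMP_HEADER


def ping_command(payload, target, os_name="linux"):
    """The DF probe an engineer would type for a given payload size."""
    if os_name == "linux":
        return f"ping -M do -c 1 -s {payload} {target}"
    if os_name == "windows":
        return f"ping -f -n 1 -l {payload} {target}"
    raise ValueError(f"unsupported os_name {os_name!r}")


def find_path_mtu(probe, low=576, high=9001):
    """Largest IPv4 packet size (bytes) that `probe(size)` delivers with DF set.

    `probe` returns True if the packet got through. A hop that drops the packet
    may answer with ICMP Fragmentation Needed or say nothing at all (a PMTUD
    black hole); both are simply a failed probe, so the search converges either way.
    `low` is the classic 576-byte IPv4 minimum, `high` the largest jumbo frame AWS supports.
    """
    if not probe(low):
        raise RuntimeError(f"{low}-byte packets are dropped: check basic reachability first")
    if probe(high):
        return high
    while high - low > 1:          # invariant: probe(low) passed, probe(high) failed
        mid = (low + high) // 2
        if probe(mid):
            low = mid
        else:
            high = mid
    return low


def simulated_path(link_mtus):
    """Constructed stand-in for the network: a DF packet passes iff it fits every hop."""
    bottleneck = min(link_mtus)
    return lambda packet_size: packet_size <= bottleneck


if __name__ == "__main__":
    # Constructed hybrid path: jumbo-capable VPC, 1500-byte Direct Connect, 1446-byte VPN hop.
    path = simulated_path([9001, 1500, 1446, 1500])
    mtu = find_path_mtu(path)
    print(f"path MTU {mtu} bytes; largest passing probe: "
          f"{ping_command(payload_for_mtu(mtu), '10.0.0.10')}")
```

Against a live path, replace the simulated probe with a function that runs the ping command and returns whether a reply came back; a timeout counts as failure exactly like a Fragmentation Needed reply, which is what lets the sweep work through ICMP-filtering hops.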

245 · MCQ · medium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. They want to limit traffic between specific VPCs for security purposes. Which feature should they use?

A. Security groups attached to the Transit Gateway.
B. Transit Gateway route tables.
C. VPC Flow Logs.
D. Network ACLs in each VPC.
Answer: B

Route tables control which attachments can reach which others.

Why this answer

Option B is correct because a Transit Gateway segments traffic with its route tables: each attachment is associated with one route table, and an attachment can only reach the destinations that table holds a route for. Separate tables for different groups of VPCs, with blackhole routes for prefixes that must never be reached, limit traffic between specific VPCs at the TGW itself. Option A is wrong because security groups cannot be attached to a Transit Gateway. Option D is wrong because network ACLs are per-subnet filters inside each VPC; they can block traffic but do not control which VPCs the TGW interconnects. Option C is wrong because VPC Flow Logs are for monitoring, not enforcement. Route tables only decide reachability by prefix; filtering inter-VPC traffic at Layer 4 and above needs an inspection VPC (AWS Network Firewall or a third-party appliance) in front of the route tables.
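Questions 227, 245 and 252 hinge on the same mechanism: an attachment is associated with exactly one TGW route table, and that table's longest-prefix match decides the next hop. The following added Python model (written for this page; it is not an AWS SDK call and does not touch a real TGW) reproduces that logic for a constructed hub-and-spoke inspection topology, showing how a spoke left in the default table bypasses inspection (question 227) and how a blackhole route in the spoke table segments traffic (question 245).

```python
"""Minimal model of Transit Gateway forwarding (added example, constructed topology)."""
import ipaddress


class TransitGateway:
    def __init__(self):
        self.association = {}   # attachment id -> name of its single associated route table
        self.routes = {}        # route table name -> list of (ip_network, target attachment or None)

    def create_route_table(self, name):
        self.routes.setdefault(name, [])

    def associate(self, attachment, table):
        """An attachment is associated with exactly one TGW route table."""
        if table not in self.routes:
            raise KeyError(f"unknown route table {table}")
        self.association[attachment] = table

    def add_route(self, table, cidr, target):
        """target is an attachment id, or None for a blackhole route (explicit drop)."""
        self.routes[table].append((ipaddress.ip_network(cidr), target))

    def next_hop(self, src_attachment, dst_ip):
        """Where the TGW sends a packet that arrived from src_attachment for dst_ip."""
        table = self.association.get(src_attachment)
        if table is None:
            return "drop: attachment has no route table association"
        ip = ipaddress.ip_address(dst_ip)
        candidates = [(net, tgt) for net, tgt in self.routes[table] if ip in net]
        if not candidates:
            return "drop: no route"
        _, target = max(candidates, key=lambda c: c[0].prefixlen)   # longest prefix wins
        return "drop: blackhole" if target is None else target


def build_inspection_topology(vpc_d_table="spoke"):
    """Hub-and-spoke inspection design (constructed): spokes send everything to the
    inspection VPC; the inspection VPC's table holds the real VPC routes; the TGW
    default table, where a new attachment lands, routes VPC to VPC directly."""
    tgw = TransitGateway()
    for name in ("spoke", "inspection", "default"):
        tgw.create_route_table(name)
    spokes = {"vpc-a": "10.1.0.0/16", "vpc-b": "10.2.0.0/16", "vpc-d": "10.4.0.0/16"}
    for att in spokes:
        tgw.associate(att, vpc_d_table if att == "vpc-d" else "spoke")
    tgw.associate("inspection-vpc", "inspection")
    tgw.add_route("spoke", "0.0.0.0/0", "inspection-vpc")
    for att, cidr in spokes.items():
        tgw.add_route("inspection", cidr, att)
        tgw.add_route("default", cidr, att)
    return tgw


if __name__ == "__main__":
    tgw = build_inspection_topology(vpc_d_table="default")   # VPC-D as question 227 found it
    print("VPC-D -> 10.1.0.5 via default table:", tgw.next_hop("vpc-d", "10.1.0.5"))
    tgw.associate("vpc-d", "spoke")                           # the fix: re-associate
    print("VPC-D -> 10.1.0.5 via spoke table:  ", tgw.next_hop("vpc-d", "10.1.0.5"))
    tgw.add_route("spoke", "10.2.0.0/16", None)               # question 245: segment off VPC-B
    print("VPC-A -> 10.2.0.1 after blackhole:  ", tgw.next_hop("vpc-a", "10.2.0.1"))
```

The model stops at the TGW: as question 252 points out, each VPC's subnet route tables still need their own static route to the TGW for traffic to get there at all. On a real inspection design also enable appliance mode on the inspection VPC attachment so that both directions of a flow are delivered to the same Availability Zone and therefore the same appliance.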

246 · Multi-Select · medium

A network engineer is troubleshooting high latency on a Direct Connect connection. Which TWO actions should the engineer take to diagnose the issue?

Select 2 answers
A. Check the BGP session status
B. Enable VPC Flow Logs on the VPC
C. Run a continuous 'mtr' from on-premises to an AWS resource
D. Review CloudWatch metrics for the Direct Connect virtual interface
E. Run a traceroute from on-premises to an AWS IP address
Answers: C, D

mtr identifies latency and loss at each hop; CloudWatch shows whether the VIF is saturated or taking errors.

Why this answer

Options C and D are correct. A continuous mtr run from on premises to a resource in the VPC combines traceroute and ping, so it shows per-hop latency and loss over time and catches intermittent spikes that a single traceroute misses. The Direct Connect CloudWatch metrics (bits and packets per second for the connection and for each VIF, such as ConnectionBpsEgress/Ingress and VirtualInterfaceBpsEgress/Ingress, plus error counts and light levels) show whether the connection or VIF is saturated or erroring during the latency spikes; Direct Connect does not publish a latency metric itself. Option E is weaker than C because a single traceroute gives one snapshot and ICMP may be rate-limited or filtered along the path. Option A is incorrect because BGP session status shows whether routing is up, not how much latency the path adds. Option B is incorrect because VPC Flow Logs record traffic metadata, not latency.

247 · MCQ · hard

A financial company has a multi-account AWS environment using AWS Organizations. They have deployed a centralized inspection VPC with a third-party firewall appliance. All VPCs are attached to a Transit Gateway. The security team wants to ensure that all traffic between VPCs is inspected by the firewall. The firewall is deployed in an Auto Scaling group behind a Network Load Balancer (NLB). What is the BEST way to route traffic to the firewall?

A. Use a Gateway Load Balancer (GWLB) endpoint in each VPC to route traffic to the firewall.
B. Use VPC peering between each VPC and the inspection VPC.
C. Deploy a firewall appliance in each VPC and route traffic locally.
D. Create a Transit Gateway attachment in the inspection VPC and point the NLB as the target. Route traffic through the Transit Gateway route tables to the inspection VPC.
Answer: D

The TGW route tables steer all inter-VPC traffic through the inspection VPC, where the NLB distributes it across the firewall fleet.

Why this answer

Option D is the answer the question is built around: with the firewall fleet already deployed behind an NLB in the inspection VPC, the spoke VPCs' TGW route table sends inter-VPC traffic to the inspection VPC attachment, and inside that VPC the subnet route tables and the NLB deliver it to the Auto Scaling group of appliances, so every flow is inspected without touching the spoke VPCs. Enable appliance mode on the inspection VPC attachment so both directions of a flow are sent to the same Availability Zone and therefore the same appliance. Option A is rejected by the scenario, because the firewalls sit behind an NLB rather than a GWLB; in a new design a GWLB with GWLB endpoints is the AWS-recommended pattern for transparent inspection, but it is not what this company has deployed. Option B is incorrect because VPC peering is not transitive and would bypass the Transit Gateway and its central routing. Option C is incorrect because per-VPC firewalls abandon the centralized inspection the security team requires.

248 · MCQ · easy

A company has deployed a web application in a VPC with public subnets for the web servers and private subnets for the database servers. The web servers need to access the internet for software updates. The network engineer configured a NAT Gateway in the public subnet and added a route in the private subnet route table pointing 0.0.0.0/0 to the NAT Gateway. However, the web servers cannot reach the internet. What is the most likely cause?

A. The private subnet route table does not have a route to the NAT Gateway for 0.0.0.0/0.
B. The security group of the web servers is blocking outbound traffic to the internet.
C. The web servers are in a public subnet, but the route table for the public subnet points 0.0.0.0/0 to the NAT Gateway instead of the Internet Gateway.
D. The NAT Gateway does not have a route to the Internet Gateway in its route table.
Answer: C

Public subnets should route internet traffic to an Internet Gateway, not a NAT Gateway. The NAT Gateway is for private subnets.

Why this answer

Option C is correct because the web servers live in the public subnet, whose route table must send 0.0.0.0/0 to the Internet Gateway (IGW) for direct internet access. The engineer's 0.0.0.0/0 route to the NAT Gateway belongs in the private subnet's table, where it lets the database tier reach the internet for updates; if the public subnet's table also points 0.0.0.0/0 at the NAT Gateway, the web servers' packets are handed to the NAT Gateway, which forwards using the route table of the subnet it sits in (the same public subnet table) and so never reaches the IGW. Web servers in a public subnet also need public or Elastic IP addresses for the IGW path to work.

Exam trap

The trap here is that candidates often confuse the purpose of a NAT Gateway (for private subnets) with an Internet Gateway (for public subnets), and assume that placing a NAT Gateway in a public subnet automatically provides internet access to instances in that subnet, when in fact the route table must point to the IGW for public subnets.

How to eliminate wrong answers

Option A is wrong because the private subnet route table does have a route to the NAT Gateway for 0.0.0.0/0 as stated in the scenario, so this is not the issue. Option B is wrong because security groups are stateful and by default allow all outbound traffic; unless explicitly modified to block outbound traffic, they would not prevent internet access. Option D is wrong because a NAT Gateway does not have its own route table; it is an AWS-managed service that uses an Elastic IP and relies on the route table of the subnet it resides in to route traffic to the Internet Gateway, but the problem is with the web servers' subnet route table, not the NAT Gateway's.

249 · MCQ · medium

A company has a Direct Connect connection with a public VIF to access AWS public services. They notice that traffic to Amazon S3 is taking a suboptimal path via the internet instead of the Direct Connect. What is the MOST likely cause?

A. The BGP session for the public VIF is not advertising the S3 prefixes
B. The public VIF is in a 'DOWN' state
C. The on-premises router does not have a route for the S3 CIDR ranges pointing to the Direct Connect
D. The virtual private gateway is not attached to the VPC
Answer: C

The on-premises router must prefer the Direct Connect path for the S3 prefixes over its default internet route.

Why this answer

Option C is correct: AWS advertises its public prefixes, including the S3 ranges, to the customer router over the public VIF's BGP session, but if the on-premises routing does not install or prefer those routes (for example the BGP-learned prefixes lose to a static default route, or an inbound route filter discards them), S3 traffic follows the default route to the internet. The fix is on the customer side: accept the AWS prefixes (optionally scoped with the BGP communities AWS supports on public VIFs) and give them a higher local preference than the internet path. Option A is incorrect because it is AWS, not the customer, that advertises the S3 prefixes over the public VIF; the customer advertises its own public prefixes. Option B is unlikely because a down VIF would be visible in the Direct Connect console and would affect all AWS public-service traffic, not just path selection for S3. Option D is incorrect because a public VIF does not use a virtual private gateway; VGWs belong to private VIFs.

250 · MCQ · medium

Refer to the exhibit. A network engineer is analyzing VPC Flow Logs to troubleshoot connectivity issues. The engineer notices that traffic from 10.0.1.5 to 192.168.1.1 on port 80 is logged as ACCEPT, but the application team reports that the web request failed. What is the most likely cause?

A. The VPC Flow Logs are not capturing all packets due to sampling.
B. The network ACL is returning an ICMP unreachable message that is not logged.
C. The destination host 192.168.1.1 is not reachable or does not have a route back to the source.
D. The security group on the ENI is blocking outbound traffic to 192.168.1.1.
Answer: C

The outbound packets were accepted, but a missing return path or a dead destination still makes the application fail.

Why this answer

An ACCEPT record only says that the packets from 10.0.1.5 to 192.168.1.1:80 passed the security group and network ACL evaluation at the source ENI. It does not confirm that 192.168.1.1 received them, that a listener was on port 80, or that a route exists for the replies. If 192.168.1.1 has no route back to 10.0.1.5 (or is down), the SYN-ACK never arrives and the client times out even though the forward traffic was accepted. The tell-tale in the logs is an ACCEPTed forward flow with no matching reverse flow (192.168.1.1:80 to 10.0.1.5) on the same interface and, where the tcp-flags field is enabled, a flow showing only SYN.

Exam trap

AWS often tests the misconception that an ACCEPT log entry guarantees end-to-end connectivity, when it only confirms that the packet passed the security group and NACL rules at that interface, not that the destination processed it or that a return path exists.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs are not sampled; they aggregate every captured flow over the aggregation interval (some traffic such as DHCP, instance metadata and Route 53 Resolver DNS queries is excluded by design, but HTTP to a host is captured). Option B is wrong because network ACLs do not generate ICMP unreachable messages; they silently drop traffic, and any ICMP unreachable would come from the destination host or a router, not from the ACL. Option D is wrong because if the security group on the ENI blocked outbound traffic to 192.168.1.1, the flow log entry would show REJECT, not ACCEPT.
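Questions 226, 232 and 250 all come down to reading flow log records correctly, so here is one added Python example (written for this page, not an AWS tool) that parses default-format (version 2) VPC Flow Log lines, counts REJECTs per interface, destination and port to locate a denying NACL or security group, and lists ACCEPTed flows that never got a matching reverse flow on the same interface, the signature of the missing return path in question 250. The log lines are constructed for the example; the field order follows the published default format.

```python
"""Triage VPC Flow Log records: REJECTs by target and one-way ACCEPTs (added example)."""
from collections import Counter

# Default (version 2) flow log fields, in published order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: one ENI, an unanswered HTTP flow, a complete HTTPS flow,
# SSH/RDP probes that were rejected, and a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.5 192.168.1.1 49152 80 6 5 300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.20 49153 443 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.1.5 443 49153 6 3 240 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 51000 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 51001 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40000 3389 6 2 88 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format lines into dicts; skip malformed and NODATA/SKIPDATA records."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # not a default-format v2 record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                      # NODATA / SKIPDATA carry no flow information
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejects_by_target(records):
    """Packets REJECTed per (interface, dst IP, dst port, protocol): where a NACL or SG is denying."""
    counts = Counter()
    for r in records:
        if r["action"] == "REJECT":
            counts[(r["interface_id"], r["dstaddr"], r["dstport"], r["protocol"])] += r["packets"]
    return counts


def one_way_accepts(records):
    """ACCEPTed flows whose reverse direction never appears on the same interface.

    Flow logs record each direction as its own flow, so a forward ACCEPT with no
    reverse record means the packets left the ENI but nothing came back: typically
    a missing return route or a dead destination, not a local firewall rule.
    """
    seen = set()
    for r in records:
        if r["action"] == "ACCEPT":
            seen.add((r["interface_id"], r["srcaddr"], r["srcport"],
                      r["dstaddr"], r["dstport"], r["protocol"]))
    unanswered = []
    for iface, src, sport, dst, dport, proto in sorted(seen):
        if (iface, dst, dport, src, sport, proto) not in seen:
            unanswered.append({"interface_id": iface, "src": f"{src}:{sport}",
                               "dst": f"{dst}:{dport}", "protocol": proto})
    return unanswered


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for target, pkts in rejects_by_target(recs).most_common():
        print("REJECT", target, pkts, "packets")
    for flow in one_way_accepts(recs):
        print("ACCEPT without reply", flow)
```

A REJECT record does not say which control dropped the packet; if the security group allows the destination port and the record still shows REJECT (especially when inbound is accepted but the ephemeral-port reply is rejected), the stateless NACL is the culprit. One-way flows are normal for some UDP traffic, so restrict the missing-return-path search to TCP (protocol 6) when hunting for routing problems.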

251 · MCQ · easy

A network engineer needs to capture and analyze DNS query logs generated by Amazon Route 53. Which AWS service should be used to store and query these logs?

A. AWS CloudTrail
B. Amazon Kinesis Data Firehose
C. Amazon CloudWatch Logs
D. Amazon S3
Answer: C

Route 53 publishes DNS query logs to CloudWatch Logs, where they can be searched and analyzed.

Why this answer

Option C is correct because Route 53 query logging for public hosted zones sends DNS query logs to a CloudWatch Logs log group, where CloudWatch Logs Insights can query them (resolver IP, query name, type and response code). Option D is wrong for the question asked: S3 is an object store rather than a query service, and public hosted zone query logging cannot deliver to it directly. Option B is wrong because Kinesis Data Firehose streams data to other destinations and does not store or query logs itself. Option A is wrong because CloudTrail records API calls, not DNS queries. Note that Route 53 Resolver query logging (for queries made from inside a VPC) is a separate feature that can deliver to CloudWatch Logs, S3 or Kinesis Data Firehose.

252 · MCQ · hard

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. After a network change, some VPCs cannot reach the on-premises network. The Transit Gateway route table shows the correct association and propagation. What is the most likely cause?

A. The Transit Gateway attachment is in a failed state
B. The VPN connection to the on-premises network has insufficient bandwidth
C. The BGP session between the Transit Gateway and on-premises router is down
D. The VPC route tables do not have a route pointing to the Transit Gateway
Answer: D

Without a route to the Transit Gateway in the VPC's subnet route tables, traffic from the VPC never reaches the TGW.

Why this answer

Option D is correct because routing is configured on both sides of a TGW attachment: the TGW route table decides where the TGW forwards traffic, but each VPC's subnet route tables must also carry a static route for the on-premises prefixes (or a default route) with the Transit Gateway as target. Transit Gateways do not propagate routes into VPC route tables (only a virtual private gateway can do that), so after a network change a missing or overwritten static route in a subnet route table leaves that VPC unable to reach on premises while the others still can. Option A is wrong because an attachment in a failed state would not show a correct association and propagation. Option C is wrong because a down BGP session would cut off on-premises reachability for every VPC, not just some. Option B is wrong because insufficient bandwidth degrades performance rather than making some VPCs unable to reach on premises at all.

253 · MCQ · hard

A company has a hybrid network with multiple AWS Direct Connect connections to multiple VPCs. They want to monitor network performance and receive alerts when latency exceeds a threshold. Which combination of AWS services should be used to achieve this?

A.AWS CloudTrail and Amazon SNS
B.AWS Trusted Advisor and Amazon SES
C.Amazon CloudWatch and Amazon CloudWatch Alarms
D.VPC Flow Logs and Amazon CloudWatch Logs
AnswerC

CloudWatch provides Direct Connect metrics and alarms for thresholds.

Why this answer

The correct answer is C because CloudWatch publishes Direct Connect metrics such as latency, and CloudWatch Alarms can trigger alerts. Option A is wrong because CloudTrail does not provide performance metrics. Option D is wrong because VPC Flow Logs do not provide latency metrics.

Option B is wrong because AWS Trusted Advisor provides best-practice checks, not real-time latency monitoring.

254
MCQeasy

A company is using AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. The network team notices that traffic between two VPCs is taking an unexpected path. Which AWS service should be used to analyze the packet-level traffic flow and identify the path?

A.AWS CloudTrail
B.AWS X-Ray
C.AWS Config
D.VPC Flow Logs
AnswerD

VPC Flow Logs capture IP traffic metadata and can be used to trace paths.

Why this answer

VPC Flow Logs capture IP traffic metadata (source/destination IP, ports, protocol, packet/byte counts) at the network interface level, enabling analysis of packet-level traffic flow paths through AWS Transit Gateway. By enabling flow logs on the Transit Gateway attachment or VPC subnets, you can trace the actual path traffic takes between VPCs, including whether it traverses the Transit Gateway or an unexpected route.

Exam trap

AWS often tests the misconception that CloudTrail or Config can analyze network traffic paths, but only VPC Flow Logs provide the packet-level metadata needed to trace the actual data plane flow through Transit Gateway.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API calls and management events, not packet-level traffic flows; it cannot show the data plane path of network traffic. Option B is wrong because AWS X-Ray traces application-layer requests (e.g., HTTP/SQL) and is designed for distributed application debugging, not for analyzing network-layer packet flows or routing paths. Option C is wrong because AWS Config evaluates resource configurations and compliance rules (e.g., route table settings) but does not capture or analyze live packet-level traffic flows.

255
Multi-Selecthard

A company is designing a highly available hybrid network using two AWS Direct Connect connections from different providers. The company wants to use BGP to advertise the same on-premises prefixes to AWS. Which THREE practices should be followed to ensure high availability and optimal traffic flow? (Choose three.)

Select 3 answers
A.Advertise different on-premises prefixes on each connection
B.Advertise the same prefixes with different prefix lengths to influence route selection
C.Configure a unique private ASN for each Direct Connect connection
D.Set the same MED value for prefixes advertised on both connections
E.Use different BGP community tags for each connection to influence routing policies
AnswersB, C, E

AWS prefers more specific prefixes (longer prefix length).

Why this answer

Option C is correct because using different ASNs prevents BGP loop prevention from discarding routes. Option E is correct because using different BGP communities can influence routing policies. Option B is correct because using different prefix lengths allows AWS to prefer the more specific prefix.

Option D is wrong because using the same MED value would not help in path selection. Option A is wrong because advertising the same prefixes on both connections is necessary for redundancy.

256
MCQhard

A company has a VPC with a VPN connection to an on-premises network. The network team reports that the VPN tunnel is flapping intermittently. You need to identify the cause. Which AWS service provides logs that can help troubleshoot the VPN tunnel status?

A.VPC Flow Logs
B.Amazon CloudWatch
C.AWS CloudTrail
D.AWS Health Dashboard
AnswerB

CloudWatch provides VPN tunnel metrics and logs.

Why this answer

The correct answer is B because VPN tunnel metrics are available in CloudWatch, including tunnel state and data in/out. Option C is wrong because CloudTrail does not provide tunnel status logs. Option A is wrong because VPC Flow Logs capture traffic, not tunnel status.

Option D is wrong because the AWS Health Dashboard provides service health, not specific VPN tunnel logs.

257
Multi-Selecteasy

Which TWO are valid methods to monitor and troubleshoot AWS Direct Connect connections?

Select 2 answers
A.Use CloudFront to monitor Direct Connect utilization.
B.Enable AWS CloudTrail to log Direct Connect API calls.
C.Enable Direct Connect Connection and Virtual Interface metrics in CloudWatch.
D.Use AWS Direct Connect Connection tests to verify connectivity and performance.
E.Enable VPC Flow Logs on the VIF.
AnswersC, D

CloudWatch provides metrics for Direct Connect, such as connection state and BGP status.

Why this answer

Options C and D are correct. Option E is incorrect because VPC Flow Logs do not capture Direct Connect traffic. Option A is incorrect because CloudFront is not related to Direct Connect monitoring.

Option B is incorrect because CloudTrail logs API calls but does not provide real-time connection monitoring.

258
MCQhard

A company has a VPC with a public subnet and a private subnet. The private subnet instances need to make outbound internet requests. A NAT Gateway is deployed in the public subnet. The network engineer notices that instances in the private subnet cannot reach the internet, but the NAT Gateway's Elastic IP is reachable from the internet. Which of the following is the most likely cause?

A.The network ACL on the private subnet blocks outbound traffic.
B.The route table for the private subnet does not have a default route (0.0.0.0/0) pointing to the NAT Gateway.
C.The NAT Gateway is not associated with an Elastic IP.
D.The security group attached to the NAT Gateway blocks outbound traffic.
AnswerB

Without this route, outbound traffic cannot reach the NAT Gateway.

Why this answer

Option B is correct because the private subnet route table must have a default route (0.0.0.0/0) pointing to the NAT Gateway. Option C is wrong because the NAT Gateway's Elastic IP is reachable from the internet, so it has an Elastic IP and sits in a public subnet with a route to the IGW. Option D is wrong because security groups are not applicable to a NAT Gateway.

Option A is wrong because a NACL on the private subnet would affect inbound/outbound traffic, but the issue here is routing.

259
MCQmedium

A network engineer created a VPC interface endpoint for a third-party SaaS service using AWS PrivateLink. The endpoint shows 'available' state, but on-premises clients cannot connect to the service via the private endpoint DNS name. What is the MOST likely reason?

A.The endpoint is not in the 'available' state.
B.Private DNS is not enabled for the endpoint.
C.The endpoint is not associated with any subnet.
D.The endpoint type is Gateway, not Interface.
AnswerB

Private DNS must be enabled for the private hosted zone to resolve the endpoint DNS name.

Why this answer

Option B is correct because Private DNS for the endpoint must be enabled for the private DNS name to resolve correctly from on-premises. Option A is incorrect because the endpoint is in 'available' state. Option C is incorrect because the subnet IDs are present.

Option D is incorrect because the endpoint type is Interface, not Gateway.

260
MCQeasy

A company uses AWS Direct Connect to connect its data center to a VPC. The VIF is up, and the BGP session is established. However, the on-premises router cannot ping the VPC's private IP addresses. Which configuration is most likely missing?

A.The Direct Connect virtual interface is in the wrong VLAN.
B.The BGP password is incorrect.
C.The on-premises router is not advertising the VPC CIDR via BGP.
D.The VPC route table does not have a route pointing to the Virtual Private Gateway for the on-premises CIDR.
AnswerD

Without this route, the VPC does not know to send traffic to the Direct Connect via the VGW.

Why this answer

For traffic to reach VPC private IPs, the VPC route table must have a route pointing to the Virtual Private Gateway (VGW) for the on-premises CIDR. Even with BGP up, without this route, traffic won't be sent to the VGW.

261
MCQmedium

A company uses AWS Direct Connect to connect its on-premises network to a VPC. The connection uses a private virtual interface (VIF) to access the VPC. The network team is monitoring the link and notices that the BGP session goes down intermittently. The team has checked the physical layer and found no issues. The BGP keepalive timer is set to 30 seconds on both sides. The network engineer suspects that the issue might be related to the BGP hold timer. What should the engineer do to stabilize the BGP session?

A.Configure a static route on the on-premises router for the VPC CIDR.
B.Decrease the BGP hold timer to 10 seconds on the on-premises router.
C.Increase the BGP hold timer to 90 seconds on both the on-premises router and the AWS side.
D.Change the virtual interface to a public VIF to improve BGP stability.
AnswerC

Correct: A higher hold timer reduces the chance of BGP session flapping due to intermittent connectivity.

Why this answer

Option C is correct because increasing the BGP hold timer allows more time to receive keepalives, reducing flapping due to transient issues. Option B is wrong because decreasing the hold timer would make the session more sensitive. Option A is wrong because a static route would bypass BGP and not provide redundancy.

Option D is wrong because moving to a public VIF is unrelated to BGP stability.

262
MCQhard

A company is designing a multi-region active-active architecture using Application Load Balancers (ALBs) and AWS Global Accelerator. They need to ensure that traffic is distributed evenly across regions and that failover happens automatically. Which configuration should they use?

A.Use Route 53 latency-based routing with health checks
B.Configure Global Accelerator with a single endpoint group containing both ALBs
C.Configure Global Accelerator with two endpoints (one per region) and set equal weights
D.Use a Network Load Balancer in each region and Route 53 weighted routing
AnswerC

Global Accelerator supports endpoint weights for traffic distribution and health checks for failover.

Why this answer

Global Accelerator uses endpoint weights to distribute traffic. Setting equal weights for both regional endpoints ensures even distribution, and health checks automatically route traffic away from unhealthy regions.

263
MCQmedium

A company has set up a Direct Connect connection with a private VIF to its VPC. The BGP session is up, but traffic is not passing between the on-premises network and the VPC. Which configuration should be verified?

A.Ensure jumbo frames are enabled on the Direct Connect interface
B.Verify that the VIF is a public VIF
C.Review the Direct Connect virtual interface metrics in CloudWatch
D.Check the BGP advertised routes and the VPC route tables
AnswerD

Routes must be properly advertised and propagated to the VPC route table.

Why this answer

Option D is correct because the on-premises network must advertise routes to the VPC via BGP, and the VPC must have routes pointing to the virtual private gateway. Option A is wrong because jumbo frames are not required. Option B is wrong because the VIF type (private vs public) is not the issue if BGP is up.

Option C is wrong because CloudWatch metrics are for monitoring, not routing.

264
Multi-Selectmedium

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. The network team needs to monitor the BGP session status for each VPN attachment. Which TWO services can be used to monitor BGP status and receive alerts if a session goes down?

Select 2 answers
A.Amazon CloudWatch Alarms on the BGP status metric.
B.AWS Config rules.
C.VPC Flow Logs.
D.AWS CloudTrail logs.
E.Amazon CloudWatch metrics for VPN tunnels.
AnswersA, E

Alarms can notify when BGP goes down.

Why this answer

Options A and E are correct. CloudWatch can monitor VPN tunnel metrics including BGP status, and CloudWatch Alarms can trigger alerts. Option C is wrong because VPC Flow Logs do not include BGP status.

Option B is wrong because AWS Config does not monitor BGP. Option D is wrong because CloudTrail does not monitor BGP.

265
MCQmedium

A company is using AWS Direct Connect to connect its on-premises data center to AWS. The network team notices increased latency and packet loss during peak hours. The Direct Connect virtual interface (VIF) is configured as a private VIF to a VPC. What is the MOST likely cause of the issue?

A.Jumbo frames are not enabled on the VIF.
B.The VIF bandwidth is insufficient for the traffic volume.
C.The BGP keepalive timer is set too low.
D.The MTU size of the VIF is set to 1500 bytes.
AnswerB

Bursty traffic can exceed the provisioned bandwidth, causing congestion.

Why this answer

Option B is correct because bursty traffic can exceed the VIF bandwidth and cause congestion, leading to latency and packet loss. Option C is incorrect because BGP timers affect routing convergence, not bandwidth. Option A is incorrect because jumbo frames would improve throughput, not cause packet loss.

Option D is incorrect because the issue occurs only during peak hours, not as a persistent MTU mismatch.

266
MCQeasy

A company uses AWS Direct Connect to connect its on-premises network to a VPC. The network team notices intermittent packet loss on the Direct Connect virtual interface (VIF). Which AWS service should be used to monitor the latency and packet loss on the VIF?

A.AWS Health Dashboard
B.VPC Flow Logs
C.AWS CloudWatch
D.AWS Transit Gateway Network Manager
AnswerC

CloudWatch provides Direct Connect metrics including packet loss and latency.

Why this answer

CloudWatch provides metrics for Direct Connect including packet loss and latency. VPC Flow Logs capture IP traffic metadata but not latency. AWS Health Dashboard shows service health.

Transit Gateway is a network transit hub but not a monitoring service.

267
MCQmedium

Refer to the exhibit. A network engineer has established a VPC peering connection between VPC A (10.0.0.0/16) in account 111111111111 and VPC B (192.168.0.0/16) in account 222222222222. The peering connection status is 'active'. However, instances in VPC A cannot reach instances in VPC B. What is the MOST likely cause?

A.The peering connection is not in the 'active' state
B.Route tables in one or both VPCs do not have routes to the peer CIDR
C.Security groups in VPC B are blocking traffic
D.The CIDR blocks overlap
AnswerB

Missing routes prevent communication.

Why this answer

Option B is correct because the route tables in both VPCs need routes to the peer CIDR via the peering connection. Option A is incorrect because the status is active. Option D is incorrect because the CIDRs are non-overlapping.

Option C is incorrect because there is no indication that security groups are blocking traffic; they could be, but the most common cause is missing routes.

268
MCQmedium

A network engineer is troubleshooting why an EC2 instance (with the above security group) is not responding to HTTP requests from the internet. The instance is in a public subnet with an Internet Gateway attached. The route table has a default route to the Internet Gateway. What is the most likely cause?

A.The security group only allows traffic from the 10.0.0.0/8 range
B.The security group does not allow inbound ICMP traffic
C.The route table does not have a route for the internet
D.The network ACL is blocking inbound HTTP
AnswerA

The security group rule only permits HTTP from the private 10.0.0.0/8 CIDR, not from the internet.

Why this answer

The security group allows HTTP from 10.0.0.0/8 only, which is a private IP range. It does not allow traffic from 0.0.0.0/0 (the internet). Option A is correct.

Options B, C, and D are not the issue.

269
MCQmedium

A company uses AWS Direct Connect with a private virtual interface (VIF) to connect its on-premises network to its VPC. The on-premises network team reports that they can ping the private IP address of an EC2 instance in the VPC, but cannot establish a TCP connection to a web server running on that instance. The network security group allows inbound TCP port 80 from the on-premises CIDR. What should the network engineer check next?

A.Review the network ACL associated with the subnet to ensure it allows inbound TCP 80.
B.Check the operating system firewall and web server configuration on the EC2 instance.
C.Check the BGP session status on the Direct Connect virtual interface.
D.Verify the route table on the VPC has a route back to the on-premises network.
AnswerB

The OS firewall or application may block TCP despite security group allowing it.

Why this answer

Option B is correct because the instance's OS firewall or web server configuration may be blocking the connection. Option D is wrong because ping works, indicating routing is fine. Option C is wrong because the BGP session status is unrelated to connectivity to the instance.

Option A is wrong because the NACL is stateless and would affect ping as well.

270
MCQhard

A company has an AWS Direct Connect connection with a private VIF to a VPC. They notice that traffic from the on-premises network to the VPC is being routed through the internet instead of the Direct Connect. The VPC route table has a route pointing to the virtual private gateway for the on-premises CIDR. What is the most likely cause?

A.The virtual private gateway is not attached to the VPC
B.The security group on the VPC resources blocks the traffic
C.The on-premises CIDR is more specific than the VPC route table entry
D.The on-premises router is not advertising the prefix via BGP over the Direct Connect
AnswerD

Without BGP advertisement, the route is not propagated to the VPC.

Why this answer

Option D is correct because if the on-premises router does not advertise the prefix over the Direct Connect BGP session, or advertises it with a community that the BGP peer does not accept, the route will not be installed. Option C is incorrect because a more specific route would not cause traffic to go to the internet. Option A is incorrect because the virtual private gateway is the correct target.

Option B is incorrect because security groups do not affect routing.

271
Multi-Selecteasy

Which TWO AWS services can be used to centrally manage and monitor network traffic across multiple VPCs and on-premises networks?

Select 2 answers
A.AWS Transit Gateway Network Manager
B.Amazon CloudWatch
C.AWS WAF
D.AWS Direct Connect
E.AWS Shield
AnswersA, B

It provides a central dashboard for network connectivity.

Why this answer

AWS Transit Gateway Network Manager provides a central view of network topology and metrics. Amazon CloudWatch can aggregate logs and metrics from multiple sources.

272
MCQmedium

Refer to the exhibit. A Direct Connect private virtual interface is in the 'available' state, and the BGP session is up. However, the on-premises network cannot reach any resources in the VPC attached to the Direct Connect gateway. What is the MOST likely cause?

A.The BGP ASN is private and not allowed
B.The VLAN ID is incorrect
C.The Direct Connect gateway is not associated with the virtual private gateway or route propagation is not enabled
D.The BGP session is not established
AnswerC

Routes are not being advertised.

Why this answer

Option C is correct because even though the BGP session is up, the on-premises router may not be learning the VPC routes. The Direct Connect gateway must be associated with the virtual private gateway and route propagation must be enabled. Option D is incorrect because the BGP session is up.

Option B is incorrect because the VLAN is configured. Option A is incorrect because the ASN is valid.

273
MCQeasy

A company is using AWS Direct Connect with a private VIF to connect its on-premises data center to a VPC. The network team wants to monitor the link health and receive alarms if the connection goes down. Which AWS service should they use?

A.Amazon CloudWatch with Direct Connect metrics.
B.Amazon Inspector.
C.AWS Config.
D.VPC Flow Logs.
AnswerA

CloudWatch provides metrics like ConnectionState and BGP status for Direct Connect.

Why this answer

Option A is correct because CloudWatch provides metrics for Direct Connect connections, such as connection state and BGP status, and can trigger alarms. Option D is wrong because VPC Flow Logs capture IP traffic logs, not link health. Option C is wrong because AWS Config tracks configuration changes, not operational status.

Option B is wrong because Amazon Inspector is for security assessments.

274
Drag & Dropmedium

Arrange the steps to configure an AWS Client VPN endpoint for remote access:

Why this order

First create certificates, then the endpoint, associate with network, authorize access, then distribute client config.

275
MCQmedium

A company has set up a Site-to-Site VPN connection between its on-premises network and AWS. The VPN tunnel shows as 'UP' but traffic is not flowing. What should the engineer check?

A.Ensure the customer gateway is configured correctly
B.Verify the security group rules for the VPN connection
C.Check the internet gateway route table
D.Verify that route propagation is enabled on the VPC route table
AnswerD

Without route propagation, the VPC does not know about the on-premises network.

Why this answer

Option D is correct because route propagation from the virtual private gateway to the VPC route table must be enabled. Option B is wrong because the tunnel state is up, so a security group is not likely the issue (security groups affect instances, not the VPN endpoint). Option C is wrong because the internet gateway is for public internet access, not VPN.

Option A is wrong because the customer gateway is the on-premises endpoint; it is configured, but if routes are not propagated, traffic won't flow.

276
Multi-Selectmedium

A network engineer is troubleshooting high latency on an AWS Transit Gateway that connects multiple VPCs and an on-premises network via AWS Site-to-Site VPN. The engineer wants to identify potential causes. Which TWO actions should the engineer take? (Choose two.)

Select 2 answers
A.Review the NACL rules for each subnet in the VPCs.
B.Review the CloudWatch metrics for the VPN tunnels for packet loss and latency.
C.Enable Transit Gateway Flow Logs to capture traffic between attachments.
D.Re-create the VPN connections to reset the tunnels.
E.Enable VPC Flow Logs on the VPCs attached to the transit gateway.
AnswersB, C

VPN tunnel metrics can indicate performance issues.

Why this answer

Option B is correct because CloudWatch metrics for VPN tunnels provide direct visibility into packet loss and latency, which are key indicators of performance issues on the AWS Site-to-Site VPN component of the Transit Gateway. Option C is correct because Transit Gateway Flow Logs capture IP traffic information between attachments, allowing the engineer to analyze traffic patterns, identify drops, and pinpoint which VPC or VPN attachment is contributing to the high latency.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs with Transit Gateway Flow Logs, assuming VPC Flow Logs can diagnose Transit Gateway latency, but VPC Flow Logs lack the attachment-level context and latency metrics needed for this specific troubleshooting scenario.

277
MCQhard

A company has a VPC with a CIDR of 172.16.0.0/16. The VPC contains an Amazon RDS for MySQL database in a private subnet. The database is accessed by EC2 instances in the same VPC and by on-premises servers via a Site-to-Site VPN. The network team recently enabled VPC Flow Logs and noticed that the database is receiving a high number of SYN packets from an IP address that is not part of the VPC or on-premises network. The security group for the database only allows inbound traffic on port 3306 from the EC2 instances' security group and the on-premises CIDR (10.0.0.0/8). The network ACL for the database subnet allows inbound and outbound traffic on all ports from all sources. What is the most likely cause of the unexpected traffic?

A.The security group for the database has an inbound rule that allows traffic from 0.0.0.0/0.
B.The RDS database has a public endpoint that is accessible from the internet.
C.The Site-to-Site VPN is misconfigured and routing internet traffic into the VPC.
D.The network ACL for the database subnet allows all inbound traffic, so packets from the internet reach the database subnet's network ACL before being evaluated by the security group.
AnswerD

NACL is stateless and allows all traffic, so packets enter the subnet and are then evaluated by the security group, which drops them.

Why this answer

Option D is correct because the network ACL is stateless and, since it allows all inbound traffic, admits packets from any source, including the internet. Even though the security group blocks the traffic, the NACL allows it, so the packets reach the subnet and are logged. Option A is wrong because the security group is blocking the traffic, not allowing it.

Option B is wrong because the RDS instance is not publicly accessible. Option C is wrong because the VPN is only for on-premises traffic; the IP is not from on-premises.

278
MCQeasy

A network engineer needs to capture and analyze traffic crossing a VPC peering connection for troubleshooting. Which AWS service should be used?

A.AWS CloudTrail.
B.VPC Traffic Mirroring.
C.AWS Transit Gateway Network Manager.
D.VPC Flow Logs for the peering connection.
AnswerD

Flow Logs capture IP traffic metadata.

Why this answer

VPC Flow Logs capture IP traffic information for network interfaces, including those attached to a VPC peering connection. They can be published to Amazon CloudWatch Logs or Amazon S3, and the logs contain fields such as source/destination IP, ports, protocol, and packet/byte counts, which are essential for troubleshooting traffic across the peering link. This is the correct service because it directly logs metadata about the traffic traversing the peering connection without requiring any changes to the network path.

Exam trap

The trap here is that candidates confuse VPC Flow Logs (which log traffic metadata) with VPC Traffic Mirroring (which captures full packet payloads), but Traffic Mirroring cannot be applied to a peering connection itself, only to individual ENIs within a VPC.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity (e.g., who created the peering connection) but does not capture network traffic or packet-level data. Option B is wrong because VPC Traffic Mirroring copies packets from an Elastic Network Interface (ENI) for analysis, but it cannot be applied to a VPC peering connection itself; it only works on source or target ENIs within a VPC. Option C is wrong because AWS Transit Gateway Network Manager provides a central view of network topology and metrics for Transit Gateway-based networks, but it does not capture or analyze traffic crossing a VPC peering connection (which is a direct VPC-to-VPC link, not a Transit Gateway attachment).

279
MCQmedium

A company has a VPC with a public subnet hosting a web server. The security group for the web server allows inbound HTTP (port 80) from 0.0.0.0/0. The network ACL for the public subnet allows inbound HTTP from 0.0.0.0/0. Users report that they cannot access the website. The engineer verifies that the web server is running and has a public IP. What is the most likely issue?

A.The web server is listening on a different port.
B.The network ACL outbound rule is blocking return traffic.
C.The internet gateway is not attached to the VPC.
D.The security group outbound rule is blocking return traffic.
AnswerB

Network ACLs are stateless, so return traffic on ephemeral ports must be explicitly allowed.

Why this answer

Even if inbound rules allow traffic, if the network ACL's outbound rule (stateless) does not allow return traffic (ephemeral ports), the connection will fail. Security groups are stateful and allow return traffic automatically.

280
MCQmedium

A company has a transit gateway with multiple VPC attachments and an on-premises VPN connection. The network team is seeing asymmetric routing and packet drops. What should they implement to resolve this?

A.Disable equal-cost multipath (ECMP) routing on the Transit Gateway.
B.Create VPC peering connections between all VPCs.
C.Use BGP ASN prepending on the on-premises routers.
D.Enable route propagation from the Transit Gateway to VPC route tables.
AnswerA

Disabling ECMP ensures consistent path selection per flow.

Why this answer

Option A is correct because equal-cost multipath (ECMP) routing over multiple tunnels can cause asymmetric flows. Disabling ECMP on the Transit Gateway ensures consistent path selection based on flow hashing. Option B is incorrect because VPC peering is not needed.

Option C is incorrect because BGP ASN prepending influences path selection but doesn't fix asymmetry from ECMP. Option D is incorrect because route propagation doesn't affect ECMP behavior.

281
MCQhard

A network engineer ran the command shown in the exhibit to check VPC peering connections. Two peering connections are active. The engineer wants to verify that routes are correctly configured. What additional step is needed to ensure that instances in vpc-11111111 can communicate with instances in vpc-33333333?

A.Configure security groups to allow traffic between the VPCs.
B.Enable DNS resolution for the peering connection.
C.Add a route in the route table of vpc-11111111 pointing to vpc-33333333 via the peering connection, and a route in vpc-33333333 pointing to vpc-11111111 via the same peering connection.
D.Ensure that the peering connection is in the 'active' state.
AnswerC

Routes are needed in both VPCs.

Why this answer

Option C is correct because VPC peering requires route table entries in both VPCs pointing to the peering connection. Option D is wrong because the peering is already active. Option A is wrong because security groups need to allow traffic, but routing is the first step.

Option B is wrong because DNS resolution is not required for IP communication.

282
MCQhard

A network engineer is troubleshooting an issue where an on-premises server cannot reach an EC2 instance in a VPC over a Site-to-Site VPN. The VPN tunnel is up, and BGP is established. The engineer checks the route tables and sees the on-premises CIDR in the VPC route table pointing to the virtual private gateway. What is the most likely cause?

A.The VPN tunnel is not passing traffic due to a mismatch in pre-shared keys.
B.The on-premises router does not have a route back to the VPC CIDR pointing to the VPN tunnel.
C.The network ACLs in the VPC are blocking the traffic.
D.The security group attached to the EC2 instance is blocking inbound traffic from the on-premises CIDR.
AnswerB

Without a return route, the on-premises server cannot send traffic back to the EC2 instance.

Why this answer

Option B is correct because if the on-premises network has no route back to the VPC CIDR via the VPN tunnel, or has a route pointing to an incorrect next-hop (e.g., an internet gateway), return traffic is dropped. Option A is wrong because the VPN tunnel being up indicates the tunnel is fine. Option D is wrong because security group rules would affect inbound traffic from the on-premises server, but the issue is bidirectional.

Option C is wrong because NACLs are stateless, and if they blocked traffic it would be symmetric.

283
MCQmedium

A company is using AWS Transit Gateway with multiple VPC attachments. They need to ensure that traffic between two specific VPCs is encrypted in transit. The VPCs are in the same AWS region. What is the SIMPLEST solution?

A.Enable encryption on the Transit Gateway route tables
B.Use AWS PrivateLink to connect the VPCs
C.Create a VPN attachment on the Transit Gateway and route traffic through it
D.Use VPC peering instead of Transit Gateway and enable encryption
Answer: C

VPN provides encryption.

Why this answer

Option C is correct because an AWS Transit Gateway supports transit gateway peering attachments with VPN encryption for traffic between VPCs. Option A is incorrect because the Transit Gateway itself does not encrypt traffic. Option D is incorrect because VPC peering does not provide encryption by default.

Option B is incorrect because AWS PrivateLink is for services, not VPC-to-VPC encryption.

284
MCQ · hard

A company runs a critical application on EC2 instances in an Auto Scaling group across two Availability Zones. The application is fronted by an Application Load Balancer (ALB). The network team recently migrated from a transit VPC to a transit gateway for inter-VPC connectivity. After the migration, users experience intermittent connectivity failures. The team checks the ALB target group and sees that health checks are passing. However, from an EC2 instance in the same VPC, they can reach the ALB but not the application. They notice that the application sends traffic to an internal DNS server that is in a different VPC, and the application depends on that DNS resolution. The transit gateway route tables are configured to propagate routes from attached VPCs. The DNS server is reachable from the application VPC over the transit gateway. What is the MOST likely cause of the intermittent failures?

A.The transit gateway route tables have a blackhole route for the DNS server's VPC.
B.The Auto Scaling group is scaling in and out frequently, causing application instances to be terminated during DNS resolution.
C.The DNS server returns different IP addresses for the same DNS name, and some IPs are not reachable due to route table misconfiguration.
D.The ALB security group does not allow traffic from the application instances on the ephemeral ports.
Answer: C

DNS changes with TTL can cause intermittent reachability to specific IPs.

Why this answer

If the DNS server returns different IP addresses for the same DNS name due to DNS round-robin or time-to-live (TTL) caching, the application may get an IP address that is not reachable (e.g., from a different VPC or a terminated instance). The health check may pass because the target group health check uses the ALB's IP, not the application's DNS resolution. Option A is plausible but less likely because the DNS server is reachable.

Option B would cause total failure, not intermittent failure. Option D would affect all traffic, not just intermittently.

285
MCQ · hard

A multinational corporation is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect and VPN. The network team is experiencing asymmetric routing for traffic between two VPCs that both have routes to the same on-premises network. Which feature should the team implement to resolve this issue?

A.Deploy a NAT Gateway in each VPC to force symmetric traffic.
B.Use AS_PATH prepending on the BGP advertisements from the on-premises router to influence route preference.
C.Create a Transit Gateway peering attachment between the two VPCs.
D.Enable VPC Flow Logs to detect and alert on asymmetric flows.
Answer: B

AS_PATH prepending makes one path less preferred, ensuring symmetric routing.

Why this answer

AS_PATH prepending allows the on-premises router to artificially lengthen the AS_PATH for specific BGP routes, making those routes less preferred. This influences route selection in the Transit Gateway and VPC route tables, ensuring that traffic from each VPC takes a consistent path and eliminating asymmetric routing.

Exam trap

The trap here is that candidates often confuse AS_PATH prepending with a general routing policy tool, but the key is that it directly influences BGP best-path selection to break ties and enforce path preference, which is exactly what is needed to fix asymmetric routing in a multi-homed Transit Gateway design.

How to eliminate wrong answers

Option A is wrong because a NAT Gateway is used for outbound-only traffic to the internet and does not enforce symmetric routing between VPCs or between VPCs and on-premises networks; it would also break return traffic from on-premises. Option C is wrong because a Transit Gateway peering attachment connects two Transit Gateways, not two VPCs directly, and does not resolve routing asymmetry caused by equal-cost paths to the same on-premises destination. Option D is wrong because VPC Flow Logs only provide visibility into traffic flows for monitoring and troubleshooting; they do not actively influence routing decisions to fix asymmetric routing.

286
MCQ · hard

A network engineer is troubleshooting high latency on a VPN connection between an on-premises network and AWS. The VPN uses two tunnels to a virtual private gateway. The engineer notices that traffic is only using one tunnel, and the other tunnel is idle. What should the engineer do to ensure both tunnels are utilized?

A.Create two separate site-to-site VPN connections to two different virtual private gateways and enable ECMP.
B.Configure BGP MED values to prefer the idle tunnel.
C.Configure static routes with equal metrics on both tunnels.
D.Use a transit gateway with equal cost multipath routing.
Answer: A

Using ECMP across multiple VPN connections allows both tunnels to be used simultaneously.

Why this answer

Option A is correct because creating two site-to-site VPN connections to different virtual private gateways allows active-active use through ECMP routing. Option B is incorrect because BGP metrics (MED) influence path selection but will not force both tunnels to be used if the configuration is active-passive. Option D is incorrect because a transit gateway with ECMP can utilize multiple tunnels.

Option C is incorrect because static routes do not support load balancing across tunnels without ECMP.

287
MCQ · easy

A company monitors its VPC using VPC Flow Logs. The logs are sent to CloudWatch Logs. The security team wants to detect traffic to known malicious IP addresses. Which AWS service can be used to analyze the flow logs in near real-time?

A.AWS WAF
B.AWS CloudTrail
C.Amazon Athena
D.Amazon Kinesis Data Analytics
Answer: D

Kinesis Data Analytics can process streaming flow logs in near real time and detect patterns.

Why this answer

Amazon Athena can query VPC Flow Logs stored in S3, but for near real-time analysis, Amazon Kinesis Data Analytics (or Kinesis Data Firehose with Lambda) can process streaming logs. However, the simplest managed service for real-time pattern matching is Amazon Kinesis Data Analytics with SQL.

288
MCQ · easy

A company has a VPC with public and private subnets. The private subnets need internet access for software updates. The company wants to minimize costs and management overhead. Which solution should they use?

A.Use a VPC endpoint for S3 and CloudFront
B.Attach an internet gateway to the VPC and add a default route to the private subnet route table pointing to the internet gateway
C.Create a NAT gateway in a public subnet and add a route to the private subnet route table pointing to the NAT gateway
D.Launch a NAT instance on an EC2 instance in a public subnet
Answer: C

Managed service, low overhead.

Why this answer

Option C is correct because a NAT gateway provides outbound internet access for private subnets with minimal management. Option D is incorrect because a NAT instance requires management. Option B is incorrect because an internet gateway alone does not provide outbound access for private subnets.

Option A is incorrect because a VPC endpoint is for specific AWS services, not general internet access.

289
MCQ · medium

A company uses AWS Direct Connect with a private virtual interface (VIF) to connect its data center to a VPC. The network team needs to ensure high availability and failover in case the primary connection fails. Which solution provides the most cost-effective high availability?

A.Use a VPN connection over the internet as a backup
B.Provision a second Direct Connect connection at a different AWS Direct Connect location and configure BGP with AS_PATH prepending
C.Use a VPN connection over the same Direct Connect connection as backup
D.Provision a second private virtual interface on the same Direct Connect connection
Answer: B

Provides diverse path and failover.

Why this answer

Option B is correct because using a second Direct Connect connection at a different AWS Direct Connect location provides geographic redundancy. Option D is wrong because it is still a single point of failure. Option C is wrong because VPN over the same Direct Connect relies on the same physical connection.

Option A is wrong because a VPN over the internet provides a backup but is not as reliable as a second Direct Connect.

290
MCQ · hard

A company is migrating its on-premises data center to AWS. The network team needs to establish a site-to-site VPN connection with dynamic routing using BGP. The on-premises router supports BGP but does not support BGP communities. The VPN connection is established, but the VPC does not learn the on-premises routes. What is the most likely cause?

A.The VPN tunnel uses pre-shared keys instead of certificates
B.The VPC route table needs a static route to the on-premises CIDR
C.The VPN tunnel is not in a UP state
D.The on-premises router is not advertising any prefixes over BGP
Answer: D

Without advertisement, no routes are learned.

Why this answer

Option D is correct because the on-premises router must advertise its routes over the BGP session. Option A is incorrect because BGP communities are not required. Option C is incorrect because the VPN connection is established.

Option B is incorrect because BGP does not require static routes.

291
Multi-Select · hard

A company is using AWS Site-to-Site VPN to connect its on-premises network to a VPC. The network team wants to ensure high availability and failover. Which three actions should they take? (Choose THREE.)

Select 3 answers
A.Configure both tunnels as active/active.
B.Enable BGP on the VPN connections.
C.Use two Customer Gateway devices in different locations.
D.Use static routes instead of BGP.
E.Configure two VPN tunnels to the same Customer Gateway.
Answers: A, B, C

Both tunnels carry traffic; if one fails, traffic shifts to the other.

Why this answer

For high availability, use two tunnels (both active/active or active/passive), use two Customer Gateway devices for redundancy, and configure BGP for dynamic routing and fast failover. Static routes require manual intervention. A single tunnel is not redundant.

292
MCQ · hard

Refer to the exhibit. The IAM policy above is attached to a user in account A (123456789012). The user needs to create a VPC peering connection with account B and accept it. The user in account A can create the peering request, but the accept fails with an 'UnauthorizedOperation' error. What is the MOST likely reason?

A.The user does not have permission to create routes in the VPC
B.The 'ec2:CreateVpcPeeringConnection' action requires a specific VPC ARN
C.The user does not have permission to accept the peering connection from the other account
D.The 'ec2:AcceptVpcPeeringConnection' action is not allowed in the policy
Answer: C

The policy does not grant cross-account accept.

Why this answer

Option C is correct. The first statement allows 'ec2:AcceptVpcPeeringConnection' on all resources ('*'), but the second statement scopes its resources to peering connections in account A. A peering connection is accepted on the accepter side, so the accept call acts on a peering-connection resource that belongs to account B, and the policy grants nothing on resources in other accounts. The user in account A can therefore create the request but cannot accept a peering connection owned by account B, which produces the 'UnauthorizedOperation' error.

Option C captures this: the user lacks permission to accept the peering connection from the other account.

293
Multi-Select · medium

A company has a VPC with a public subnet and a private subnet. The public subnet has a bastion host (EC2) with a security group that allows SSH from a specific IP range. The private subnet has an RDS instance. The company wants to enable the bastion host to connect to the RDS instance. Which TWO steps are required?

Select 2 answers
A.Configure the RDS instance to use a custom DB parameter group with SSL enabled.
B.Add a rule to the NACL for the private subnet to allow inbound traffic from the bastion host's IP.
C.Assign a public IP address to the RDS instance.
D.Create a route in the public subnet's route table to the RDS instance.
E.Add a rule to the RDS security group that allows inbound traffic from the bastion host's security group.
Answers: B, E

NACL must allow inbound traffic from the bastion to the RDS port.

Why this answer

The bastion host needs network-level access to the RDS instance. The RDS security group must allow inbound from the bastion's security group, and the bastion must be in the same VPC or have network connectivity. The NACL must allow the traffic.

294
MCQ · easy

A company is using AWS Direct Connect to connect its on-premises data center to AWS. The company wants to ensure that traffic to the VPC uses the Direct Connect connection instead of the internet. Which configuration is required?

A.Create a VPC peering connection to the on-premises network.
B.Add a route in the VPC route table pointing to the on-premises CIDR via the virtual private gateway.
C.Use a NAT gateway in the VPC.
D.Add a route in the VPC route table pointing to the on-premises CIDR via the internet gateway.
Answer: B

This directs traffic to the Direct Connect connection.

Why this answer

To ensure traffic uses Direct Connect, the route table in the VPC must have a route to the on-premises CIDR via the virtual private gateway (VGW) attached to the Direct Connect. Additionally, on the on-premises side, routes must point to the Direct Connect. The VPC route table should have a more specific route or a default route pointing to the VGW.

295
MCQ · hard

A global company is designing a multi-region Active-Active application using Amazon Route 53 latency-based routing. Each region has an Application Load Balancer (ALB) fronting Auto Scaling groups. The application requires sticky sessions based on the user's source IP. The network team notices that users are frequently switched to a different region mid-session, causing errors. What should the team do to resolve this issue?

A.Configure Route 53 health checks with a low threshold to quickly detect failures
B.Enable stickiness on each ALB using a cookie generated by the ALB
C.Use a custom origin header in the Route 53 latency policy to route based on the user's IP address and enable ALB stickiness
D.Switch to geolocation routing policy with a bias to maintain sessions
Answer: C

Custom origin header and ALB stickiness provide session persistence.

Why this answer

Option C is correct because Route 53 latency-based routing does not natively support sticky sessions; using a custom origin header with ALB stickiness ensures users stick to the correct regional endpoint. Option B is wrong because enabling ALB stickiness alone does not prevent Route 53 from switching regions. Option A is wrong because health checks do not affect routing decisions during a session.

Option D is wrong because geolocation routing would not adapt to latency and may cause incorrect routing.

296
Multi-Select · medium

A company is deploying a new application across multiple Availability Zones in a single region. The application requires low-latency communication between instances in different AZs. Which THREE design choices help achieve high availability and low latency? (Select THREE.)

Select 3 answers
A.Use a spread placement group for the instances.
B.Use larger instance sizes to handle traffic spikes.
C.Launch EC2 instances in at least two Availability Zones.
D.Use a single NAT Gateway to provide internet access.
E.Use an Application Load Balancer to distribute traffic across AZs.
Answers: A, C, E

Spread placement groups reduce risk of simultaneous failures.

Why this answer

Option E is correct because an Application Load Balancer distributes traffic across AZs and provides health checks. Option C is correct because placing instances in multiple AZs ensures availability if one AZ fails. Option D is incorrect because a single NAT Gateway in one AZ creates a single point of failure.

Option A is correct because using EC2 instances in a spread placement group reduces correlated failures. Option B is incorrect because increasing instance size does not improve availability or latency.

297
MCQ · medium

A company has multiple AWS accounts and wants to centralize VPC flow logs for analysis. The flow logs are published to Amazon S3 in each account. A central account needs to access these logs. Which solution meets the requirements with the least operational overhead?

A.Set up AWS Glue jobs to copy logs to a central S3 bucket
B.Use AWS Transit Gateway to centralize network traffic and capture logs
C.Use VPC peering to connect the accounts and access the S3 buckets directly
D.Use S3 bucket policies in each account to grant the central account access
Answer: D

Simplest and most scalable.

Why this answer

Option D is correct because cross-account bucket policies allow the central account to access the logs without additional infrastructure. Option C is wrong because VPC peering does not grant S3 access. Option B is wrong because Transit Gateway does not provide S3 access.

Option A is wrong because it adds complexity.

298
MCQ · hard

A company has a VPC with public and private subnets. The private subnets use a NAT gateway for outbound internet access. The security team notices that some EC2 instances in the private subnets are able to reach the internet, but others are not. All instances have the same security group and are in the same private subnet. What is the most likely cause?

A.The route table associated with the private subnet is missing a default route to the NAT gateway.
B.The network ACL is blocking outbound traffic on ephemeral ports.
C.The NAT gateway's security group is blocking traffic from some instances.
D.The internet gateway is not attached to the VPC.
Answer: A

Without a default route, instances cannot reach the internet via the NAT gateway.

Why this answer

Option A is correct because if the route table for the private subnet does not have a default route to the NAT gateway, instances will not have internet access. Option C is incorrect because the NAT gateway's security group must allow inbound traffic, but by default it allows all inbound from the VPC. Option B is incorrect because the NACL is stateless, and if it blocked outbound traffic it would affect all instances equally.

Option D is incorrect because the internet gateway is for public subnets, not private.

299
MCQ · hard

A network engineer is troubleshooting a VPN connection between an AWS Virtual Private Gateway and an on-premises Cisco ASA. The tunnel status shows 'UP' but no traffic passes. The engineer checks the route tables and finds the correct static routes on both sides. What should the engineer check next?

A.Review the IPsec phase 2 settings, including the traffic selectors.
B.Check the IKE phase 1 parameters (e.g., encryption, hash).
C.Verify that the pre-shared keys match.
D.Confirm that the VPC route table has a route to the on-premises subnet.
Answer: A

Phase 2 parameters or mismatched encryption domains could cause the tunnel to be UP but not pass traffic.

Why this answer

If the tunnel is up but no traffic passes, the issue is often the phase 2 IPsec security associations (SAs) or a mismatch in encryption domains. Unlike phase 1, phase 2 can fail silently.

300
Drag & Drop · medium

Arrange the steps to configure a site-to-site VPN connection between an AWS Virtual Private Gateway and an on-premises Cisco ASA in the correct order.

Why this order

First, define the customer gateway, then create the VPN connection, apply the configuration, verify the tunnel, and finally configure routing.
