CCNA Network Mgmt Ops Questions

46 of 346 questions · Page 5/5 · Network Mgmt Ops topic · Answers revealed

301
MCQ · medium

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The connection uses a private virtual interface (VIF) and BGP. The network team recently added a new CIDR block (10.0.3.0/24) to the VPC. They updated the VPC's route table to include a route to the on-premises network. However, the on-premises network cannot reach resources in the new subnet. The BGP session is up, and the Direct Connect gateway is configured. What should the network team do to resolve the issue?

A.Add a static route in the on-premises router pointing to the Direct Connect interface.
B.Set up a new VPN connection as a backup and route traffic over VPN.
C.Add the new CIDR block (10.0.3.0/24) to the Direct Connect gateway's allowed prefixes.
D.Create a new private VIF for the new CIDR block.
Answer: C

Adding the new CIDR to the allowed prefixes lets the Direct Connect gateway advertise it to the on-premises router over BGP.

Why this answer

When a CIDR block is added to a VPC, the Direct Connect gateway does not automatically advertise the new prefix to the on-premises router. The VPC's CIDR must be included in the allowed prefixes configured on the Direct Connect gateway association; only prefixes on that list are advertised over the private VIF. Option C is correct because adding 10.0.3.0/24 to the allowed prefixes is what makes the gateway advertise it via BGP.

Option A is incorrect because a static route on the on-premises router does not help if AWS never advertises the prefix, and it defeats the purpose of running BGP. Option B is incorrect because a backup VPN is a workaround, not a fix for the missing advertisement. Option D is incorrect because a second private VIF is not needed to carry an additional VPC CIDR.

302
Multi-Select · hard

A network engineer is diagnosing a connectivity issue between two VPCs connected via VPC peering. The engineer has confirmed that the route tables in both VPCs have appropriate routes and the security groups allow traffic. However, traffic from VPC A to VPC B fails. Which TWO steps should the engineer take to troubleshoot? (Select TWO.)

Select 2 answers
A.Check the network ACL of the subnet in VPC B where the target instance resides.
B.Confirm that both VPCs are in the same AWS account.
C.Verify the VPC peering connection status is active.
D.Check the operating system firewall on the target instance.
E.Enable VPC Flow Logs on both VPCs to analyze traffic.
Answers: A, D

Network ACLs are stateless and may block inbound or return traffic; the target instance's own firewall can drop traffic that the AWS network has allowed.

Why this answer

Option A is correct because checking the network ACL of the subnet in VPC B where the target instance resides can reveal whether inbound traffic (or the ephemeral-port return traffic) is being blocked. Option D is correct because an OS-level firewall on the target instance can drop traffic even when the AWS network path is open. Option C is listed as wrong because a pending or deleted peering connection would be obvious in the console and would break all traffic, whereas the engineer has already validated the routes that use the peering.

Option B is wrong because VPC peering works across accounts; a cross-account setup is not a fault by itself. Option E is wrong because VPC Flow Logs are useful but are not the first step for a basic connectivity check.

303
Matching · medium

Match each BGP attribute to its role in route selection.

Concepts: Weight, Local Preference, AS_PATH, MED (Multi-Exit Discriminator), Next Hop

Weight: Cisco-proprietary attribute, highest weight preferred

Local Preference: Used to influence outbound traffic from an AS

AS_PATH: Shorter path is preferred

MED: Used to influence inbound traffic to an AS

Next Hop: IP address of the next router to reach the destination

Why these pairings

These attributes are evaluated in order during BGP best-path selection: weight (local to a Cisco router) first, then local preference, then AS_PATH length, origin, and MED, and a route is only considered at all if its next hop is reachable. In hybrid networking, local preference on the on-premises router steers outbound traffic toward Direct Connect, while MED and AS_PATH prepending on advertised prefixes influence how traffic comes back in.
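The decision order above is easiest to see by running it. The following is an added example, not part of the quiz page: a simplified BGP best-path comparison over constructed candidate routes (a Direct Connect path and an internet transit path for the same prefix; the addresses, AS numbers other than AWS's 7224, and attribute values are assumptions chosen to exercise each step). It also reports which attribute decided the outcome, which is the question a troubleshooter asks when traffic takes the wrong link.

```python
"""BGP best-path selection over constructed candidate routes.

Added example (not part of the quiz page). The routes below are made up:
an AWS Direct Connect path (7224 is AWS's Direct Connect ASN) and an
internet transit path. Local preference, MED and weight values are
assumptions chosen to illustrate each decision step.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Lower rank is preferred; IGP-originated routes win over EGP/INCOMPLETE.
ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}

# Decision steps in the order a Cisco router evaluates them. Simplification:
# MED is compared for every pair here, whereas real BGP only compares MED
# between routes from the same neighbouring AS unless configured otherwise.
STEPS = ("weight", "local_pref", "as_path_len", "origin", "med", "ebgp", "router_id")


@dataclass
class Route:
    prefix: str
    next_hop: str
    as_path: List[int]
    local_pref: int = 100      # higher wins; steers *outbound* traffic from the AS
    med: int = 0               # lower wins; set by the neighbour to steer *inbound* traffic
    weight: int = 0            # Cisco-proprietary, never leaves this router
    origin: str = "IGP"
    ebgp: bool = True
    router_id: str = "0.0.0.0"


def sort_key(r: Route) -> Tuple:
    """Tuple whose natural ordering puts the preferred route first."""
    return (
        -r.weight,
        -r.local_pref,
        len(r.as_path),
        ORIGIN_RANK[r.origin],
        r.med,
        0 if r.ebgp else 1,
        tuple(int(o) for o in r.router_id.split(".")),  # lowest router ID as tie-breaker
    )


def best_path(routes: List[Route]) -> Route:
    """Return the route a BGP speaker would install for the prefix."""
    return min(routes, key=sort_key)


def deciding_step(routes: List[Route]) -> str:
    """Name the attribute at which the last competing route was eliminated."""
    best = best_path(routes)
    best_key = sort_key(best)
    last = -1
    for r in routes:
        if r is best:
            continue
        rival_key = sort_key(r)
        diff = next((i for i in range(len(STEPS)) if rival_key[i] != best_key[i]), None)
        if diff is None:
            return "tie"
        last = max(last, diff)
    return STEPS[last] if last >= 0 else "only-route"


def demo() -> None:
    # Constructed: the same AWS public prefix learned over Direct Connect and over transit.
    dx = Route("52.95.0.0/16", "169.254.255.1", [7224], local_pref=200)
    inet = Route("52.95.0.0/16", "203.0.113.1", [3356, 16509], local_pref=100)
    print(best_path([dx, inet]).next_hop, deciding_step([dx, inet]))

    # Same local preference but the Direct Connect path carries three prepended ASes:
    # the shorter internet AS_PATH now wins, so without a local preference policy
    # prepending alone can push traffic off the dedicated link.
    dx_prepended = Route("52.95.0.0/16", "169.254.255.1", [7224, 7224, 7224])
    print(best_path([dx_prepended, inet]).next_hop, deciding_step([dx_prepended, inet]))


if __name__ == "__main__":
    demo()
```

Run it as a script to see both cases; `deciding_step` is the useful part when a route unexpectedly prefers the internet, because it tells you whether to fix local preference on your router or the AS_PATH you are receiving.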

304
MCQ · hard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance has a NAT Gateway in the public subnet. However, the instance cannot reach the internet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway. What is the most likely cause?

A.The NAT Gateway does not have an Elastic IP address attached.
B.The security group for the EC2 instance blocks outbound traffic.
C.The network ACL for the private subnet blocks outbound traffic.
D.The private subnet route table does not have a route to the internet gateway.
Answer: A

Without an Elastic IP, a public NAT Gateway has no address to translate to and cannot reach the internet.

Why this answer

Option A is correct. A public NAT Gateway must have an Elastic IP associated; otherwise outbound traffic cannot be translated to a routable address. Option D is wrong because the private subnet's default route already points to the NAT Gateway, which is the correct design; a private subnet should never route directly to the internet gateway.

Option C is unlikely because the default network ACL allows all traffic; a custom NACL would have to deny outbound traffic (or the ephemeral-port return traffic) explicitly, which is a later check. Option B is wrong because security groups are stateful and allow all outbound traffic by default. In practice, also confirm that the NAT Gateway's own public subnet has a 0.0.0.0/0 route to the internet gateway, since the NAT Gateway depends on that route.

305
MCQ · easy

A company uses AWS Transit Gateway to connect multiple VPCs and an on-premises network via Direct Connect. The on-premises network can reach some VPCs but not others. All VPCs are attached to the same Transit Gateway. What should the engineer check first?

A.The VPC flow logs for the unreachable VPCs.
B.The Transit Gateway route tables and associations.
C.The Direct Connect virtual interface status.
D.The BGP session between the on-premises router and the Direct Connect router.
Answer: B

Route tables determine the connectivity between attachments; misconfiguration is the likely cause.

Why this answer

The Transit Gateway route tables control which VPCs and attachments can communicate. If some VPCs are in a different route table or if propagation is not configured, traffic may not be routed correctly.

306
MCQ · hard

A company has a Direct Connect connection with a private VIF and a public VIF. The private VIF is used to access VPC resources, and the public VIF is used to access AWS public services. Recently, the company enabled AWS Global Accelerator for its application. The network team notices that traffic to the application via Global Accelerator is not using the Direct Connect connection but is going over the internet. What should the team do to ensure traffic uses the Direct Connect public VIF?

A.Configure a VPN connection over the Direct Connect public VIF to route Global Accelerator traffic
B.Advertise the Global Accelerator IP addresses on the on-premises router to route traffic via the public VIF
C.Attach a Direct Connect gateway to the Global Accelerator
D.Create a private VIF for Global Accelerator traffic
Answer: A

Global Accelerator's anycast addresses are normally reached over the internet; a VPN carried across the public VIF gives the on-premises router a path that keeps the traffic on the Direct Connect connection.

Why this answer

Option A is correct because Global Accelerator uses anycast IP addresses announced on the public internet, so on-premises routers will by default forward traffic to them over the internet path; a VPN established across the Direct Connect public VIF gives the on-premises router a tunnel into which that traffic can be routed, so it stays on the dedicated connection. Option B is wrong because the on-premises router advertises the customer's own prefixes to AWS; advertising AWS's Global Accelerator addresses from on-premises cannot make them reachable over the public VIF. Option C is wrong because a Direct Connect gateway attaches to private and transit VIFs for VPC access and cannot be attached to Global Accelerator.

Option D is wrong because a private VIF reaches VPC resources through a virtual private gateway or Direct Connect gateway, not AWS public service endpoints.

307
MCQ · medium

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. The network team notices that traffic between two VPCs in different regions is being dropped intermittently. What is the most likely cause?

A.Transit Gateway cannot route traffic between VPCs in different regions without inter-region peering
B.Security groups in the source VPC are blocking traffic
C.Route tables in the Transit Gateway are not propagating routes correctly
D.NAT Gateway in the source VPC is causing asymmetric routing
Answer: A

Transit Gateway is a regional resource; connectivity between Transit Gateways in different regions requires an explicit inter-region peering attachment and static routes.

Why this answer

Option A is correct because a Transit Gateway only routes between attachments in its own region. To connect VPCs in different regions, the two Transit Gateways must be peered (an inter-region peering attachment, accepted on both sides) and each route table needs static routes sending the remote CIDRs to the peering attachment; without that, there is no path. Option B is incorrect because security groups are stateful and, if misconfigured, block traffic consistently rather than intermittently. Option C is incorrect because route propagation settings produce deterministic results, not intermittent drops.

Option D is incorrect because a NAT Gateway handles outbound traffic to the internet and is not in the path for inter-VPC traffic through a Transit Gateway.

308
MCQ · medium

A company has deployed a Network Load Balancer (NLB) in front of a fleet of EC2 instances in a VPC. The NLB is configured with a TCP listener on port 443. Clients are experiencing timeouts. The target group health checks are passing. What is the most likely cause?

A.Cross-zone load balancing is disabled.
B.Deletion protection is enabled on the NLB.
C.The security group for the EC2 instances does not allow traffic from the NLB.
D.The target group is using an incorrect health check path.
Answer: C

The target security group must allow the traffic the NLB forwards; health checks and client connections can arrive from different source addresses.

Why this answer

Option C is correct because the instances' security group must allow the traffic arriving through the NLB. The practitioner detail behind this symptom: NLB health checks originate from the NLB nodes' private IP addresses, while with client IP preservation enabled (the default for instance targets) forwarded client connections arrive with the client's own source IP. A security group that permits only the NLB subnet CIDRs therefore passes health checks yet drops client traffic, which is exactly "health checks passing, clients timing out". Allow the client source ranges on port 443 (or 0.0.0.0/0 for a public NLB), or disable client IP preservation on the target group. Option A is incorrect because cross-zone load balancing affects distribution across Availability Zones, not whether connections complete. Option D is incorrect because passing health checks show the health check configuration is working.

Option B is incorrect because deletion protection prevents accidental deletion of the load balancer and has no effect on traffic.

309
Multi-Select · medium

A company wants to monitor network traffic between its VPC and on-premises data center over a Direct Connect private VIF. The network team needs to capture the source and destination IP addresses, protocols, and packet counts. Which THREE AWS services or features should they use together? (Choose three.)

Select 3 answers
A.Amazon CloudWatch Logs
B.VPC Flow Logs
C.AWS CloudTrail
D.AWS Config
E.Amazon CloudWatch Contributor Insights
Answers: A, B, E

VPC Flow Logs capture the traffic metadata; CloudWatch Logs stores and queries it; Contributor Insights ranks the top talkers.

Why this answer

Option B is correct because VPC Flow Logs record IP traffic metadata (source and destination addresses, ports, protocol, packet and byte counts) for the elastic network interfaces in the VPC, including traffic that arrives over the Direct Connect private VIF. Option A is correct because CloudWatch Logs can store the flow log records and query them with Logs Insights. Option E is correct because CloudWatch Contributor Insights can analyze the flow log data to identify top talkers and similar patterns.

Option C is wrong because CloudTrail records API calls, not network traffic. Option D is wrong because AWS Config tracks resource configuration changes.

310
Multi-Select · easy

A company wants to monitor network traffic between two VPCs connected via a Transit Gateway. Which THREE AWS services can be used to capture and analyze this traffic?

Select 3 answers
A.VPC Flow Logs
B.AWS Config
C.Third-party network monitoring appliance deployed in a VPC
D.Transit Gateway Flow Logs
E.AWS CloudTrail
Answers: A, C, D

VPC Flow Logs capture IP traffic at the VPC side of each attachment; Transit Gateway Flow Logs capture it at the transit gateway itself.

Why this answer

Options A, C, and D are correct because VPC Flow Logs, Transit Gateway Flow Logs, and a third-party monitoring appliance deployed in a VPC (with traffic steered through it by transit gateway routing, or fed by traffic mirroring) can all capture and analyze this traffic. Option E is incorrect because CloudTrail logs API calls. Option B is incorrect because AWS Config records configuration changes.

311
MCQ · medium

A company is using AWS Direct Connect to connect its on-premises data center to AWS. The connection is up, but the network team cannot reach resources in a VPC. The virtual interface is in the 'available' state, and BGP session is established. What should the team check next?

A.Check the on-premises firewall rules
B.Check the BGP authentication
C.Check the VPC route tables for propagated routes
D.Check the Direct Connect physical link status
Answer: C

The Direct Connect virtual interface routes must be propagated to the VPC route tables.

Why this answer

Since the Direct Connect physical link is up, the virtual interface is available, and the BGP session is established, the issue lies in the routing of traffic within AWS. The most likely cause is that the VPC route tables do not contain the necessary routes (either static or propagated from the Direct Connect virtual private gateway) to direct traffic back to the on-premises network. Checking the VPC route tables for propagated routes is the correct next step to ensure the on-premises CIDR is being advertised and accepted.

Exam trap

The trap here is that candidates assume a working BGP session guarantees end-to-end connectivity, but BGP only ensures the routing protocol is exchanging prefixes; the VPC route table must still have the propagated routes or a static route to direct traffic to the virtual private gateway.

How to eliminate wrong answers

Option A is wrong because on-premises firewall rules would affect outbound traffic from the data center, but the question states the network team cannot reach resources in a VPC, implying the issue is on the AWS side or the routing path; the BGP session is established, so the underlying connectivity is fine. Option B is wrong because BGP authentication is already verified as the BGP session is established; if authentication were misconfigured, the session would not reach the established state. Option D is wrong because the Direct Connect physical link status is already confirmed as up, and the virtual interface is available, so the physical layer is not the problem.

312
MCQ · hard

A company has a Direct Connect connection with multiple virtual interfaces (VIFs). They notice that traffic from on-premises to a VPC is being dropped. The VPC is associated with a private VIF. The on-premises router has a BGP route to the VPC's CIDR. The VPC's route table has a route to the virtual private gateway. What is the MOST likely cause of the dropped traffic?

A.The VPC route table does not have a route pointing to the virtual private gateway for the on-premises CIDR
B.The MTU size on the Direct Connect connection is too small
C.The BGP session is not established
D.The allowed prefixes on the virtual private gateway do not include the on-premises CIDR
Answer: A

Return traffic from the VPC is dropped if its route table has no route for the on-premises CIDR.

Why this answer

Option A is correct because if the VPC route table has no route for the on-premises CIDR pointing at the virtual private gateway, the instances' return traffic has no path and the flows fail even though the forward direction arrives; the route to the virtual private gateway mentioned in the question may cover a different prefix, so check the on-premises CIDR specifically. Option C is incorrect because the on-premises router holds a BGP-learned route for the VPC CIDR, which means the session is established. Option D is incorrect because allowed prefixes control what AWS advertises toward on-premises, not how return traffic is forwarded.

Option B is incorrect because an MTU mismatch typically affects only large packets (for example, blackholing when fragmentation is prevented), not all traffic; a connection that fails completely points to routing.

313
MCQ · hard

Refer to the exhibit. A network engineer created a NAT gateway in a public subnet, but its state shows 'failed'. What is the most likely cause?

A.The subnet does not have a route to an internet gateway
B.The subnet is private
C.The NAT gateway is still being created
D.The Elastic IP is already associated with another instance
Answer: D

A NAT gateway needs an Elastic IP that is not already associated with another resource.

Why this answer

The correct answer is D. The NAT gateway was created with an allocation ID, so an Elastic IP was supplied, but creation ends in the 'failed' state when that Elastic IP is already associated with another resource (the failure message in the console reports this directly). Option A is wrong because the subnet is public and has a route to the internet gateway. Option C is wrong because the state is 'failed', not 'pending'.

Option B is wrong because the NAT gateway was created in a public subnet.

314
MCQ · hard

A company runs a multi-account AWS environment using AWS Organizations. They need to centrally manage VPC flow logs across all accounts and enable analysis for security incidents. The flow logs must be stored in a central S3 bucket in the management account. What is the MOST scalable and cost-effective approach?

A.Use a Lambda function in each account to copy flow logs from CloudWatch to a central S3 bucket.
B.Deliver flow logs to Kinesis Data Firehose in each account and then to a central S3 bucket.
C.Configure VPC Flow Logs in each account to deliver to a central S3 bucket using cross-account delivery.
D.Create flow logs in each account and export them to a central CloudWatch Logs destination.
Answer: C

Cross-account delivery of VPC Flow Logs to a central S3 bucket is scalable and cost-effective.

Why this answer

Option C is correct because VPC Flow Logs can be delivered directly to an S3 bucket in another account; the bucket policy must grant the delivery.logs.amazonaws.com service principal permission to write on behalf of each member account, and no intermediate services are needed. Option A is incorrect because publishing to CloudWatch Logs in every account and copying with Lambda adds ingestion cost, code to maintain, and failure modes. Option D is incorrect because a cross-account CloudWatch Logs destination keeps the data in the CloudWatch Logs pipeline (delivered through Kinesis) rather than landing it in the required S3 bucket.

Option B is incorrect because, although VPC Flow Logs can publish to Kinesis Data Firehose, running a delivery stream in every account adds cost and components that direct S3 delivery avoids.

315
Multi-Select · medium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team notices that VPC A cannot communicate with VPC B, while all other VPCs communicate normally. The transit gateway route table shows routes from both VPCs. Which TWO actions should the network engineer take to diagnose the issue? (Choose TWO.)

Select 2 answers
A.Check the security groups and network ACLs in VPC A and VPC B.
B.Establish a VPN connection between VPC A and the transit gateway.
C.Create a VPC peering connection between VPC A and VPC B.
D.Verify that the VPCs are associated with the correct transit gateway route table.
E.Configure an AWS Direct Connect virtual interface between the VPCs.
Answers: A, D

Security group or network ACL rules may be blocking traffic between the two VPCs, or one VPC attachment may be associated with the wrong transit gateway route table.

Why this answer

Option D is correct because a VPC attachment only uses the routes in the transit gateway route table it is associated with; if VPC A's attachment is associated with a table that lacks a route to VPC B (or vice versa), the two cannot communicate even though other VPCs are fine. Option A is correct because security groups or network ACLs in either VPC can block traffic between subnets in different VPCs even when the transit gateway routes are correct. Option C is wrong because VPC peering is not required when the VPCs are connected through a Transit Gateway.

Option E is wrong because AWS Direct Connect is for on-premises connectivity and is unrelated to inter-VPC routing. Option B is wrong because a VPN connection is not needed for VPC-to-VPC communication via Transit Gateway.

316
MCQ · medium

A network engineer notices that traffic from an EC2 instance in a public subnet to the internet is not working. The instance has a public IP assigned and is in a public subnet with a route to an internet gateway. The security group allows outbound traffic. What should the engineer check next?

A.Ensure the network ACL allows outbound traffic.
B.Verify that the route table for the subnet has a 0.0.0.0/0 route pointing to the internet gateway.
C.Confirm that the internet gateway is attached to the VPC.
D.Check if the instance has a public IP assigned.
Answer: B

Without this route, traffic cannot reach the internet.

Why this answer

Even if the instance has a public IP, if the subnet's route table does not have a default route (0.0.0.0/0) pointing to the internet gateway, traffic to the internet will fail. This is a common misconfiguration.

317
MCQ · medium

A company has deployed a web application on EC2 instances behind an Application Load Balancer (ALB). The application is experiencing intermittent timeouts. CloudWatch metrics show that the ALB's RequestCount is within normal limits, but TargetResponseTime occasionally spikes to 10 seconds. What is the most likely cause?

A.The ALB is configured with an incorrect idle timeout value.
B.The ALB's cross-zone load balancing is disabled.
C.The EC2 instances are experiencing high CPU utilization during peak periods.
D.The security group for the EC2 instances is blocking traffic from the ALB.
Answer: C

High CPU leads to slow responses, matching the symptom of occasional spikes in TargetResponseTime.

Why this answer

High CPU utilization on the EC2 instances can cause slow response times, leading to timeouts. The ALB distributes requests, so RequestCount may appear normal while individual instances struggle.

318
MCQ · hard

A network engineer is designing a multi-region architecture using AWS Transit Gateway and wants to minimize inter-region latency for data transfer between VPCs. The application requires high throughput and low latency. Which design should be used?

A.Establish VPC peering connections between all VPCs across regions
B.Use AWS Site-to-Site VPN between Transit Gateways in each region
C.Configure VPC endpoints to route traffic through AWS backbone
D.Use Transit Gateway inter-region peering between Transit Gateways
Answer: D

Inter-region peering between Transit Gateways rides the AWS backbone, giving low-latency, high-throughput connectivity.

Why this answer

Option D is correct because Transit Gateway inter-region peering connects the two gateways directly over the AWS global backbone, with traffic encrypted and never traversing the public internet. Option A is wrong because VPC peering is a one-to-one, non-transitive connection; a mesh of peerings across many VPCs and regions does not scale. Option B is wrong because Site-to-Site VPN adds IPsec overhead and per-tunnel bandwidth limits.

Option C is wrong because VPC endpoints provide private access to AWS services, not connectivity between VPCs.

319
Matching · medium

Match each AWS service or feature to its primary function in network architecture.

Concepts: AWS Transit Gateway, AWS Direct Connect, VPC Peering, AWS PrivateLink, AWS Site-to-Site VPN

AWS Transit Gateway: Hub-and-spoke connectivity between VPCs and on-premises

AWS Direct Connect: Dedicated network connection from on-premises to AWS

VPC Peering: Direct network connection between two VPCs

AWS PrivateLink: Private access to services across VPCs and accounts

AWS Site-to-Site VPN: Encrypted tunnel over the internet to AWS

Why these pairings

These are the core AWS connectivity services: Transit Gateway and VPC peering connect networks to each other (hub-and-spoke versus one-to-one), Direct Connect and Site-to-Site VPN bring on-premises networks in (dedicated circuit versus IPsec over the internet), and PrivateLink exposes individual services without opening network-level routing between VPCs.

320
MCQ · hard

A company is using an AWS Transit Gateway to connect multiple VPCs and on-premises networks via Direct Connect. The network team notices that traffic from an on-premises network (CIDR 172.16.0.0/12) to a VPC (CIDR 10.0.0.0/16) is being dropped. The transit gateway route table shows a static route for 10.0.0.0/16 pointing to the VPC attachment. The Direct Connect virtual interface (VIF) is associated with the transit gateway and the on-premises router is advertising 172.16.0.0/12 via BGP. What is the most likely cause of the traffic being dropped?

A.The VPC has a route that points to the transit gateway for the on-premises CIDR, causing asymmetric routing.
B.The Direct Connect VIF is not configured with BFD.
C.The transit gateway route table does not have a route for the on-premises CIDR (172.16.0.0/12) pointing to the Direct Connect attachment.
D.The VPC route table does not have a route for the on-premises CIDR pointing to the transit gateway.
Answer: C

The transit gateway needs a route for the on-premises CIDR to forward return traffic to the Direct Connect attachment.

Why this answer

The transit gateway route table must contain a route for the on-premises CIDR (172.16.0.0/12) pointing to the Direct Connect attachment for return traffic to be forwarded correctly. Without this route, the transit gateway has no path for traffic destined to the on-premises network, causing it to be dropped. The static route for 10.0.0.0/16 only handles traffic toward the VPC, not the return direction.

Exam trap

The trap here is that candidates often assume the transit gateway automatically learns routes from BGP advertisements over Direct Connect and installs them into the route table, but in reality, you must either propagate the attachment or add a static route for the on-premises CIDR.

How to eliminate wrong answers

Option A is wrong because a VPC route table entry sending the on-premises CIDR to the transit gateway is the normal and required configuration for return traffic, not asymmetric routing. Option B is wrong because BFD (Bidirectional Forwarding Detection) only speeds up failure detection on the BGP session; its absence does not stop traffic from being forwarded. Option D is wrong in this scenario because the question places the gap in the transit gateway route table, which has a static route toward the VPC but nothing for 172.16.0.0/12; in practice a missing on-premises route in the VPC route table would also break the return path, so check both tables when troubleshooting.
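The two-table return-path problem above (and the VPC-route-table variant in the Direct Connect questions earlier on this page) is worth tracing hop by hop. Below is an added example, not from the quiz: a small longest-prefix-match walk over constructed route tables. The table names ("onprem-rt", "tgw-rt", "vpc-rt") and attachment names ("vpc-attachment", "dx-attachment") are made up, and the Direct Connect attachment is modelled simply as the transit gateway route table it is associated with. It shows the forward path succeeding while the return path drops, then fixes it by propagating the on-premises prefix.

```python
"""Longest-prefix-match walk through VPC and Transit Gateway route tables.

Added example, not from the quiz. It models the scenario with made-up table
names ("onprem-rt", "tgw-rt", "vpc-rt") and treats attachments such as
"vpc-attachment" and "dx-attachment" as terminal hops that deliver the packet.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


class RouteTable:
    def __init__(self, routes: List[Tuple[str, str]]):
        # (destination CIDR, target); a target that names another table keeps the
        # packet moving, anything else (attachment, gateway, "local") is terminal.
        self.routes = [(ipaddress.ip_network(cidr), target) for cidr, target in routes]

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        matches = [(net, tgt) for net, tgt in self.routes if addr in net]
        if not matches:
            return None
        # Longest prefix wins, exactly as in VPC and TGW route tables.
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(tables: Dict[str, RouteTable], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Return the hop list for a packet to `dst`, ending in an attachment or a DROP marker."""
    hops = [start]
    table = start
    for _ in range(max_hops):
        target = tables[table].lookup(dst)
        if target is None:
            hops.append("DROP(no route)")
            return hops
        hops.append(target)
        if target not in tables:   # terminal: the attachment delivers the packet
            return hops
        table = target
    hops.append("DROP(loop)")
    return hops


def propagate(table: RouteTable, attachment: str, prefixes: List[str]) -> None:
    """Model TGW route propagation: install BGP-learned prefixes pointing at the attachment."""
    for cidr in prefixes:
        table.routes.append((ipaddress.ip_network(cidr), attachment))


def build_tables(propagate_onprem: bool) -> Dict[str, RouteTable]:
    """Constructed topology: on-prem 172.16.0.0/12 <-> Direct Connect <-> TGW <-> VPC 10.0.0.0/16."""
    tables = {
        # On-prem router learned 10.0.0.0/16 over BGP; the DX attachment is associated
        # with "tgw-rt", so traffic arriving from on-prem consults that table next.
        "onprem-rt": RouteTable([("172.16.0.0/12", "local"), ("10.0.0.0/16", "tgw-rt")]),
        # TGW route table as described in the question: only the static route to the VPC.
        "tgw-rt": RouteTable([("10.0.0.0/16", "vpc-attachment")]),
        # VPC route table: local plus the on-prem CIDR pointing back at the TGW.
        "vpc-rt": RouteTable([("10.0.0.0/16", "local"), ("172.16.0.0/12", "tgw-rt")]),
    }
    if propagate_onprem:
        propagate(tables["tgw-rt"], "dx-attachment", ["172.16.0.0/12"])
    return tables


def round_trip(tables: Dict[str, RouteTable]) -> Tuple[List[str], List[str]]:
    """Forward path on-prem -> VPC instance, and the VPC's return path."""
    return forward(tables, "onprem-rt", "10.0.1.10"), forward(tables, "vpc-rt", "172.16.5.5")


if __name__ == "__main__":
    for flag in (False, True):
        fwd, ret = round_trip(build_tables(propagate_onprem=flag))
        print(f"propagation={flag}: forward={fwd} return={ret}")
```

Without propagation the forward path reaches "vpc-attachment" while the return path stops at "tgw-rt" with no route, which is exactly why the on-premises side sees its traffic "dropped" even though its own routing looks fine. Removing the 172.16.0.0/12 entry from "vpc-rt" instead reproduces the virtual-private-gateway variant, with the drop moving one table earlier.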

321
Multi-Select · hard

A company uses AWS Direct Connect with a public VIF to access S3. The on-premises network uses BGP to advertise a specific prefix to AWS. The company wants to ensure that traffic to S3 from on-premises always uses the Direct Connect connection and not the internet. Which TWO configurations must be in place?

Select 2 answers
A.Set a higher MED value on routes learned from the internet to make them less preferred.
B.Set a higher local preference on the Direct Connect BGP session for the S3 prefixes.
C.Disable the internet gateway for the VPC.
D.Set the AS_PATH prepend on the Direct Connect BGP session.
E.Configure the on-premises router to advertise a more specific route for the S3 CIDR blocks over the Direct Connect BGP session.
Answers: B, E

Local preference influences outbound route selection; higher value is preferred.

Why this answer

To force traffic to S3 through Direct Connect, the on-premises routers must prefer the Direct Connect path. This involves advertising a specific prefix (like the S3 service endpoints) over BGP with a higher local preference, and using the most specific route (longest prefix match).

322
MCQ · easy

A company has a VPC with public and private subnets. An EC2 instance in the private subnet needs to access the internet. The instance has a route table with a default route to a NAT gateway. However, the instance cannot reach the internet. What is the most likely cause?

A.The NAT gateway is placed in a private subnet.
B.The instance does not have a public IP address assigned.
C.The security group attached to the instance does not allow outbound HTTPS traffic.
D.The network ACL on the private subnet blocks outbound HTTP traffic.
Answer: A

A NAT gateway must be in a public subnet whose route table sends 0.0.0.0/0 to an internet gateway.

Why this answer

Option A is correct because a NAT gateway placed in a private subnet has no path to the internet gateway itself, so the traffic it translates cannot leave the VPC. Option C is wrong because security groups are stateful and allow all outbound traffic by default. Option B is wrong because an instance behind a NAT gateway does not need a public IP address for outbound access.

Option D is wrong because network ACLs are stateless and need explicit rules, but the default network ACL allows all outbound traffic.

323
MCQ · hard

A company uses AWS CloudFormation to deploy a multi-tier application. The template includes a VPC, public and private subnets, security groups, and an Application Load Balancer. The network team wants to ensure that the ALB can only accept traffic from a specific set of IP addresses. They add a security group rule that allows inbound traffic on port 443 from the allowed IP CIDR. However, after deployment, the ALB is not responding to requests from the allowed IPs. The team checks the security group and confirms the rule exists. They also verify that the ALB is in the public subnet and has a public DNS name. What is the MOST likely cause?

A.The security group rule is blocking return traffic; security groups are stateful.
B.The ALB listener is not configured to forward traffic to the target group.
C.The public subnet does not have a route to an internet gateway.
D.The ALB is using an internal scheme instead of internet-facing.
Answer: C

Without a route to an internet gateway, the ALB's public subnet cannot receive traffic from the internet.

Why this answer

Option C is correct. An internet-facing ALB must sit in subnets whose route table sends 0.0.0.0/0 to an internet gateway; a subnet that is "public" in name only, without that route, cannot receive or return internet traffic, so requests from the allowed IPs never complete.

Option A is wrong because security groups are stateful and automatically allow return traffic for permitted inbound connections. Option B is wrong because a listener with no forwarding action makes the ALB answer with an error (such as a 503) rather than not responding at all. Option D is wrong because the team deployed the ALB in the public subnet for internet access; an internal scheme would be a deployment mistake visible in the template, not a networking fault.

324
MCQ · hard

A company has a VPC with an AWS Site-to-Site VPN connection to their on-premises network. The VPN uses dynamic routing with BGP. The on-premises network is advertising a specific route to the VPC. However, instances in the VPC cannot reach the on-premises network. The VPN tunnels are up and BGP sessions are established. What should the engineer check?

A.The tunnel options include the correct encryption algorithms.
B.The on-premises router is advertising the route with the correct ASN.
C.Route propagation is enabled on the VPC route tables.
D.The VPN connection's static routes are configured for the on-premises CIDR.
Answer: C

Without route propagation, BGP-learned routes never reach the VPC route tables.

Why this answer

Option C is correct because even when the virtual private gateway receives routes over BGP, they only appear in a VPC route table if route propagation from that gateway is enabled on the table (or a static route is added). Option D is incorrect because static routes belong to statically routed VPN connections; with dynamic routing the routes are learned over BGP.

Option B is incorrect because the BGP sessions are established, so the ASNs on both sides already match. Option A is incorrect because the tunnels are up, so the encryption algorithms were negotiated successfully.

325
MCQ · medium

A company has a VPC with an AWS Direct Connect private VIF connected to a virtual private gateway. The on-premises network uses BGP to advertise routes to AWS. The network team wants to ensure that only specific prefixes from on-premises are accepted. They configure the virtual private gateway with a BGP community. However, after configuration, they notice that all prefixes are still being accepted. What is the MOST likely reason?

A.The virtual private gateway needs to have the BGP community enabled.
B.The virtual private gateway does not filter routes based on BGP communities; you need to use a prefix list.
C.The BGP community is not being advertised by the on-premises router.
D.The BGP community must be configured on the customer gateway device.
Answer: B

BGP communities are tags on routes, not filters.

Why this answer

BGP communities tag routes so that a receiving router can apply policy to them, but the virtual private gateway does not filter the prefixes it accepts based on communities. Option B is correct: to limit which on-premises prefixes reach AWS, filter with a prefix list in the BGP policy on the customer gateway router (outbound toward AWS); on the AWS side, the allowed prefixes on a Direct Connect gateway association control what is advertised toward on-premises, not what is accepted.

Option A is wrong because there is no per-gateway setting that turns on community-based filtering. Option C is wrong because even if the router attached the community, the virtual private gateway would not filter on it. Option D is wrong because configuring communities on the customer gateway device tags routes but does not make the gateway drop unlisted prefixes.

326
Multi-Select · medium

A network engineer is analyzing VPC Flow Logs and notices that some rejected traffic is not logged. Which THREE conditions could cause this?

Select 3 answers
A.The traffic is blocked by a network ACL.
B.The traffic is rejected by the destination network.
C.The Flow Logs capture only accepted traffic due to the filter.
D.The Flow Logs are configured for a specific network interface only.
E.The traffic is blocked by a security group before reaching the network interface.
Answers: C, D, E

Flow Logs are created with a filter (ACCEPT, REJECT or ALL) and are scoped to a VPC, subnet or network interface; traffic outside that scope or filter is never written.

Why this answer

Options C, D, and E are the intended answers. Option C: a flow log created with the ACCEPT filter records only accepted traffic, so rejected flows are never written. Option D: a flow log created for a single network interface records nothing for the other interfaces in the VPC, so rejected traffic on those interfaces is absent. Option E rests on the reasoning that traffic stopped before it reaches the network interface is never seen by the flow log. A caveat for practitioners: AWS does record traffic denied by security groups and network ACLs as REJECT records at the interface, so the traffic that genuinely never appears is the excluded categories (queries to the Amazon DNS resolver, DHCP, instance metadata, Windows license activation, traffic to the VPC router's reserved addresses, and mirrored traffic), plus records lost when log-status is SKIPDATA. Option A is wrong because traffic blocked by a network ACL is captured as REJECT.

Option B is wrong because the flow log records the traffic as it leaves the interface, whatever the remote network does with it afterwards.
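The flow-log questions on this page (capturing traffic over Direct Connect with CloudWatch Logs and Contributor Insights, and the conditions under which rejected traffic is absent) come down to reading records and checking their log-status. The following is an added example, not from the quiz: a parser for the default version-2 flow log format run over a constructed sample (the account ID, ENI ID, addresses and counts are made up) that separates real flows from NODATA/SKIPDATA records, ranks top talkers by bytes as Contributor Insights would, and counts REJECT records per destination port.

```python
"""Parse VPC Flow Log records and summarize what was (and was not) captured.

Added example, not from the quiz. The records below are constructed in the
default version-2 format (space-separated, one flow per line); the ENI ID,
account ID and addresses are made up. 172.16.0.0/12 stands for the on-prem
side reached over Direct Connect, as in the questions above.
"""
from collections import Counter
from typing import Dict, List, Tuple

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

# Constructed sample: both directions of an HTTPS session from on-prem, two
# rejected probes from the internet (SSH, RDP), and two records with no flow data.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 172.16.5.5 10.0.1.10 49152 443 6 20 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 172.16.5.5 443 49152 6 18 90000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.10 53211 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.10 53212 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - SKIPDATA
"""


def parse(text: str) -> Tuple[List[Dict[str, str]], Counter]:
    """Return (flow records, count of records carrying no flow data).

    NODATA means no traffic in the window; SKIPDATA means records were lost
    (capacity or internal error), so a missing REJECT may be a logging gap
    rather than evidence that the traffic never reached the interface.
    """
    flows: List[Dict[str, str]] = []
    skipped: Counter = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed line: ignore rather than guess
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            skipped[rec["log_status"]] += 1
            continue
        flows.append(rec)
    return flows, skipped


def top_talkers(flows: List[Dict[str, str]], n: int = 3) -> List[Tuple[Tuple[str, str], int]]:
    """Bytes per (src, dst) pair, largest first: what Contributor Insights would rank."""
    by_pair: Counter = Counter()
    for rec in flows:
        by_pair[(rec["srcaddr"], rec["dstaddr"])] += int(rec["bytes"])
    return by_pair.most_common(n)


def rejects_by_port(flows: List[Dict[str, str]]) -> Dict[int, int]:
    """Count REJECT records per destination port (security group / network ACL denials)."""
    ports: Counter = Counter()
    for rec in flows:
        if rec["action"] == "REJECT":
            ports[int(rec["dstport"])] += 1
    return dict(ports)


if __name__ == "__main__":
    flows, skipped = parse(SAMPLE_LOG)
    print(f"{len(flows)} flows, skipped={dict(skipped)}")
    print("top talkers:", top_talkers(flows))
    print("rejects by dst port:", rejects_by_port(flows))
```

The same functions work on a file exported from CloudWatch Logs or S3 as long as the flow log uses the default format; if a custom format was chosen, adjust `FIELDS` to match the field order the flow log was created with.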

327
MCQ · medium

A company uses AWS Direct Connect with a private VIF to connect to a VPC. The network team notices that traffic from on-premises to an EC2 instance in the VPC is taking a suboptimal path through the internet instead of the Direct Connect. What is the most likely cause?

A.The on-premises router does not have a specific route for the VPC CIDR via the Direct Connect.
B.The VPC route table does not include a route to the Direct Connect gateway.
C.The Direct Connect virtual interface has BGP ASN prepending configured.
D.The VPC route table does not have a prefix list for the on-premises CIDR.
Answer: A

Without a more specific (or preferred) route for the VPC CIDR via Direct Connect, the on-premises router follows its default route toward the internet.

Why this answer

Option A is correct. The on-premises router chooses the path toward AWS; if it does not hold a route for the VPC CIDR pointing at the Direct Connect private VIF (learned via BGP or configured statically), traffic follows the default route to the internet. Option D is wrong because VPC route tables are not configured with prefix lists for this purpose, and nothing in the VPC route table changes how the on-premises router forwards.

Option C is wrong because AS path prepending would only make the Direct Connect route less preferred than a competing route and is not a setting on the virtual interface itself; the on-premises routing table is the place to look. Option B is wrong because the VPC route table governs return traffic inside AWS and is not visible to the on-premises router's forwarding decision.

328
Multi-Select · medium

A network engineer is troubleshooting a slow connection between an EC2 instance and an RDS database in the same VPC. The engineer wants to analyze network performance metrics. Which TWO metrics should the engineer examine? (Choose two.)

Select 2 answers
A.Database connections count
B.Disk queue depth
C.Round-trip time between the EC2 instance and RDS
D.RDS instance CPU utilization
E.Network packets dropped by the RDS instance's network interface
Answers: C, E

Round-trip time is the direct measure of latency; packets dropped at the network interface indicate congestion or an exhausted network allowance.

Why this answer

Options C and E are correct. Packets dropped by the RDS instance's network interface indicate congestion or an instance exceeding its network allowance, and round-trip time between the EC2 instance and the database is a direct measure of network latency.

Option D is incorrect because CPU utilization is a system metric, not a network one (though high CPU can also slow queries). Option A is incorrect because the database connection count is an application-level metric. Option B is incorrect because disk queue depth is a storage metric.

329
MCQhard

A company has a large AWS environment with hundreds of VPCs connected via Transit Gateway. They want to centrally manage network traffic flow and enforce security policies. Which service should they use to create a central network inspection architecture?

A.AWS WAF
B.Security groups
C.AWS Network Firewall
D.AWS Shield Advanced
AnswerC

Network Firewall is designed for centralized network inspection and can be integrated with Transit Gateway.

Why this answer

AWS Network Firewall is a managed, stateful firewall that can be deployed in a dedicated inspection VPC; Transit Gateway route tables then steer traffic from the spoke VPCs through that VPC before it continues, giving a single enforcement and logging point. AWS WAF protects HTTP applications, security groups are applied per network interface rather than centrally, and Shield Advanced is DDoS protection, not traffic inspection.

330
MCQmedium

A company has a hybrid network with multiple VPCs connected via a Transit Gateway. They want to centralize outbound internet traffic through a single VPC with a NAT gateway. The security team requires that all traffic to the internet must be logged. Which solution is MOST operationally efficient?

A.Enable VPC Flow Logs on the NAT gateway's subnet and publish to Amazon S3
B.Enable VPC Flow Logs on the central VPC and publish to Amazon CloudWatch Logs
C.Deploy a third-party firewall appliance in the central VPC and enable logging
D.Enable AWS CloudTrail to log all network events
AnswerB

Captures all IP traffic and can be analyzed.

Why this answer

Option B is correct because VPC Flow Logs enabled at the VPC level capture every IP flow in the central VPC, including flows entering from the transit gateway and leaving through the NAT gateway, and publishing them to CloudWatch Logs makes them queryable and alertable with no extra infrastructure to run. Option A is incorrect because logging only the NAT gateway's subnet narrows the capture to that subnet rather than all internet-bound traffic in the central VPC. Option D is incorrect because AWS CloudTrail logs API calls, not network traffic.

Option C is incorrect because a third-party appliance adds operational overhead that is unnecessary when the requirement is logging alone.

331
Multi-Selecthard

A company is using a transit gateway to connect multiple VPCs and on-premises networks via VPN. The network team notices that some VPCs can communicate with each other but not with the on-premises network. The transit gateway route tables are configured correctly. Which TWO configurations should the team check?

Select 2 answers
A.Verify that the transit gateway is in a 'available' state
B.Check the security group rules of the EC2 instances in the VPCs
C.Verify that the on-premises router is advertising the on-premises CIDR over BGP to the VPN
D.Check the VPC Flow Logs for dropped packets
E.Confirm that the VPN attachment is associated with the correct transit gateway route table
AnswersC, E

If routes are not advertised, the transit gateway won't have paths to on-premises.

Why this answer

Options C and E are correct. The VPN attachment must be associated with (and, with dynamic routing, propagate into) the correct transit gateway route table (E), and the on-premises router must advertise its CIDR over BGP so the transit gateway learns a path to on-premises (C). Option A is incorrect because inter-VPC traffic is flowing, so the transit gateway is available.

Option B is incorrect because the question is about the transit gateway and VPN routing path; security groups only come into play once a route to on-premises exists. Option D is incorrect because VPC Flow Logs observe traffic; they do not change routing.

332
MCQeasy

A network engineer is troubleshooting intermittent connectivity issues between two VPCs connected via a VPC peering connection. The engineer notices that the route tables in both VPCs have the correct routes. What should the engineer check next?

A.Check security group and network ACL rules
B.Verify that DNS resolution is enabled for the VPCs
C.Ensure that the VPN connection is active
D.Check the internet gateway configuration
AnswerA

Security groups and NACLs can block traffic even with correct routes.

Why this answer

Option A is correct because security group rules and network ACLs can block traffic even when routes are correct; intermittent failures in particular often point to a stateless NACL that does not allow the ephemeral port range on the return path. Option B is wrong because DNS resolution does not affect IP connectivity over the peering connection. Option C is wrong because a VPN connection is a different service and is not part of VPC peering.

Option D is wrong because an internet gateway is not involved in VPC peering.

333
MCQhard

A company is using AWS Client VPN to provide remote access to employees. Users report that they can connect to the VPN but cannot reach resources in the VPC. The Client VPN endpoint is associated with a subnet, and authorization rules are configured. What is the most likely cause?

A.The Client VPN endpoint's security group does not allow inbound traffic from the client IP pool.
B.The VPC's network ACLs are blocking traffic.
C.The authorization rules are not associated with the correct groups.
D.The subnet association is missing.
AnswerA

The security group acts as a firewall for the VPN endpoint; if it doesn't allow traffic from the client CIDR, traffic is blocked.

Why this answer

Three things must line up for a connected client to reach the VPC: the endpoint must be associated with a target subnet (which also adds a route for that VPC's CIDR to the endpoint's route table), an authorization rule must permit the destination CIDR for the user's group, and the security groups applied to the endpoint's target network association must allow the traffic. The question states that the first two are in place, so the security group applied to the endpoint is the most likely remaining cause. Option C contradicts the statement that authorization rules are configured, Option D contradicts the statement that the subnet association exists, and Option B is an endpoint-independent control that the question gives no reason to suspect.

334
MCQhard

A company has a multi-account AWS environment using AWS Organizations. Each account contains a VPC with a private subnet and a public subnet. The company uses a centralized inspection VPC in the network account with third-party firewall appliances. All internet-bound traffic from the VPCs must be routed through the inspection VPC via an AWS Transit Gateway. The network team has configured the transit gateway with separate route tables: one for the inspection VPC and one for the spoke VPCs. The spoke VPCs have a default route (0.0.0.0/0) pointing to the transit gateway. The inspection VPC has a default route pointing to an egress VPC that has an internet gateway. However, traffic from a spoke VPC is not reaching the internet. The network engineer has verified that the firewall appliances are running and that the security groups and NACLs allow traffic. What is the most likely cause of the issue?

A.The inspection VPC route table does not have a route to the transit gateway for the spoke VPC CIDRs.
B.The inspection VPC route table does not have a route to the spoke VPC CIDRs via the transit gateway.
C.The inspection VPC route table has a blackhole route for the spoke VPC CIDRs.
D.The transit gateway route table for the spoke VPCs does not have a route to the egress VPC.
AnswerA

Correct: Without a route to the transit gateway, the firewall cannot send traffic back to the spoke VPCs.

Why this answer

Option A is correct. In a centralized inspection design the spoke VPCs' default route sends traffic to the transit gateway, whose spoke route table forwards it to the inspection VPC. After the firewall has inspected a flow, both the forward traffic toward the egress path and the return traffic toward the spoke leave the inspection VPC through its transit gateway attachment. If the inspection VPC's route table has no route for the spoke VPC CIDRs pointing at the transit gateway, the firewall has nowhere to send the return traffic and the flow fails even though the forward path works. Option B is a near-restatement of A; the answer key credits A, which names the transit gateway as the route target.

Option C is wrong because a blackhole route would be visible immediately in the route table and is not part of a working design. Option D is wrong because the transit gateway route table for the spoke VPCs should point to the inspection VPC, not the egress VPC; sending spokes straight to egress would bypass inspection.

335
MCQeasy

A network engineer is designing a highly available VPN connection between an on-premises network and AWS. The on-premises network has two internet connections from different ISPs. Which AWS VPN configuration should be used to provide the highest availability?

A.Create a single VPN tunnel from one customer gateway to the virtual private gateway.
B.Create two customer gateways, each with a VPN tunnel to the virtual private gateway.
C.Create one customer gateway with two VPN tunnels, each using different internet connections.
D.Use AWS Direct Connect instead of VPN for higher availability.
AnswerB

Two tunnels from different devices and ISPs provide high availability.

Why this answer

Option B is correct because each customer gateway represents a separate on-premises device, and each VPN connection to the virtual private gateway provides two tunnels, so two customer gateways (one per ISP link) give redundancy at both the device and the ISP level. Option A is wrong because a single VPN tunnel has no redundancy. Option C is wrong because a single customer gateway device remains a single point of failure even if its tunnels use different ISPs.

Option D is wrong because the question asks for a VPN configuration; Direct Connect is a separate dedicated-connection service, not a VPN.

336
Multi-Selectmedium

A network team is planning a migration of a legacy application to AWS. The application requires a static IP address for the on-premises firewall whitelist. Which THREE AWS services can provide a static IP address for outbound traffic from a VPC?

Select 3 answers
A.AWS Direct Connect with a public virtual interface.
B.VPC endpoint (gateway endpoint) for S3.
C.Application Load Balancer without a static IP.
D.Amazon NAT Gateway with an Elastic IP address.
E.Network Load Balancer with an Elastic IP address per subnet.
AnswersA, D, E

Traffic over a public VIF comes from a static public IP (the Direct Connect public IP).

Why this answer

Options A, D, and E are correct. A NAT gateway is assigned an Elastic IP, so all outbound traffic from the private subnets leaves from that fixed address; a public VIF on Direct Connect presents a fixed public IP on the Direct Connect side; and an internet-facing Network Load Balancer can be given one Elastic IP per subnet. Option B is wrong because a gateway endpoint is a route-table target for S3 traffic and exposes no fixed IP.

Option C is wrong because an Application Load Balancer's addresses change over time; it does not have a static IP by default.

337
MCQmedium

A network engineer is monitoring a Direct Connect connection. The exhibit shows CloudWatch metric data for the ConnectionState metric. The engineer sees that the average value is 0.0 for most of the day. What does this indicate?

A.The connection was fluctuating between up and down.
B.The connection was down for most of the day.
C.The metric data is incomplete.
D.The connection was up and stable.
AnswerB

0 means down.

Why this answer

Option B is correct because the ConnectionState metric reports 1 when the connection is up and 0 when it is down; an average of 0.0 over most of the day means the connection was down for that period. Option A is wrong because flapping would produce an average between 0 and 1, not a steady 0.0.

Option C is wrong because the data points are present; they are simply zero. Option D is wrong because an up and stable connection would average 1.0.

338
MCQhard

A network engineer configured a custom network ACL for a VPC. An EC2 instance in a subnet associated with this ACL cannot receive ping (ICMP) from the internet. The security group allows ICMP. Which rule is causing the issue?

A.The default NACL rules are missing.
B.Outbound rule 220 blocks all outbound traffic.
C.Inbound rule 130 allows ICMP, but it is overridden by rule 120.
D.Inbound rule 100 only allows HTTPS.
AnswerC

Rule 120 (deny all) is evaluated before rule 130 (allow ICMP), so ICMP is denied.

Why this answer

Option C is correct. Network ACL rules are evaluated in ascending rule-number order and the first matching rule decides; evaluation does not continue to later rules. Rule 100 allows only HTTPS, so an inbound ICMP echo request does not match it; rule 120 is a deny-all, so the request matches there and is dropped before the ICMP allow at rule 130 is ever reached. The fix is to give the ICMP allow a number lower than the deny-all (for example 110), or to remove the explicit deny-all and rely on the implicit catch-all deny at the end of the list. Because NACLs are stateless, the outbound rules must also permit the echo reply; here the outbound side already allows it, so it is not the cause.

Option A is incorrect because a custom NACL is expected to replace the default rules; the ICMP allow exists, it is simply ordered after the deny-all. Option B is incorrect because the outbound rules are not what blocks the inbound request.

Option D is incorrect because rule 100 allowing only HTTPS does not by itself deny ICMP; the deny comes from rule 120.
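The evaluation order described above, as an added example that is not part of the question bank. The rule numbers and contents (100 allow HTTPS, 120 deny all, 130 allow ICMP, a single outbound allow-all) are assumed to match the explanation; the original exhibit is not reproduced. The simulator applies the same first-match, ascending-order semantics AWS uses for network ACLs, and checks both directions because NACLs are stateless.

```python
"""Network ACL evaluation order, worked through for the scenario above.

Added example, not from the question bank. Rule numbers and contents are
assumed to match the explanation; the original exhibit is not reproduced.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

ALL = "-1"   # AWS uses protocol number -1 to mean "all protocols"
TCP = "6"
ICMP = "1"


@dataclass(frozen=True)
class NaclRule:
    number: int
    protocol: str             # "6" (TCP), "1" (ICMP) or "-1" (all)
    port_from: Optional[int]  # None for protocols without ports or for "all"
    port_to: Optional[int]
    action: str               # "allow" or "deny"

    def matches(self, protocol: str, port: Optional[int]) -> bool:
        if self.protocol != ALL and self.protocol != protocol:
            return False
        if self.port_from is None or self.port_to is None:
            return True
        return port is not None and self.port_from <= port <= self.port_to


def evaluate(rules: Iterable[NaclRule], protocol: str,
             port: Optional[int] = None) -> Tuple[Optional[int], str]:
    """Evaluate in ascending rule number; the first match is final.
    Nothing matching falls through to the implicit '*' rule, which denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port):
            return rule.number, rule.action
    return None, "deny"


# The misordered list from the question: deny-all sits before the ICMP allow.
BROKEN_INBOUND = [
    NaclRule(100, TCP, 443, 443, "allow"),
    NaclRule(120, ALL, None, None, "deny"),
    NaclRule(130, ICMP, None, None, "allow"),
]

# The fix: give the ICMP allow a number lower than the deny-all.
FIXED_INBOUND = [
    NaclRule(100, TCP, 443, 443, "allow"),
    NaclRule(110, ICMP, None, None, "allow"),
    NaclRule(120, ALL, None, None, "deny"),
]

# Assumed outbound list: a single allow-all, as the explanation treats it.
OUTBOUND = [NaclRule(100, ALL, None, None, "allow")]


def ping_allowed(inbound: Iterable[NaclRule], outbound: Iterable[NaclRule]) -> bool:
    """NACLs are stateless: the echo request must pass inbound AND the echo
    reply must pass outbound, each checked against its own rule list."""
    _, request = evaluate(inbound, ICMP)
    _, reply = evaluate(outbound, ICMP)
    return request == "allow" and reply == "allow"


if __name__ == "__main__":
    print("broken:", evaluate(BROKEN_INBOUND, ICMP))  # (120, 'deny')
    print("fixed: ", evaluate(FIXED_INBOUND, ICMP))   # (110, 'allow')
```

Running it shows the HTTPS flow passing rule 100 in both lists while ICMP hits rule 120 in the broken list and rule 110 in the fixed one; any protocol the explicit rules do not name falls through to the implicit deny.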

339
Multi-Selectmedium

A network engineer is troubleshooting an issue where an EC2 instance in a VPC cannot reach an S3 bucket via a gateway endpoint. The instance is in a private subnet with a route table that has a route for the S3 prefix list pointing to the gateway endpoint. Which TWO actions should the engineer take to diagnose the problem?

Select 2 answers
A.Verify that the route table for the subnet includes a route for the S3 prefix list (com.amazonaws.region.s3) with target type gateway endpoint.
B.Ensure the VPC has an interface endpoint for S3.
C.Review VPC Flow Logs for the subnet to see if traffic is being dropped.
D.Confirm that the EC2 instance has a public IP address.
E.Check the security group associated with the EC2 instance to ensure it allows outbound HTTPS (443) traffic.
AnswersA, E

Without this route, traffic goes to NAT/IGW.

Why this answer

Options A and E are correct. The subnet's route table must contain the S3 prefix-list route targeting the gateway endpoint, and the instance's security group must allow outbound HTTPS (443), which is what the S3 API uses. In practice, also review the endpoint policy and the bucket policy, either of which can reject the request even when routing is correct. Option D is wrong because a gateway endpoint does not require a public IP on the instance.

Option B is wrong because the subnet is using a gateway endpoint; an interface endpoint is a different construct. Option C is not the first step because flow logs show whether traffic was accepted or rejected, not why a route or policy is wrong.

340
Multi-Selectmedium

A company is designing a VPN connection between an on-premises network and AWS. The network engineer wants to ensure high availability and fast failover. Which TWO actions should the engineer take? (Select TWO.)

Select 2 answers
A.Use the same customer gateway IP address for both tunnels
B.Use static routes instead of BGP to simplify configuration
C.Create two separate VPN connections to the same VPC
D.Enable BGP and configure BFD (Bidirectional Forwarding Detection) on the VPN tunnels
E.Configure two VPN tunnels to two different AWS endpoint IP addresses
AnswersD, E

BFD provides sub-second failure detection.

Why this answer

Options D and E are correct. E: two tunnels terminating on two different AWS endpoint IP addresses give redundancy on the AWS side. D: BGP with BFD detects a dead tunnel quickly so routes fail over without waiting for long protocol timers.

Option B is wrong because static routes do not fail over dynamically. Option A is wrong because both tunnels sharing one customer gateway IP is the normal arrangement and adds no availability. Option C is wrong because multiple VPN connections to the same VPC are not needed when the tunnels themselves are diverse.

341
Multi-Selecthard

A company has a VPC with multiple subnets. The network engineer wants to monitor network traffic between two specific EC2 instances in different subnets. Which THREE methods can be used to capture and analyze this traffic?

Select 3 answers
A.Enable VPC Flow Logs for the subnets containing the instances.
B.Configure Traffic Mirroring on one of the instances' ENI.
C.Use AWS CloudTrail to log network traffic.
D.Create a VPC peering connection between the two subnets' VPCs.
E.Set up AWS Network Firewall and route traffic through it.
AnswersA, B, E

Flow logs will show metadata of all traffic, including between the instances.

Why this answer

VPC Flow Logs capture flow metadata for the instances' network interfaces, Traffic Mirroring copies full packets from an ENI to a monitoring target, and AWS Network Firewall can inspect traffic once routing steers the flow through it. CloudTrail records API calls, not packets, and VPC peering provides connectivity between VPCs; the two subnets here are already in the same VPC.

342
Multi-Selecteasy

A network engineer is setting up a VPC peering connection between two VPCs in the same AWS account and Region. Which TWO steps are required to enable communication between instances in the peered VPCs? (Choose two.)

Select 2 answers
A.Attach an internet gateway to each VPC
B.Establish a VPN connection between the VPCs
C.Add routes in each VPC's route table pointing to the CIDR of the other VPC
D.Configure a NAT gateway in each VPC
E.Update security group rules to allow traffic from the peered VPC CIDR
AnswersC, E

Routes are needed for traffic to traverse the peering connection.

Why this answer

Option C is correct because each VPC's route table needs a route for the other VPC's CIDR with the peering connection as the target. Option E is correct because security group rules must allow the traffic from the peered VPC CIDR (or from a security group in the peer). Option A is wrong because peering traffic does not traverse an internet gateway.

Option B is wrong because VPC peering does not use a VPN connection. Option D is wrong because a NAT gateway is not required for VPC peering.

343
Multi-Selectmedium

A company is using AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. The network team wants to log and monitor all traffic flows across the Transit Gateway for security analysis. Which TWO actions should the team take? (Choose TWO.)

Select 2 answers
A.Use AWS Config rules to evaluate the Transit Gateway route tables.
B.Send the flow logs to Amazon CloudWatch Logs for monitoring and alerting.
C.Enable VPC Flow Logs on each Transit Gateway attachment.
D.Enable VPC Flow Logs on the Transit Gateway itself.
E.Configure VPC Traffic Mirroring on the Transit Gateway.
AnswersB, C

CloudWatch Logs can aggregate and analyze flow logs for security monitoring.

Why this answer

Option B is correct because VPC Flow Logs can be published to Amazon CloudWatch Logs, enabling real-time monitoring, alerting, and integration with AWS Lambda or third-party tools for security analysis. This allows the network team to capture IP traffic information for all flows across Transit Gateway attachments when flow logs are enabled on those attachments. Option C is correct because VPC Flow Logs must be enabled at the Transit Gateway attachment level (not on the Transit Gateway itself) to capture traffic traversing the Transit Gateway, as the Transit Gateway is a network transit hub and does not generate its own flow logs.

Exam trap

The trap here is that candidates reach for enabling flow logs on the transit gateway itself (Option D) rather than on its attachments, which is the model the answer key follows. Note that AWS has since introduced Transit Gateway Flow Logs, which can be created for a transit gateway resource as well as for individual attachments, so check which level a given question describes.

344
MCQeasy

A network engineer needs to analyze network traffic between EC2 instances in the same VPC to troubleshoot a performance issue. Which AWS feature should they use?

A.AWS Config.
B.AWS CloudTrail.
C.AWS X-Ray.
D.VPC Flow Logs.
AnswerD

Flow logs capture IP traffic metadata.

Why this answer

VPC Flow Logs capture IP traffic metadata (source/destination IP, ports, protocol, packet/byte counts) for network interfaces in a VPC, making them the correct tool for analyzing network traffic between EC2 instances to troubleshoot performance issues. Unlike other options, Flow Logs operate at the network layer (Layer 3/4) and can be published to CloudWatch Logs or S3 for detailed traffic analysis.

Exam trap

The trap here is that candidates confuse VPC Flow Logs (network-level traffic metadata) with CloudTrail (API-level logging) or X-Ray (application tracing), failing to recognize that only Flow Logs provide the raw IP flow data needed for network performance analysis.

How to eliminate wrong answers

Option A is wrong because AWS Config is a resource inventory and compliance auditing service that tracks configuration changes, not network traffic flows. Option B is wrong because AWS CloudTrail records API calls and management events (control plane), not data plane network traffic between instances. Option C is wrong because AWS X-Ray is a distributed tracing service for application-level request analysis (Layer 7), not for raw network packet metadata analysis.
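The flow-log fields listed above are what the analyses in questions 328, 330, 341 and 343 rely on. As an added example (not part of the question bank), this parser reads records in the default flow-log format, drops NODATA/SKIPDATA records, and answers three of the questions' needs: which flows were rejected, which were internet-bound, and how many bytes moved between a specific EC2/RDS pair. The log lines, account ID, interface ID and addresses are constructed for illustration.

```python
"""Parsing and triaging VPC Flow Log records in the default format.

Added example, not from the question bank. The sample lines below are
constructed; the account ID, interface ID and addresses are made up.
"""
import ipaddress
from typing import Dict, List

# Default flow-log record format (version 2), in field order.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample: EC2 <-> RDS traffic, one HTTPS flow to the internet,
# one rejected SSH attempt from outside, and a NODATA record.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 49152 5432 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 10.0.1.25 5432 49152 6 18 90000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 93.184.216.34 51000 443 6 10 2500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse(text: str) -> List[Dict[str, object]]:
    """Turn raw lines into records, skipping records that carry no flow."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line or a custom format; ignored here
        rec: Dict[str, object] = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA have '-' in the numeric fields
        for key in INT_FIELDS:
            rec[key] = int(str(rec[key]))
        records.append(rec)
    return records


def rejects(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flows blocked by a security group or network ACL."""
    return [r for r in records if r["action"] == "REJECT"]


def internet_bound(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flows whose destination is a globally routable address, i.e. the
    internet-bound traffic a security team wants logged."""
    return [r for r in records
            if ipaddress.ip_address(str(r["dstaddr"])).is_global]


def bytes_between(records: List[Dict[str, object]], a: str, b: str) -> int:
    """Total bytes in both directions between two hosts, e.g. an EC2/RDS pair."""
    return sum(int(str(r["bytes"])) for r in records
               if {r["srcaddr"], r["dstaddr"]} == {a, b})


if __name__ == "__main__":
    recs = parse(SAMPLE)
    print(len(recs), "flow records")
    print("rejected:", [(r["srcaddr"], r["dstport"]) for r in rejects(recs)])
    print("internet-bound:", [r["dstaddr"] for r in internet_bound(recs)])
    print("EC2<->RDS bytes:", bytes_between(recs, "10.0.1.25", "10.0.2.40"))
```

Flow logs are recorded per network interface, so a flow between two instances in the same VPC appears once for each ENI when both are logged; de-duplicate on the interface ID before summing if you enable logs on both sides.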

345
MCQmedium

A company has a VPC with a NAT Gateway in a public subnet. The network team notices that instances in private subnets cannot access the internet. Reviewing the route tables, the private subnet route table has a default route (0.0.0.0/0) pointing to the NAT Gateway. What is the most likely cause of the issue?

A.The network ACL in the private subnet blocks outbound traffic.
B.The NAT Gateway's subnet route table does not have a default route pointing to an Internet Gateway.
C.The NAT Gateway does not have an Elastic IP address attached.
D.The security group attached to the NAT Gateway blocks outbound traffic.
AnswerB

Without a route to IGW, NAT Gateway cannot forward traffic to the internet.

Why this answer

A NAT gateway sits in a public subnet and forwards to the internet through that subnet's route table; without a 0.0.0.0/0 route to an internet gateway there, it has no onward path even though the private subnets correctly send it their traffic. Option A is less likely because the question points at routing and a NACL problem would also show up for the subnet's other traffic. Option C is unlikely because a public NAT gateway cannot be created without an Elastic IP. Option D describes a control that does not exist: NAT gateways have no security groups.
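The two forwarding decisions above, the on-premises router of question 327 and the NAT gateway's subnet here, both come down to longest-prefix-match lookup. The following is an added example, not from the question bank: a minimal route-table model that shows which next hop each scenario picks with and without the missing route. The CIDRs (10.0.0.0/16 for the VPC), destination addresses and next-hop labels are assumed for illustration.

```python
"""Longest-prefix-match route lookup for the two routing scenarios above.

Added example, not from the question bank. The CIDRs, next-hop labels and
table names are assumed for illustration only.
"""
import ipaddress
from typing import Dict, List, Optional


class RouteTable:
    """Minimal route table: the most specific matching prefix wins."""

    def __init__(self, name: str, routes: Dict[str, str]):
        self.name = name
        # Parse once; each entry is (network, next-hop label).
        self.routes = [(ipaddress.ip_network(p), target) for p, target in routes.items()]

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        best = None
        for net, target in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None


def on_prem_next_hop(vpc_route_learned: bool, dst: str = "10.0.1.25") -> Optional[str]:
    """Question 327: the on-premises edge router. It always has a default route
    to the ISP; the VPC CIDR (assumed 10.0.0.0/16) is only present if it was
    learned over the private VIF's BGP session and not filtered."""
    routes = {"0.0.0.0/0": "isp-default"}
    if vpc_route_learned:
        routes["10.0.0.0/16"] = "dx-private-vif"
    # With the /16 present it beats the /0; without it the /0 is the only match,
    # so the packet heads to the ISP instead of Direct Connect.
    return RouteTable("on-prem-edge", routes).lookup(dst)


def private_subnet_egress_path(public_rt_has_igw_route: bool,
                               dst: str = "93.184.216.34") -> List[str]:
    """Question 345: a packet from a private subnet to the internet. Hop 1 is the
    private subnet's route table (default to the NAT gateway); hop 2 is the route
    table of the NAT gateway's public subnet, which must itself reach the
    internet gateway. VPC CIDR 10.0.0.0/16 is assumed."""
    private_rt = RouteTable("private", {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-gw"})
    public_routes = {"10.0.0.0/16": "local"}
    if public_rt_has_igw_route:
        public_routes["0.0.0.0/0"] = "igw"
    public_rt = RouteTable("public", public_routes)

    path = [private_rt.lookup(dst) or "dropped: no route"]
    if path[-1] == "nat-gw":
        # After translation the packet is forwarded by the public subnet's table.
        path.append(public_rt.lookup(dst) or "dropped: no route")
    return path


if __name__ == "__main__":
    print(on_prem_next_hop(True), "/", on_prem_next_hop(False))
    print(private_subnet_egress_path(True), "/", private_subnet_egress_path(False))
```

The second function makes the NAT gateway case concrete: the private subnet's lookup succeeds either way, so the failure only shows up at the second hop, which is why checking the private route table alone does not find it.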

346
Multi-Selectmedium

A network engineer is configuring a Site-to-Site VPN connection between an on-premises network and AWS. The engineer wants to ensure high availability by using two tunnels. Which two components must be configured to achieve this? (Choose TWO.)

Select 2 answers
A.A single customer gateway with two IP addresses
B.An AWS Transit Gateway
C.Two customer gateways, each with a unique public IP address
D.Two VPN connections
E.A virtual private gateway with two BGP sessions
AnswersC, E

Each tunnel requires a separate customer gateway.

Why this answer

Options C and E are correct as keyed: two customer gateways, each with its own public IP, give two independent tunnel endpoints on the on-premises side, and the virtual private gateway runs a BGP session per tunnel so routes fail over when one tunnel drops. Option A is wrong because a customer gateway resource has a single public IP. Option D is wrong because a single Site-to-Site VPN connection already provides two tunnels.

Option B is wrong because a transit gateway is not required for two tunnels. One caveat on the premise: a single AWS Site-to-Site VPN connection terminates both of its tunnels on the same customer gateway, so two tunnels alone do not need two customer gateways; the second customer gateway is what adds redundancy for the on-premises device, which is the reading the answer key uses.
