SAA-C03 · topic practice

VPC practice questions

Practise SAA-C03 VPC practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security

What the exam tests

What to know about VPC

VPC questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common VPC exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

VPC questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multi select

A service in private subnets downloads product images from Amazon S3 and stores job state in DynamoDB. A NAT Gateway is currently the only route to AWS services, and the monthly bill is dominated by NAT data processing charges. Which two changes will most directly reduce that cost? Select two.

Question 2 · medium · multi select

A workload runs in private subnets and must reach Amazon S3 and AWS Secrets Manager without using the internet or a NAT gateway. The team wants to keep the traffic on AWS private networking and avoid public IPs. Which two changes should the architect make? Select two.

Question 3 · easy · multiple choice

Your application runs in private subnets with no NAT gateway. It needs to call AWS Secrets Manager to retrieve secrets. For private connectivity without internet egress, which VPC endpoint type should you create for AWS Secrets Manager?

Question 4 · medium · multiple choice

A service runs in private subnets. It must call AWS APIs (for example, S3 and Secrets Manager). The team currently sends all outbound traffic through a NAT Gateway, and NAT charges have become a major cost driver. The workload must not traverse the public internet. What change most directly reduces NAT Gateway cost while maintaining private connectivity to those AWS services?

Question 5 · medium · multiple choice

A team wants to remove a bastion host used for administrative access to EC2 instances in private subnets. The instances should be reachable only for occasional troubleshooting by engineers who authenticate with AWS SSO. What is the best secure alternative within AWS, assuming the instances already have an instance profile attached?

Question 6 · hard · multi select

A CI system runs on EC2 instances in private subnets and uploads build artifacts to an S3 bucket. The security team wants to eliminate NAT Gateway costs, force all uploads to use TLS, and require SSE-KMS with an approved customer managed key. Which three changes should be made? Select three.

Question 7 · medium · multiple choice

A company hosts an internal HTTP API on an internal Network Load Balancer (NLB) in VPC A. A partner team in a separate AWS account needs access, but their VPC CIDR overlaps with VPC A, so VPC peering is not feasible.

Security requirements state the API must remain non-public (no internet-facing ALB/NLB) and access must use AWS private networking.

Which architecture best meets these requirements?

Question 8 · medium · multiple choice

A company hosts an application on EC2 instances in private subnets. The instances must (1) read objects from Amazon S3 and (2) retrieve secrets from AWS Secrets Manager. The team currently sends all outbound traffic through a NAT gateway to reach both services. They want to reduce monthly cost while keeping traffic private (no internet egress) and without changing application logic. Which change is the most cost-effective?

Question 9 · easy · multi select

A web application runs on an Auto Scaling group behind an Application Load Balancer. The business wants the service to keep running if one Availability Zone goes down. Which two changes should you make? Select two.

Question 10 · easy · multiple choice

A company’s private workload in a VPC uploads objects to an S3 bucket. Security requires that S3 requests are allowed only when they traverse a specific S3 Gateway VPC Endpoint (vpce-0abc123example). Which change best enforces this restriction at the S3 bucket level?

Question 11 · easy · multiple choice

A company runs EC2 instances in private subnets and needs to access Amazon S3 objects without using a NAT gateway. They want the traffic to stay within AWS private networking as much as possible (no internet egress). Which VPC endpoint type should they create for Amazon S3?

Question 12 · medium · multiple choice

A company uses Amazon RDS for a PostgreSQL database powering a customer-facing application. The application’s availability depends on fast database failover with minimal manual intervention. The RDS instance currently runs as a single-AZ deployment in one DB subnet group. Which change most directly meets the goal?

Question 13 · multi select

A latency-sensitive telemetry service uses a custom TCP protocol on EC2 instances in private subnets. The service must preserve the client source IP for rate limiting, avoid HTTP header inspection, and keep per-request overhead as low as possible. Which changes should the team make? Select three.

Question 14 · medium · multiple choice

A ticket booking system runs on EC2 instances behind an Application Load Balancer. The design must tolerate the failure of one Availability Zone. What should the Auto Scaling group configuration include?

Question 15 · medium · multiple choice

A stateless web API runs on EC2 instances behind an Application Load Balancer (ALB). The Auto Scaling group (ASG) currently uses subnets from only one Availability Zone, even though the ALB spans two Availability Zones. During maintenance of that single AZ, the ALB remains up but clients see timeouts because there are no healthy targets. Which change most directly improves resilience against an AZ failure?

Question 16 · medium · multiple choice

A web app runs on an EC2 Auto Scaling group behind an Application Load Balancer (ALB). The ALB is configured with health checks and the ASG spans three subnets in three Availability Zones. During an AZ outage, monitoring shows the number of healthy instances drops sharply and never returns to the original capacity until the ASG is manually adjusted. What change most directly improves resilience so capacity returns automatically during an AZ failure?

Question 17 · easy · multiple choice

A team runs an Amazon NLB in a VPC with targets registered in multiple Availability Zones (AZs). Their bill shows high inter-AZ data transfer charges. They want to reduce unnecessary cross-AZ traffic costs while still maintaining healthy targets per AZ. What change is most likely to reduce inter-AZ charges?

Question 18 · medium · multi select

A workload in private subnets must upload logs to Amazon S3 and retrieve one secret from AWS Secrets Manager. The security team forbids internet egress and wants the lowest operational overhead. Which two VPC endpoints should be created? Select two.

Question 19 · medium · multiple choice

A web application runs in private subnets with no NAT gateway. It needs to retrieve credentials from AWS Secrets Manager at runtime. After a recent network hardening change, the application logs timeout errors when calling Secrets Manager.

Which change will most directly enable private connectivity to Secrets Manager while keeping the subnets NAT-free?

Question 20 · hard · multiple choice

An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for an image sharing application. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?


Frequently asked questions

What does the SAA-C03 exam test about VPC?
VPC questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just VPC questions in a focused session?
Yes — the session launcher on this page draws every question from the VPC domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SAA-C03 topics?
Use the topic links above to move to related areas, or go back to the SAA-C03 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SAA-C03 exam covers. They are not copied from any real exam or dump site.