SAP-C02 · topic practice

VPC practice questions

Practise VPC questions for the AWS Certified Solutions Architect Professional (SAP-C02) exam: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security

What the exam tests

What to know about VPC

VPC questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common VPC exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

VPC questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A company has a centralized logging account and multiple application accounts. All VPC Flow Logs are sent to a central S3 bucket in the logging account. The security team needs to analyze the logs using Amazon Athena. The team must ensure queries are cost-effective and return results quickly for recent logs. Which configuration should be used?

Question 2 · medium · multiple choice

A company is designing a cross-account network architecture. The security team requires that all traffic between VPCs in different accounts must be inspected by a centralized firewall appliance in the security account. The network team wants to minimize complexity and avoid route table manipulation. Which solution meets these requirements?

Question 3 · medium · multi select

A company is using AWS Organizations with multiple accounts. The central IT team wants to deploy a set of common VPCs in each account using AWS CloudFormation StackSets. The StackSets must be managed from the management account. Which THREE permissions are required for the StackSets to successfully deploy stacks into member accounts?

Question 4 · hard · multiple choice

A company has a centralized logging account that receives VPC Flow Logs from all accounts in the organization. The logs are stored in an S3 bucket. A security analyst needs to query the logs to identify traffic to a specific IP address. The analyst has been granted read-only access to the S3 bucket. However, the analyst cannot access the logs. What is the MOST likely cause?

Question 5 · medium · multiple choice

A company has a centralized networking team that manages a shared VPC with multiple AWS Transit Gateway attachments. Application teams create VPCs in separate AWS accounts and want to connect to the shared VPC. The networking team needs to ensure that only authorized VPCs can connect to the shared VPC. What is the MOST secure and scalable way to manage this?

Question 6 · medium · multiple choice

A multinational corporation is migrating its on-premises Active Directory (AD) to AWS Managed Microsoft AD. The company has a hub-and-spoke VPC topology with a central transit gateway. The AD domain controllers must be deployed in two different AWS Regions for disaster recovery. The corporate security policy requires that all AD traffic between Regions must traverse the transit gateway and be inspected by a third-party firewall appliance deployed in the inspection VPC. Which architecture meets these requirements?

Question 7 · medium · drag order

Drag and drop the steps to set up a cross-region VPC peering connection in the correct order.

Question 8 · hard · multiple choice

A company has attached the bucket policy shown in the exhibit to an S3 bucket. The bucket is accessed by an application running on an EC2 instance in the same AWS account. The EC2 instance is in a private subnet and uses an S3 Gateway Endpoint (vpce-12345678) to access the bucket. The application is failing to get objects from the bucket. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-12345678"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Question 9 · medium · drag order

Drag and drop the steps to set up a Direct Connect private virtual interface in the correct order.

Question 10 · hard · multi select

A company has a data lake on Amazon S3 that is accessed by multiple business units via VPC endpoints. The security policy mandates that all access to the data lake must be encrypted in transit and originate from approved VPCs. The company has a central security account that manages AWS Network Firewall. Which combination of controls should be implemented to enforce this policy? (Choose TWO.)

Question 11 · hard · multi select

A company is designing a multi-account AWS environment using AWS Organizations. The company has several business units that each require their own VPC in shared accounts managed centrally. The company wants to enable VPC sharing to allow business units to create resources in shared subnets while maintaining network isolation. Which combination of steps should the company take to achieve this? (Choose TWO.)

Question 12 · medium · multiple choice

A company's AWS environment includes multiple VPCs across several accounts that are connected via a transit gateway. The network team wants to monitor all network traffic between VPCs for security analysis. Which solution is the most scalable and cost-effective?

Question 13 · medium · multi select

A company uses AWS Organizations and wants to centralize Amazon VPC IP Address Manager (IPAM) across multiple accounts. Which TWO steps are required to enable cross-account IPAM?

Question 14 · hard · multiple choice

A company has a central logging account that receives VPC Flow Logs, CloudTrail logs, and AWS Config logs from all accounts in the organization. The logs are stored in S3 buckets. The security team wants to analyze these logs using Amazon Athena. What is the MOST cost-effective way to ensure that the Athena queries only scan the necessary data?

Question 15 · hard · multiple choice

A company has multiple AWS accounts that each have their own VPCs with overlapping CIDR ranges. They want to use AWS Transit Gateway to connect these VPCs to a central network account. However, overlapping CIDRs prevent attachment. What is the MOST scalable solution?

Question 16 · easy · multiple choice

A company is designing a network architecture for a multi-account AWS environment. They need to establish a central inspection VPC through which all traffic between VPCs in different accounts must pass. Which AWS service should be used to route traffic between VPCs through the inspection VPC?

Question 17 · medium · multiple choice

A company has a management account in AWS Organizations and wants to share a central Amazon VPC subnet with multiple member accounts for a shared services VPC. Which AWS service should be used to share the subnet?

Question 18 · hard · multiple choice

Refer to the exhibit. A solutions architect is troubleshooting why EC2 instances launched in subnet-11111111 cannot access the internet. The subnet is in a VPC with an internet gateway attached. The route table for the subnet has a default route (0.0.0.0/0) pointing to the internet gateway. What is the MOST likely cause?

Network Topology
```
$ aws ec2 describe-vpcs --region us-east-1 --query 'Vpcs[0].VpcId'
"vpc-0abcd1234"
$ aws ec2 describe-subnets --filters Name=vpc-id
{
  "Subnets": [
    {
      "SubnetId": "subnet-11111111",
      "CidrBlock": "10.0.1.0/24",
      "MapPublicIpOnLaunch": false
    },
    {
      "SubnetId": "subnet-22222222",
      "CidrBlock": "10.0.2.0/24",
```
Question 19 · hard · multiple choice

A company uses AWS Organizations and wants to implement a data perimeter across all accounts to ensure that data can only be accessed from approved networks. Which combination of controls should be used to enforce this perimeter?

Question 20 · medium · multiple choice

A company with multiple AWS accounts wants to centrally manage network security policies. The security team needs to inspect all traffic between VPCs in different accounts and block malicious traffic. Which solution is MOST operationally efficient?


Frequently asked questions

What does the SAP-C02 exam test about VPC?
VPC questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just VPC questions in a focused session?
Yes — the session launcher on this page draws every question from the VPC domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SAP-C02 topics?
Use the topic links above to move to related areas, or go back to the SAP-C02 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SAP-C02 exam covers. They are not copied from any real exam or dump site.