Question 640 of 1,733
TechnologyhardMultiple SelectObjective-mapped

Quick Answer

The answer is that security group rules, network ACLs, SAProuter configuration, and DNS entries in Amazon Route 53 must be updated or reconfigured during the migration. These three components are critical because they directly control network-level access and name resolution; security groups and ACLs filter traffic at the instance and subnet layers, while the SAProuter’s IP or hostname in the saprouttab file must reflect the new VPC’s addressing, and Route 53 records must point to the new private IPs of SAP application servers to maintain support connectivity. On the AWS Certified SAP on AWS Specialty PAS-C01 exam, this scenario tests your understanding of how VPC boundaries affect network-dependent SAP components, with a common trap being to assume IAM roles or S3 bucket policies need updating—they do not, as they are not VPC-specific. A useful memory tip is “DNS, ACLs, and SAProuter—three network links you must alter.”

PAS-C01 Technology Practice Question

This PAS-C01 practice question tests your understanding of technology. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

An SAP application on AWS needs to be migrated to a new virtual private cloud (VPC). The SAP system uses SAProuter to connect to SAP support. Which THREE components must be updated or re-configured during the migration to ensure uninterrupted connectivity?

Question 1hardmulti select
Review the full routing breakdown →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Update the Amazon Route 53 DNS records for the SAP application and database servers.

Options A, C, and D are correct. Security groups and network ACLs control traffic at the instance and subnet level; they must be updated for the new VPC. The SAProuter configuration includes the SAProuter IP address or hostname; if the SAProuter instance gets a new IP in the new VPC, the connection string (e.g., in saprouttab) must be updated. DNS entries in Amazon Route 53 must be updated to reflect new IP addresses of SAP application servers. Option B is incorrect because IAM roles are not tied to VPC and remain valid. Option E is incorrect because the S3 bucket policy does not change due to VPC migration unless bucket names or ARNs change.

Key principle: Count usable hosts — not total addresses — and remember that the network and broadcast addresses are not available to hosts in standard IPv4 subnets.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Adjust the S3 bucket policy to allow access from the new VPC.

    Why it's wrong here

    S3 bucket policies use IAM principals and VPC conditions, but if the S3 bucket remains the same, the policy does not need to change just because the VPC changes.

  • Update the Amazon Route 53 DNS records for the SAP application and database servers.

    Why this is correct

    When instances are migrated to a new VPC, their private IP addresses may change; DNS records must be updated to maintain name resolution.

    Related concept

    CIDR notation defines the prefix length.

  • Modify the SAProuter configuration (e.g., saprouttab) to use the new IP address or hostname of the SAProuter instance.

    Why this is correct

    SAProuter connections rely on the IP address/hostname of the SAProuter instance; if it changes, the configuration must be updated.

    Related concept

    CIDR notation defines the prefix length.

  • Recreate IAM roles for the SAP application servers.

    Why it's wrong here

    IAM roles are global and not tied to a specific VPC; they do not need to be recreated.

  • Update security group rules and network ACLs to allow SAP traffic in the new VPC.

    Why this is correct

    Security groups and network ACLs are VPC-specific and must be configured to permit required SAP ports and protocols.

    Related concept

    CIDR notation defines the prefix length.

Common exam traps

Common exam trap: usable hosts are not the same as total addresses

Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.

Detailed technical explanation

How to think about this question

Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.

KKey Concepts to Remember

  • CIDR notation defines the prefix length.
  • Block size helps identify subnet boundaries.
  • Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
  • The required host count determines the smallest suitable subnet.

TExam Day Tips

  • Write the block size before choosing the subnet.
  • Check whether the question asks for hosts, subnets or a specific address range.
  • Do not confuse /24, /25, /26 and /27 host counts.

Key takeaway

Count usable hosts — not total addresses — and remember that the network and broadcast addresses are not available to hosts in standard IPv4 subnets.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

What to study next

Got this wrong? Here's your next step.

Review block sizes, usable host formulas (2^n − 2), and how to find network and broadcast addresses for /24 through /30. Then practise related PAS-C01 subnetting questions on CIDR, address ranges, and subnet selection.

Related practice questions

Related PAS-C01 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free PAS-C01 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this PAS-C01 question test?

Technology — This question tests Technology — CIDR notation defines the prefix length..

What is the correct answer to this question?

The correct answer is: Update the Amazon Route 53 DNS records for the SAP application and database servers. — Options A, C, and D are correct. Security groups and network ACLs control traffic at the instance and subnet level; they must be updated for the new VPC. The SAProuter configuration includes the SAProuter IP address or hostname; if the SAProuter instance gets a new IP in the new VPC, the connection string (e.g., in saprouttab) must be updated. DNS entries in Amazon Route 53 must be updated to reflect new IP addresses of SAP application servers. Option B is incorrect because IAM roles are not tied to VPC and remain valid. Option E is incorrect because the S3 bucket policy does not change due to VPC migration unless bucket names or ARNs change.

What should I do if I get this PAS-C01 question wrong?

Review block sizes, usable host formulas (2^n − 2), and how to find network and broadcast addresses for /24 through /30. Then practise related PAS-C01 subnetting questions on CIDR, address ranges, and subnet selection.

What is the key concept behind this question?

CIDR notation defines the prefix length.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 20, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This PAS-C01 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PAS-C01 exam.