Design of SAP Workloads on AWS · Hard · Multiple Choice · Objective-mapped

Quick Answer

The answer is the operating system firewall on the instance blocking SAP port 3200. This is correct because the instance is in a running state and the AWS security group already permits inbound traffic on port 3200, yet the SAP application remains unreachable, which points directly to a host-level firewall such as iptables, firewalld, or Windows Firewall that operates independently of AWS network security layers. On the AWS Certified SAP on AWS Specialty PAS-C01 exam, this scenario tests your understanding that security groups and network ACLs control traffic at the cloud network boundary, while the OS firewall controls traffic at the instance level—a common trap is assuming a security group rule alone guarantees application access. Remember the memory tip: “Security groups guard the cloud door, but the OS firewall guards the room.”

PAS-C01 Design of SAP Workloads on AWS Practice Question

This PAS-C01 practice question tests your understanding of Design of SAP Workloads on AWS. The scenario asks you to isolate a root cause, so eliminate options that address a different problem before choosing. Once you have made your selection, compare your reasoning against the explanation and wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Network Topology
    $ aws ec2 describe-instances --instance-ids i-0abcd1234 --query 'Reservations[0].Instances[0].State' --output json
    {
        "Name": "running",
        "Code": 16
    }

Refer to the exhibit. An SAP administrator runs the AWS CLI command and receives the output shown. The SAP application server (instance i-0abcd1234) is in 'running' state, but the SAP application is not reachable. The security group allows inbound traffic on port 3200. What is the MOST likely cause of the issue?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.


Correct answer & explanation

The operating system firewall on the instance is blocking port 3200.

Option D is correct because the instance is in 'running' state and the security group allows inbound traffic on port 3200, yet the SAP application is unreachable. This indicates a host-level firewall (e.g., iptables, firewalld, or Windows Firewall) on the SAP application server is blocking inbound connections to port 3200, which operates independently of AWS security groups and network ACLs.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The network ACL for the subnet is blocking outbound traffic.

    Why it's wrong here

    NACLs are stateless; outbound traffic is usually allowed.

  • The instance is in a stopped state.

    Why it's wrong here

    The output shows the instance is running.

  • The security group inbound rule for port 3200 is not applied to the instance.

    Why it's wrong here

    The output does not show the security group, but the question states that it allows port 3200.

  • The operating system firewall on the instance is blocking port 3200.

    Why this is correct

    The OS firewall can block traffic even if the security group allows it.

    Clue confirmation

    The clue word "most likely" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often assume security group rules are the sole determinant of traffic flow, forgetting that the OS firewall on the instance can independently block traffic even when AWS-level permissions are correctly configured.

Trap categories for this question

  • Command / output trap

    The output shows the instance is running.

Detailed technical explanation

How to think about this question

AWS security groups act as a virtual firewall at the instance level, but they do not override or replace the operating system's host firewall (e.g., iptables on Linux or Windows Firewall). The SAP application typically listens on TCP port 3200, and if the OS firewall drops packets before they reach the application, the instance will appear running but the service will be unreachable. A common troubleshooting step is to run 'telnet <instance-ip> 3200' from within the same subnet to isolate whether the block is at the OS or network level.
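
The on-host half of the isolation step described above, as an added example that is not part of the original page: it decides from `ss -ltn` and `iptables -S INPUT` output whether port 3200 has a listener and whether the host firewall admits it. The function names and sample outputs are constructed for illustration, and the rule matching is deliberately simplified.

```shell
#!/usr/bin/env bash
# Added example: on-host triage for "instance running, security group allows
# the port, application unreachable". All sample outputs below are constructed.

# Constructed `ss -ltn` output: the SAP dispatcher is listening on 3200.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:3200       0.0.0.0:*'

# Constructed `iptables -S INPUT` output: default-drop policy, only SSH opened.
SAMPLE_IPT='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# is_listening SS_OUTPUT PORT -> exit 0 if a TCP listener is bound to PORT.
is_listening() {
  printf '%s\n' "$1" | awk -v p="$2" \
    '$1 == "LISTEN" && $4 ~ (":" p "$") { found = 1 } END { exit !found }'
}

# fw_verdict IPTABLES_OUTPUT PORT -> ACCEPT, DROP or REJECT for a new inbound
# connection to PORT. Simplified: first rule with "--dport PORT" or a bare
# "-A INPUT -j X" wins, otherwise the chain policy applies. Source, interface
# and multiport matches are not modelled.
fw_verdict() {
  printf '%s\n' "$1" | awk -v p="$2" '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 == "-A" && $2 == "INPUT" {
      target = ""; hit = ($3 == "-j")
      for (i = 3; i < NF; i++) {
        if ($i == "-j") target = $(i + 1)
        if ($i == "--dport" && $(i + 1) == p) hit = 1
      }
      if (hit && target ~ /^(ACCEPT|DROP|REJECT)$/) { print target; done = 1; exit }
    }
    END { if (!done) print (policy == "" ? "ACCEPT" : policy) }'
}

# diagnose SS_OUTPUT IPTABLES_OUTPUT PORT -> which host-side layer is at fault.
diagnose() {
  if ! is_listening "$1" "$3"; then echo "no-listener"; return; fi
  case "$(fw_verdict "$2" "$3")" in
    ACCEPT) echo "host-ok-check-network-path" ;;
    *)      echo "os-firewall-blocking" ;;
  esac
}

diagnose "$SAMPLE_SS" "$SAMPLE_IPT" 3200
```

On a real server, pass `"$(ss -ltn)"` and `"$(sudo iptables -S INPUT)"` in place of the samples; a `host-ok-check-network-path` result moves the search back to the security group, network ACL, or routing.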

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this PAS-C01 question test?

This question tests Design of SAP Workloads on AWS: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: The operating system firewall on the instance is blocking port 3200. — Option D is correct because the instance is in 'running' state and the security group allows inbound traffic on port 3200, yet the SAP application is unreachable. This indicates a host-level firewall (e.g., iptables, firewalld, or Windows Firewall) on the SAP application server is blocking inbound connections to port 3200, which operates independently of AWS security groups and network ACLs.

What should I do if I get this PAS-C01 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.


Last reviewed: Jun 24, 2026
