CCNA Networking and Content Delivery Questions

75 of 268 questions · Page 1/4 · Networking and Content Delivery

1
MCQ · hard

A SysOps administrator is troubleshooting connectivity issues between an Amazon EC2 instance in a VPC and an on-premises data center connected via AWS Direct Connect. The EC2 instance can reach other instances in the same VPC but cannot reach the on-premises network. The virtual private gateway (VGW) is attached to the VPC and the Direct Connect virtual interface is up. Which configuration step should the administrator verify first?

A. Check the security group rules for the EC2 instance
B. Confirm that the Direct Connect virtual interface is associated with the correct VLAN
C. Add a route in the VPC route table for the on-premises CIDR pointing to the virtual private gateway
D. Verify the network ACL inbound and outbound rules for the VPC subnet
Answer: C

This is required for traffic to flow from the VPC to on-premises via Direct Connect.

Why this answer

Option C is correct because for Direct Connect to work, the on-premises CIDR must be added to the VPC route table pointing to the virtual private gateway. Without this route, traffic from the VPC to on-premises is dropped. Option A is wrong because the security group controls inbound/outbound traffic but does not affect routing.

Option D is wrong because network ACLs are stateless and would need to allow both inbound and outbound traffic, but the primary issue is routing. Option B is wrong because the VGW is already attached and the virtual interface is up, indicating the physical connection is fine.

2
Multi-Select · medium

A company is using Amazon CloudFront to deliver content from an S3 bucket. The SysOps administrator wants to restrict access so that only CloudFront can access the S3 bucket. Which TWO steps should be taken?

Select 2 answers
A. Generate presigned URLs for all objects in the S3 bucket.
B. Configure the S3 bucket policy to grant the OAI s3:GetObject permission.
C. Configure CloudFront signed URLs to limit viewer access.
D. Create an Origin Access Identity (OAI) for the CloudFront distribution.
E. Set the S3 bucket policy to allow access only from the CloudFront distribution ID.
Answers: B, D

This allows CloudFront to read objects while blocking direct S3 access.

Why this answer

Options D and B are correct. Creating an Origin Access Identity (OAI) and granting it read access to the S3 bucket, then configuring the bucket policy to deny all other principals, ensures only CloudFront can access the content. Option A is incorrect because presigned URLs are for individual user access, not for CloudFront origin access.

Option C is incorrect because CloudFront signed URLs restrict viewer access, not origin access. Option E is incorrect because bucket policies use the OAI, not CloudFront distribution IDs.

3
Multi-Select · medium

A SysOps administrator is designing a VPC with public and private subnets. The private subnets need to access the internet for software updates. Which THREE components are required to achieve this?

Select 3 answers
A. A VPC Gateway Endpoint
B. An Internet Gateway attached to the VPC
C. A NAT Gateway in a public subnet
D. A Site-to-Site VPN connection
E. A route table in the private subnet with a default route to the NAT Gateway
Answers: B, C, E

The IGW provides internet access for the public subnet and the NAT Gateway.

Why this answer

Options B, C, and E are correct. A NAT Gateway in a public subnet, an Internet Gateway attached to the VPC, and a route table in the private subnet with a default route to the NAT Gateway are all required. Option D is wrong because a VPN is not needed.

Option A is wrong because a VPC Gateway Endpoint is for specific services like S3, not general internet access.

4
MCQ · medium

A SysOps administrator is troubleshooting connectivity issues between two VPCs that are peered together. The VPCs are in the same AWS region. An EC2 instance in VPC A (10.0.1.0/24) cannot ping an EC2 instance in VPC B (10.0.2.0/24). Both VPCs have route tables that include the CIDR of the other VPC with the peering connection as the target. The security groups and network ACLs allow all inbound and outbound traffic. What is the most likely issue?

A. The route tables do not have a route to the other VPC's CIDR.
B. The VPC peering connection is not enabled for DNS resolution.
C. There is a third VPC C that is peered with both VPC A and VPC B, and VPC A is trying to reach VPC B through VPC C.
D. The VPCs are in different AWS regions.
Answer: C

VPC peering does not support transitive routing; traffic must go directly through the peering connection.

Why this answer

Option C is correct because transitive routing is not supported with VPC peering. Even though VPC A and VPC B are both peered with VPC C, traffic cannot flow from VPC A to VPC B through VPC C. Each VPC peering connection is a one-to-one relationship, and EC2 instances in VPC A cannot reach VPC B unless there is a direct VPC peering connection between them.

The route tables in VPC A and VPC B must point directly to each other's CIDR via a direct peering connection, not through an intermediate VPC.

Exam trap

The trap here is that candidates assume VPC peering supports transitive routing, similar to a router in a traditional network, but AWS explicitly prohibits this — each peering connection is a direct, non-transitive link.

How to eliminate wrong answers

Option A is wrong because the question explicitly states that both VPCs have route tables that include the CIDR of the other VPC with the peering connection as the target, so missing routes are not the issue. Option B is wrong because DNS resolution settings (enableDnsHostnames and enableDnsSupport) are irrelevant to ICMP ping connectivity between private IP addresses; DNS resolution only affects name resolution, not direct IP-based reachability. Option D is wrong because the question states the VPCs are in the same AWS region, and inter-region VPC peering is supported (though with additional considerations), so region mismatch is not the problem here.

5
MCQ · easy

A SysOps administrator needs to create a VPC with both public and private subnets. The public subnet will host a NAT gateway and a bastion host. The private subnet will host application servers that need outbound internet access for updates. Which routing configuration should the administrator implement?

A. Public subnet route table: 0.0.0.0/0 -> Internet Gateway; Private subnet route table: 0.0.0.0/0 -> Internet Gateway via the NAT Gateway.
B. Public subnet route table: 0.0.0.0/0 -> Internet Gateway; Private subnet route table: 0.0.0.0/0 -> Internet Gateway.
C. Public subnet route table: 0.0.0.0/0 -> NAT Gateway; Private subnet route table: 0.0.0.0/0 -> Internet Gateway.
D. Public subnet route table: 0.0.0.0/0 -> Internet Gateway; Private subnet route table: 0.0.0.0/0 -> NAT Gateway.
Answer: D

This allows private instances to access the internet through the NAT gateway while remaining private.

Why this answer

The private subnet route table should have a default route (0.0.0.0/0) pointing to the NAT gateway, which is in the public subnet. The public subnet route table should have a default route pointing to the internet gateway. Option B is incorrect because the private subnet should not have a route to the internet gateway.

Option A is incorrect because the private subnet should not have a route to the NAT gateway via the internet gateway. Option C is incorrect because the NAT gateway should be in the public subnet.

6
MCQ · easy

A SysOps Administrator needs to monitor network traffic in a VPC. Which AWS service provides packet-level information about IP traffic?

A. Amazon CloudWatch Logs
B. AWS CloudTrail
C. AWS Config
D. VPC Flow Logs
Answer: D

Correct because Flow Logs capture IP traffic metadata.

Why this answer

Option D is correct because VPC Flow Logs capture IP traffic information for network interfaces. Option A is wrong because CloudWatch Logs can store logs but not capture IP traffic directly. Option C is wrong because AWS Config records resource configuration changes.

Option B is wrong because CloudTrail records API calls.

7
MCQ · easy

A SysOps administrator is troubleshooting an issue where an EC2 instance cannot be accessed via SSH from the internet. The security group allows inbound SSH (port 22) from 0.0.0.0/0. The network ACL (NACL) for the subnet has an inbound rule allowing SSH from 0.0.0.0/0. What else could be blocking access?

A. The NACL inbound rule is blocking traffic.
B. The internet gateway is not attached to the VPC.
C. The security group rule is misconfigured.
D. The NACL outbound rule is blocking return traffic.
Answer: D

NACL outbound must allow ephemeral ports for return traffic.

Why this answer

Option D is correct. The NACL must also have an outbound rule to allow return traffic. NACLs are stateless, so outbound rules must be explicitly set.

Option C is wrong because the security group is already correct. Option A is wrong because NACL inbound is allowed. Option B is wrong because the internet gateway allows inbound traffic.

8
MCQ · hard

A company uses Amazon CloudFront to serve content from an S3 bucket. The bucket is configured as an origin with Origin Access Control (OAC). Users report that they can access the content via CloudFront but also directly via the S3 bucket URL. How can the company restrict direct access to the S3 bucket?

A. Disable OAC and use Origin Access Identity (OAI) instead.
B. Use pre-signed URLs for all S3 requests.
C. Remove the bucket policy and rely on ACLs.
D. Update the S3 bucket policy to deny access to any principal other than the CloudFront service.
Answer: D

This ensures only CloudFront can access the bucket, blocking direct S3 URLs.

Why this answer

Option D is correct because an S3 bucket policy that denies all access except when the request includes a specific CloudFront header (via OAC) or is from the CloudFront service principal is the standard way to restrict direct access. Option C is wrong because removing the bucket policy would make the bucket public if ACLs allow, and OAC requires a bucket policy to allow CloudFront access. Option B is wrong because a pre-signed URL is for temporary access, not for blocking direct access.

Option A is wrong because OAC already restricts access to CloudFront only; the bucket policy must explicitly deny all other principals.

9
MCQ · hard

Refer to the exhibit. A security group is attached to an Application Load Balancer (ALB) that serves HTTPS traffic on port 443. Users can access the application via HTTPS. However, the ALB's health checks to targets on port 80 are failing. What is the reason?

A. The ALB's security group does not allow HTTPS traffic from the internet.
B. The security group for the target instances does not allow HTTP traffic from the ALB's security group.
C. The ALB's security group does not allow HTTP traffic from the target's IP range.
D. The health check is configured to use HTTPS, but the target only supports HTTP.
Answer: B

Correct because the ALB's health check requests are blocked by the target's security group.

Why this answer

Option B is correct. The exhibit shows the ALB's security group, which allows inbound traffic on port 80 only from the 10.0.0.0/16 CIDR; the ALB's health check requests originate from the ALB's private IP, which is within the VPC CIDR (10.0.0.0/16), so the ALB's own security group is not the problem. The target's security group must allow traffic from the ALB's security group; if it does not, health checks fail.

Because the exhibit shows the ALB's security group rather than the target's, the answer must reference the target's security group. Option B states "The security group for the target instances does not allow HTTP traffic from the ALB's security group", which is where the health checks fail.

Option A is wrong because the ALB's security group allows HTTPS from anywhere. Option C is wrong because the ALB's security group allows HTTP from the VPC CIDR. Option D is wrong because the health checks use HTTP, not HTTPS.

10
MCQ · medium

Refer to the exhibit. A company has an S3 bucket policy as shown. The SysOps administrator notices that users from the allowed IP range (192.0.2.0/24) can access objects, but users outside that range are denied. However, a CloudFront distribution with an origin access identity (OAI) is also unable to access the bucket and receives 'Access Denied'. What is the MOST likely cause?

A. The policy does not allow 's3:GetObject' for the CloudFront OAI.
B. The CloudFront distribution is not in the allowed IP range.
C. The condition aws:SourceIp restricts access based on the requestor's IP, not the CloudFront IP.
D. The CloudFront OAI is not configured in the bucket policy.
Answer: C

CloudFront's IP is different; the condition should be based on OAI.

Why this answer

Option C is correct. The bucket policy uses the aws:SourceIp condition, which blocks CloudFront because CloudFront's IPs are different from the client IP. To allow CloudFront access while restricting direct access, the policy should use aws:SourceArn or refer to the OAI.

Option D is wrong because the OAI is not mentioned in the policy. Option A is wrong because the policy allows GetObject. Option B is wrong because the bucket policy allows access from 192.0.2.0/24.

11
Multi-Select · easy

Which TWO AWS services can be used to improve the security of a VPC? (Choose TWO.)

Select 2 answers
A. Security Groups
B. Internet Gateway
C. Route Tables
D. Network ACLs
E. VPC Peering
Answers: A, D

Correct because security groups act as virtual firewalls for instances.

Why this answer

Option D is correct because Network ACLs provide stateless filtering. Option A is correct because Security Groups provide stateful filtering. Option C is wrong because Route Tables control traffic routing, not security.

Option B is wrong because an Internet Gateway provides internet access. Option E is wrong because VPC Peering connects VPCs but does not add security.

12
Multi-Select · easy

Which TWO are valid methods to secure traffic between a client and an Application Load Balancer?

Select 1 answer
A. Configure a listener on port 443 with an SSL certificate from AWS Certificate Manager.
B. Use a security group that only allows HTTPS traffic from the client's IP.
C. Set up an IPsec VPN connection between the client and the ALB.
D. Configure a network ACL to allow only port 443.
E. Enable the ALB's built-in SSL/TLS encryption without a certificate.
Answers: A

This enables HTTPS encryption between client and ALB.

Why this answer

HTTPS listeners terminate SSL/TLS at the ALB, ensuring encryption between client and ALB. Using an SSL certificate from AWS Certificate Manager (ACM) is required for HTTPS. Option B is incorrect because security groups restrict traffic based on IP, not encryption.

Option D is incorrect because network ACLs are stateless and do not encrypt. Option C is incorrect because a VPN connection is for site-to-site, not client-to-ALB.

13
MCQ · easy

A company has an Amazon CloudFront distribution with an S3 bucket as origin. The bucket contains sensitive data. Which configuration ensures that users access the content only through CloudFront and not directly via the S3 URL?

A. Enable S3 server-side encryption
B. Configure an Origin Access Identity (OAI) in CloudFront and update the bucket policy
C. Use CloudFront signed URLs or signed cookies
D. Enable S3 Block Public Access on the bucket
Answer: B

OAI allows CloudFront to access the bucket while blocking direct access.

Why this answer

Option B is correct: using an Origin Access Identity (OAI) restricts S3 bucket access to CloudFront only. Option D is wrong because blocking public access alone doesn't allow CloudFront access. Option C is wrong because CloudFront signed URLs control access to CloudFront, but the bucket still needs permission.

Option A is wrong because server-side encryption doesn't restrict access paths.

14
MCQ · medium

A company has deployed a web application behind an Application Load Balancer (ALB) across multiple Availability Zones. Users in some regions report slow page load times. Which action should the SysOps Administrator take to improve performance for all users?

A. Use AWS Global Accelerator to route traffic over the AWS global network.
B. Increase the ALB capacity by adding more target instances.
C. Enable Amazon CloudFront to cache dynamic content.
D. Move the application to a single Availability Zone to reduce network hops.
Answer: A

Correct because Global Accelerator uses the AWS backbone to improve latency and availability.

Why this answer

Option A is correct because AWS Global Accelerator can improve performance by directing traffic through the AWS global network and optimizing the path to the application. Option B is wrong because increasing ALB capacity does not address latency from distant users. Option C is wrong because CloudFront is for static content, not dynamic web apps.

Option D is wrong because moving to a single AZ reduces fault tolerance and may not improve latency for all users.

15
MCQ · hard

A company has a VPC with a public subnet and a private subnet. An Amazon EC2 instance in the private subnet needs to download security patches from the internet, but the instance must not be directly accessible from the internet. The SysOps administrator configured a NAT gateway in the public subnet and added a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT gateway. The instance's security group allows all outbound traffic. However, the instance still cannot reach the internet. What is the most likely missing configuration?

A. Attach an Elastic IP to the NAT gateway
B. Enable DNS resolution in the VPC
C. Add a route in the public subnet's route table that directs 0.0.0.0/0 traffic to an internet gateway
D. Modify the network ACL of the private subnet to allow inbound ephemeral ports from the NAT gateway's private IP
Answer: C

The NAT gateway resides in the public subnet; that subnet's route table must have a route to an internet gateway for the NAT gateway to reach the internet.

Why this answer

The NAT gateway is in the public subnet, but for it to route traffic to the internet, the public subnet must have a route table entry that directs 0.0.0.0/0 traffic to an internet gateway (IGW). Without this route, the NAT gateway cannot forward outbound traffic to the IGW, so the private instance's traffic is dropped. Option C correctly identifies this missing route.

Exam trap

The trap here is that candidates assume configuring the private subnet's route table to point to the NAT gateway is sufficient, forgetting that the NAT gateway itself needs a route to the internet via an internet gateway in its own subnet.

How to eliminate wrong answers

Option A is wrong because a NAT gateway automatically gets an Elastic IP assigned at creation; if it were missing, the NAT gateway would fail to provision, not silently fail to route traffic. Option B is wrong because DNS resolution controls the ability to resolve domain names to IP addresses, not the underlying network path for outbound traffic; the instance can still fail to reach the internet even with DNS working. Option D is wrong because the network ACL of the private subnet must allow outbound ephemeral ports for return traffic, not inbound; the default NACL already allows all inbound/outbound traffic, and the issue is the missing route in the public subnet, not NACL rules.

16
MCQ · medium

A company has an Application Load Balancer (ALB) that routes traffic to targets in private subnets. The SysOps administrator needs to log detailed information about HTTP requests, including client IP, request path, and response time. Which ALB feature should be enabled?

A. CloudWatch metrics
B. Access logs
C. Connection logs
D. Request tracing
Answer: B

Access logs capture detailed information for each request, including client IP, request path, and response time, fulfilling the requirement.

Why this answer

Access logs capture detailed information about each HTTP request processed by the ALB, including client IP, request path, response time, and many other fields. This feature stores the logs in an S3 bucket, providing a persistent, queryable record of all requests. CloudWatch metrics aggregate data but do not provide per-request details, making access logs the correct choice for the required granularity.

Exam trap

The trap here is that candidates confuse CloudWatch metrics (aggregated data) with access logs (per-request data), or mistakenly think connection logs exist for ALBs when they are specific to NLB, leading to incorrect choices that do not provide the detailed HTTP request logging required.

How to eliminate wrong answers

Option A is wrong because CloudWatch metrics provide aggregated statistics (e.g., request count, latency averages) and do not log individual HTTP request details such as client IP or request path. Option C is wrong because connection logs are not a feature of ALB; they exist for Network Load Balancers to capture TCP connection-level information, not HTTP request-level data. Option D is wrong because request tracing (AWS X-Ray integration) adds trace headers to requests for distributed tracing but does not log the full HTTP request details like client IP and response time in a persistent log file.

17
Multi-Select · hard

A SysOps administrator is troubleshooting connectivity between two VPCs (VPC-A and VPC-B) connected via a VPC Peering connection. An EC2 instance in VPC-A cannot ping an EC2 instance in VPC-B. The route tables and security groups are correctly configured. Which THREE steps should the administrator take to resolve the issue?

Select 3 answers
A. Add a route in VPC-A's subnet route table pointing to the VPC Peering connection for VPC-B's CIDR
B. Configure VPC Peering as a transit gateway
C. Verify that VPC-B does not have a VPN connection to an on-premises network
D. Ensure the VPC Peering connection is in the 'active' state
E. Check the Network ACLs in both VPCs to ensure inbound/outbound ICMP traffic is allowed
Answers: C, D, E

VPC Peering does not support transitive routing; if VPC-B uses a VPN, traffic from VPC-A cannot route to on-premises.

Why this answer

Options C, D, and E are correct. VPC Peering does not support transitive routing (Option C), so a VPN Gateway is needed for on-premises connectivity. Option E: Network ACLs are stateless and may block ICMP; allowing inbound/outbound ICMP is necessary.

Option D: Check that the VPC Peering connection is in the 'active' state; if not, accept the request. Option B is wrong because VPC Peering does not support transitive routing. Option A is wrong because VPC Peering does not support transitive routing.

18
MCQ · medium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application experiences intermittent 502 errors. The SysOps administrator checks the ALB access logs and sees that the error occurs when the target group has 'unhealthy' targets. What is the MOST likely cause of the 502 errors?

A. The SSL certificate on the ALB is expired.
B. The ALB does not have enough capacity to handle the traffic.
C. The client request exceeds the idle timeout.
D. The target instances are not passing health checks.
Answer: D

Unhealthy targets cause 502 errors when the ALB fails to connect.

Why this answer

Option D is correct because unhealthy targets cause the ALB to return 502 errors when it cannot establish a connection or receive a valid response. Option A is wrong because certificate issues cause 503 errors. Option C is wrong because a client request timeout causes 408 errors.

Option B is wrong because insufficient capacity causes 503 errors.

19
MCQ · medium

An application running on EC2 instances sends large amounts of data to an S3 bucket. The SysOps administrator wants to reduce data transfer costs while ensuring the traffic stays within AWS. What is the most cost-effective solution?

A. Set up an AWS Direct Connect connection.
B. Use S3 Transfer Acceleration.
C. Create a VPC Endpoint for S3 (Gateway type) and use it from the EC2 instances.
D. Route traffic through a NAT Gateway in a public subnet.
Answer: C

VPC Endpoints allow private connectivity to S3 at no additional cost for data transfer.

Why this answer

Option C is correct because using a VPC Endpoint for S3 keeps traffic within the AWS network, avoiding internet data transfer costs. Option D is incorrect because NAT Gateways incur charges for data processing and transfer. Option B is incorrect because S3 Transfer Acceleration is for faster uploads, not cost savings.

Option A is incorrect because Direct Connect is a dedicated connection that incurs monthly fees and is overkill for this use case.

20
MCQ · medium

A company has a VPC with multiple subnets. An EC2 instance in a public subnet needs to communicate with an RDS database in a private subnet. The RDS security group allows inbound traffic from the EC2 instance's security group. However, the EC2 instance cannot connect. What is the most likely cause?

A. The VPC does not have DNS resolution enabled, so the RDS endpoint cannot be resolved.
B. The network ACL for the private subnet blocks inbound traffic from the public subnet.
C. The security group of the RDS database does not allow outbound traffic.
D. The EC2 instance does not have a public IP address.
Answer: A

Correct because RDS endpoints are DNS names; without DNS resolution, the instance cannot connect.

Why this answer

Option A is correct because, although the RDS instance in a private subnet may not have a route to the internet or to the public subnet, the issue is most likely that the VPC does not have DNS resolution enabled, causing name resolution of the RDS endpoint to fail. Option C is wrong because the security group is already configured. Option D is wrong because the instance has a public IP.

Option B is wrong because NACLs are stateless, but the default NACL allows all traffic.

21
Multi-Select · easy

A company wants to use Amazon Route 53 to route traffic to multiple endpoints for high availability. Which THREE routing policies can be used for this purpose?

Select 3 answers
A. Geoproximity routing policy
B. Simple routing policy
C. Latency routing policy
D. Weighted routing policy
E. Failover routing policy
Answers: C, D, E

Routes to the endpoint with the lowest latency.

Why this answer

Options C, D, and E are correct. Latency, Weighted, and Failover routing policies distribute traffic across multiple endpoints. Option B (Simple) can only route to a single endpoint.

Option A (Geoproximity) can route to multiple endpoints but is more for location-based routing.

22
MCQ · medium

A company is using Amazon CloudFront to distribute content globally. The origin is an S3 bucket. The SysOps administrator notices that cache hit ratio is low. Which configuration change would MOST improve the cache hit ratio?

A. Use query string parameters to differentiate content.
B. Configure custom error responses for 404 errors.
C. Set longer Cache-Control max-age headers on the S3 objects.
D. Enable Origin Shield for the distribution.
Answer: C

Longer cache durations mean objects are stored in edge caches for longer, increasing the likelihood of cache hits.

Why this answer

Option C is correct because setting appropriate Cache-Control headers (like max-age) on the objects tells CloudFront how long to cache them, directly increasing cache hits. Option D is wrong because enabling Origin Shield can reduce load on the origin but does not directly improve the cache hit ratio; it aggregates requests. Option A is wrong because using query string parameters can fragment the cache if not configured properly, potentially reducing the hit ratio.

Option B is wrong because custom error responses do not affect caching of successful responses.

23
MCQ · hard

A company is using Amazon CloudFront to serve static content from an S3 bucket. They want to restrict access so that only CloudFront can access the S3 bucket. How should this be configured?

A. Configure Origin Access Control (OAC) with the S3 bucket policy.
B. Use CloudFront signed URLs or cookies.
C. Attach an IAM role to CloudFront that grants S3 read access.
D. Create a bucket policy that allows access only from the CloudFront distribution's IP addresses.
Answer: A

OAC is the recommended way to restrict S3 access to CloudFront.

Why this answer

Option A is correct because Origin Access Control (OAC) ensures only CloudFront can access the bucket. Option D is wrong because bucket policies can be used but OAC is the modern recommended approach. Option B is wrong because CloudFront key pairs are for signed URLs/cookies, not origin access.

Option C is wrong because IAM roles are used for EC2, not for CloudFront access to S3.

24
Multi-Select · easy

Which TWO of the following are features of Amazon Route 53? (Select TWO.)

Select 2 answers
A. SSL/TLS termination
B. Health checking of resources
C. SSL certificate management
D. Domain name registration
E. Content caching at edge locations
Answers: B, D

Route 53 can health check endpoints and route traffic away from unhealthy ones.

Why this answer

Amazon Route 53 is a DNS web service that provides domain name resolution, domain registration, and health checking of resources. Health checking monitors the availability and performance of endpoints (e.g., web servers) via HTTP/HTTPS/TCP requests, and can automatically failover DNS responses to healthy resources, ensuring high availability.

Exam trap

The trap here is that candidates confuse Route 53's DNS-level health checking with application-layer features like SSL termination or caching, leading them to select options that belong to other AWS services like CloudFront or ALB.

25
MCQ · hard

A company has a web application behind an Application Load Balancer (ALB) with sticky sessions enabled. The ALB's target group contains EC2 instances in an Auto Scaling group. After a deployment, users report that they are being logged out frequently. What is the most likely cause?

A. The deregistration delay is set too low.
B. The ALB's stickiness cookie is not configured or is being overwritten.
C. Health checks are too frequent and marking instances unhealthy.
D. Cross-zone load balancing is disabled.
Answer: B

Without a valid cookie, sessions are not sticky.

Why this answer

Option B is correct because sticky sessions (session affinity) are based on cookies; if the cookie is not set or is invalid, requests may be routed to different instances, causing logouts. Option D is wrong because cross-zone load balancing does not affect session stickiness. Option A is wrong because the deregistration delay helps but does not cause logouts.

Option C is wrong because health checks do not affect routing of existing sessions.

26
Multi-Select · hard

Which THREE AWS services can be used to improve security and performance for a web application that uses an Application Load Balancer? (Select three.)

Select 3 answers
A. AWS Shield Advanced
B. AWS WAF
C. Amazon Route 53
D. Amazon CloudFront
E. AWS Direct Connect
Answers: A, B, D

Shield Advanced provides enhanced DDoS protection.

Why this answer

Option B (AWS WAF) is correct for security, protecting against web exploits. Option D (Amazon CloudFront) is correct for performance via caching and DDoS protection. Option A (AWS Shield Advanced) is correct for enhanced DDoS protection.

Option E (AWS Direct Connect) is for dedicated connectivity, not directly related. Option C (Amazon Route 53) is DNS, not directly for security/performance of the ALB.

27
MCQ · hard

Instances in a private subnet need outbound internet access for software updates. The route table sends 0.0.0.0/0 to a NAT gateway, but updates fail. Which condition should you check first?

A.Confirm the NAT gateway is in a public subnet whose route table has 0.0.0.0/0 to an internet gateway.
B.Attach an internet gateway directly to the private subnet instances.
C.Replace all security groups with network ACLs.
D.Enable VPC peering to another account.
AnswerA

Without an IGW route from the NAT gateway subnet, outbound internet access fails.

Why this answer

A NAT gateway must reside in a public subnet with a route table entry directing 0.0.0.0/0 to an internet gateway (IGW). Without this, the NAT gateway cannot translate private IPs to the IGW's public IP, so outbound traffic from private instances fails. This is the most common root cause for failed internet access through a NAT gateway.

Exam trap

The trap here is that candidates assume any subnet with a NAT gateway automatically has internet access, overlooking the requirement that the NAT gateway itself must be in a public subnet with a default route to an internet gateway.

How to eliminate wrong answers

Option B is wrong because attaching an internet gateway directly to a private subnet is not supported; an IGW can only be attached to a VPC and associated with public subnets, and private subnet instances lack public IPs to use it directly. Option C is wrong because replacing security groups with network ACLs does not solve the routing issue; NACLs are stateless and can filter traffic, but they do not provide internet connectivity. Option D is wrong because VPC peering does not provide internet access; it only enables private connectivity between VPCs, and does not route traffic to the internet.

28
Multi-Selectmedium

Which TWO actions should a SysOps administrator take to improve the availability and reduce latency for a web application hosted on EC2 instances behind an Application Load Balancer?

Select 2 answers
A.Use larger EC2 instance types to handle more traffic.
B.Configure the ALB health check to have a shorter interval.
C.Use an Amazon CloudFront distribution in front of the ALB to cache content at edge locations.
D.Implement Auto Scaling to add instances based on CPU utilization.
E.Deploy EC2 instances in multiple Availability Zones.
AnswersD, E

Auto Scaling adds instances during high demand, reducing latency by distributing load.

Why this answer

Deploying across multiple Availability Zones increases fault tolerance. Using Auto Scaling helps maintain performance during traffic spikes by adding or removing instances. Option A is incorrect because increasing instance size might help but does not provide the same resilience as distributing across AZs.

Option B is incorrect because reducing the health check interval increases load on the targets but does not improve availability.

29
MCQhard

A company has a VPC with public and private subnets across two Availability Zones. They have a NAT Gateway in each public subnet for high availability. EC2 instances in the private subnets need to access an external service that requires a fixed IP address for whitelisting. The administrator configured the route tables to use the NAT Gateway in the same Availability Zone. However, when the NAT Gateway in AZ-A fails, instances in AZ-A lose internet connectivity. What should the administrator do to ensure high availability with fixed IP addresses?

A.Use a single NAT Gateway with an Elastic IP and create a route table with a route to the NAT Gateway for all private subnets, but also configure a second NAT Gateway in another AZ and update route tables to failover
B.Configure a proxy server in the private subnets and route traffic through it
C.Replace the NAT Gateways with an Internet Gateway in each public subnet
D.Use a VPN connection to the external service instead of the internet
AnswerA

For a fixed IP, use a single NAT Gateway; for HA, use multiple NAT Gateways with a routing failover mechanism, such as a Lambda function that updates the route tables.

Why this answer

Option A is correct. A NAT Gateway is associated with an Elastic IP, so a single NAT Gateway gives a fixed source IP. For high availability you can use multiple NAT Gateways and configure the route tables to fail over, but each NAT Gateway has its own Elastic IP, so a failover changes the source IP. Using a NAT Gateway per AZ with route tables pointing to the local NAT Gateway is the best practice for HA.

However, if a NAT Gateway fails, instances in that AZ lose internet access. To maintain a fixed IP, the administrator could use a single NAT Gateway, but that is a single point of failure; Option A combines the fixed Elastic IP with a second NAT Gateway and a route-table failover. Option C is wrong because an Internet Gateway is not a NAT device.

Option D is wrong because a VPN does not provide internet access. Option B is wrong because a proxy would have the same single-AZ failure issue.

30
MCQhard

A company has two VPCs in different AWS regions (us-east-1 and eu-west-1) that are peered. Applications in both VPCs need to communicate using private IP addresses. The ping tests are successful, but the latency is significantly higher than expected. Which change is most likely to improve the latency between the VPCs?

A.Enable DNS resolution for the VPC peering connection.
B.Use a Transit Gateway instead of VPC Peering for cross-region connectivity.
C.Increase the MTU on the instances' network interfaces to 9001.
D.Configure ECMP (Equal-Cost Multi-Path) routing on the VPC peering connection.
AnswerA

Correct. When DNS resolution is enabled, instances can resolve private DNS names of instances in the peered VPC, ensuring traffic stays within the AWS backbone and avoids unnecessary hops or public internet routing.

Why this answer

Option A is correct because enabling DNS resolution for the VPC peering connection allows instances to resolve public DNS hostnames to the private IP addresses of the peered VPC. Without this, DNS queries may return public IP addresses, forcing traffic to traverse the internet or NAT gateways, which adds significant latency. By resolving to private IPs, traffic stays within the AWS backbone, reducing latency.

Exam trap

The trap here is that candidates often assume latency is caused by network path or bandwidth issues (leading them to choose Transit Gateway or MTU changes), but the real culprit is DNS resolution misconfiguration forcing traffic over the public internet instead of the private AWS backbone.

How to eliminate wrong answers

Option B is wrong because using a Transit Gateway instead of VPC Peering for cross-region connectivity does not inherently reduce latency; both use the AWS global backbone, and latency is primarily affected by physical distance and routing, not the service type. Option C is wrong because increasing the MTU to 9001 (jumbo frames) improves throughput for large packets but does not reduce latency; in fact, jumbo frames can increase serialization delay for small packets and are not supported over VPC peering connections (MTU is limited to 1500). Option D is wrong because ECMP routing is not configurable on VPC peering connections; VPC peering does not support multiple paths or load balancing, and ECMP is a feature of Transit Gateway or Direct Connect, not VPC peering.

31
MCQmedium

A company has two Amazon VPCs (VPC-A and VPC-B) in the same AWS Region with non-overlapping CIDR blocks. The SysOps administrator needs to establish private IP connectivity between the two VPCs with high throughput and minimal cost. Which solution should the administrator implement?

A.VPC Peering
B.AWS Transit Gateway
C.AWS VPN CloudHub
D.AWS Direct Connect
AnswerA

VPC peering allows private connectivity between two VPCs using AWS's private network. It is simple to set up, has no bandwidth limitations, and incurs no hourly cost. It is the most cost-effective solution for connecting two VPCs in the same region.

Why this answer

VPC Peering is the correct solution because it allows direct private IP connectivity between two VPCs in the same AWS Region using the AWS global network backbone, with no bandwidth bottlenecks, no single point of failure, and no additional cost beyond data transfer charges. Since the VPCs have non-overlapping CIDR blocks, they can be peered without route conflicts, and traffic flows entirely within AWS without traversing the public internet or requiring a transit hub.

Exam trap

The trap here is that candidates often over-engineer the solution by choosing AWS Transit Gateway for its centralized routing features, forgetting that for a simple two-VPC peering scenario with non-overlapping CIDRs, VPC Peering is the most cost-effective and high-performance option without the overhead of a transit hub.

How to eliminate wrong answers

Option B (AWS Transit Gateway) is wrong because it introduces unnecessary complexity and cost (hourly per-attachment charges and data processing fees) for a simple two-VPC scenario where VPC Peering provides the same high throughput at lower cost. Option C (AWS VPN CloudHub) is wrong because it requires VPN connections over the public internet, which adds latency, reduces throughput, and incurs hourly VPN connection charges, making it less performant and more expensive than VPC Peering. Option D (AWS Direct Connect) is wrong because it is designed for hybrid connectivity between on-premises networks and AWS, not for VPC-to-VPC communication, and involves significant setup costs, long lead times, and monthly port fees that are unnecessary for this use case.

32
MCQhard

A company is running a critical application on EC2 instances in a VPC. The instances are in an Auto Scaling group across multiple Availability Zones. The application needs to maintain a fixed, private IP address for each instance. Which approach should be used to ensure each instance receives a consistent private IP address?

A.Use an Elastic Network Interface (ENI) with a predefined private IP and attach it to the instance
B.Configure the DHCP option set to assign a static IP
C.Assign an Elastic IP to each instance and use that as the private IP
D.Use a custom AMI that configures a static private IP address via user data
AnswerA

An ENI has a fixed private IP that can be reassigned to another instance if needed.

Why this answer

Option A is correct because an Elastic Network Interface (ENI) can be created with a specific private IP and attached to an instance; upon instance termination, the ENI can be reattached to a new instance. Option D is wrong because private IP addresses are assigned at launch and released upon termination. Option C is wrong because Elastic IPs are public IPs.

Option B is wrong because DHCP option sets do not assign IP addresses.

33
MCQmedium

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to add an IPv6 CIDR block to the VPC and ensure that EC2 instances can communicate over IPv6. Which step is necessary?

A.Attach an internet gateway that supports IPv6.
B.Create a new VPC with an IPv6 CIDR block and migrate resources.
C.Associate an Amazon-provided IPv6 CIDR block with the VPC.
D.Enable DNS64 in the VPC.
AnswerC

Correct. Then assign IPv6 CIDRs to subnets.

Why this answer

To use IPv6, the VPC must be associated with an Amazon-provided IPv6 CIDR block, and subnets must have IPv6 CIDR blocks assigned. Instances must be launched with IPv6 addresses.

34
MCQhard

A company has a VPC with public and private subnets. A NAT Gateway is in the public subnet, and a private EC2 instance needs to download patches from the internet. The instance can reach the internet after a reboot. Which action should the SysOps administrator take to make the internet access persistent?

A.Update the route table of the private subnet to point 0.0.0.0/0 to the NAT Gateway.
B.Attach an internet gateway to the private subnet.
C.Associate an Elastic IP with the NAT Gateway.
D.Enable DNS resolution in the VPC.
AnswerA

Correct. Missing route causes intermittent access.

Why this answer

Route tables must be manually updated after adding a NAT Gateway. The private subnet's route table must have a default route (0.0.0.0/0) pointing to the NAT Gateway.

35
MCQhard

A company's web application is hosted on EC2 instances behind a Network Load Balancer (NLB) with a static IP address. The application receives a sudden spike in traffic, and some clients report connection timeouts. Which NLB feature should the SysOps administrator configure to handle the increased load?

A.Enable sticky sessions.
B.Enable cross-zone load balancing.
C.Enable deletion protection.
D.Enable health checks to mark unhealthy instances.
AnswerB

Cross-zone load balancing allows distribution across AZs.

Why this answer

Option B is correct. NLB cross-zone load balancing distributes traffic across all registered instances in all AZs, improving capacity. Option D is wrong because health checks help identify unhealthy instances but do not increase capacity.

Option A is wrong because stickiness is for session persistence. Option C is wrong because deletion protection only prevents accidental deletion of the load balancer.

36
MCQmedium

A SysOps administrator manages a web application hosted on EC2 instances behind an Application Load Balancer. The application uses sticky sessions (session affinity) based on cookies. Recently, the development team deployed a new version that increases the load time for certain pages. Users report that they are randomly seeing other users' data. The administrator suspects that the sticky session configuration is not working correctly. The ALB target group is configured with stickiness enabled using the AWSALB cookie. What should the administrator do to verify that sticky sessions are being honored?

A.Increase the stickiness duration to 7 days and test again
B.Check the ALB access logs for the presence of the stickiness cookie
C.Use a browser's developer tools to inspect the cookies on the client side and verify the AWSALB cookie is being set and includes the correct target group identifier
D.Check the target group health check settings to ensure all instances are healthy
AnswerC

The AWSALB cookie indicates which target group the client is sticky to.

Why this answer

Option C is correct because using a browser's developer tools to inspect cookies on the client side confirms that the AWSALB cookie is present and contains the correct target group identifier. Option A is wrong because changing the stickiness duration does not verify current behavior. Option B is wrong because the access logs, like CloudWatch metrics, do not show individual session affinity.

Option D is wrong because checking target group health does not indicate sticky session behavior.

37
MCQhard

A company uses an Application Load Balancer (ALB) to route traffic to a web application. The security team requires that all traffic be encrypted in transit. The ALB currently uses a TLS certificate from AWS Certificate Manager (ACM). Users report that some browsers show a certificate warning. What is the MOST likely cause?

A.The listener is using a different certificate for each target group.
B.The ALB is configured to use TLS 1.0 only.
C.The certificate is self-signed or issued by an untrusted CA.
D.The ALB is not configured to terminate TLS.
AnswerC

Self-signed certificates cause browser warnings.

Why this answer

Option C is correct because if the certificate is self-signed or issued by an untrusted CA, browsers will show a warning. Option B is wrong because TLS 1.0 is not supported by modern browsers anyway. Option D is wrong because ALB supports TLS termination.

Option A is wrong because the listener can handle multiple certificates.

38
MCQeasy

A company has an application that requires UDP traffic to be distributed across multiple EC2 instances. Which AWS load balancer type should be used?

A.Network Load Balancer
B.Classic Load Balancer
C.Amazon CloudFront
D.Application Load Balancer
AnswerA

NLB supports TCP, UDP, and TLS.

Why this answer

Option A is correct because Network Load Balancer (NLB) supports UDP traffic. Application Load Balancer (ALB) only supports HTTP/HTTPS. Option D is incorrect because ALB does not support UDP.

Option B is incorrect because Classic Load Balancer supports TCP/SSL but not UDP. Option C is incorrect because CloudFront is a CDN, not a load balancer.

39
MCQmedium

A company uses Amazon CloudFront to deliver static content from an S3 bucket. The SysOps administrator wants to restrict access so that only CloudFront can access the S3 bucket. Which solution should be used?

A.Use pre-signed URLs for all objects.
B.Use an S3 bucket policy that allows access from any AWS service.
C.Generate CloudFront key pairs and configure signed URLs.
D.Configure an origin access control (OAC) and update the S3 bucket policy to allow CloudFront access.
AnswerD

OAC is the current best practice.

Why this answer

Option D is correct because Origin Access Control (OAC) is the recommended method to restrict S3 bucket access exclusively to CloudFront. OAC uses a CloudFront-owned service principal to sign requests, and the S3 bucket policy must explicitly grant the `s3:GetObject` action to that principal, ensuring no direct S3 access from other sources.

Exam trap

The trap here is confusing origin security (restricting S3 bucket access to CloudFront) with viewer security (restricting who can view content via signed URLs or cookies), leading candidates to incorrectly choose signed URLs or key pairs.

How to eliminate wrong answers

Option A is wrong because pre-signed URLs grant temporary access to specific objects but do not restrict the bucket to CloudFront; they are used for individual object access, not for origin access control. Option B is wrong because allowing access from any AWS service would permit any AWS service or principal to access the bucket, violating the requirement to restrict access solely to CloudFront. Option C is wrong because CloudFront key pairs and signed URLs are used to restrict viewer access to content, not to secure the origin; they control who can view content, not which origin can fetch from S3.
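The bucket policy that pairs with an OAC, shown as an added example rather than text from this question bank: the principal is the CloudFront service principal, the action is limited to `s3:GetObject`, and the `AWS:SourceArn` condition pins the grant to one distribution so that no other distribution (in this or any other account) can read the bucket through OAC. The bucket name, account ID and distribution ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipalReadOnly",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTRIBUTIONID"
        }
      }
    }
  ]
}
```

Leave S3 Block Public Access enabled on the bucket; with this policy as the only grant, requests that do not come from the named distribution are denied, which is what "only CloudFront can access the bucket" means in practice.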

40
MCQhard

A web application on EC2 instances behind an ALB experiences increased latency during peak hours. The SysOps administrator notices that the ALB's RequestCount per target is high. What design change should improve performance?

A.Switch to a Network Load Balancer.
B.Add more EC2 instances to the target group.
C.Enable sticky sessions on the ALB.
D.Reduce the idle timeout on the ALB.
AnswerB

Correct. More instances reduce per-target load.

Why this answer

Increasing the number of targets (EC2 instances) spreads the load and reduces latency.

41
MCQmedium

A company has a VPC with public and private subnets across two Availability Zones. An application running on EC2 instances in the private subnets needs to access the internet for updates. Which configuration should be used to provide internet access while minimizing administrative overhead?

A.Assign public IP addresses to the private instances and update route tables accordingly.
B.Set up AWS Direct Connect to an internet gateway.
C.Deploy a NAT Gateway in a public subnet and update private route tables to point to it.
D.Launch a NAT instance in the private subnet and configure routing.
AnswerC

NAT Gateway is a managed service that provides outbound internet for private instances.

Why this answer

Option C is correct because a NAT Gateway, deployed in a public subnet with an Elastic IP, allows instances in private subnets to initiate outbound traffic to the internet (e.g., for updates) while preventing inbound traffic from the internet. This is a fully managed AWS service, so it requires no patching or scaling management, minimizing administrative overhead. The private subnet's route table must have a default route (0.0.0.0/0) pointing to the NAT Gateway's network interface.

Exam trap

The trap here is that candidates confuse a NAT Gateway with a NAT instance, assuming both require similar administrative effort, or they mistakenly think assigning public IPs to private instances is sufficient for outbound-only internet access.

How to eliminate wrong answers

Option A is wrong because assigning public IP addresses to instances in private subnets would not automatically provide internet access; you would also need an Internet Gateway in the VPC and a route from the private subnet to it, which would expose the instances to inbound traffic, violating the private subnet's purpose. Option B is wrong because AWS Direct Connect is a dedicated private network connection from on-premises to AWS, not a service for providing internet access to VPC resources; it does not replace an Internet Gateway or NAT Gateway for outbound internet traffic. Option D is wrong because a NAT instance is a self-managed EC2 instance that requires manual configuration, patching, and scaling, which increases administrative overhead compared to the managed NAT Gateway.

42
MCQhard

A SysOps Administrator manages a VPC with public and private subnets. The private subnets need to access the internet for software updates. The Administrator creates a NAT Gateway in a public subnet and updates the private subnet route table to point 0.0.0.0/0 to the NAT Gateway. However, instances in the private subnet still cannot reach the internet. What is the MOST likely reason?

A.The security group on the private instances blocks outbound HTTPS traffic.
B.The internet gateway is not attached to the NAT Gateway.
C.The NAT Gateway does not have an Elastic IP address assigned.
D.The NAT Gateway's security group is blocking inbound traffic from the private subnet.
AnswerC

A NAT Gateway requires an Elastic IP to communicate with the internet; without one, it cannot route traffic.

Why this answer

Option C is correct because the NAT Gateway must have a public (Elastic) IP, and the route table for the private subnet must point to the NAT Gateway ID. Option A is wrong because security group rules for private instances should allow outbound traffic (e.g., HTTPS), but outbound is allowed by default, so this is unlikely to be the cause. Option D is wrong because NAT Gateways do not have security groups.

Option B is wrong because the internet gateway is attached to the VPC, not to the NAT Gateway.

43
MCQmedium

A company has a VPC with a CIDR block of 10.0.0.0/16. The VPC has two public subnets (10.0.1.0/24 and 10.0.2.0/24) and two private subnets (10.0.3.0/24 and 10.0.4.0/24). The VPC has an Internet Gateway (IGW) attached. The public subnets have a route to the IGW, and the private subnets have a route to a NAT Gateway in the public subnet 10.0.1.0/24. The SysOps administrator deploys a new EC2 instance in the private subnet 10.0.4.0/24. The instance needs to download software from the internet, but the download fails. The administrator can successfully ping the NAT Gateway from the instance. What is the MOST likely cause of the failure?

A.The security group for the EC2 instance blocks outbound internet traffic.
B.The route table for the private subnet does not have a default route to the NAT Gateway.
C.The network ACL for the private subnet blocks outbound traffic.
D.The NAT Gateway is not associated with an Elastic IP address.
AnswerB

Missing route prevents internet-bound traffic from reaching the NAT Gateway.

Why this answer

Option B is correct. The route table for the private subnet 10.0.4.0/24 is missing a default route (0.0.0.0/0) to the NAT Gateway. The ping to the NAT Gateway works because it is within the VPC, but internet-bound traffic is not routed.

Option D is wrong because the NAT Gateway is in the public subnet and has internet access. Option A is wrong because the security group only controls inbound/outbound for the instance, not routing. Option C is wrong because the NACL for the private subnet should allow outbound traffic, but the issue is routing.
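Questions 27, 34, 42 and 43 all turn on the same chain: private subnet route table, NAT Gateway, the NAT Gateway's own subnet, Internet Gateway. The following checker, added here as an example and not part of the question bank, walks that chain offline. Its inputs mirror the shape of the EC2 DescribeRouteTables and DescribeNatGateways responses; every ID is a constructed sample, and the fallback to the VPC main route table is not modelled.

```python
# Added example (not from the question bank): walk the routing chain a private
# instance needs for outbound internet access through a NAT gateway.
# Input shapes mirror the EC2 DescribeRouteTables / DescribeNatGateways API
# responses; every ID below is a constructed sample, not a real resource.

ROUTE_TABLES = [
    {   # public subnet: default route to the internet gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-public-1"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
        ],
    },
    {   # private subnet 10.0.3.0/24: default route to the NAT gateway (working)
        "RouteTableId": "rtb-private-a",
        "Associations": [{"SubnetId": "subnet-private-3"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
        ],
    },
    {   # private subnet 10.0.4.0/24: default route missing, as in question 43
        "RouteTableId": "rtb-private-b",
        "Associations": [{"SubnetId": "subnet-private-4"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        ],
    },
]

NAT_GATEWAYS = {
    "nat-0example": {
        "SubnetId": "subnet-public-1",
        "NatGatewayAddresses": [{"AllocationId": "eipalloc-0example"}],
    },
}


def route_table_for_subnet(subnet_id, tables):
    """Return the route table explicitly associated with a subnet, or None.
    (Fallback to the VPC main route table is not modelled here.)"""
    for rt in tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return None


def default_route_target(rt):
    """Return the target ID of the 0.0.0.0/0 route, or None if the table has none."""
    for route in rt["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def check_private_egress(subnet_id, tables=ROUTE_TABLES, nats=NAT_GATEWAYS):
    """Verify private subnet -> NAT gateway -> NAT's subnet -> IGW.
    Returns a list of findings; an empty list means the chain is complete."""
    rt = route_table_for_subnet(subnet_id, tables)
    if rt is None:
        return [f"{subnet_id}: no explicit route table association"]
    target = default_route_target(rt)
    if target is None:
        return [f"{subnet_id}: route table {rt['RouteTableId']} has no 0.0.0.0/0 route"]
    if not target.startswith("nat-"):
        return [f"{subnet_id}: default route points to {target}, not a NAT gateway"]
    nat = nats.get(target)
    if nat is None:
        return [f"{subnet_id}: default route points to unknown NAT gateway {target}"]

    findings = []
    # Question 42: the NAT gateway needs an Elastic IP to reach the internet.
    if not nat["NatGatewayAddresses"]:
        findings.append(f"{target}: no Elastic IP allocated")
    # Question 27: the NAT gateway's own subnet must default-route to an IGW.
    nat_rt = route_table_for_subnet(nat["SubnetId"], tables)
    nat_target = default_route_target(nat_rt) if nat_rt else None
    if nat_target is None or not nat_target.startswith("igw-"):
        findings.append(
            f"{target}: subnet {nat['SubnetId']} has no 0.0.0.0/0 route to an internet gateway"
        )
    return findings


if __name__ == "__main__":
    for subnet in ("subnet-private-3", "subnet-private-4"):
        print(subnet, check_private_egress(subnet) or "OK")
```

The checker reports the first break in the chain from the instance's point of view, which is the order in which the questions above expect you to eliminate causes: the private subnet's own default route first, then the NAT Gateway's Elastic IP, then the route from the NAT Gateway's subnet to the Internet Gateway.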

44
MCQhard

A company has a VPC with public and private subnets. The private subnets need outbound internet access to download software updates while preventing any inbound internet traffic. The SysOps administrator must minimize costs. Which solution should the administrator implement?

A.Create a NAT Gateway in a public subnet and update the private subnet route table to use it
B.Launch a NAT instance in a public subnet with an Elastic IP and disable source/destination check, then update private subnet route tables
C.Attach an Internet Gateway to the VPC and add a default route to the Internet Gateway in the private subnets
D.Use AWS Transit Gateway with a VPN connection to an on-premises data center for internet access
AnswerB

A NAT instance costs less per hour than a NAT Gateway, making it the more cost-effective option when minimizing costs is the primary goal.

Why this answer

Option B is correct because a NAT instance, when launched in a public subnet with an Elastic IP and source/destination check disabled, can route outbound traffic from private subnets to the internet while blocking unsolicited inbound connections. This solution minimizes costs compared to a NAT Gateway, as NAT instances use existing EC2 instance pricing and can be further reduced with spot instances or smaller instance types.

Exam trap

The trap here is that candidates often choose the NAT Gateway (Option A) because it is fully managed and simpler, overlooking the explicit cost-minimization requirement that favors the cheaper, self-managed NAT instance.

How to eliminate wrong answers

Option A is wrong because a NAT Gateway incurs hourly charges and data processing fees, making it more expensive than a NAT instance, which is contrary to the requirement to minimize costs. Option C is wrong because attaching an Internet Gateway directly to private subnets and adding a default route would expose those subnets to inbound internet traffic, violating the security requirement to prevent inbound traffic. Option D is wrong because AWS Transit Gateway with a VPN connection to an on-premises data center is over-engineered and costly for simple outbound internet access, and it does not directly provide internet access without additional routing and infrastructure.

45
MCQeasy

Refer to the exhibit. A SysOps administrator runs the describe-target-health command and sees that an EC2 instance in the target group is unhealthy with a timeout error. What is the most likely cause?

A.The target group is configured with an incorrect port
B.The instance's security group does not allow traffic from the ALB on the health check port
C.The instance is in a private subnet without a NAT gateway
D.The instance does not have a route to the internet
AnswerB

The ALB's health check requests are being blocked, causing timeouts.

Why this answer

Option B is correct because the health check is timing out, which indicates that the instance is not responding to health check requests on port 80. The security group must allow inbound traffic from the ALB on the health check port. Option A is wrong because the target group is configured with port 80, which matches.

Option C is wrong because a routing problem is less likely to cause a timeout on a health check that originates inside the VPC; it would cause unreachability. Option D is wrong because the exhibit does not establish the instance's subnet, and in any case a health check timeout is most often a security group issue.

46
MCQeasy

A company has a VPC with both IPv4 and IPv6 CIDR blocks. They have a public subnet with an EC2 instance that needs to be accessible over IPv6 from the internet. The instance has an IPv6 address assigned. The SysOps administrator has attached an Internet Gateway (IGW) to the VPC and added a route to the IGW for the public subnet's IPv6 route table. However, the instance is not reachable over IPv6. What is the missing configuration?

A.The instance does not have a public IPv6 address assigned
B.The route table for the subnet does not have a default route (::/0) to the IGW
C.An egress-only Internet Gateway is required for IPv6
D.The security group attached to the instance does not allow inbound IPv6 traffic
AnswerD

By default, security groups deny all inbound traffic; an explicit rule for IPv6 is needed.

Why this answer

An Internet Gateway carries IPv6 traffic in both directions, so Option C is wrong: an egress-only Internet Gateway is only for outbound IPv6 and is not required for inbound reachability. Option B is plausible, because the route must cover all IPv6 traffic (::/0) rather than a more specific prefix, but the stem states that a route to the IGW has already been added.

Option D is the most likely missing configuration. Security groups deny all inbound traffic by default, and an IPv4 rule does not cover IPv6, so an explicit inbound rule for the IPv6 source range is needed.

Options B and D could both appear plausible, but the typical oversight is the security group rule, so the answer is D.

47
MCQhard

An application uses Amazon Route 53 weighted routing to distribute traffic across two AWS regions. After a deployment, users in one region are experiencing errors. What should the administrator do to mitigate the issue immediately?

A.Update the alias record to point to a different load balancer.
B.Change the routing policy from weighted to latency-based.
C.Restart the EC2 instances in the affected region.
D.Set the weight of the affected region's record to 0 and verify health checks are configured.
AnswerD

Setting weight to 0 stops traffic to that region, and health checks will fail automatically.

Why this answer

Option D is correct because setting the weight of the unhealthy region to 0 stops traffic to it, and health checks will automatically remove unhealthy endpoints. Option B is wrong because changing the routing policy requires DNS propagation time. Option C is wrong because restarting instances may not resolve the issue immediately.

Option A is wrong because changing alias records can cause propagation delays.

48
MCQmedium

A SysOps Administrator is troubleshooting connectivity issues between two EC2 instances in the same VPC but different subnets. The instances can communicate over private IP addresses when security groups are set to allow all traffic, but fail when security groups are configured with specific rules. The Administrator wants to allow HTTP (port 80) and HTTPS (port 443) traffic from the client instance to the server instance. What security group rules are needed?

A.Add inbound rules on the server to allow HTTP and HTTPS from the client security group.
B.Add inbound rules on both the client and server.
C.Add outbound rules on both the client and server.
D.Add inbound rules on the client and outbound rules on the server.
AnswerA

Security groups are stateful; inbound rules on the server allow the request, and the response is automatically allowed.

Why this answer

Option A is correct because security groups are stateful; you only need inbound rules on the server to allow HTTP/HTTPS from the client security group. The outbound response is automatically allowed. Option C is wrong because outbound rules on the client are not needed for the response.

Option B is wrong because inbound rules on the client are not needed. Option D is wrong because outbound rules on the server are not needed for the response.
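Questions 45 and 48 both come down to evaluating one direction of a flow against two security groups: the initiator's egress rules and the responder's ingress rules, with nothing consulted for the reply because connection tracking handles it. The evaluator below is an added example, not code from this question bank. The groups are constructed in the shape of the EC2 DescribeSecurityGroups response; IDs and addresses are made up.

```python
# Added example (not from the question bank): stateful security-group evaluation
# for a client -> server TCP flow. Groups mirror the EC2 DescribeSecurityGroups
# response shape; every ID and address below is a constructed sample.
from ipaddress import ip_address, ip_network

SECURITY_GROUPS = {
    # client (question 48): default egress rule, no ingress needed for this flow
    "sg-client": {
        "IpPermissions": [],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    # server (question 48): ingress 80/443 from sg-client only; deliberately no
    # egress rule, to show that the reply path needs none (stateful)
    "sg-server": {
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-client"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-client"}]},
        ],
        "IpPermissionsEgress": [],
    },
    # ALB and a web target (question 45): the target only admits the ALB on 443,
    # so an HTTP health check on port 80 is dropped and times out
    "sg-alb": {
        "IpPermissions": [],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    "sg-web": {
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]},
        ],
        "IpPermissionsEgress": [],
    },
}


def rule_matches(rule, protocol, port, peer_sg, peer_ip):
    """True if one ingress/egress rule admits protocol/port for the given peer,
    matched either by the peer's security group or by a CIDR containing its IP."""
    proto = rule["IpProtocol"]
    if proto != "-1":                      # "-1" means all protocols and ports
        if proto != protocol:
            return False
        if not rule["FromPort"] <= port <= rule["ToPort"]:
            return False
    if any(p["GroupId"] == peer_sg for p in rule.get("UserIdGroupPairs", [])):
        return True
    return any(ip_address(peer_ip) in ip_network(r["CidrIp"])
               for r in rule.get("IpRanges", []))


def flow_allowed(groups, client_sg, client_ip, server_sg, server_ip, port, protocol="tcp"):
    """Can a client in client_sg open `port` on a server in server_sg?
    Only the request direction is evaluated: the client's egress rules and the
    server's ingress rules. The reply is admitted by connection tracking, so no
    rule on the return path is consulted."""
    egress_ok = any(rule_matches(r, protocol, port, server_sg, server_ip)
                    for r in groups[client_sg]["IpPermissionsEgress"])
    ingress_ok = any(rule_matches(r, protocol, port, client_sg, client_ip)
                     for r in groups[server_sg]["IpPermissions"])
    return egress_ok and ingress_ok


if __name__ == "__main__":
    for port in (80, 443, 22):
        print("client->server", port,
              flow_allowed(SECURITY_GROUPS, "sg-client", "10.0.3.10", "sg-server", "10.0.4.10", port))
    print("alb health check on 80",
          flow_allowed(SECURITY_GROUPS, "sg-alb", "10.0.1.5", "sg-web", "10.0.3.20", 80))
```

The ALB case is the one to remember from question 45: the health check succeeds on 443 and times out on 80 with the same two groups, so "which port does the health check actually use" is the first thing to confirm before touching routing or NACLs.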

49
MCQmedium

Refer to the exhibit. An EC2 instance is registered with an ALB target group. The health check returns 502. What is the most likely cause?

A.The instance is not reachable from the ALB due to a network ACL.
B.The instance is not registered with the target group.
C.The web server on the instance is returning an HTTP 502 response.
D.The health check path is configured for HTTPS but the instance only supports HTTP.
AnswerC

Correct because the health check receives a 502 from the target application.

Why this answer

Option C is correct because the ALB health check records the HTTP status code the target actually returned; a 502 means the web server (or a reverse proxy in front of the application) answered the probe with a 502 instead of the expected 200, so the application behind it is failing. Option A is wrong because a network ACL that blocked the ALB would produce a connection timeout, not an HTTP response. Option B is wrong because an unregistered target receives no health checks at all and cannot return a status code.

Option D is wrong because a protocol mismatch (an HTTPS probe against an HTTP-only listener) fails at the TLS handshake and is reported as a connection error, not as a 502; in any case the instance is registered in the target group and simply reported unhealthy.

50
MCQhard

A company has a VPC with public and private subnets. An Application Load Balancer (ALB) is deployed in the public subnets, and an Auto Scaling group of web servers is deployed in the private subnets. The web servers need to frequently make HTTPS requests to an external API. The API provider requires that all requests originate from a consistent set of static IP addresses for whitelisting. The SysOps administrator must ensure that outbound traffic from the web servers has static source IP addresses. Which solution should be implemented?

A.Place the web servers in public subnets and assign each instance an Elastic IP address.
B.Deploy a NAT gateway in a public subnet with an Elastic IP and route outbound traffic from the private subnets through the NAT gateway.
C.Create a VPC endpoint for the external API service.
D.Use AWS Global Accelerator to provide static IP addresses for outbound traffic.
AnswerB

The NAT gateway provides a static Elastic IP for outbound traffic from private instances, fulfilling the requirement securely.

Why this answer

Option B is correct because a NAT gateway placed in a public subnet with an Elastic IP provides a consistent, static source IP for all outbound traffic from instances in private subnets. The web servers route their outbound HTTPS requests through the NAT gateway, which performs source NAT (SNAT) using the Elastic IP, satisfying the API provider's whitelisting requirement. This design keeps the web servers in private subnets for security while ensuring a fixed public IP for outbound traffic.

Exam trap

The trap here is that candidates confuse AWS Global Accelerator's static IPs for inbound traffic with the need for static outbound IPs, or mistakenly think VPC endpoints can be used for any external service, when they only work with supported AWS services.

How to eliminate wrong answers

Option A is wrong because placing web servers in public subnets with Elastic IPs would expose them directly to the internet, bypassing the ALB and compromising security; it also requires managing individual Elastic IPs per instance, which is not scalable for an Auto Scaling group. Option C is wrong because a VPC endpoint is used for private connectivity to AWS services (e.g., S3, DynamoDB) via the AWS network, not for reaching external HTTPS APIs over the internet; it does not provide static IP addresses for outbound traffic to third-party endpoints. Option D is wrong because AWS Global Accelerator provides two static Anycast IP addresses for inbound traffic to your application endpoints (e.g., ALB, NLB), not for outbound traffic from instances; it does not affect the source IP of outbound requests from web servers.

51
MCQeasy

A company has a VPC that requires DNS resolution for custom domain names within the VPC. They want to use a private hosted zone in Amazon Route 53. Which resource is required to associate the private hosted zone with the VPC?

A.A resolver rule
B.A public hosted zone
C.A VPC
D.A CNAME record
AnswerC

A private hosted zone must be associated with one or more VPCs to be accessible within those VPCs.

Why this answer

To associate a private hosted zone with a VPC in Amazon Route 53, you must specify the VPC ID and the AWS Region of the VPC. The VPC itself is the required resource because the private hosted zone is scoped to one or more VPCs, enabling DNS resolution for custom domain names only within those VPCs. Without a VPC association, the private hosted zone cannot serve DNS queries.

Exam trap

The trap here is that candidates often confuse the resource needed for association (the VPC) with DNS record types or resolver configurations, mistakenly thinking a CNAME record or resolver rule is required to link the hosted zone to the VPC.

How to eliminate wrong answers

Option A is wrong because a resolver rule is used with Route 53 Resolver to forward DNS queries to or from on-premises networks, not to associate a private hosted zone with a VPC. Option B is wrong because a public hosted zone is used for DNS resolution over the internet, not for private DNS within a VPC, and it cannot be associated with a VPC. Option D is wrong because a CNAME record is a DNS record type that maps an alias to a canonical name, not a resource that associates a hosted zone with a VPC.

52
MCQhard

A company uses Amazon CloudFront to serve static content from an S3 bucket. The S3 bucket is configured as an origin with RestrictBucketAccess set to Yes, and the origin access identity (OAI) is configured. Users can access the content via CloudFront, but direct S3 URLs return Access Denied. However, some users report that they can still access the content directly via S3 URLs. What is the most likely reason?

A.The OAI is not properly associated with the CloudFront distribution.
B.The S3 bucket policy allows public read access in addition to the OAI.
C.The CloudFront distribution is using a custom origin instead of S3.
D.CloudFront is using pre-signed URLs that are being shared.
AnswerB

If the bucket policy allows public read, direct access is possible despite OAI.

Why this answer

Option B is correct because a bucket policy is a set of Allow statements, and an extra statement that grants s3:GetObject to Principal "*" applies regardless of the OAI grant: the OAI does not lock the bucket, it only gives CloudFront a principal that can be allowed. Direct S3 URLs stay blocked only when the OAI is the sole principal allowed to read objects and no object ACL or leftover public statement allows anyone else. Option A is wrong because the OAI is set up and requests through CloudFront succeed.

Option C is wrong because an OAI applies only to S3 origins, and the scenario states the S3 origin is configured. Option D is wrong because an OAI does not involve pre-signed URLs; the users are reaching plain S3 object URLs.
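The check a practitioner would run for this scenario, as an added example that is not part of the original page and not AWS code: scan the bucket policy for Allow statements that hand s3:GetObject to everyone with no Condition, since those are what keep direct S3 URLs working next to the OAI grant. The policy, bucket name and OAI ID below are constructed for illustration.

```python
"""Audit an S3 bucket policy for unconditional public-read statements that let
viewers bypass CloudFront. Added example; the policy below is constructed and the
bucket name and OAI ID are hypothetical.
"""
import json

# Constructed sample: the OAI grant the question describes, plus a leftover
# public-read statement that still lets direct S3 URLs serve the objects.
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudFrontOAI",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-static-bucket/*",
        },
        {
            "Sid": "LegacyPublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-static-bucket/*",
        },
    ],
})


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def _includes_get_object(action):
    """True if the Action element covers s3:GetObject, including wildcards."""
    actions = action if isinstance(action, list) else [action]
    return any(a in ("s3:GetObject", "s3:Get*", "s3:*", "*") for a in actions)


def is_unconditional_public_read(stmt):
    """An Allow to everyone for GetObject with no Condition: direct URLs will work."""
    return (stmt.get("Effect") == "Allow"
            and _principal_is_everyone(stmt.get("Principal"))
            and _includes_get_object(stmt.get("Action", []))
            and not stmt.get("Condition"))


def public_read_statements(policy_json):
    """Return the Sids of offending statements (empty list means none found)."""
    policy = json.loads(policy_json)
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if is_unconditional_public_read(s)]


def remove_public_read(policy_json):
    """Return the policy with the offending statements dropped; the OAI grant stays."""
    policy = json.loads(policy_json)
    policy["Statement"] = [s for s in policy.get("Statement", [])
                           if not is_unconditional_public_read(s)]
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("public-read statements:", public_read_statements(LEAKY_POLICY))
    print(remove_public_read(LEAKY_POLICY))
```

The scan covers the bucket policy only; object ACLs and the account or bucket Block Public Access settings are separate controls and should be checked alongside it.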

53
Multi-Selectmedium

A company is using Amazon CloudFront to distribute content globally. They want to restrict access to their content so that only users from specific countries can access it. Which TWO actions can be taken to achieve this?

Select 2 answers
A.Configure an S3 bucket policy with a condition for aws:SourceIp.
B.Configure CloudFront geo restriction (whitelist or blacklist) at the distribution level.
C.Use IAM policies to restrict access based on the user's location.
D.Use AWS WAF associated with CloudFront to create a rule that blocks requests based on geographic origin.
E.Set up an Application Load Balancer rule to deny traffic from certain IP ranges.
AnswersB, D

CloudFront can restrict based on country.

Why this answer

Option B is correct because CloudFront geo restriction allows you to whitelist or blacklist countries at the distribution level, directly controlling access based on the geographic location of the viewer's IP address. This is a native CloudFront feature that does not require additional services, making it a straightforward solution for country-based access control. Option D is correct because an AWS WAF web ACL associated with the distribution can include a geographic match rule that blocks or allows requests by viewer country, which is the better fit when the country check must be combined with other conditions (URI paths, rate limits) that the distribution-level setting cannot express.

Exam trap

The trap here is that candidates reach for an S3 bucket policy with an aws:SourceIp condition to filter viewers, not realizing that CloudFront is a proxy: the source IP that S3 sees is the CloudFront edge's, not the viewer's, so the condition cannot discriminate by viewer location. Likewise IAM policies (Option C) govern AWS API callers, not anonymous web viewers, and an ALB rule (Option E) sits behind CloudFront, if it is in the path at all, and never sees the viewer's country.

54
MCQmedium

A company has a web application running on EC2 instances behind an Application Load Balancer (ALB). The application uses sticky sessions (session affinity) based on cookies. Recently, the SysOps team noticed that user sessions are being lost intermittently, causing users to be logged out. The team checks the ALB configuration and finds that the stickiness is enabled with a cookie name 'AWSALB' and duration of 1 hour. The application also sets its own cookie. What is the most likely cause of session loss?

A.The ALB's health check interval is too short, causing instances to be marked unhealthy
B.The application cookie is overwriting the ALB's stickiness cookie
C.Cross-zone load balancing is disabled on the ALB
D.The application's session cookie has a shorter expiration than the ALB's stickiness duration
AnswerD

If the application cookie expires, the session is lost even though the ALB still routes to the same instance.

Why this answer

Option D is correct because the ALB stickiness cookie (AWSALB) only controls which target receives the request; the application's own session cookie is what keeps the user logged in. If the application cookie expires before the one-hour stickiness window, the user is still routed to the same instance but arrives without a valid session and is logged out. Option A is wrong because a short health check interval does not by itself mark instances unhealthy, and a healthy instance keeps its sticky clients. Option B is wrong because the ALB cookie and the application cookie have different names; setting an application cookie does not overwrite AWSALB.

Option C is wrong because cross-zone load balancing affects how new requests are spread across Availability Zones, not whether existing sticky sessions are honored.

55
MCQhard

A SysOps Administrator is configuring a VPC with a public subnet and a private subnet. The public subnet has an Internet Gateway. An EC2 instance in the private subnet needs to access an S3 bucket. What is the MOST secure way to provide this access?

A.Attach an Internet Gateway to the private subnet.
B.Create a VPC Gateway Endpoint for S3 in the private subnet's route table.
C.Use a VPC peering connection to an S3 bucket.
D.Create a NAT Gateway in the public subnet and route traffic through it.
AnswerB

Correct because a Gateway Endpoint provides secure, private access to S3.

Why this answer

Option B is correct because a gateway endpoint for S3 adds a prefix-list route to the private subnet's route table, so S3 traffic stays on the AWS network and never traverses the internet; an endpoint policy can further restrict which buckets are reachable. Option A is wrong because an internet gateway attaches to the VPC, not to a subnet, and routing the private subnet through it would make the instance internet-facing. Option C is wrong because VPC peering connects VPCs, and S3 is not a VPC.

Option D is wrong because a NAT gateway sends the S3 traffic out to S3's public endpoints over the internet path, which is less secure than the endpoint and incurs NAT data-processing charges.

56
MCQeasy

A SysOps administrator has deployed an Application Load Balancer (ALB) that distributes traffic to a fleet of Amazon EC2 instances. The administrator notices that the ALB is sending all traffic to instances in a single Availability Zone (AZ), ignoring instances in other AZs. The ALB was created with default settings. Which action should the administrator take to ensure traffic is distributed evenly across all AZs?

A.Enable cross-zone load balancing on the ALB.
B.Enable connection draining on the target group.
C.Enable sticky sessions (session stickiness) on the target group.
D.Configure health checks on the target group to ensure unhealthy instances are not used.
AnswerA

Cross-zone load balancing distributes incoming traffic across all registered targets in every enabled AZ. It is on by default at the ALB level, but it can be turned off per target group; if it was turned off there, each ALB node forwards only to targets in its own AZ. Turning it back on spreads traffic evenly.

Why this answer

With cross-zone load balancing off, each ALB node (one per enabled Availability Zone) sends requests only to the healthy targets in its own AZ, and DNS round-robin splits client connections roughly equally between the nodes. If one AZ holds more targets than another, the per-target share is uneven, and if clients happen to land mostly on the nodes in one AZ, that AZ's targets receive nearly all the traffic. Enabling cross-zone load balancing lets every node forward to every healthy target in every enabled AZ, so load is spread across all instances regardless of how many sit in each zone.

Exam trap

The trap here is that candidates assume an ALB always spreads requests across every instance, but with cross-zone load balancing off the distribution is per AZ: each node routes only within its own zone, so the split between zones is equal even when the instance counts are not.

How to eliminate wrong answers

Option B is wrong because connection draining (also known as deregistration delay) is used to complete in-flight requests before an instance is deregistered or becomes unhealthy, not to distribute traffic across AZs. Option C is wrong because sticky sessions (session stickiness) bind a client's requests to a specific target instance, which can actually prevent even distribution across AZs by concentrating traffic on a single instance. Option D is wrong because health checks only mark unhealthy instances as out of service; they do not influence how traffic is distributed across AZs—traffic would still be sent to healthy instances in the same AZ even if other AZs have healthy instances.

57
MCQeasy

Which AWS service can be used to create a private, dedicated connection between an on-premises data center and AWS?

A.AWS Site-to-Site VPN
B.AWS Transit Gateway
C.VPC Peering
D.AWS Direct Connect
AnswerD

Dedicated private connection from on-prem to AWS.

Why this answer

Option D is correct because AWS Direct Connect provides a dedicated, private physical connection from the data center to AWS that does not traverse the public internet (note that Direct Connect is not encrypted on its own; a VPN over Direct Connect or MACsec is needed for encryption). Option A is wrong because a Site-to-Site VPN is an encrypted tunnel over the public internet, not a dedicated link. Option B is wrong because Transit Gateway is a regional hub that interconnects VPCs and on-premises attachments; the on-premises side still arrives over VPN or Direct Connect.

Option C is wrong because VPC peering connects two VPCs, not a VPC and a data center.

58
Multi-Selectmedium

A SysOps administrator is planning a VPC design with high availability for an application that must tolerate the failure of an entire Availability Zone. Which TWO configurations should be implemented? (Select TWO.)

Select 2 answers
A.Use a single NAT Gateway for all private subnets.
B.Deploy a NAT Gateway in each Availability Zone.
C.Launch EC2 instances in at least two Availability Zones.
D.Use a placement group to ensure instances are in different AZs.
E.Use only one public subnet and one private subnet.
AnswersB, C

Provides AZ-level redundancy for outbound traffic.

Why this answer

Option B is correct because deploying a NAT Gateway in each Availability Zone ensures that private subnets in each AZ have a route to the internet via a NAT Gateway that resides in the same AZ, preventing cross-AZ data transfer costs and maintaining high availability if an entire AZ fails. Option C is correct because launching EC2 instances in at least two Availability Zones provides fault tolerance at the compute layer, allowing the application to continue serving traffic even if one AZ becomes unavailable.

Exam trap

The trap here is that candidates often think a single NAT Gateway is sufficient for high availability because it is a managed service, but they overlook that it is still tied to a single AZ and will fail if that AZ fails, making per-AZ deployment essential for AZ-level fault tolerance.

59
MCQmedium

Refer to the exhibit. A SysOps administrator is troubleshooting connectivity issues for a web application that uses an ALB. The ALB sends health check requests to targets on port 443. The network ACL shown is associated with the target subnet. Based on the exhibit, what is causing the health checks to fail?

A.The network ACL allows inbound HTTPS (443) from 0.0.0.0/0, which includes the ALB, so this should work. The issue is likely elsewhere.
B.The network ACL does not allow inbound traffic from the ALB on ephemeral ports.
C.The network ACL is blocking inbound traffic from the internet, but health checks come from the ALB.
D.The network ACL does not allow inbound HTTP (port 80) from the ALB.
AnswerA

The NACL rules seem to allow health checks, so the problem might be elsewhere.

Why this answer

Option A is correct because rule 100 allows inbound TCP 443 from 0.0.0.0/0, and that range includes the private IP addresses of the ALB nodes that send the health checks. Network ACL rules are evaluated in ascending rule-number order and the first match wins, so the deny-all rule 120 (protocol -1) only catches traffic that no earlier rule allowed; a health check request on port 443 never reaches it. With the inbound request admitted, the cause of the failure lies outside the inbound rule set shown: because network ACLs are stateless, the outbound rules must separately allow the response back to the ALB on its ephemeral ports (1024-65535), and the target itself must answer on 443 with the expected status code.

Option B is wrong because the health check request arrives on port 443; ephemeral ports matter for the outbound response, not for the inbound rules shown. Option C is wrong because health checks originate from the ALB nodes inside the VPC, not from the internet. Option D is wrong because the health checks are sent on port 443, so an inbound rule for port 80 is not needed.
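The stateless evaluation described above, as an added example that is not part of the original page: rules are walked in ascending number order, the first match decides, and both halves of the health check (request in on 443, response out to an ephemeral port) must be permitted separately. The exhibit itself is not reproduced on the page, so apart from rules 100 and 120, which the explanation names, the rule sets and the ALB address below are constructed.

```python
"""Evaluate a stateless network ACL the way the VPC does: ascending rule number,
first match wins, implicit deny at the end. Added example; the rule sets below are
constructed (only rules 100 and 120 come from the question's explanation) and the
ALB node address 10.0.1.10 is hypothetical.
"""
import ipaddress

# (rule_number, protocol, port_from, port_to, cidr, action); protocol "-1" = all traffic
INBOUND = [
    (100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (120, "-1", 0, 65535, "0.0.0.0/0", "deny"),
]

# Outbound set that forgot the ephemeral range the ALB uses for its side of the
# connection: the request gets in, the response cannot get out.
OUTBOUND_MISSING_EPHEMERAL = [
    (100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (120, "-1", 0, 65535, "0.0.0.0/0", "deny"),
]

# Corrected outbound set: ALB nodes use ephemeral ports 1024-65535.
OUTBOUND_FIXED = [
    (100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (110, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
    (120, "-1", 0, 65535, "0.0.0.0/0", "deny"),
]


def evaluate(rules, protocol, port, address):
    """Return (action, rule_number) for one packet against one direction's rules.

    `address` is the remote side: the source for inbound, the destination for outbound.
    """
    addr = ipaddress.ip_address(address)
    for number, proto, lo, hi, cidr, action in sorted(rules, key=lambda r: r[0]):
        if proto != "-1" and proto != protocol:
            continue
        if proto != "-1" and not (lo <= port <= hi):
            continue
        if addr not in ipaddress.ip_network(cidr):
            continue
        return action, number
    return "deny", "*"  # the implicit default-deny rule


def health_check_passes(inbound, outbound, alb_ip, target_port, alb_ephemeral_port):
    """Both legs of the stateless exchange must be allowed for the probe to succeed."""
    request, _ = evaluate(inbound, "tcp", target_port, alb_ip)
    response, _ = evaluate(outbound, "tcp", alb_ephemeral_port, alb_ip)
    return request == "allow" and response == "allow"


if __name__ == "__main__":
    print("inbound 443 from ALB:", evaluate(INBOUND, "tcp", 443, "10.0.1.10"))
    print("probe with missing ephemeral rule:",
          health_check_passes(INBOUND, OUTBOUND_MISSING_EPHEMERAL, "10.0.1.10", 443, 30000))
    print("probe with fixed outbound rules:",
          health_check_passes(INBOUND, OUTBOUND_FIXED, "10.0.1.10", 443, 30000))
```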

60
MCQhard

An organization has a VPC with public and private subnets. The private subnets need to access the internet for software updates. A NAT gateway is deployed in a public subnet and the private subnet route table has a route for 0.0.0.0/0 pointing to the NAT gateway. However, instances in the private subnet cannot reach the internet. What could be the issue?

A.The NAT gateway's subnet does not have a route to an internet gateway
B.The private subnet's network ACL blocks outbound HTTPS traffic
C.The security group attached to the NAT gateway does not allow outbound traffic
D.The private instances do not have a public IP address assigned
AnswerA

The NAT gateway needs a route to the IGW to reach the internet.

Why this answer

Option A is correct because a NAT gateway is only "public" if the subnet it lives in has a route for 0.0.0.0/0 to the internet gateway; without that route the NAT gateway receives the private instances' traffic but has nowhere to forward it. Option B is wrong because the scenario describes a total loss of internet access, and the default network ACL allows all traffic; a rule blocking only outbound HTTPS would not explain other protocols failing as well. Option C is wrong because a NAT gateway is a managed resource that does not have a security group; traffic through it is governed by the subnet's network ACL and the instances' own security groups.

Option D is wrong because instances behind a NAT gateway are not supposed to have public IPs; the NAT gateway's Elastic IP is the source address seen on the internet.
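A way to check the whole route chain (private subnet to NAT gateway, NAT gateway's subnet to internet gateway) rather than only the first hop, as an added example that is not part of the original page and not AWS code. It walks data in the shape of the describe-route-tables and describe-nat-gateways API responses; the route tables, subnet, NAT gateway and internet gateway IDs below are constructed.

```python
"""Trace a private subnet's default route through its NAT gateway to an internet
gateway. Added example; the tables and every ID below are constructed (hypothetical).
"""

# Constructed snapshot of the VPC in the question, in describe-* output shape.
NAT_GATEWAYS = {"nat-0abc": {"SubnetId": "subnet-public-a", "State": "available"}}

PRIVATE_RT = {
    "RouteTableId": "rtb-private-a",
    "Associations": [{"SubnetId": "subnet-private-a"}],
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc", "State": "active"},
    ],
}
# The NAT gateway's own subnet as misconfigured in the scenario: no route to an IGW.
PUBLIC_RT_BROKEN = {
    "RouteTableId": "rtb-public-a",
    "Associations": [{"SubnetId": "subnet-public-a"}],
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    ],
}
PUBLIC_RT_FIXED = {
    "RouteTableId": "rtb-public-a",
    "Associations": [{"SubnetId": "subnet-public-a"}],
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0def", "State": "active"},
    ],
}


def route_table_for(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    for rt in route_tables:
        if any(a.get("Main") for a in rt["Associations"]):
            return rt
    return None


def default_route(rt):
    """Return the active 0.0.0.0/0 route, or None if the table has no default route."""
    for route in rt["Routes"]:
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and route.get("State", "active") == "active"):
            return route
    return None


def diagnose_private_egress(route_tables, nat_gateways, private_subnet_id):
    """Follow private subnet -> NAT gateway -> NAT subnet -> IGW; name the first broken link."""
    rt = route_table_for(route_tables, private_subnet_id)
    if rt is None:
        return "no-route-table"
    dflt = default_route(rt)
    if dflt is None:
        return "private-subnet-has-no-default-route"
    nat_id = dflt.get("NatGatewayId")
    if not nat_id:
        return "private-default-route-not-via-nat"
    nat = nat_gateways.get(nat_id)
    if nat is None or nat.get("State") != "available":
        return "nat-gateway-missing-or-not-available"
    nat_rt = route_table_for(route_tables, nat["SubnetId"])
    nat_dflt = default_route(nat_rt) if nat_rt else None
    if nat_dflt is None or not str(nat_dflt.get("GatewayId", "")).startswith("igw-"):
        return "nat-subnet-has-no-igw-default-route"  # the fault in the question
    return "ok"


if __name__ == "__main__":
    print(diagnose_private_egress([PRIVATE_RT, PUBLIC_RT_BROKEN], NAT_GATEWAYS, "subnet-private-a"))
    print(diagnose_private_egress([PRIVATE_RT, PUBLIC_RT_FIXED], NAT_GATEWAYS, "subnet-private-a"))
```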

61
MCQeasy

A SysOps administrator needs to allow traffic from a specific IP address range (203.0.113.0/24) to access an Amazon EC2 instance in a VPC. Which configuration step should be performed?

A.Create an IAM policy that allows inbound traffic from 203.0.113.0/24.
B.Add a rule to the network ACL associated with the subnet to allow inbound traffic from 203.0.113.0/24.
C.Modify the route table of the subnet to include a route for 203.0.113.0/24 to the internet gateway.
D.Add an inbound rule to the security group associated with the EC2 instance allowing traffic from 203.0.113.0/24.
AnswerD

Security groups act as a virtual firewall for the instance, and stateful rules are appropriate.

Why this answer

Option D is correct because a security group is the stateful, instance-level firewall: an inbound rule allowing the required port(s) from 203.0.113.0/24 admits the traffic, and the return traffic is allowed automatically. Option B is wrong because a network ACL applies to the whole subnet and is stateless (a matching outbound rule for the ephemeral ports would also be needed); it is a coarser control than the question asks for, and the default network ACL already allows this range. Option C is wrong because route tables decide where packets are sent, not which sources are permitted.

Option A is wrong because IAM policies authorize AWS API calls, not network traffic to an instance.

62
MCQhard

A company has a VPC with multiple subnets across two Availability Zones. The company wants to set up a Network Load Balancer (NLB) to handle TCP traffic to a fleet of EC2 instances. The instances are in private subnets. Which configuration is necessary to ensure the NLB can route traffic to the instances?

A.Ensure the NLB is deployed in subnets that can route to the target subnets
B.Assign security groups to the NLB to allow inbound traffic
C.Configure a NAT gateway in each Availability Zone for the NLB to access the instances
D.Attach an internet gateway to the VPC and add a route to the NLB subnets
AnswerA

NLB must be in subnets that have routes to the target subnets; since targets are in private subnets, the NLB subnets must have appropriate routing.

Why this answer

Option A is correct because the NLB forwards to targets through the VPC's local routing: it must have a subnet (and therefore a node) in each Availability Zone that contains targets, and those subnets need only the VPC's local route to reach the private target subnets. Option B is wrong because a security group is not required for the NLB to forward traffic; what matters is that the targets' security groups allow traffic from the NLB (or, with client IP preservation, from the clients). Option C is wrong because a NAT gateway handles outbound traffic from private subnets to the internet, not load balancer to target traffic inside the VPC.

Option D is wrong because an internet gateway is needed only if the NLB is internet-facing; it plays no part in reaching the targets.

63
Multi-Selecteasy

A company has an Application Load Balancer (ALB) that distributes traffic to EC2 instances. The company wants to enable path-based routing to send requests to different target groups. Which TWO resources must be created to achieve this?

Select 2 answers
A.Subnet for the ALB
B.Target group for each backend service
C.Network Load Balancer (NLB)
D.Listener rule with a path pattern condition
E.Security group for the ALB
AnswersB, D

Target groups group the instances for each service.

Why this answer

Option B (a target group for each backend service) and Option D (a listener rule with a path pattern condition) are correct: the rule matches the request path (for example /api/*) and forwards to the matching target group. Option A is wrong because the ALB already has subnets; they are part of its network placement, not of routing.

Option C is wrong because a Network Load Balancer operates at layer 4 and cannot inspect request paths. Option E is wrong because the ALB's security group filters traffic; it does not decide which target group receives a request.

64
MCQmedium

A company runs an application across multiple Availability Zones. The application servers are in private subnets and need outbound internet access to download software updates and patches. The SysOps administrator needs a highly available, fully managed solution to provide this outbound connectivity. Which solution should be used?

A.Deploy a NAT instance in each private subnet
B.Deploy a single NAT Gateway in one public subnet
C.Deploy a NAT Gateway in each public subnet
D.Attach an Internet Gateway directly to the private subnets
AnswerC

By deploying a NAT Gateway in each Availability Zone's public subnet and configuring private subnets to use the NAT Gateway in the same AZ, the solution is both fully managed and highly available. If one AZ fails, the other AZ's NAT Gateway continues to provide internet access.

Why this answer

Option C is correct because deploying a NAT Gateway in each public subnet provides a highly available, fully managed solution for outbound internet access from private subnets. NAT Gateways are managed by AWS, automatically scale, and are resilient within an Availability Zone; using one per AZ ensures that if one AZ fails, the others continue to provide outbound connectivity. This meets the requirement for high availability without the operational overhead of managing NAT instances.

Exam trap

The trap here is that candidates often confuse NAT Gateways with NAT instances or assume a single NAT Gateway is sufficient for high availability, overlooking the need for one per Availability Zone to achieve true fault tolerance.

How to eliminate wrong answers

Option A is wrong because NAT instances are self-managed EC2 instances that require manual patching, scaling, and failover configuration, which contradicts the 'fully managed' requirement and introduces a single point of failure if only one instance is used per subnet. Option B is wrong because a single NAT Gateway in one public subnet creates a single point of failure; if that Availability Zone becomes unavailable, all private subnets lose outbound internet access, violating the high availability requirement. Option D is wrong because an Internet Gateway attaches to the VPC, not to a subnet; pointing the private subnets' default route at it would turn them into public subnets, require public IPs on the instances, and expose them to inbound internet traffic, defeating the purpose of a private subnet.

65
MCQhard

A SysOps administrator is setting up a Network Load Balancer (NLB) to handle millions of requests per second. The target group consists of EC2 instances that are in a single Availability Zone. Which of the following is a potential issue?

A.If the single AZ becomes unavailable, the NLB will fail over to other AZs automatically.
B.The NLB cannot be associated with only one Availability Zone.
C.The NLB cannot preserve the source IP address of the client.
D.The NLB will not be able to handle the traffic volume due to the single AZ limitation.

Why this answer

An NLB is a regional resource, but cross-zone load balancing is off by default for Network Load Balancers. With every target in one AZ, the NLB nodes in any other enabled AZ have nothing to forward to, so all traffic lands in that single zone and the zone becomes a single point of failure; nothing in the NLB moves traffic to targets that do not exist elsewhere.

Option A describes an automatic failover that does not happen: an NLB can only send traffic to targets that are registered and healthy in some enabled AZ. Option B is untrue because an NLB can be enabled in a single Availability Zone. Option C is untrue because an NLB preserves the client's source IP address for instance targets. Option D is untrue because NLB throughput does not depend on the number of zones it spans; the single-AZ limitation affects availability, not request volume.

66
MCQmedium

A company has a VPC with a CIDR block of 10.0.0.0/16. They need to connect to an on-premises network using a site-to-site VPN. The on-premises network uses 10.0.0.0/16 as well. Which solution avoids routing conflicts?

A.Attach an Internet Gateway and use public IPs for communication.
B.Set up a second VPN connection to a different virtual private gateway.
C.Create a VPC peering connection between the VPC and on-premises network.
D.Use a NAT instance to translate addresses for overlapping ranges.
AnswerD

NAT can translate overlapping IPs.

Why this answer

Option D is correct because a NAT instance can translate the overlapping IP addresses from the on-premises network (10.0.0.0/16) to a different IP range within the VPC, allowing communication without routing conflicts. The NAT instance performs destination NAT (DNAT) for inbound traffic and source NAT (SNAT) for outbound traffic, effectively hiding the overlap. This is a common workaround when both networks use the same CIDR block and cannot be renumbered.

Exam trap

The trap here is that candidates often assume a second VPN connection or VPC peering can solve overlapping CIDR issues, but AWS requires unique, non-overlapping IP ranges for both VPN route propagation and VPC peering, making NAT the only viable option among the choices.

How to eliminate wrong answers

Option A is wrong because attaching an Internet Gateway and using public IPs does not resolve the routing conflict within the VPC; the VPC's route tables still have a local route for 10.0.0.0/16, which will conflict with the on-premises route, and traffic destined for the on-premises network would be incorrectly routed locally. Option B is wrong because setting up a second VPN connection to a different virtual private gateway does not address the overlapping CIDR; both VPN connections would still require unique, non-overlapping IP ranges for the route tables, and the conflict persists. Option C is wrong because VPC peering does not support overlapping CIDR blocks; AWS explicitly prohibits peering connections between VPCs with overlapping or identical IP ranges, and on-premises networks cannot be peered directly with a VPC.

67
MCQhard

A company has three VPCs in the same AWS region: VPC A (production), VPC B (development), and VPC C (shared services). The VPCs have overlapping CIDR blocks (e.g., VPC A: 10.0.0.0/16, VPC B: 10.0.0.0/16, VPC C: 10.1.0.0/16). The SysOps administrator needs to enable private IP communication between VPC A and VPC C, and between VPC B and VPC C, but not between VPC A and VPC B. The solution must also support a growing number of VPCs in the future. Which AWS service should be used?

A.Use AWS Transit Gateway with attachment route tables that isolate traffic between VPCs, ensuring that VPC A and VPC B routes are separate.
B.Use AWS PrivateLink by creating a Network Load Balancer in VPC C and configuring VPC endpoints in VPC A and VPC B to access the services.
C.Create two VPC peering connections: one between VPC A and VPC C, and one between VPC B and VPC C.
D.Set up two AWS Site-to-Site VPN connections from VPC C to VPC A and VPC B using virtual private gateways.
AnswerB

AWS PrivateLink allows you to expose services in VPC C via a Network Load Balancer, and VPC A and VPC B can create interface VPC endpoints to connect to those services privately. This works even with overlapping CIDRs because each consumer talks to an endpoint network interface that has an address inside its own VPC; no route to VPC C's address space is ever installed, so VPC C never has to distinguish A's 10.0.0.0/16 from B's. It also scales well with additional VPCs.

Why this answer

AWS Transit Gateway (Option A) cannot satisfy the requirement as stated because VPC C must reach both VPC A and VPC B, and the Transit Gateway route table used by VPC C can hold only one route for 10.0.0.0/16; route-table isolation can keep A and B apart from each other, but it cannot tell VPC C which of two identical prefixes a packet is for. AWS PrivateLink (Option B) solves this by allowing VPC A and VPC B to access services in VPC C via VPC endpoints and a Network Load Balancer, without requiring direct IP routing between the VPCs, thus avoiding the CIDR overlap and supporting future VPC growth.

Exam trap

The trap here is that candidates assume Transit Gateway or VPC peering can handle overlapping CIDRs through route-table isolation, but the problem sits in VPC C's own routing: the same prefix 10.0.0.0/16 cannot point at two different next hops, whichever service carries the traffic. PrivateLink, which installs no route to the consumer VPCs, is the only viable option among the choices.

How to eliminate wrong answers

Option A is wrong because, with VPC A and VPC B both using 10.0.0.0/16, the Transit Gateway route table that VPC C's attachment uses cannot carry a 10.0.0.0/16 route to both attachments; separate route tables can isolate A from B, but they cannot resolve the ambiguity on VPC C's side. Option C is wrong because, although an A-to-C and a B-to-C peering would each be accepted (10.0.0.0/16 does not overlap 10.1.0.0/16), VPC C's route table would then need one 10.0.0.0/16 route pointing at two different peering connections, which is impossible; peering is also non-transitive and does not scale to a growing number of VPCs. Option D is wrong because Site-to-Site VPN is built for on-premises connectivity, and the virtual private gateway in VPC C would face the same conflict: one prefix, two destinations.

68
MCQmedium

A company runs a web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application needs to serve HTTPS content. The SysOps administrator wants to offload SSL termination to the ALB and automatically renew the certificate before expiration. Which solution should the administrator implement?

A.Use AWS Certificate Manager (ACM) to request a public certificate and associate it with the ALB.
B.Upload a third-party certificate to IAM and associate it with the ALB.
C.Store the certificate in Amazon S3 and configure the ALB to read from S3.
D.Use a self-signed certificate on each EC2 instance and configure the ALB for TCP passthrough.
AnswerA

Correct. ACM public certificates are automatically renewed, and SSL termination is offloaded to the ALB.

Why this answer

AWS Certificate Manager (ACM) integrates natively with Application Load Balancers to handle SSL/TLS termination. ACM can automatically renew public certificates issued by Amazon's trusted certificate authority, eliminating the need for manual renewal. By associating the ACM certificate with the ALB's HTTPS listener, the administrator offloads SSL termination and ensures automatic certificate renewal before expiration.

Exam trap

The trap here is that candidates may confuse ACM's automatic renewal with manual certificate upload methods (IAM or S3) or incorrectly think self-signed certificates can be used with ACM, when in fact ACM only manages certificates from its own public CA or imported certificates that must be manually renewed.

How to eliminate wrong answers

Option B is wrong because uploading a third-party certificate to IAM is a legacy approach that does not support automatic renewal; IAM certificates must be manually re-uploaded before expiration. Option C is wrong because Amazon S3 cannot be used as a certificate store for ALB; ALB does not support reading certificates from S3. Option D is wrong because using a self-signed certificate on each EC2 instance with TCP passthrough would require the instances to handle SSL termination, defeating the requirement to offload SSL to the ALB, and self-signed certificates are not trusted by browsers and cannot be automatically renewed by ACM.

69
MCQeasy

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to connect to an on-premises network with a CIDR of 10.0.0.0/8. What is the issue?

A.The on-premises CIDR is private and cannot be used with AWS.
B.AWS does not support /8 CIDR blocks.
C.The CIDR blocks overlap, causing routing conflicts.
D.The VPC CIDR is too large.
AnswerC

Overlapping CIDRs cause ambiguous routing.

Why this answer

Overlapping CIDR blocks prevent VPC peering or VPN connections because routes to the same prefix conflict, so there is no unambiguous path for that traffic. Option A is not the issue. Option B is not the primary issue. Option D is not directly a problem.
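As an added example (not part of the question bank), a preflight check built on Python's standard ipaddress module that flags the overlap from this question and then picks a block that clears all existing prefixes; the VPC CIDR, the on-premises prefixes and the candidate list are constructed sample values.

```python
import ipaddress

# Constructed sample: the VPC and on-premises prefix from the question, plus a
# second on-premises prefix that does not overlap the VPC.
VPC_CIDR = "10.0.0.0/16"
ON_PREM_CIDRS = ["10.0.0.0/8", "192.168.10.0/24"]


def find_cidr_conflicts(vpc_cidr, remote_cidrs):
    """Return (remote, vpc, relation) for each remote prefix overlapping the VPC.

    Any overlap is a problem: AWS refuses a peering between overlapping VPCs,
    and an on-premises host that falls inside the VPC CIDR is unreachable over
    a VPN because the VPC's own local route is the longest match.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    conflicts = []
    for cidr in remote_cidrs:
        remote = ipaddress.ip_network(cidr, strict=True)
        if remote.version != vpc.version or not vpc.overlaps(remote):
            continue
        # Two CIDR blocks either nest or are disjoint; partial overlap cannot happen.
        relation = "vpc inside remote" if vpc.subnet_of(remote) else "remote inside vpc"
        conflicts.append((str(remote), str(vpc), relation))
    return conflicts


def pick_non_overlapping_cidr(candidates, existing_cidrs):
    """Return the first candidate block that overlaps none of the existing prefixes."""
    existing = [ipaddress.ip_network(c, strict=True) for c in existing_cidrs]
    for cand in candidates:
        net = ipaddress.ip_network(cand, strict=True)
        if not any(net.version == e.version and net.overlaps(e) for e in existing):
            return str(net)
    return None
```

Run the check before creating the peering or VPN: a non-empty result from find_cidr_conflicts means the address plan, not the gateway or tunnel configuration, must change.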

70
MCQeasy

A company wants to provide low-latency access to static content (images, CSS) for global users. The content is stored in an S3 bucket. Which service should be used to cache content at edge locations?

A.Amazon ElastiCache
B.Amazon CloudFront
C.S3 Transfer Acceleration
D.AWS Global Accelerator
AnswerB

CloudFront is a content delivery network (CDN) that caches at edge locations.

Why this answer

Option B is correct because Amazon CloudFront is a CDN that caches content at edge locations for low-latency delivery. Option C is incorrect because S3 Transfer Acceleration speeds up uploads, not downloads. Option D is incorrect because Global Accelerator improves TCP/UDP performance but does not cache content. Option A is incorrect because ElastiCache is a caching layer for databases, not for static content delivery.

71
MCQeasy

A company has deployed a web application across multiple Availability Zones using an Application Load Balancer. The application experiences increased latency during peak hours. Which action would be MOST effective in reducing latency?

A.Add more EC2 instances to the target group.
B.Update the health check to use a more frequent interval.
C.Enable cross-zone load balancing on the ALB.
D.Increase the deregistration delay for the target group.
AnswerA

Adding more instances increases capacity, reducing load per instance and thus reducing latency.

Why this answer

Option A is correct because adding targets increases capacity; tuning the connection idle timeout can free resources by closing idle connections, but the most effective change for latency is to add more targets. Option C is wrong because cross-zone load balancing is already enabled by default on an ALB and only helps distribute traffic evenly. Option D is wrong because increasing the deregistration delay does not reduce latency. Option B is wrong because a more frequent health check does not directly reduce latency.

72
MCQmedium

A SysOps administrator notices that traffic to an Amazon EC2 instance is being blocked even though the security group allows all inbound traffic. The subnet's network ACL allows all inbound and outbound traffic. What could be the issue?

A.The instance's operating system firewall is blocking the traffic.
B.The network ACL is not associated with the subnet correctly.
C.VPC Flow Logs are misconfigured.
D.The route table does not have a default route to an internet gateway.
AnswerA

OS-level firewalls (e.g., iptables, Windows Firewall) can block traffic even if AWS firewalls allow it.

Why this answer

Option A is correct because the operating system's firewall can block traffic at the instance level even when the security group and network ACL permit it. Option B is wrong because the network ACL already permits all traffic. Option D is wrong because route tables do not block traffic. Option C is wrong because VPC Flow Logs only record traffic; they do not block it.

73
Multi-Selecthard

Which THREE components are required to set up a site-to-site VPN connection between a VPC and an on-premises network? (Choose three.)

Select 3 answers
A.Virtual private gateway or transit gateway
B.NAT Gateway
C.VPN connection
D.Customer gateway
E.Internet gateway
AnswersA, C, D

The virtual private gateway (or transit gateway) is the AWS-side endpoint for the VPN.

Why this answer

A virtual private gateway or transit gateway is required as the AWS-side VPN concentrator that terminates the VPN tunnels and routes traffic between the VPC and the on-premises network. It provides the target for the VPN connection and must be attached to the VPC to enable site-to-site VPN functionality.

Exam trap

The trap here is that candidates often confuse a NAT Gateway or Internet Gateway as necessary for VPN connectivity, but neither is involved in IPsec tunnel establishment; the correct components are the virtual private gateway (or transit gateway), the VPN connection, and the customer gateway.

74
MCQmedium

A SysOps administrator notices that traffic from an Application Load Balancer to targets is failing intermittently. The targets are EC2 instances in an Auto Scaling group. The health check settings on the target group are: ping path '/health', healthy threshold 2, unhealthy threshold 2, timeout 5 seconds, interval 30 seconds. Which change would most likely improve the stability of the health checks?

A.Increase the interval to 60 seconds.
B.Decrease the healthy threshold to 1.
C.Decrease the timeout to 2 seconds.
D.Increase the unhealthy threshold to 5.
AnswerD

Requires more failures to mark unhealthy, reducing flapping.

Why this answer

Option D is correct because increasing the unhealthy threshold reduces flapping; currently two consecutive failures mark an instance unhealthy, which may be too sensitive. Option A is wrong because a longer interval would delay detection. Option C is wrong because a shorter timeout may cause false positives. Option B is wrong because decreasing the healthy threshold increases sensitivity.
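Added example, not from the question bank: a simplified Python model of the target-group health-check state machine that replays a constructed latency trace through the question's settings (healthy 2, unhealthy 2, timeout 5 s) and through the changes in options C and D. It shows why a shorter timeout (C) turns slow-but-alive responses into failed checks and flaps the target, while a higher unhealthy threshold (D) tolerates the blips and still catches the sustained outage at the end of the trace.

```python
from dataclasses import dataclass, field

# Constructed sample: response time in seconds for one target over 15 checks.
# Checks 3-4 and 7-8 are slow but alive (3 s); checks 11-15 are a real outage.
SAMPLE_LATENCY_S = [0.1, 0.2, 3.0, 3.0, 0.2, 0.1, 3.0, 3.0, 0.2, 0.2,
                    9.0, 9.0, 9.0, 9.0, 9.0]


@dataclass
class TargetHealth:
    """Simplified target-group state machine: a healthy target turns unhealthy
    after `unhealthy_threshold` consecutive failures, an unhealthy one turns
    healthy after `healthy_threshold` consecutive passes; a pass resets the
    failure streak and a failure resets the success streak."""
    healthy_threshold: int
    unhealthy_threshold: int
    state: str = "healthy"
    successes: int = 0
    failures: int = 0
    transitions: list = field(default_factory=list)

    def observe(self, passed: bool) -> None:
        if passed:
            self.successes, self.failures = self.successes + 1, 0
            if self.state == "unhealthy" and self.successes >= self.healthy_threshold:
                self.state = "healthy"
                self.transitions.append("healthy")
        else:
            self.failures, self.successes = self.failures + 1, 0
            if self.state == "healthy" and self.failures >= self.unhealthy_threshold:
                self.state = "unhealthy"
                self.transitions.append("unhealthy")


def simulate(latencies, timeout_s, healthy_threshold, unhealthy_threshold):
    """Replay check latencies through the state machine and return
    (final_state, transitions). A check passes only when the target answers
    within the timeout; a missing response (None) counts as a failure."""
    target = TargetHealth(healthy_threshold, unhealthy_threshold)
    for latency in latencies:
        target.observe(latency is not None and latency <= timeout_s)
    return target.state, target.transitions


if __name__ == "__main__":
    for timeout, ht, ut in [(5.0, 2, 2), (2.0, 2, 2), (2.0, 2, 5)]:
        state, flips = simulate(SAMPLE_LATENCY_S, timeout, ht, ut)
        print(f"timeout={timeout}s healthy={ht} unhealthy={ut}: "
              f"{len(flips)} transition(s), final state {state}")
```

The real load balancer counts checks per node and has extra initial and draining states, so treat the transition counts as an illustration of the thresholds' effect rather than an exact reproduction.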

75
MCQeasy

A company has two VPCs: VPC-A (10.0.0.0/16) and VPC-B (10.1.0.0/16). The VPCs are in the same AWS region. The SysOps administrator needs to enable private IP connectivity between the two VPCs so that an EC2 instance in VPC-A can communicate with an EC2 instance in VPC-B using their private IP addresses. The administrator wants a simple, low-cost solution with high throughput. Which AWS service should be used?

A.VPC Peering
B.AWS Transit Gateway
C.AWS Direct Connect
D.Internet Gateway
AnswerA

VPC peering is the simplest and cheapest way to connect two VPCs in the same region, enabling private IP communication with low latency and high throughput.

Why this answer

VPC Peering is the correct choice because it enables direct, private IP connectivity between two VPCs in the same AWS region using the existing AWS network infrastructure, with no bandwidth bottlenecks, no single point of failure, and no additional cost beyond data transfer. It meets the requirements for simplicity, low cost, and high throughput, as traffic stays within the AWS backbone and does not require a separate transit hub or VPN.

Exam trap

The trap here is that candidates often choose AWS Transit Gateway for any multi-VPC connectivity, overlooking that VPC Peering is simpler and cheaper for a two-VPC scenario, and that Transit Gateway’s benefits (centralized routing, transitive peering) are only cost-effective with many VPCs.

How to eliminate wrong answers

Option B (AWS Transit Gateway) is wrong because it introduces unnecessary complexity and cost (hourly charges per attachment) for a simple two-VPC scenario; it is designed for hub-and-spoke topologies with many VPCs. Option C (AWS Direct Connect) is wrong because it provides dedicated on-premises connectivity to AWS, not connectivity between two VPCs, and involves significant setup cost and latency overhead. Option D (Internet Gateway) is wrong because it enables internet-bound traffic, not private VPC-to-VPC communication, and would require public IPs and route traffic over the public internet, violating the private IP requirement.
