CCNA Networking and Content Delivery Questions

75 of 268 questions · Page 2/4 · Networking and Content Delivery · Answers revealed

76
MCQ · hard

A company has an Amazon VPC with a CIDR block of 10.0.0.0/16 and an AWS Site-to-Site VPN connection to an on-premises data center. The on-premises DNS servers host a private domain 'corp.example.com'. The SysOps administrator needs to enable EC2 instances in the VPC to resolve DNS names for 'corp.example.com' using the on-premises DNS servers. Which Route 53 feature should be configured?

A. Route 53 Resolver inbound endpoints
B. Route 53 Resolver outbound endpoints with forwarding rules
C. VPC peering between the VPC and the on-premises network
D. Route 53 private hosted zone for corp.example.com
Answer: B

Outbound endpoints forward DNS queries from the VPC to on-premises DNS servers for specified domain names.

Why this answer

Option B is correct because Route 53 Resolver outbound endpoints allow EC2 instances in a VPC to forward DNS queries for a specific domain (e.g., corp.example.com) to on-premises DNS servers via the Site-to-Site VPN connection. By creating a forwarding rule on the outbound endpoint, DNS queries for corp.example.com are sent to the on-premises DNS resolvers, enabling resolution of private DNS names without exposing the VPC to inbound traffic.

Exam trap

The trap here is that candidates often confuse inbound and outbound endpoints: inbound endpoints are for on-premises to query AWS DNS, while outbound endpoints are for AWS to query on-premises DNS, and the question specifically requires EC2 instances to resolve on-premises names, which is an outbound scenario.

How to eliminate wrong answers

Option A is wrong because Route 53 Resolver inbound endpoints are used to allow on-premises DNS resolvers to forward queries to Route 53 Resolver in the VPC, not for EC2 instances to query on-premises DNS servers. Option C is wrong because VPC peering is used to connect VPCs within AWS, not to connect a VPC to an on-premises network; the VPN connection already provides the network path, and peering does not enable DNS resolution across the VPN. Option D is wrong because a Route 53 private hosted zone for corp.example.com would require the domain to be hosted in Route 53, but the question states the domain is hosted on on-premises DNS servers; a private hosted zone would not forward queries to on-premises resolvers.

77
MCQ · hard

A company has a VPC with multiple subnets. The SysOps administrator wants to ensure that EC2 instances in a private subnet can access Amazon S3 without going through a NAT Gateway or internet gateway. Which solution meets this requirement?

A. Set up a NAT Gateway in a public subnet and route traffic through it.
B. Create a VPC Gateway Endpoint for S3.
C. Use S3 Transfer Acceleration.
D. Create a VPC Interface Endpoint for S3.
Answer: B

Gateway Endpoint provides private access to S3.

Why this answer

Option B is correct. A VPC Gateway Endpoint for S3 allows private access to S3 without the internet. Option A is wrong because a NAT Gateway requires an internet gateway.

Option C is wrong because S3 Transfer Acceleration is for speed, not private access. Option D is wrong because a VPC Interface Endpoint is meant for other services; a Gateway Endpoint is more cost-effective for S3.

78
MCQ · hard

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The data center has multiple VLANs that need to connect to separate VPCs in AWS. The company wants to maintain isolation between the VPCs while maximizing bandwidth utilization. Which solution should the SysOps administrator recommend?

A. Use AWS Transit Gateway to connect all VPCs and the Direct Connect gateway, then configure route tables to isolate traffic.
B. Configure a single Direct Connect connection with multiple private virtual interfaces, each tagged with a different VLAN ID and associated with a different VPC.
C. Provision multiple Direct Connect connections, one for each VPC, and use a different VLAN on each connection.
D. Establish a single Direct Connect connection and use IPsec VPN tunnels over it to connect to each VPC.
Answer: B

This uses VLAN tagging to isolate traffic per VPC on a single connection.

Why this answer

Option B is correct because a single Direct Connect connection can support multiple private virtual interfaces (VIFs), each tagged with a unique 802.1Q VLAN ID. This allows the on-premises data center to connect to separate VPCs while maintaining traffic isolation via VLAN tagging, and it maximizes bandwidth utilization by sharing the single connection's capacity across all VIFs.

Exam trap

The trap here is that candidates often assume multiple VPCs require multiple Direct Connect connections, but AWS allows multiple private virtual interfaces on a single connection, each with its own VLAN ID, to achieve isolation and maximize bandwidth utilization.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway does not eliminate the need for separate virtual interfaces; it aggregates routing but still requires either a Direct Connect gateway with multiple VIFs or a single VIF with transit VIF, and it does not directly address the requirement to use multiple VLANs for isolation. Option C is wrong because provisioning multiple Direct Connect connections is unnecessary and wasteful; a single connection can support multiple VIFs, and using separate connections would increase cost without improving isolation or bandwidth utilization. Option D is wrong because IPsec VPN tunnels over Direct Connect add unnecessary complexity and overhead, and they do not natively support multiple VLANs; the requirement is for private virtual interfaces with VLAN tagging, not encrypted tunnels.

79
Multi-Select · easy

Which TWO statements about Amazon CloudFront origins are correct? (Choose two.)

Select 2 answers
A. CloudFront only supports HTTP origins, not HTTPS.
B. CloudFront can only use S3 buckets as origins.
C. CloudFront can use an Application Load Balancer as an origin.
D. CloudFront origins must be in the same region as the distribution.
E. CloudFront can use an S3 bucket configured as a static website as an origin.
Answers: C, E

ALB can be a custom origin.

Why this answer

Option C is correct because CloudFront can use an Application Load Balancer (ALB) as a custom origin. This allows you to distribute traffic from a web application running behind an ALB, enabling dynamic content delivery with CloudFront's edge caching and HTTPS termination. Option E is correct because an S3 bucket configured for static website hosting is reachable through its website endpoint, which CloudFront treats as a custom (HTTP) origin.

Exam trap

The trap here is that candidates often assume CloudFront origins are limited to S3 buckets, but the service supports a wide variety of custom origins, including ALBs, EC2 instances, and external HTTP servers.

80
MCQ · easy

A SysOps administrator is troubleshooting an issue where an Amazon EC2 instance cannot connect to the internet. The instance is in a public subnet with a route table that has a route to an internet gateway (IGW). The instance has a public IP assigned. What should the administrator check next?

A. Check the security group rules to ensure outbound traffic is allowed
B. Verify the network ACL associated with the subnet allows inbound traffic from the internet
C. Confirm that the route table has a route to the IGW for 0.0.0.0/0
D. Ensure the instance has a public IP address
Answer: A

Security groups are stateful and control outbound traffic.

Why this answer

The instance has a public IP and is in a public subnet with a route to an IGW, so network-level routing and addressing are already configured. The most common remaining cause for no internet connectivity is that the security group's outbound rules are blocking traffic. Security groups are stateful, so even if inbound rules allow return traffic, outbound rules must explicitly permit the instance to initiate connections to the internet (e.g., outbound HTTPS on port 443 or all traffic).

Exam trap

The trap here is that candidates often overlook security group outbound rules because they assume outbound traffic is always allowed by default, but the default security group allows all outbound traffic only if not modified; a custom security group may block outbound traffic, causing internet connectivity failure even with correct routing and public IP.

How to eliminate wrong answers

Option B is wrong because network ACLs are stateless and must allow both inbound and outbound traffic for a connection to work, but the question states the instance cannot connect to the internet, implying outbound traffic is the issue; however, the administrator should check security groups first as they are the instance-level firewall. Option C is wrong because the question already states the route table has a route to the IGW, so re-verifying it is redundant and not the next logical step. Option D is wrong because the question explicitly states the instance has a public IP assigned, so this is already confirmed and not the cause of the issue.

81
MCQ · medium

A company has an internal Application Load Balancer (ALB) in a VPC. The ALB is used by an on-premises application via AWS Direct Connect. The on-premises application needs to resolve the ALB's DNS name. The VPC has a Route 53 private hosted zone associated with the VPC. The on-premises DNS servers are configured to forward queries for the company's domain to the VPC's Route 53 inbound resolver endpoints. However, the on-premises application cannot resolve the ALB's DNS name. What is the likely cause?

A. The ALB's security group blocks inbound traffic from the on-premises CIDR.
B. The ALB is internal and does not have a public DNS name.
C. The ALB's DNS name is not in the Route 53 private hosted zone.
D. The Route 53 inbound resolver is not configured to forward queries to the public internet.
Answer: C

The on-premises DNS forwards to the inbound resolver, which only answers for the private hosted zone domain. The ALB's DNS name is a public domain (e.g., internal-alb-123456.elb.amazonaws.com) and is not in the private zone, so the resolver cannot resolve it.

Why this answer

The ALB's DNS name is a public DNS name, not a private one, and the Route 53 private hosted zone only contains records for its own domain. The on-premises DNS servers forward queries to the Route 53 inbound resolver endpoints, but the resolver answers for the ALB's name only if it is configured to forward queries to the public internet, or if the record is placed in the private hosted zone that is associated with the VPC.

The likely cause is therefore that the ALB's DNS name is not in the private hosted zone. Option B is incorrect because the ALB is internal, meaning it has a private IP, but its DNS name is still public.

Option D is incorrect because the inbound resolver is not required to resolve public names unless configured to do so. Option A is incorrect because the ALB's security group does not affect DNS resolution.

82
MCQ · easy

A SysOps administrator needs to monitor network traffic to and from an EC2 instance for troubleshooting. Which AWS feature captures IP traffic information at the VPC level?

A. VPC Flow Logs
B. Amazon CloudWatch Logs
C. AWS CloudTrail
D. AWS Config
Answer: A

VPC Flow Logs capture IP traffic metadata.

Why this answer

VPC Flow Logs capture IP traffic information for network interfaces within a VPC, including source/destination IPs, ports, protocols, and packet accept/reject decisions. This feature operates at the VPC level and is specifically designed for network traffic monitoring and troubleshooting, making it the correct choice for capturing IP traffic information to and from an EC2 instance.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs with CloudWatch Logs or CloudTrail, mistakenly thinking that CloudTrail captures network traffic or that CloudWatch Logs is the primary service for network monitoring, when in fact VPC Flow Logs are the dedicated feature for IP traffic capture at the VPC level.

How to eliminate wrong answers

Option B (Amazon CloudWatch Logs) is wrong because it is a service for storing, monitoring, and accessing log files from AWS resources, but it does not natively capture IP traffic information at the VPC level; it can only store VPC Flow Logs if they are published to it, but it is not the feature that captures the traffic. Option C (AWS CloudTrail) is wrong because it records API activity and user actions within your AWS account, not network traffic or IP packet-level information at the VPC level. Option D (AWS Config) is wrong because it evaluates and records configuration changes to AWS resources, providing compliance and resource inventory, but it does not capture IP traffic data.

83
MCQ · hard

A company uses Amazon CloudFront to distribute content to users worldwide. The origin is an Application Load Balancer (ALB) that routes to EC2 instances. The SysOps administrator notices that some users are receiving cached responses even though the content has been updated on the origin. The administrator needs to ensure that users always receive the latest version of the content. What should the administrator do?

A. Configure the ALB to send a Cache-Control: no-cache header.
B. Set up a Lambda@Edge function to change the origin request path.
C. Use CloudFront cache invalidation to remove the old objects after updating the origin.
D. Reduce the CloudFront TTL to 0 seconds.
Answer: C

Cache invalidation allows you to remove specific files from edge caches, ensuring users get the latest version.

Why this answer

Configuring CloudFront to forward the 'Origin' header to the ALB with different values for different requests can create cache behaviors based on the header, but this does not guarantee that nothing is cached. The best approach is to use versioned filenames or cache invalidation.

Among the options, cache invalidation is the direct way to clear cached content from the edge caches. Option D is incorrect because reducing the TTL to 0 affects performance. Option A is incorrect because CloudFront does not revalidate every request unless it is configured to honor 'no-cache' headers.

Option B is incorrect because Lambda@Edge can modify headers but does not automatically invalidate the cache.

84
MCQ · medium

Users are intermittently reporting 502 Bad Gateway errors when accessing the application through an Application Load Balancer. The team needs to identify which target IPs are associated with the failures and the request processing time for those requests. Application logs on instances do not capture failures before the ALB connection. What should be enabled?

A. Enable ALB access logs, specify an S3 bucket destination, and query the logs to filter on elb_status_code=502
B. Enable AWS X-Ray on the ALB to trace each request end-to-end from client to target
C. Configure a VPC Flow Log on the subnets containing the ALB to capture all network traffic
D. Install an agent on the application instances that logs all incoming connection attempts from the ALB
Answer: A

Access logs capture every ALB request including 502s. Each log entry contains the target_ip:target_port field identifying which instance handled (or failed to handle) the request, and request_processing_time and target_processing_time values for performance analysis. This data is available without any changes to instance-side software.

Why this answer

ALB access logs capture detailed information about each request, including the target IP address, request processing time, and the HTTP status code returned by the ALB. By enabling these logs and querying for `elb_status_code=502`, you can identify which target IPs were associated with the failures and the `request_processing_time` for those requests. This directly addresses the need to correlate failures with specific targets and timing, without relying on application instance logs that miss pre-connection failures.

Exam trap

The trap here is that candidates often confuse ALB access logs with VPC Flow Logs or X-Ray, assuming any logging mechanism that captures network traffic or traces will include HTTP-level details like status codes and request processing times, but only ALB access logs provide the specific fields needed to correlate 502 errors with target IPs and timing.

How to eliminate wrong answers

Option B is wrong because AWS X-Ray traces requests end-to-end, but it requires the application to be instrumented with the X-Ray SDK and does not capture failures that occur before the ALB establishes a connection to the target (e.g., connection timeouts or TLS handshake failures that result in a 502). Option C is wrong because VPC Flow Logs capture metadata about network traffic (source/destination IP, ports, protocol, and packet counts) but do not include HTTP status codes, request processing times, or ALB-specific error codes like 502. Option D is wrong because installing an agent on the application instances would only log connection attempts that reach the instance; it would not capture failures that occur before the ALB successfully connects to the target (e.g., connection refused or health check failures), which are the very failures causing the 502 errors.
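The triage described above, as an added example that is not part of the original question bank: a small Python parser that reads ALB access log entries, keeps the 502s, and reports the target:port plus the request and target processing times per failure. The log lines are constructed for the example (placeholder account IDs, ARNs and trace IDs) and follow AWS's documented field order for ALB access logs; the field indexes and function names are assumptions of this example.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Positions of the fields used here, following the documented ALB access log field order:
# type, time, elb, client:port, target:port, request_processing_time, target_processing_time,
# response_processing_time, elb_status_code, target_status_code, received_bytes, sent_bytes,
# "request", ... (later fields are not needed for this check).
F_TIME, F_TARGET = 1, 4
F_REQ_PROC, F_TGT_PROC = 5, 6
F_ELB_STATUS, F_TGT_STATUS = 8, 9
F_REQUEST = 12

# Constructed sample entries (not real traffic). Line 1 is a healthy request;
# lines 2-4 are 502 responses, one of them with no target dispatched at all.
SAMPLE_LOG = """\
https 2024-05-01T10:00:01.000000Z app/web-alb/EXAMPLE 203.0.113.10:51000 10.0.1.23:8080 0.001 0.012 0.000 200 200 120 540 "GET https://app.example.com:443/ HTTP/1.1" "curl/8.0.1" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/web/EXAMPLE "Root=1-EXAMPLE-1" "app.example.com" "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE" 0 2024-05-01T10:00:00.990000Z "forward" "-" "-" "10.0.1.23:8080" "200" "-" "-"
https 2024-05-01T10:00:02.000000Z app/web-alb/EXAMPLE 203.0.113.11:51001 10.0.2.45:8080 0.001 -1 -1 502 - 130 290 "GET https://app.example.com:443/api/orders HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/web/EXAMPLE "Root=1-EXAMPLE-2" "app.example.com" "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE" 0 2024-05-01T10:00:01.990000Z "forward" "-" "-" "10.0.2.45:8080" "-" "-" "-"
https 2024-05-01T10:00:03.000000Z app/web-alb/EXAMPLE 203.0.113.12:51002 - 0.002 -1 -1 502 - 95 290 "POST https://app.example.com:443/api/orders HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/web/EXAMPLE "Root=1-EXAMPLE-3" "app.example.com" "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE" 0 2024-05-01T10:00:02.990000Z "forward" "-" "-" "-" "-" "-" "-"
https 2024-05-01T10:00:04.000000Z app/web-alb/EXAMPLE 203.0.113.13:51003 10.0.2.45:8080 0.003 -1 -1 502 - 140 290 "GET https://app.example.com:443/api/cart HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/web/EXAMPLE "Root=1-EXAMPLE-4" "app.example.com" "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE" 0 2024-05-01T10:00:03.990000Z "forward" "-" "-" "10.0.2.45:8080" "-" "-" "-"
"""


@dataclass
class GatewayFailure:
    timestamp: str
    target: Optional[str]            # "ip:port", or None when the ALB dispatched no target
    request_processing_time: float
    target_processing_time: float    # -1.0 when the ALB never completed the exchange with the target
    request: str


def parse_fields(line: str) -> List[str]:
    """Split one entry on spaces while keeping quoted fields (request, user agent) intact."""
    return shlex.split(line)


def find_502s(lines: Iterable[str]) -> List[GatewayFailure]:
    """Return every entry whose elb_status_code is 502, with the fields needed for triage."""
    failures: List[GatewayFailure] = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_fields(line)
        if f[F_ELB_STATUS] != "502":
            continue
        failures.append(GatewayFailure(
            timestamp=f[F_TIME],
            target=None if f[F_TARGET] == "-" else f[F_TARGET],
            request_processing_time=float(f[F_REQ_PROC]),
            target_processing_time=float(f[F_TGT_PROC]),
            request=f[F_REQUEST],
        ))
    return failures


def failures_by_target(failures: List[GatewayFailure]) -> Dict[str, int]:
    """Count 502s per target:port so a single misbehaving instance stands out."""
    counts: Dict[str, int] = {}
    for fl in failures:
        key = fl.target or "(no target dispatched)"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    fails = find_502s(SAMPLE_LOG.splitlines())
    for fl in fails:
        print(fl.timestamp, fl.target, fl.request_processing_time,
              fl.target_processing_time, fl.request)
    print(failures_by_target(fails))
```

On real logs, run the same functions over the decompressed files pulled from the S3 destination; a target that appears repeatedly with target_processing_time -1 is the instance to examine first.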

85
MCQ · hard

An EC2 instance in the subnet associated with the network ACL above cannot receive HTTP traffic (port 80) from the internet. The instance has a security group allowing HTTP inbound. What is the cause?

A. The NACL allows HTTP inbound on rule 300, but the outbound rule does not allow the return traffic
B. The NACL inbound rule for HTTP is using the wrong protocol (6 instead of 17)
C. The NACL has a deny all rule (rule 400) that blocks all inbound traffic, overriding the allow rules
D. The security group does not allow HTTP inbound
Answer: C

Rule 400 denies all inbound traffic, so even though rule 300 allows HTTP, it is overridden.

Why this answer

Option C is correct. Network ACLs are stateless and rules are evaluated in order by rule number. Rule 400 denies all inbound traffic, and since it has a higher rule number than rules 100 and 300, it is evaluated later and overrides the allows.

Rule 400 denies all inbound traffic, so HTTP (port 80) is denied. Option A is wrong because the outbound rule allows all traffic, so return traffic is not what is being blocked. Option B is wrong because rule 300 allows port 80 inbound from 0.0.0.0/0, so HTTP is allowed by that rule and the protocol is not the problem; it is rule 400 that denies all.

Option D is wrong because the security group allows HTTP inbound but the NACL blocks it.

86
Multi-Select · medium

A company has a VPC with a public subnet and a private subnet. The private subnet hosts a database. Which TWO components are required to allow an EC2 instance in the public subnet to connect to the database?

Select 2 answers
A. A NAT Gateway in the public subnet.
B. A network ACL rule on the private subnet allowing inbound traffic from the public subnet CIDR.
C. An Internet Gateway attached to the VPC.
D. A VPC Endpoint for the database service.
E. A security group rule on the database allowing inbound traffic from the EC2 instance's security group.
Answers: B, E

Network ACLs provide stateless filtering at the subnet level.

Why this answer

Options B and E are correct. The security group of the database must allow inbound traffic from the EC2 instance's security group or IP, and the network ACL of the private subnet must allow inbound traffic from the public subnet. Option A is incorrect because a NAT Gateway is for outbound internet access, not inbound.

Option C is incorrect because an Internet Gateway is for internet traffic, not VPC-internal traffic. Option D is incorrect because a VPC Endpoint is for accessing AWS services, not for EC2-to-RDS traffic.

87
MCQ · medium

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to download software patches from the internet. Which component should be used to provide internet access to the instance?

A. NAT Gateway in a public subnet
B. AWS Site-to-Site VPN
C. Internet Gateway attached to the VPC
D. VPC Endpoint for Amazon S3
Answer: A

NAT Gateway enables outbound internet connectivity for private subnets.

Why this answer

Option A is correct because a NAT Gateway allows instances in private subnets to initiate outbound traffic to the internet while preventing inbound traffic. Option C is incorrect because an Internet Gateway is used for public subnets, not private ones. Option D is incorrect because a VPC Endpoint is for accessing AWS services privately.

Option B is incorrect because a VPN connection is for on-premises connectivity, not internet access.

88
MCQ · medium

A company has an Amazon VPC with public and private subnets across two Availability Zones. The company hosts a web application on EC2 instances in the private subnets. The application needs to access an Amazon S3 bucket to upload and download files. The SysOps administrator must ensure that traffic to S3 does not traverse the internet and minimizes data transfer costs. Which solution should the administrator implement?

A. Create an S3 VPC Gateway Endpoint in the VPC and associate it with the route tables of the private subnets.
B. Create an S3 VPC Interface Endpoint in the VPC and associate it with the security groups of the private subnets.
C. Set up a NAT Gateway in the public subnets and add a route to the private subnets' route tables pointing to the NAT Gateway for S3 traffic.
D. Use AWS PrivateLink with an S3 endpoint service hosted in a different VPC.
Answer: A

Gateway Endpoints provide private connectivity to S3 at no additional cost (only standard data transfer rates apply). By adding a route for the S3 prefix list to the private subnet route tables, traffic destined for S3 is routed through the endpoint.

Why this answer

Option A is correct because an S3 VPC Gateway Endpoint provides a private, cost-effective connection to S3 from within the VPC without traversing the internet. By associating the endpoint with the route tables of the private subnets, traffic destined for S3 is routed directly through AWS's internal network, avoiding data transfer costs and internet egress charges.

Exam trap

The trap here is that candidates often confuse Gateway Endpoints with Interface Endpoints, assuming both are equally suitable for S3, but Gateway Endpoints are free and optimized for S3 and DynamoDB, while Interface Endpoints incur costs and are better for other AWS services.

How to eliminate wrong answers

Option B is wrong because an S3 VPC Interface Endpoint uses AWS PrivateLink with an elastic network interface, incurring per-hour and per-GB data processing costs, which is more expensive than a Gateway Endpoint and unnecessary for S3 access. Option C is wrong because a NAT Gateway routes traffic through the internet to reach S3, incurring data transfer costs and internet egress charges, violating the requirement to avoid internet traversal. Option D is wrong because AWS PrivateLink with an S3 endpoint service hosted in a different VPC is not a standard or supported method for accessing S3; S3 Gateway Endpoints are designed for direct VPC-to-S3 connectivity without cross-VPC complexity.

89
MCQ · hard

A company uses AWS Global Accelerator to improve the performance of a web application hosted in multiple AWS regions. The application uses an Application Load Balancer (ALB) in each region as the endpoint. Users report that traffic is not being routed to the closest region. What could be the cause?

A. The Global Accelerator is not configured with a custom routing accelerator.
B. The ALBs are not configured to allow cross-region communication.
C. The health checks for the ALBs are failing, so traffic is diverted to other regions.
D. The endpoints are configured in the same AWS region.
Answer: C

Unhealthy endpoints are excluded from routing.

Why this answer

Global Accelerator uses health checks to determine endpoint availability. If the health checks for an ALB in a user's closest region are failing, Global Accelerator will consider that endpoint unhealthy and route traffic to the next closest healthy region. This causes users to be directed to a region farther away, even though a closer region exists.

Exam trap

The trap here is that candidates often overlook the impact of health checks on routing decisions and assume the issue is a misconfiguration of the accelerator or endpoints, rather than a failure in endpoint health monitoring.

How to eliminate wrong answers

Option A is wrong because custom routing accelerators are used for specific use cases like gaming or VoIP where you need to control traffic routing per client, not for standard HTTP/HTTPS traffic to ALBs; the default routing accelerator is appropriate here. Option B is wrong because ALBs do not need cross-region communication for Global Accelerator to route traffic to the closest region; Global Accelerator itself handles cross-region routing independently of ALB configuration. Option D is wrong because if all endpoints were in the same region, traffic would still be routed to that region, not to a different one, and the reported issue is traffic not going to the closest region, which implies multiple regions are configured.

90
MCQ · medium

A company runs a web application on Amazon EC2 instances in private subnets across multiple Availability Zones. The instances need to download software patches from the internet. The SysOps administrator requires a highly available, fully managed solution for outbound internet connectivity. Which solution should be implemented?

A. Deploy a NAT gateway in each Availability Zone and update the route tables for each private subnet to point to the NAT gateway in the same Availability Zone.
B. Attach an Internet Gateway to the VPC and add a default route (0.0.0.0/0) to the Internet Gateway in the private subnet route tables.
C. Create a VPC endpoint for Amazon S3 and route traffic through it.
D. Set up an AWS Direct Connect connection and route all internet-bound traffic through it.
Answer: A

This configuration provides highly available outbound connectivity: if one AZ fails, instances in other AZs continue to have internet access through their local NAT gateway.

Why this answer

A NAT gateway in each Availability Zone provides highly available outbound internet connectivity for instances in private subnets. By placing a NAT gateway in each AZ and routing private subnet traffic to the NAT gateway in the same AZ, you eliminate a single point of failure and ensure that internet-bound traffic remains within the same AZ for low latency and fault tolerance. This is a fully managed AWS service that handles scaling and failover automatically.

Exam trap

The trap here is that candidates often confuse NAT gateways with Internet Gateways, thinking that a single NAT gateway in one AZ provides high availability, but the correct design requires a NAT gateway in each AZ to avoid cross-AZ data transfer costs and single points of failure.

How to eliminate wrong answers

Option B is wrong because attaching an Internet Gateway to the VPC and adding a default route to it in private subnet route tables would allow direct outbound traffic from private instances, but private subnets do not have a route to the Internet Gateway by design; instances in private subnets cannot reach the Internet Gateway directly without a NAT device or a transit gateway. Option C is wrong because a VPC endpoint for Amazon S3 only provides private connectivity to S3, not general internet access for downloading software patches from arbitrary internet hosts. Option D is wrong because AWS Direct Connect is a dedicated private connection to AWS, not a solution for outbound internet connectivity; it does not provide a route to the public internet unless combined with a NAT device or a virtual private gateway with internet access.

91
Multi-Select · hard

Which THREE components are required to set up a site-to-site VPN connection between an on-premises network and an AWS VPC? (Choose three.)

Select 3 answers
A. Virtual private gateway
B. Internet gateway
C. VPN connection
D. Customer gateway
E. Direct Connect virtual interface
Answers: A, C, D

AWS-side endpoint for the VPN.

Why this answer

A site-to-site VPN requires a virtual private gateway (or transit gateway) attached to the VPC, a customer gateway representing the on-premises device, and a VPN connection that ties them together. The VPN connection includes two tunnels.

92
MCQ · hard

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. They have a public subnet 10.0.1.0/24 and a private subnet 10.0.2.0/24. They launch an EC2 instance in the private subnet and need it to have a predictable, static private IP address for database replication. Which action should be taken?

A. Modify the subnet's IP assignment settings to make all IPs static.
B. Create an Elastic IP and associate it with the primary network interface of the instance.
C. Use a custom DHCP option set to assign a static IP.
D. Enable auto-assign public IP on the private subnet.
Answer: B

Elastic IP is static and can be associated with an ENI for a fixed private IP.

Why this answer

Option B is correct because an Elastic IP attached to an ENI in the private subnet provides a static private IP (through the ENI). Option D is wrong because auto-assigning a public IP does not affect the private IP. Option C is wrong because a DHCP option set does not assign a static IP.

Option A is wrong because modifying the subnet does not assign a specific IP to an instance.

93
MCQ · easy

EC2 instances in private subnets need to access S3 buckets. Currently the instances use a NAT Gateway to reach S3 over the internet. The team wants to keep S3 traffic private (within the AWS network) and reduce NAT Gateway data processing costs. What is the correct solution?

A. Create an S3 Gateway VPC endpoint and add it to the private subnet's route table; S3 traffic will bypass the NAT Gateway
B. Create an S3 Interface VPC endpoint in the private subnet to route S3 traffic privately
C. Add a route in the private subnet's route table directing all traffic (0.0.0.0/0) to an Internet Gateway
D. Use S3 Transfer Acceleration to route traffic over AWS edge locations instead of NAT
Answer: A

After the Gateway endpoint is created and the route table updated, the AWS networking layer automatically routes S3 API calls from instances in those subnets through the private endpoint path. The NAT Gateway processes zero S3 bytes, eliminating the per-GB data processing cost for S3 traffic. No code changes are required.

Why this answer

Option A is correct because an S3 Gateway VPC endpoint allows EC2 instances in private subnets to access S3 privately using AWS’s internal network, bypassing the NAT Gateway entirely. This eliminates NAT data processing costs and keeps traffic within the AWS backbone, as the endpoint is added to the private subnet’s route table with a prefix list for S3, directing traffic directly to S3 without internet routing.

Exam trap

The trap here is that candidates confuse Gateway VPC endpoints with Interface VPC endpoints, assuming both incur costs, but S3 Gateway endpoints are free and designed specifically for S3 and DynamoDB, while Interface endpoints are for other AWS services and have associated charges.

How to eliminate wrong answers

Option B is wrong because an S3 Interface VPC endpoint uses AWS PrivateLink with an elastic network interface in the subnet, incurring hourly charges and per-GB data processing costs, which does not reduce costs compared to a NAT Gateway and is unnecessary for S3 access when a Gateway endpoint (free of charge) is available. Option C is wrong because adding a route directing all traffic (0.0.0.0/0) to an Internet Gateway would expose private instances directly to the internet, violating security requirements and not keeping traffic private within AWS. Option D is wrong because S3 Transfer Acceleration uses AWS edge locations and the public internet to speed up uploads, but it does not keep traffic private within the AWS network and still requires internet connectivity, failing to reduce NAT Gateway costs.
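The route-table mechanics behind questions 77, 88 and 93, as an added example that is not part of the original question bank: a Python model of a private subnet's route table before and after the S3 gateway endpoint is associated with it. VPC route tables pick the most specific matching route, and the endpoint association adds a route whose destination is the regional S3 prefix list, so S3 destinations stop matching the 0.0.0.0/0 route to the NAT gateway. The prefix-list ID, endpoint and NAT gateway IDs, and the CIDRs attached to the prefix list are placeholders constructed for this example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed private-subnet route table. Every identifier ending in "EXAMPLE" is a
# placeholder, and the CIDRs attached to the prefix list are illustrative: the real
# S3 prefix list for a region is looked up from AWS, never hard-coded.
PREFIX_LISTS: Dict[str, List[str]] = {
    "pl-EXAMPLE-s3": ["52.216.0.0/15", "54.231.0.0/16"],
}

ROUTES_BEFORE: List[Tuple[str, str]] = [
    ("10.0.0.0/16", "local"),         # VPC CIDR, always present
    ("0.0.0.0/0", "nat-EXAMPLE"),     # default route through the NAT gateway
]

# The same table after the S3 gateway endpoint is associated with it: AWS adds a route
# whose destination is the S3 prefix list and whose target is the endpoint.
ROUTES_AFTER: List[Tuple[str, str]] = ROUTES_BEFORE + [("pl-EXAMPLE-s3", "vpce-EXAMPLE-s3")]


def expand_routes(routes: List[Tuple[str, str]]):
    """Replace prefix-list destinations with their member CIDRs so every route is a network."""
    expanded = []
    for dest, target in routes:
        cidrs = PREFIX_LISTS[dest] if dest.startswith("pl-") else [dest]
        expanded.extend((ipaddress.ip_network(c), target) for c in cidrs)
    return expanded


def lookup(routes: List[Tuple[str, str]], dst_ip: str) -> Optional[str]:
    """Select the target by longest-prefix match, which is how VPC route tables choose a route."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in expand_routes(routes):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


# Constructed traffic sample: (destination IP, bytes). The first two destinations fall in
# the placeholder S3 ranges; the last one is an arbitrary internet host (patch mirror etc.).
FLOWS = [("52.216.10.10", 5_000_000), ("54.231.8.8", 3_000_000), ("198.51.100.7", 250_000)]


def bytes_per_target(routes: List[Tuple[str, str]], flows) -> Dict[str, int]:
    """Sum bytes by the route target they would take; shows what the NAT gateway still processes."""
    totals: Dict[str, int] = {}
    for dst, nbytes in flows:
        target = lookup(routes, dst)
        totals[target] = totals.get(target, 0) + nbytes
    return totals


if __name__ == "__main__":
    print("before endpoint:", bytes_per_target(ROUTES_BEFORE, FLOWS))
    print("after endpoint: ", bytes_per_target(ROUTES_AFTER, FLOWS))
```

Traffic to non-S3 destinations still goes through the NAT gateway after the change, so the endpoint removes only the S3 share of the NAT data-processing charge.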

94
MCQmedium

A SysOps administrator needs to ensure that all traffic to an Amazon S3 bucket is encrypted in transit. Which configuration should be used?

A.Use Amazon CloudFront with the S3 bucket as origin and require HTTPS.
B.Create a VPC endpoint for S3 and route all traffic through it.
C.Enable default encryption on the S3 bucket.
D.Add a bucket policy that denies requests where aws:SecureTransport is false.
AnswerD

This condition ensures all requests use HTTPS.

Why this answer

Option D is correct because an S3 bucket policy with a condition on aws:SecureTransport enforces HTTPS. Option C is wrong because encryption at rest does not enforce encryption in transit. Option A is wrong because CloudFront does not enforce end-to-end encryption.

Option B is wrong because VPC endpoints do not guarantee encryption in transit.

95
MCQhard

A company has a VPC with a CIDR of 10.0.0.0/16. They have two subnets: subnet-A (10.0.1.0/24) and subnet-B (10.0.2.0/24). An EC2 instance in subnet-A needs to send traffic to an EC2 instance in subnet-B. Both instances are in the same VPC and have appropriate security group rules. However, traffic is not reaching the destination. What is the MOST likely cause?

A.The route table for subnet-A does not have a route for subnet-B's CIDR.
B.The network ACL associated with subnet-B is denying inbound traffic from subnet-A.
C.The security group on the destination instance does not allow inbound traffic from the source instance.
D.The VPC peering connection is not established between the two subnets.
AnswerB

Network ACLs are stateless; if the inbound rule does not allow traffic from subnet-A, it will be blocked.

Why this answer

Option B is correct because network ACLs are stateless and must allow both inbound and outbound traffic, including the ephemeral ports used for return traffic. If the NACL on subnet-B does not allow inbound traffic from subnet-A, the traffic will be blocked. Option D is wrong because VPC peering is not needed; both subnets are in the same VPC.

Option A is wrong because the route table already has a local route for the VPC CIDR, so no additional routes are needed. Option C is wrong because security groups are stateful; if outbound is allowed, return traffic is automatically allowed.

96
Multi-Selecteasy

A SysOps administrator needs to ensure high availability for a web application running on EC2 instances across multiple Availability Zones. Which TWO actions should the administrator take?

Select 2 answers
A.Launch EC2 instances in at least two different Availability Zones.
B.Place a CloudFront distribution in front of the instances.
C.Launch all EC2 instances in a single Availability Zone for consistency.
D.Register the instances with an Application Load Balancer that has health checks enabled.
E.Attach an EBS volume to each instance and replicate data in real-time.
AnswersA, D

Distributing instances across AZs provides fault tolerance.

Why this answer

Options A and D are correct. Distributing instances across multiple AZs and registering them with a load balancer that routes only to healthy instances ensures high availability. Option C is incorrect because placing all instances in a single AZ creates a single point of failure.

Option E is incorrect because EBS volumes are tied to a single AZ. Option B is incorrect because CloudFront does not replace a load balancer for high availability.

97
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application uses a custom domain name, 'app.example.com'. The SysOps team configured Amazon Route 53 with an alias record to the ALB DNS name. Users report that occasionally they are directed to a different website. The team suspects DNS resolution issues. They check the Route 53 hosted zone and find the alias record is correctly configured. The ALB is healthy. What is the most likely cause of the intermittent misdirection?

A.There is a conflicting DNS record for 'app.example.com' in the same hosted zone, such as a CNAME pointing elsewhere.
B.The alias record is not of type A but type CNAME.
C.The TTL on the alias record is set too low, causing DNS changes to propagate slowly.
D.The ALB is configured to redirect traffic to another domain.
AnswerA

Conflicting records can cause intermittent resolution to different targets.

Why this answer

Option A is correct. If the alias record points to the ALB DNS name, Route 53 resolves it to the ALB's IP addresses. However, if another DNS record for the same name (e.g., a CNAME) exists, is cached, or has a different TTL, it may cause misdirection.

Option B is wrong because a missing A record would cause failure, not misdirection. Option D is wrong because the ALB does not redirect to other sites. Option C is wrong because a TTL that is too low would cause frequent lookups, but not misdirection.

98
Multi-Selecthard

A company uses a Network Load Balancer (NLB) with a static IP address. The SysOps administrator needs to enable client IP preservation for the NLB so that backend instances see the original client IP. Which TWO conditions are required for client IP preservation to work?

Select 2 answers
A.The target group must be of type 'instance'.
B.The NLB must have TLS listeners.
C.Proxy protocol must be enabled on the target group.
D.The NLB must not be integrated with AWS Global Accelerator.
E.Cross-zone load balancing must be enabled.
AnswersA, D

Instance targets preserve client IP; IP targets do not.

Why this answer

Option A is correct because client IP preservation for a Network Load Balancer (NLB) requires the target group to be of type 'instance'. When the target group is instance-based, the NLB can forward packets with the original source IP address intact, allowing backend instances to see the client's IP directly. This is not supported when the target group is of type 'IP' because the NLB must perform NAT to route to the specified IP addresses.

Exam trap

The trap here is that candidates often confuse client IP preservation with Proxy Protocol, thinking that Proxy Protocol must be enabled for client IP preservation to work, when in fact Proxy Protocol is a separate mechanism used when the target group is of type 'IP' or when preservation is not supported.

99
MCQmedium

A company is using an Application Load Balancer (ALB) to distribute traffic to a set of EC2 instances. Users report intermittent 503 errors. Which of the following is the MOST likely cause?

A.The health check interval is set too low, causing the ALB to mark instances as unhealthy prematurely.
B.The SSL certificate on the ALB has expired.
C.The security group for the ALB is blocking incoming traffic.
D.The target instances are not healthy or are overloaded.
AnswerD

Unhealthy or overloaded targets cause the ALB to return 503 errors because no healthy targets are available to handle the request.

Why this answer

Option D is correct because 503 errors from an ALB typically indicate that the target instances are unhealthy or overwhelmed, causing the ALB to return a 503 Service Unavailable response. Option C is wrong because security group rules blocking traffic would result in 504 errors, not 503. Option A is wrong because an incorrect health check configuration can cause targets to be marked unhealthy, and the symptom would still be 503, but the most direct cause is the unhealthy targets themselves.

Option B is wrong because SSL certificate issues cause 502 errors, not 503.

100
MCQmedium

A company has deployed an Application Load Balancer (ALB) in a VPC. The ALB is configured with a target group pointing to EC2 instances in a private subnet. Clients receive HTTP 503 errors. What is the likely cause?

A.The ALB does not have an Elastic IP address.
B.The security group for the ALB does not allow inbound HTTP traffic.
C.The target instances are unhealthy and the target group has zero healthy hosts.
D.The route table for the private subnet does not have a route to the ALB.
AnswerC

Correct because 503 Service Unavailable indicates no healthy targets.

Why this answer

Option C is correct because 503 indicates the target group has no healthy instances. Option B is wrong because a security group that does not allow HTTP would cause a timeout or 502. Option D is wrong because a missing route would cause no connectivity at all.

Option A is wrong because the ALB does not need an Elastic IP.

101
MCQmedium

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The connection is redundant with two virtual interfaces (VIFs). Recently, one VIF failed, and the administrator notices that traffic is not automatically failing over. What must be configured to enable automatic failover?

A.Configure BGP metrics to prefer the primary VIF.
B.Create a VPN connection as a backup and configure route propagation with a lower priority.
C.Place both VIFs in the same VLAN.
D.Enable equal-cost multi-path (ECMP) routing.
AnswerB

Correct. A VPN backup with BGP metrics ensures automatic failover.

Why this answer

AWS Direct Connect does not fail over automatically on its own. Using BGP with AS_PATH prepending, or a Direct Connect gateway with multiple VIFs, can help, but the simplest approach is to use a VPN as a backup or configure BGP metrics. The question implies the need for an active/backup design.

The common solution is to use a VPN connection as a backup and configure route propagation.

102
MCQhard

A company has a VPC with public and private subnets. The private subnets host application servers that need to make outbound HTTPS connections to the internet. The SysOps administrator must implement a solution that provides outbound internet connectivity while preventing inbound connections from the internet. Additionally, the solution must allow the company to control which domains the application servers can access. Which solution should the administrator implement?

A.Configure a NAT Gateway and use security group outbound rules to restrict destinations.
B.Configure a NAT instance with proxy software and use route tables to direct traffic from private subnets to the NAT instance.
C.Configure an egress-only Internet Gateway and route private subnet traffic to it.
D.Configure a VPC endpoint for HTTPS and route private subnet traffic to it.
AnswerB

A NAT instance can run proxy software (e.g., Squid) that allows domain-based access control. It provides outbound connectivity while preventing inbound traffic, meeting all requirements.

Why this answer

Option B is correct because a NAT instance with proxy software (e.g., Squid) allows outbound HTTPS connections from private subnets while blocking inbound connections, and the proxy software can enforce domain-level access control via allow/deny lists. This meets the requirement to restrict which domains the application servers can access, which a standard NAT Gateway cannot do because it only translates IP addresses and cannot filter by domain name.

Exam trap

The trap here is that candidates often assume a NAT Gateway with security group rules can control domain access, but security groups cannot filter by domain name—only by IP address—so the proxy-based NAT instance is required for domain-level restriction.

How to eliminate wrong answers

Option A is wrong because a NAT Gateway translates private IPs to a public IP for outbound traffic, but security group outbound rules can only filter by IP address or CIDR, not by domain name, so it cannot control which domains are accessed. Option C is wrong because an egress-only Internet Gateway is used for IPv6 traffic only, and the question does not specify IPv6; it also cannot filter by domain. Option D is wrong because a VPC endpoint for HTTPS (e.g., interface endpoint) provides private connectivity to specific AWS services (like S3 or DynamoDB) via AWS PrivateLink, not general internet access, and cannot route traffic to arbitrary internet domains.

103
MCQeasy

A company has deployed a static website on Amazon S3 with public read access. They want to use Amazon CloudFront to serve the content with HTTPS. They create a CloudFront distribution with the S3 bucket as an origin. After configuring the distribution, users report that they are unable to access the website via the CloudFront URL. The CloudFront distribution status is 'Deployed'. The S3 bucket policy allows GetObject for any principal. What is the most likely reason for the issue?

A.The S3 bucket is not configured for static website hosting; CloudFront should use the bucket's website endpoint as the origin.
B.The S3 bucket policy does not grant CloudFront access.
C.The CloudFront distribution is not configured to use HTTPS.
D.The CloudFront distribution is not associated with an origin access identity (OAI).
AnswerA

For static website hosting, the origin must be the S3 website endpoint, not the bucket's REST endpoint.

Why this answer

Option A is correct. By default, CloudFront does not cache HTTPS traffic from S3 if the origin protocol policy is set to 'Match Viewer'. If the viewer uses HTTP, CloudFront will use HTTP to fetch from S3, but S3 does not support HTTPS for static website hosting unless configured.

However, the most common issue is that the CloudFront distribution does not have an SSL certificate for the custom domain. But the question says 'CloudFront URL', so likely the default CloudFront domain (xxxx.cloudfront.net) is used. That domain supports HTTPS by default.

The actual issue is that the S3 bucket is configured for static website hosting, and the CloudFront origin domain name should be the S3 website endpoint, not the bucket's REST endpoint. If they used the bucket endpoint, CloudFront might not be able to access it properly. Option B is wrong because the bucket policy allows public read.

Option C is wrong because CloudFront automatically encrypts to S3 if using HTTPS. Option D is wrong because CloudFront can serve content from S3 without OAI.

104
MCQhard

A company has a VPC with public and private subnets in two Availability Zones. An Application Load Balancer (ALB) in the public subnets routes traffic to EC2 instances in the private subnets. The EC2 instances need to access the internet for software updates. Which solution is MOST secure and cost-effective?

A.Deploy a NAT Gateway in a public subnet and add a route in the private subnet route tables pointing 0.0.0.0/0 to the NAT Gateway.
B.Set up a VPN connection to an on-premises network and route internet traffic through it.
C.Assign public IP addresses to the EC2 instances and route traffic directly.
D.Attach an internet gateway to the private subnets and route 0.0.0.0/0 to it.
AnswerA

NAT Gateway provides secure outbound internet access without inbound access.

Why this answer

A NAT Gateway in a public subnet allows EC2 instances in private subnets to initiate outbound connections to the internet (e.g., for software updates) while preventing inbound connections from the internet. This is the most secure and cost-effective solution because it uses a managed AWS service that scales automatically and incurs charges only for usage and hourly uptime, avoiding the need for a bastion host or VPN.

Exam trap

The trap here is that candidates often confuse NAT Gateways with Internet Gateways, assuming an IGW can be attached to private subnets, or they overlook that assigning public IPs to private instances breaks the subnet's isolation and security model.

How to eliminate wrong answers

Option B is wrong because routing internet traffic through a VPN to an on-premises network adds unnecessary latency, complexity, and cost (e.g., VPN connection charges, bandwidth costs) and is not designed for general internet access—it is intended for hybrid connectivity. Option C is wrong because assigning public IP addresses to EC2 instances in private subnets exposes them directly to the internet, violating the security principle of private subnets and increasing the attack surface; it also requires managing Elastic IPs and security groups. Option D is wrong because an internet gateway (IGW) cannot be attached to private subnets—IGWs are attached to VPCs and route traffic only from subnets with route tables pointing to the IGW; attaching an IGW to a private subnet would require making the subnet public, defeating its purpose.

105
MCQeasy

A company hosts a static website on Amazon S3 with public read access enabled. The website is accessed via a custom domain name that uses Amazon Route 53. The domain name points to the S3 bucket's website endpoint. Users report that they can access the website using the S3 bucket URL but not the custom domain name. What is the most likely cause?

A.The S3 bucket policy does not allow public access.
B.The website does not support HTTPS and the browser blocks it.
C.The Route 53 alias record points to the S3 bucket's regional endpoint instead of the website endpoint.
D.The DNS TTL is too long and the changes have not propagated.
AnswerC

For static website hosting, the alias target must be the S3 website endpoint (e.g., bucket-name.s3-website-region.amazonaws.com), not the bucket's regional endpoint (s3.amazonaws.com).

Why this answer

The Route 53 alias record must point to the S3 website endpoint, not the bucket's regional endpoint. Option D is incorrect because DNS resolution might be working, but the record points to the wrong target. Option A is incorrect because the bucket policy allows public reads.

Option B is incorrect because S3 website hosting does not require HTTPS by default.

106
MCQeasy

A SysOps administrator is configuring Amazon CloudFront to serve content from an Amazon S3 bucket. The content is sensitive and should be encrypted at rest. Which option ensures that content is encrypted at rest in S3?

A.Enable server-side encryption (SSE-S3) on the S3 bucket
B.Enable CloudFront HTTPS-only access to the S3 bucket
C.Configure signed URLs for the distribution
D.Use CloudFront field-level encryption
AnswerA

SSE-S3 encrypts objects at rest in S3.

Why this answer

Option A is correct because enabling SSE-S3 on the S3 bucket encrypts objects at rest. CloudFront does not handle encryption at rest. Option B is wrong because CloudFront HTTPS does not provide encryption at rest; it encrypts data in transit.

Option D is wrong because field-level encryption is for encrypting specific fields at the edge. Option C is wrong because signed URLs control access, not encryption at rest.

107
Multi-Selectmedium

Which TWO actions can be taken to improve the availability of a web application hosted on EC2 instances behind an Application Load Balancer? (Select two.)

Select 2 answers
A.Configure an Auto Scaling group with health checks to replace unhealthy instances.
B.Use larger EC2 instance types.
C.Deploy the EC2 instances across multiple Availability Zones.
D.Use a single AWS Region for all instances.
E.Place all EC2 instances in a single subnet.
AnswersA, C

Auto Scaling automatically replaces unhealthy instances.

Why this answer

Option C is correct because a multi-AZ deployment distributes instances across Availability Zones for fault tolerance. Option A is correct because an Auto Scaling group can replace unhealthy instances automatically. Option E is wrong because a single subnet is a single point of failure.

Option B is wrong because a larger instance type improves performance, not availability. Option D is wrong because a single Region is more susceptible to regional failures.

108
MCQmedium

A company hosts a web application behind an Application Load Balancer (ALB) in us-east-1. Users in Europe report high latency. The SysOps administrator decides to use AWS Global Accelerator to improve performance by directing traffic to the closest edge location. However, the application logs require the original client IP addresses of users. The ALB currently provides the client IP via the X-Forwarded-For header, but the development team warns that Global Accelerator may change the source IP. Which configuration should the administrator choose to meet both performance and logging requirements?

A.Configure Global Accelerator with an endpoint group that points directly to the ALB. The ALB will continue to receive the original client IP in the X-Forwarded-For header.
B.Place a Network Load Balancer (NLB) in front of the ALB, and configure Global Accelerator to point to the NLB. The NLB preserves the client IP, and the ALB can still see it in the X-Forwarded-For header.
C.Enable Proxy Protocol v2 on the ALB to ensure client IP addresses are preserved through Global Accelerator.
D.Use Amazon CloudFront instead of Global Accelerator and configure it to forward the client IP in a custom header.
AnswerB

Global Accelerator preserves the client source IP when the endpoint is an NLB. The NLB passes traffic to the ALB, which can see the original client IP in the X-Forwarded-For header. This satisfies both performance (using Global Accelerator) and logging requirements.

Why this answer

Option B is correct because placing a Network Load Balancer (NLB) in front of the ALB allows Global Accelerator to terminate the TCP connection at the edge, then forward traffic to the NLB. The NLB preserves the original client IP address by default (since it operates at Layer 4 and does not terminate the connection), and the ALB can still read the client IP from the X-Forwarded-For header. This setup meets both the performance requirement (via Global Accelerator's edge routing) and the logging requirement (preserving the original client IP).

Exam trap

The trap here is that candidates assume Global Accelerator preserves the client IP like a transparent proxy, but in reality it terminates the TCP connection at the edge, so the source IP changes unless an NLB is used to preserve it.

How to eliminate wrong answers

Option A is wrong because Global Accelerator terminates the TCP connection at the edge location and then creates a new connection to the ALB, so the source IP seen by the ALB becomes the Global Accelerator's internal IP, not the original client IP; the X-Forwarded-For header will contain the Global Accelerator's IP, not the user's IP. Option C is wrong because Proxy Protocol v2 is a feature of Network Load Balancers and TCP listeners, not Application Load Balancers; ALBs do not support Proxy Protocol v2, and enabling it on the ALB would not preserve client IP through Global Accelerator. Option D is wrong because CloudFront does not preserve the original client IP in the X-Forwarded-For header by default; it adds the CloudFront edge IP as the last entry, and while you can forward a custom header, this requires additional configuration and does not guarantee the original client IP is preserved in the same way as the NLB+ALB solution.

109
MCQmedium

A company has an on-premises data center connected to AWS via an AWS Direct Connect private virtual interface (VIF). The SysOps administrator needs to ensure that all traffic between the on-premises network and Amazon S3 in the same AWS Region stays within the AWS network and does not traverse the internet. Which solution should the administrator implement?

A.Use a Direct Connect gateway and a public VIF with a route to S3 prefix lists
B.Use a Direct Connect gateway and a private VIF with VPC endpoints for S3
C.Use a VPN connection over Direct Connect to access S3
D.Use a Transit Gateway with a private VIF and route S3 traffic through a NAT instance
AnswerB

VPC Gateway Endpoints for S3 allow private connectivity from within the VPC. Combined with a private VIF, traffic to S3 stays within the AWS network without internet.

Why this answer

Option B is correct because a private VIF with VPC endpoints for S3 (Gateway Endpoints) ensures that traffic from on-premises to S3 stays within the AWS network. The private VIF provides connectivity to the VPC, and the Gateway Endpoint routes S3 traffic through the AWS backbone without traversing the internet. This combination meets the requirement of keeping traffic within the AWS network.

Exam trap

The trap here is that candidates often confuse public VIF with private VIF, thinking a public VIF is required for AWS service access, but Gateway Endpoints allow private VIF to access S3 without internet exposure.

How to eliminate wrong answers

Option A is wrong because a public VIF with a route to S3 prefix lists would still route traffic over the public internet (via the Direct Connect public VIF), which does not guarantee that traffic stays within the AWS network; it also requires routing over the internet gateway. Option C is wrong because a VPN connection over Direct Connect would encrypt traffic but still uses the public VIF or internet path, and it does not inherently keep traffic within the AWS network; it adds unnecessary complexity and does not meet the requirement of staying within the AWS network. Option D is wrong because a Transit Gateway with a private VIF and routing S3 traffic through a NAT instance would force traffic through a NAT instance, which typically uses an internet gateway to reach S3, thus traversing the internet; this violates the requirement.

110
MCQeasy

A company hosts a web application on EC2 instances behind an Application Load Balancer. Users report intermittent 503 errors. Which step should the SysOps administrator take to troubleshoot the issue?

A.Verify the target group health check settings.
B.Enable cross-zone load balancing.
C.Increase the idle timeout on the load balancer.
D.Add more subnets to the load balancer.
AnswerA

Correct. Unhealthy targets cause 503 errors.

Why this answer

The 503 error indicates the load balancer cannot connect to the targets. Checking the target group health check configuration is the first step to identify if targets are marked unhealthy.

111
MCQmedium

A company has two Amazon VPCs: VPC-A (10.0.0.0/16) and VPC-B (10.1.0.0/16) in the same AWS Region. The SysOps administrator needs to enable private IP connectivity between the two VPCs without using the public internet. The solution must be simple, low-cost, and provide high throughput. Which AWS service should the administrator use?

A.VPC peering
B.AWS Site-to-Site VPN
C.AWS Direct Connect
D.AWS Transit Gateway
AnswerA

VPC peering establishes a direct, private network connection between two VPCs using the AWS backbone. It is simple to set up, has low cost (no hourly fees, only data transfer charges), and provides high throughput with no bandwidth constraints.

Why this answer

VPC peering is the correct choice because it enables direct private IP connectivity between two VPCs using the AWS global network, without requiring internet gateways, VPNs, or physical connections. It is simple to set up (no additional hardware or software), low-cost (no per-hour charges, only data transfer costs), and provides high throughput (bandwidth is limited only by the instance types, not by the peering connection itself).

Exam trap

The trap here is that candidates often over-engineer the solution by choosing AWS Transit Gateway (Option D) for its advanced features, forgetting that for a simple two-VPC connection, VPC peering is the most cost-effective and straightforward option without unnecessary complexity.

How to eliminate wrong answers

Option B (AWS Site-to-Site VPN) is wrong because it requires a virtual private gateway on each VPC and an on-premises VPN endpoint, adding complexity and cost (per-hour charges) while throughput is limited by the VPN tunnel (typically up to 1.25 Gbps per tunnel). Option C (AWS Direct Connect) is wrong because it is designed for dedicated on-premises to AWS connectivity, not for VPC-to-VPC peering, and involves high cost, long provisioning times, and physical infrastructure. Option D (AWS Transit Gateway) is wrong because while it can connect multiple VPCs, it introduces additional cost (per-hour and per-GB charges) and complexity (requires transit gateway attachments and route table management) that is unnecessary for a simple two-VPC scenario.

112
Multi-Selecteasy

A company wants to use Amazon CloudFront to distribute content globally with low latency. Which TWO features of CloudFront help achieve this?

Select 2 answers
A.Regional edge caches that provide additional caching layers
B.Edge locations that cache content near users
C.Use of S3 Transfer Acceleration
D.VPC peering to connect to origins
E.Integration with AWS Global Accelerator
AnswersA, B

Regional edge caches sit between edge locations and the origin to improve cache hit ratio.

Why this answer

Options A and B are correct. CloudFront uses a global network of edge locations and regional edge caches to cache content close to users. Option E is wrong because CloudFront does not use AWS Global Accelerator; they are separate services.

Option C is wrong because S3 Transfer Acceleration is for uploading to S3, not for CloudFront distribution. Option D is wrong because VPC peering is for network connectivity, not content delivery.

113
MCQmedium

A company uses Amazon CloudFront to deliver its static website hosted on Amazon S3. The security team notices that users are able to access the S3 bucket directly via the S3 endpoint, bypassing CloudFront. What should be done to ensure that content is only accessible through CloudFront?

A.Create an origin access identity (OAI) and update the S3 bucket policy to grant access only to the OAI
B.Use AWS WAF to block requests that do not include the CloudFront distribution's domain name
C.Create an AWS Lambda@Edge function to validate headers
D.Use S3 Block Public Access to prevent all public access
AnswerA

This restricts S3 bucket access to CloudFront only.

Why this answer

Option A is correct because configuring an origin access identity (OAI) and updating the S3 bucket policy to allow access only to the OAI prevents direct S3 access. Option D is wrong because disabling public access on the S3 bucket using S3 Block Public Access would also block legitimate CloudFront requests if not combined with an OAI. Option C is wrong because Lambda@Edge can modify requests/responses but does not enforce access control at the bucket level.

Option B is wrong because AWS WAF can filter requests but does not prevent direct S3 access.

114
MCQmedium

A web application is deployed in us-east-1 (primary) and eu-west-1 (standby). Under normal conditions, all traffic should go to us-east-1. If the us-east-1 health check fails, traffic must automatically redirect to eu-west-1 within 30 to 60 seconds. What Route 53 configuration implements this?

A.Create failover routing records for the domain: a Primary record pointing to us-east-1 with a Route 53 health check, and a Secondary record pointing to eu-west-1 with no health check
B.Use weighted routing with 100 weight for us-east-1 and 0 weight for eu-west-1; update the weights via Lambda when a CloudWatch alarm fires
C.Enable Route 53 latency routing with records for both regions; Route 53 will automatically switch to eu-west-1 when us-east-1 becomes unavailable
D.Configure Route 53 geolocation routing to send all US traffic to us-east-1 and all European traffic to eu-west-1
AnswerA

When the health check on the Primary record fails for the configured number of consecutive intervals, Route 53 removes the Primary from DNS responses and serves the Secondary. DNS TTL on the records should be set low (60 seconds or less) to minimize client-side caching delay. The failover is automatic, with no manual intervention or Lambda functions required.

Why this answer

Option A is correct because Route 53 failover routing records, combined with a health check on the primary record, automatically redirect traffic to the secondary (standby) record when the primary health check fails. The health check interval and failure threshold can be configured to detect failure within 30–60 seconds, meeting the requirement without manual intervention.

Exam trap

The trap here is that candidates often confuse failover routing with latency or geolocation routing, assuming that Route 53 automatically considers health in those routing policies, but only failover routing explicitly supports active-passive failover with health checks.

How to eliminate wrong answers

Option B is wrong because weighted routing with 0 weight for eu-west-1 would never send traffic there, even if us-east-1 fails, unless the weights are updated externally; this approach cannot achieve automatic failover within 30–60 seconds without additional automation and introduces latency. Option C is wrong because latency routing selects the region with the lowest latency for each user, not based on health; if us-east-1 is unhealthy but still has low latency, traffic would continue to be sent there, failing the failover requirement. Option D is wrong because geolocation routing directs traffic based on the user's geographic location, not health; it would not redirect traffic from us-east-1 to eu-west-1 if us-east-1 fails, as users outside Europe would still be routed to the unhealthy primary region.
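The timeline in the explanation above, worked as a small model. This is an added example, not part of the original page and not Route 53 code: it treats the health check as a single checker that declares the primary unhealthy after failure_threshold consecutive failed probes (Route 53 actually aggregates probes from many checker locations, so this is a simplification), then adds the record TTL to get the worst case a client can experience. The probe sequences and configuration tuples are constructed.

```python
"""Simplified model of the failover timeline in question 114.  Added example,
not Route 53 code: a single health checker that flips the primary to Unhealthy
after `failure_threshold` consecutive failed probes, whereas Route 53
aggregates probes from many checker locations.  Probe sequences are constructed."""


def time_to_unhealthy(probe_results, interval_s, failure_threshold):
    """Seconds after the first probe at which the primary is declared unhealthy,
    or None if the probes never fail `failure_threshold` times in a row.
    probe_results: one True (healthy) / False (failed) entry per interval."""
    consecutive = 0
    for n, healthy in enumerate(probe_results, start=1):
        consecutive = 0 if healthy else consecutive + 1
        if consecutive >= failure_threshold:
            return n * interval_s
    return None


def worst_case_failover_s(interval_s, failure_threshold, record_ttl_s):
    """Detection delay plus one full TTL: a resolver that cached the primary just
    before Route 53 withdrew it keeps handing it out until the TTL expires."""
    return interval_s * failure_threshold + record_ttl_s


def meets_budget(interval_s, failure_threshold, record_ttl_s, budget_s=60):
    """True when the worst-case client-visible failover fits the budget."""
    return worst_case_failover_s(interval_s, failure_threshold, record_ttl_s) <= budget_s


if __name__ == "__main__":
    # The standard 30 s interval with the default threshold of 3 and a 60 s TTL
    # blows a 60 s budget; the 10 s "fast" interval with a 30 s TTL just fits.
    for cfg in ((30, 3, 60), (10, 3, 30)):
        total = worst_case_failover_s(*cfg)
        print(cfg, total, "s", "ok" if meets_budget(*cfg) else "too slow")
```

The point the numbers make: the 30 to 60 second requirement is only met by combining the fast (10 second) health check interval with a low TTL; the default 30 second interval and threshold of 3 already take 90 seconds before the TTL is even counted.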

115
MCQeasy

A company has multiple on-premises branch offices, each with a site-to-site VPN connection to a single VPC in AWS. The SysOps administrator needs to enable communication between the branch offices using the AWS cloud as a hub. Which configuration should be implemented to achieve this with the least operational overhead?

A.Configure static routes in the VPC route table pointing to each VPN connection.
B.Use dynamic routing (BGP) on all VPN connections and enable route propagation on the virtual private gateway (VGW).
C.Create a separate Transit VPC with EC2-based VPN appliances to route traffic between branch offices.
D.Place all branch offices in the same IPsec tunnel by configuring identical pre-shared keys.
AnswerB

Dynamic routing with BGP and route propagation on the VGW allows the VPC to automatically exchange routes between VPN connections, enabling branch-to-branch communication without manual intervention.

Why this answer

Option B is correct because enabling dynamic routing (BGP) on all VPN connections and propagating routes from the virtual private gateway (VGW) into the VPC route table allows each branch office to learn the CIDR blocks of all other branch offices automatically. This eliminates the need for manual static route entries and ensures that traffic between branch offices is routed through the VPC hub with minimal operational overhead, as BGP handles failover and route updates dynamically.

Exam trap

The trap here is that candidates often assume static routes are simpler and sufficient for hub-and-spoke communication, overlooking that BGP route propagation on the VGW provides automated, scalable route exchange with minimal ongoing management, which is the key to reducing operational overhead.

How to eliminate wrong answers

Option A is wrong because configuring static routes in the VPC route table pointing to each VPN connection would require manual updates whenever a branch office subnet changes or a VPN connection is added/removed, increasing operational overhead and not scaling well. Option C is wrong because creating a separate Transit VPC with EC2-based VPN appliances introduces significant complexity, cost, and maintenance overhead compared to using the native VGW with BGP route propagation. Option D is wrong because placing all branch offices in the same IPsec tunnel by configuring identical pre-shared keys is not a valid configuration; each site-to-site VPN connection must have unique tunnel settings, and this approach would cause routing conflicts and security issues, not enable inter-branch communication.

116
MCQmedium

An organization uses Amazon CloudFront to serve static content from an S3 bucket. The content is updated frequently, but users are seeing stale files. What is the most efficient way to invalidate the cache for updated objects?

A.Create a CloudFront invalidation for the updated files.
B.Use the S3 console to set a new cache-control header.
C.Change the origin path in the CloudFront distribution.
D.Delete and recreate the CloudFront distribution.
AnswerA

Correct. Invalidation removes cached objects.

Why this answer

CloudFront supports file invalidation to remove objects from edge caches. Creating an invalidation for the specific paths, via the console, CLI or API, is the direct method. Two practical caveats: an invalidation takes a few minutes to complete, and while the first 1,000 invalidation paths per month are free, further paths are billed (a wildcard path such as /images/* counts as one path). For content that changes constantly, versioned object names (for example app.v2.js) with a long cache TTL avoid invalidations altogether, which is why options B, C and D, which either do not purge the edge cache or tear down the distribution, are not the efficient choice.

117
MCQmedium

An organization has a VPC peering connection between VPC A and VPC B. Instances in VPC A can reach instances in VPC B, but not vice versa. What is the most likely cause?

A.The route table in VPC B does not have a route to VPC A's CIDR.
B.DNS resolution is not enabled for the VPC peering connection.
C.Security groups in VPC B block inbound traffic from VPC A.
D.The VPC peering connection is in a 'pending-acceptance' state.
AnswerA

Correct because peering requires routes in both directions.

Why this answer

Option A is correct because VPC peering is not transitive and has no automatic routing: each VPC's route table needs a route for the other VPC's CIDR that points at the peering connection. If VPC B's route table lacks a route to VPC A's CIDR, connections initiated from VPC B are never forwarded to the peering connection. Option B is wrong because DNS resolution over the peering connection only affects whether hostnames resolve to private IPs, not IP-level connectivity. Option C is wrong because a security group in VPC B that blocked inbound traffic from VPC A would break the A-to-B direction, which the question states works.

Option D is wrong because a peering connection in the 'pending-acceptance' state carries no traffic in either direction.

118
MCQmedium

A company hosts a web application on EC2 instances behind an Application Load Balancer (ALB). Users report intermittent timeouts. The web server logs show HTTP 503 errors. Which configuration is MOST likely causing the issue?

A.The ALB idle timeout is set too low.
B.The target group is not configured with enough capacity.
C.The target group health checks are misconfigured or the instances are unhealthy.
D.The security group for the ALB does not allow inbound traffic on port 80.
AnswerC

Unhealthy targets cause ALB to stop routing traffic, resulting in 503.

Why this answer

HTTP 503 errors from an ALB indicate that the load balancer cannot route requests to healthy targets. Misconfigured health checks or unhealthy instances cause the ALB to mark targets as unhealthy, leading to 503 responses even if the instances are running. This is the most direct cause of intermittent timeouts when the web server logs show 503 errors.

Exam trap

The trap here is that candidates often confuse HTTP 503 errors with capacity issues (Option B) or timeout settings (Option A), but the specific presence of 503 errors in web server logs points directly to health check failures or unhealthy targets, not general capacity or idle timeout misconfigurations.

How to eliminate wrong answers

Option A is wrong because the ALB idle timeout controls how long the load balancer keeps a connection open without data transfer; a low idle timeout would cause 504 (gateway timeout) errors, not 503 (service unavailable) errors. Option B is wrong because insufficient target group capacity (e.g., too few instances or undersized instance types) would cause 503 errors only if all targets are overwhelmed, but the question describes intermittent timeouts and 503 errors specifically tied to health check failures, not capacity exhaustion. Option D is wrong because if the ALB security group did not allow inbound traffic on port 80, the ALB would not accept any traffic at all, resulting in connection timeouts or 504 errors, not intermittent 503 errors with web server logs showing 503 responses.

119
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB) in a VPC. Users report slow load times. The SysOps team notices that all traffic goes to a single availability zone. Which action should be taken to improve performance and reliability?

A.Configure the ALB to use subnets in at least two Availability Zones
B.Add more EC2 instances in the same Availability Zone
C.Replace the ALB with a Network Load Balancer (NLB)
D.Enable cross-zone load balancing on the ALB
AnswerA

This ensures the ALB can route traffic to instances in multiple AZs, improving performance and fault tolerance.

Why this answer

The correct action is to configure the ALB to use subnets in at least two Availability Zones. An ALB is a regional service that requires subnets in multiple AZs to distribute incoming traffic across healthy targets in those zones. When all traffic goes to a single AZ, it indicates the ALB is only attached to one subnet, creating a single point of failure and limiting the pool of EC2 instances that can serve traffic, which directly causes slow load times and reduced reliability.

Exam trap

The trap here is cross-zone load balancing (Option D). It is enabled by default on an ALB and spreads requests across the registered targets in every Availability Zone the load balancer is enabled in, so it only helps once the ALB has subnets in more than one AZ. If the ALB is attached to a single subnet there is only one AZ to balance across, and the fix is the multi-AZ subnet configuration in Option A.

How to eliminate wrong answers

Option B is wrong because adding more EC2 instances in the same Availability Zone does not address the root cause; the ALB is only routing traffic into one AZ, so the new instances would share that single point of failure and the load would still not be distributed across zones. Option C is wrong because replacing the ALB with a Network Load Balancer (NLB) does not solve the single-AZ issue; an NLB also requires subnets in multiple AZs for high availability, and the problem is about AZ configuration, not load balancer type. Option D is wrong because cross-zone load balancing is already enabled by default on an ALB and distributes requests across targets in the AZs the load balancer is enabled in; it cannot reach an AZ in which the load balancer has no subnet.

120
Multi-Selectmedium

A SysOps administrator needs to troubleshoot connectivity between two EC2 instances in the same VPC but different subnets. The instances cannot communicate. Which THREE checks should the administrator perform? (Choose three.)

Select 3 answers
A.Verify that the network ACLs for both subnets allow the required traffic
B.Enable VPC Flow Logs to analyze traffic
C.Verify that the security groups of both instances allow inbound/outbound traffic on the required ports
D.Verify that the NAT Gateway is configured correctly
E.Verify that the route tables for both subnets have routes to each other's CIDR
AnswersA, C, E

Network ACLs are stateless and filter traffic at the subnet boundary.

Why this answer

Correct answers: A, C and E. Option A is correct because network ACLs are stateless and filter at the subnet boundary, so both subnets' ACLs must allow the request in one direction and the reply (on an ephemeral port) in the other. Option C is correct because security groups filter at the instance level; they are stateful, so an inbound allow on the required port is enough for the reply to pass.

Option E is correct because the route tables must carry a route for the other subnet's CIDR; within one VPC that is the local route, which exists by default but is the right thing to confirm. Option B is wrong because VPC Flow Logs help diagnose the problem but are not themselves a check that finds the misconfiguration. Option D is wrong because a NAT Gateway serves outbound internet traffic, not traffic between two subnets in the same VPC.

121
MCQhard

A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB) across three Availability Zones. Each AZ has one public and one private subnet. The EC2 instances are in the private subnets. The ALB is internet-facing. Recently, during a traffic spike, some users experienced intermittent timeouts. The SysOps administrator reviews the ALB access logs and finds that the timeouts correspond to periods when the target group had 'unhealthy' instances. The health check is configured to check a health endpoint on port 80 with a path of '/health'. The SysOps administrator checks the EC2 instances and finds that the health endpoint responds correctly. However, the health checks are failing intermittently. The administrator notices that the security group for the EC2 instances allows inbound traffic from the ALB's security group on port 80. The network ACL for the private subnets allows inbound HTTP and outbound ephemeral ports. What is the MOST likely cause of the health check failures?

A.The health check endpoint on the EC2 instances is not responding correctly.
B.The security group on the EC2 instances is blocking health check traffic from the ALB.
C.The ALB does not have cross-zone load balancing enabled.
D.The network ACL for the private subnets is blocking the return traffic from health checks.
AnswerD

The NACL is stateless: its outbound rule must cover the whole 1024-65535 range that ALB nodes use as source ports, or some health-check replies are dropped.

Why this answer

Option D is correct. The security group is stateful, so its inbound rule on port 80 covers the reply, but the network ACL is stateless and evaluates the reply as a separate outbound packet addressed to the ALB node's source port. ALB nodes choose source ports anywhere in 1024-65535; if the 'outbound ephemeral' rule covers only part of that range (for example the Linux default of 32768-65535), replies to health checks that happened to arrive from a lower port are dropped while the rest succeed, which is exactly the intermittent pattern described. Option A is wrong because the question states the health endpoint responds correctly when tested on the instances.

Option B is wrong because the security group already allows port 80 from the ALB's security group, and being stateful it needs no rule for the reply. Option C is wrong because cross-zone load balancing affects how requests are distributed across targets, not whether health-check packets and their replies get through.
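The three controls that these connectivity questions keep returning to (route tables, stateful security groups, stateless network ACLs) evaluated offline over a single TCP flow and its reply. This is an added example, not anything from the page or an AWS tool: the subnets, rule sets, addresses and the "ALB node" source ports are constructed to reproduce the health-check scenario above, and the instance security group uses the ALB subnet's CIDR as a stand-in for "allow from the ALB's security group".

```python
"""Offline model of the three VPC controls that decide whether a TCP request
and its reply get through: route tables, security groups (stateful) and
network ACLs (stateless, evaluated in rule-number order, implicit deny at the
end).  Added example, not AWS tooling; every subnet, rule and address below is
constructed to reproduce the ALB health-check scenario in question 121."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int        # lowest number is evaluated first; first match wins
    protocol: str      # "tcp", or "-1" for all protocols (ports then ignored)
    port_from: int
    port_to: int
    cidr: str
    allow: bool


@dataclass(frozen=True)
class SgRule:          # security groups only have allow rules and are stateful
    protocol: str
    port_from: int
    port_to: int
    cidr: str


@dataclass
class Subnet:
    cidr: str
    routes: dict       # destination CIDR -> target ("local", "pcx-...", "nat-...")
    nacl_in: tuple
    nacl_out: tuple


def nacl_permits(rules, ip, port, protocol="tcp"):
    """Stateless: the caller must check each direction of the flow separately."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("-1", protocol):
            continue
        if ip_address(ip) not in ip_network(r.cidr):
            continue
        if r.protocol != "-1" and not (r.port_from <= port <= r.port_to):
            continue
        return r.allow
    return False  # the trailing "*" rule denies anything unmatched


def sg_permits(rules, src_ip, port, protocol="tcp"):
    return any(
        r.protocol in ("-1", protocol)
        and r.port_from <= port <= r.port_to
        and ip_address(src_ip) in ip_network(r.cidr)
        for r in rules
    )


def route_exists(subnet, dst_ip):
    return any(ip_address(dst_ip) in ip_network(cidr) for cidr in subnet.routes)


def trace_tcp(src_subnet, src_ip, src_port, dst_subnet, dst_ip, dst_port, dst_sg_inbound):
    """Return the checks that fail for request + reply; an empty list means the flow works."""
    failures = []
    # Request: src -> dst
    if not route_exists(src_subnet, dst_ip):
        failures.append("src route table: no route to destination")
    if not nacl_permits(src_subnet.nacl_out, dst_ip, dst_port):
        failures.append("src NACL outbound: request denied")
    if not nacl_permits(dst_subnet.nacl_in, src_ip, dst_port):
        failures.append("dst NACL inbound: request denied")
    if not sg_permits(dst_sg_inbound, src_ip, dst_port):
        failures.append("dst security group: request denied")
    # Reply: dst -> src.  The SG is stateful, so the reply is implied; routes and NACLs are not.
    if not route_exists(dst_subnet, src_ip):
        failures.append("dst route table: no route back to source")
    if not nacl_permits(dst_subnet.nacl_out, src_ip, src_port):
        failures.append("dst NACL outbound: reply to ephemeral port denied")
    if not nacl_permits(src_subnet.nacl_in, dst_ip, src_port):
        failures.append("src NACL inbound: reply to ephemeral port denied")
    return failures


# Constructed topology: ALB node in a public subnet, target in a private subnet.
ALLOW_ALL = (NaclRule(100, "-1", 0, 65535, "0.0.0.0/0", True),)
PUBLIC = Subnet("10.0.0.0/24", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-example"},
                nacl_in=ALLOW_ALL, nacl_out=ALLOW_ALL)
# Stand-in for "allow from the ALB's security group": the ALB nodes live in 10.0.0.0/24.
INSTANCE_SG = (SgRule("tcp", 80, 80, "10.0.0.0/24"),)


def private_subnet(outbound_ephemeral_low):
    """Private subnet NACL: inbound HTTP allowed, outbound 'ephemeral' allowed;
    where that outbound range starts is the variable under test."""
    return Subnet("10.0.10.0/24", {"10.0.0.0/16": "local"},
                  nacl_in=(NaclRule(100, "tcp", 80, 80, "10.0.0.0/16", True),),
                  nacl_out=(NaclRule(100, "tcp", outbound_ephemeral_low, 65535, "0.0.0.0/0", True),))


def alb_health_check(alb_source_port, outbound_ephemeral_low=32768):
    """ALB nodes pick source ports anywhere in 1024-65535; a NACL that only allows
    the Linux default range (32768+) drops the replies to the lower ports."""
    return trace_tcp(PUBLIC, "10.0.0.25", alb_source_port,
                     private_subnet(outbound_ephemeral_low), "10.0.10.7", 80, INSTANCE_SG)


if __name__ == "__main__":
    for port in (1500, 40000):
        print("source port", port, "->", alb_health_check(port) or "ok")
    print("NACL fixed to 1024-65535 ->", alb_health_check(1500, outbound_ephemeral_low=1024) or "ok")
```

Run as is, the first probe (source port 1500) fails only at the private subnet's outbound NACL, the second (source port 40000) passes, and widening the outbound rule to 1024-65535 clears the failure: the "intermittent" symptom is the ALB nodes' source-port choice landing on either side of a too-narrow range. The same trace_tcp call, fed a subnet whose route table lacks the peer CIDR or whose inbound NACL omits the port, reports the missing route or the denied request for the other questions above.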

122
MCQeasy

A company needs to resolve DNS names for on-premises servers from AWS. They have set up a DHCP options set with the on-premises DNS server IP. Which additional step is required?

A.Create a VPC peering connection and use the on-premises DNS IP as the DHCP option set.
B.Configure Route 53 Resolver outbound endpoint to forward queries to on-premises DNS.
C.Create a VPC peering connection to the on-premises network.
D.Configure Route 53 Resolver inbound endpoint to forward DNS queries from on-premises to AWS.
AnswerD

Inbound endpoint allows on-premises DNS to forward queries.

Why this answer

Option D is correct because the DHCP options set already sends every query from the VPC's instances to the on-premises DNS servers, so on-premises names resolve as soon as the VPN carries the query. What that setup breaks is the resolution of AWS-hosted names (Route 53 private hosted zones, the VPC's internal EC2 and RDS hostnames), which the on-premises servers cannot answer on their own. The missing step is a Route 53 Resolver inbound endpoint: the on-premises DNS servers forward the AWS zones to the endpoint's IP addresses over the VPN, so both directions resolve.

Exam trap

The trap here is direction. Once the DHCP options set points the instances at on-premises DNS, an outbound endpoint (Option B) adds nothing for the on-premises names; the gap that remains is the reverse path, and only an inbound endpoint lets the on-premises resolvers reach Route 53 Resolver. Without a DHCP options set change, an outbound endpoint with forwarding rules is the standard way to send only specific zones to on-premises while keeping AWS resolution for everything else.

How to eliminate wrong answers

Option A is wrong because a VPC peering connection does not forward DNS queries; it only provides network connectivity between VPCs, and the DHCP options set is already in place. Option B is wrong because an outbound endpoint forwards queries from AWS to on-premises, which the DHCP options set already does for every query in this scenario. Option C is wrong because VPC peering can only be established between VPCs, not between a VPC and an on-premises network.

123
MCQeasy

Refer to the exhibit. A SysOps Administrator runs the above command and sees that an EC2 instance is unhealthy. The health check is configured to check the HTTP endpoint '/health' on port 80. The instance's security group allows inbound HTTP traffic from the ALB's security group. What is the MOST likely cause?

A.The instance is not associated with the target group.
B.The application on the instance is not configured to respond to the '/health' path.
C.The target group is configured to use port 8080 instead of port 80.
D.The security group on the instance does not allow inbound traffic from the ALB.
AnswerB

The health check is hitting '/health' but the application may not have that endpoint, causing a non-200 response.

Why this answer

Option B is correct because the health check requests '/health' on port 80 and the security group already allows that traffic, so the most likely remaining cause is that the application does not serve '/health' (or does not return a success code for it). Option A is wrong because the command output shows the instance registered in the target group, merely unhealthy. Option C is wrong because the health check is stated to use port 80.

Option D is wrong because the security group allows inbound HTTP from the ALB's security group.

124
Multi-Selecthard

A company has a VPC with public and private subnets in two Availability Zones. The private subnets need outbound internet access for EC2 instances to download updates. Which THREE components are required to achieve this? (Choose three.)

Select 3 answers
A.Route table in the private subnets with a default route pointing to the NAT Gateway
B.Internet Gateway attached to the VPC
C.Egress-only Internet Gateway
D.NAT Gateway in a public subnet
E.AWS Site-to-Site VPN connection
AnswersA, B, D

This routes outbound traffic to the NAT Gateway.

Why this answer

Option A is correct because the route table associated with the private subnets must have a default route (0.0.0.0/0) pointing to the NAT Gateway, so that outbound internet traffic from the EC2 instances is sent through the NAT device. Option B is correct because the NAT Gateway itself reaches the internet through an Internet Gateway attached to the VPC. Option D is correct because the NAT Gateway must sit in a public subnet, one whose route table sends 0.0.0.0/0 to that Internet Gateway, and it needs an Elastic IP address there. Together these let instances in private subnets initiate outbound connections (for example for software updates) while unsolicited inbound connections from the internet are dropped. Option C is wrong because an Egress-only Internet Gateway serves IPv6 traffic only. Option E is wrong because a Site-to-Site VPN connects the VPC to an on-premises network and does not provide internet access.

Exam trap

The trap here is that candidates often confuse the Egress-Only Internet Gateway (IPv6 only) with the NAT Gateway (IPv4) or think a VPN connection can provide internet access, when in fact a NAT Gateway in a public subnet plus an Internet Gateway are required for IPv4 outbound connectivity from private subnets.

125
MCQhard

A company is using Amazon CloudFront with an S3 bucket as the origin. The S3 bucket contains sensitive data that should only be accessible via CloudFront. The SysOps administrator has configured an Origin Access Identity (OAI) and updated the bucket policy to allow access only to the OAI. However, users are still able to access the S3 bucket directly via the S3 URL. What is the most likely reason?

A.The bucket policy does not include a condition to require the OAI.
B.The bucket policy allows public read access in addition to the OAI access.
C.The OAI is not properly associated with the CloudFront distribution.
D.The S3 bucket is configured as a static website.
AnswerB

If the bucket policy grants public read access (e.g., Principal: "*"), users can bypass CloudFront and access the bucket directly. The policy should only allow the OAI and deny all others.

Why this answer

The OAI only lets CloudFront read the bucket; it does not by itself take any existing access away. If the bucket policy also carries an Allow with Principal "*" (or the objects carry public ACLs), a request straight to the S3 URL is still authorised and CloudFront is bypassed. The fix is to make the OAI the only principal granted read, and to turn on S3 Block Public Access so a public statement cannot be reintroduced. Option A is wrong because no condition is needed when the policy grants only the OAI; a Condition on aws:SourceArn is how you restrict the CloudFront service principal under the newer Origin Access Control (OAC) model, which AWS now recommends over OAI, not under OAI itself.

Option C is wrong because an OAI that is not associated with the distribution would break CloudFront's access to the bucket, not open direct access. Option D is wrong because static website hosting changes the endpoint used, not the authorisation: whether a direct request succeeds is decided by the bucket policy and ACLs.
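An offline check for exactly this misconfiguration, added here as an example and not taken from the page or from AWS: it parses a bucket policy document and reports any Allow statement that a wildcard principal can use without a Condition, and separately confirms whether the OAI is the only principal granted. Both policy documents are constructed, and the OAI identifier EXAMPLEOAIID is a placeholder.

```python
"""Offline audit for the failure mode in question 125: a bucket policy that
grants the CloudFront OAI and still carries a public Allow.  Added example, not
AWS code; both policy documents are constructed, and the OAI identifier
'EXAMPLEOAIID' is a placeholder."""
import json

OAI_PRINCIPAL = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"
BUCKET_OBJECTS = "arn:aws:s3:::example-bucket/*"

OAI_STATEMENT = {"Sid": "AllowCloudFrontOAI", "Effect": "Allow",
                 "Principal": {"AWS": OAI_PRINCIPAL},
                 "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS}

# Constructed: the leftover statement that lets anyone fetch objects via the S3 URL.
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    OAI_STATEMENT,
    {"Sid": "LegacyPublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS}]})

FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [OAI_STATEMENT]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element into a list of principal strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    out = []
    for key in ("AWS", "Service", "Federated", "CanonicalUser"):
        out.extend(_as_list(principal.get(key, [])))
    return out


def public_allow_statements(policy_json):
    """Sids of Allow statements anyone on the internet can use: a wildcard
    principal with no Condition narrowing it.  An OAC-style statement (service
    principal plus a Condition on aws:SourceArn) is not public and is not flagged."""
    policy = json.loads(policy_json)
    return [s.get("Sid", "<no Sid>") for s in _as_list(policy["Statement"])
            if s.get("Effect") == "Allow" and "*" in _principals(s) and "Condition" not in s]


def only_principal_allowed(policy_json, principal):
    """True when every Allow statement grants access to exactly this one principal."""
    policy = json.loads(policy_json)
    allows = [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]
    return bool(allows) and all(_principals(s) == [principal] for s in allows)


if __name__ == "__main__":
    for name, doc in (("leaky", LEAKY_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "public statements:", public_allow_statements(doc),
              "| OAI only:", only_principal_allowed(doc, OAI_PRINCIPAL))
```

The leaky document reports LegacyPublicRead and fails the OAI-only test; the fixed one reports nothing and passes. The same check can be pointed at the output of a get-bucket-policy call, but it deliberately ignores object ACLs and the account's Block Public Access settings, which also decide whether a direct S3 request succeeds.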

126
MCQhard

A SysOps administrator is configuring an Application Load Balancer to route traffic to multiple target groups based on the URL path. The ALB is not routing traffic correctly. Which listener rule configuration should be used to route requests with path /api/* to target group A and all other requests to target group B?

A.Create a rule with a host header condition matching 'api.example.com' and forward to target group A, and a default rule forward to target group B.
B.Create one rule with a condition that matches /api/* and forward to target group A, and another condition in the same rule for /* to forward to target group B.
C.Create a rule with path pattern /api/* and forward to target group A with priority 10, and a default rule with path pattern /* and forward to target group B with priority 20.
D.Create two rules with path patterns /api/* and /*, and set priority based on the pattern length.
AnswerC

This ensures /api/* is matched first, and /* acts as a catch-all.

Why this answer

Option C is correct because the ALB evaluates listener rules in priority order, lowest number first, and the default rule (which has no conditions) runs only when nothing else matches. Giving /api/* the lower priority number than the catch-all guarantees that API requests reach target group A and everything else falls through to B. Option A is wrong because a host-header condition matches on the Host header, not the URL path. Option B is wrong because a rule has a single action: you cannot attach two path conditions to one rule and forward each to a different target group.

Option D is wrong because the ALB does not order rules by pattern length; priority is explicit, and if /* were given the lower number it would shadow /api/* entirely. Note also that the pattern /api/* does not match the bare path /api, so a request for exactly /api goes to the catch-all.
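A model of the rule evaluation described above, added as an example rather than taken from the page or from AWS. The rules, target-group names and request paths are constructed; the matching semantics follow the ALB documentation (patterns are case-sensitive, '*' matches zero or more characters, '?' exactly one, rules run in ascending priority, and the default rule has no conditions and runs last). It also carries a small lint that reports rules sitting behind a catch-all, which is the shadowing mistake option D would produce.

```python
"""Model of how an ALB evaluates listener rules, for the path-routing scenario
in question 126.  Added example, not AWS code: the rules, target-group names
and request paths are constructed.  Matching semantics follow the ALB docs:
case-sensitive patterns, '*' = zero or more characters, '?' = exactly one,
ascending priority, default rule last."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ListenerRule:
    priority: int            # 1-50000; lower is evaluated first
    path_patterns: tuple     # the rule fires if any one pattern matches
    target_group: str


def path_matches(pattern, path):
    """Translate an ALB path pattern into an anchored regular expression."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, path) is not None


def select_target(rules, default_target, path):
    """First rule in priority order whose path condition matches wins;
    the default rule (no conditions) catches everything else."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if any(path_matches(p, path) for p in rule.path_patterns):
            return rule.target_group
    return default_target


def shadowed_by_catch_all(rules):
    """Lint: priorities of rules placed behind a rule whose pattern already
    matches every path ('*' or '/*'), so they can never fire."""
    ordered = sorted(rules, key=lambda r: r.priority)
    for i, rule in enumerate(ordered):
        if any(p in ("*", "/*") for p in rule.path_patterns):
            return [r.priority for r in ordered[i + 1:]]
    return []


# Constructed rule sets.  The default rule forwards to tg-b in both cases.
RULES_OK = (ListenerRule(10, ("/api/*",), "tg-a"),)
RULES_SHADOWED = (ListenerRule(10, ("/*",), "tg-b"),      # catch-all evaluated first...
                  ListenerRule(20, ("/api/*",), "tg-a"))   # ...so this rule never fires


if __name__ == "__main__":
    for path in ("/api/users", "/api", "/index.html"):
        print(f"{path:12} ok -> {select_target(RULES_OK, 'tg-b', path)}"
              f"   shadowed -> {select_target(RULES_SHADOWED, 'tg-b', path)}")
    print("shadowed priorities:", shadowed_by_catch_all(RULES_SHADOWED))
```

With the correct ordering /api/users reaches tg-a and /index.html falls to tg-b; with the catch-all at priority 10, every request, API calls included, lands on tg-b and the lint reports priority 20 as unreachable. The bare path /api goes to the default in both configurations because /api/* requires the trailing slash.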

127
MCQhard

A company uses AWS Global Accelerator to improve performance of a TCP application. Users in Asia report higher latency than users in Europe. The endpoints are all in us-east-1. What is the BEST solution?

A.Create a VPC peering connection between us-east-1 and an Asia region.
B.Add more endpoints in us-east-1 to distribute load.
C.Switch to Amazon CloudFront for the TCP application.
D.Deploy additional endpoints in an Asia region and configure Global Accelerator to route traffic to the closest endpoint.
AnswerD

Global Accelerator uses anycast IPs to route to nearest endpoint region.

Why this answer

Option D is correct because a Global Accelerator listener can have endpoint groups in several regions, and the accelerator sends each user to the closest healthy endpoint group (subject to the traffic dials). Adding an endpoint group in an Asian region shortens the path Asian users' traffic takes before it leaves the AWS backbone. Option A is wrong because VPC peering connects VPCs; it does not change where Global Accelerator sends users. Option B is wrong because more endpoints in us-east-1 spread load but do not shorten the round trip from Asia.

Option C is wrong because CloudFront serves HTTP/HTTPS (and WebSocket) traffic, not arbitrary TCP applications.

128
MCQmedium

A company is deploying a web application on EC2 instances behind an Application Load Balancer (ALB). The application needs to maintain user session state. Which configuration ensures session stickiness with minimal performance impact?

A.Use Amazon CloudFront with origin stickiness enabled.
B.Use a Network Load Balancer (NLB) with target group stickiness.
C.Enable sticky sessions on the Application Load Balancer using a load balancer-generated cookie.
D.Store session state in Amazon DynamoDB and have each instance read from DynamoDB.
AnswerC

ALB sticky sessions with a generated cookie are designed for this purpose and have minimal overhead.

Why this answer

Option C is correct because ALB sticky sessions use a load-balancer-generated cookie (AWSALB) to pin a client to one target, with no application change and negligible overhead. Option A is wrong because CloudFront is a content delivery network and has no origin stickiness setting. Option B is wrong because NLB stickiness is based on the client's source IP rather than a cookie, so every client behind a shared NAT would be pinned to the same target.

Option D is wrong because externalising session state to DynamoDB adds a read on every request; it is the right design for resilience, but it is not 'session stickiness with minimal performance impact'.

129
MCQmedium

An application running on an EC2 instance is unable to connect to an Amazon RDS database in the same VPC. The security groups allow traffic from the EC2 instance. What is the most likely cause?

A.The IAM role attached to the EC2 instance does not have permissions to access RDS.
B.VPC Flow Logs are not enabled.
C.The route table does not have a route to the RDS subnet.
D.The network ACL is blocking the traffic.
AnswerC

Without a route in the subnet's route table to the destination subnet, traffic cannot reach RDS.

Why this answer

Option C is correct under the question's framing: security groups are stateful, so once they allow the request the reply is implied, and the remaining network-layer cause among the options is routing. Option A is wrong because IAM controls API calls, not TCP connectivity to the database endpoint. Option B is wrong because VPC Flow Logs only observe traffic; their absence blocks nothing.

Option D is a plausible cause in general, since NACLs are stateless and must allow both the request and the reply on ephemeral ports, but the answer key treats routing as the more likely cause. Practitioner caveat: inside a single VPC the local route covers the entire VPC CIDR and cannot be removed, so in a real incident check the network ACLs and the RDS subnet group before the route table.

130
MCQhard

A SysOps administrator receives an alert that a VPN connection between a VPC and an on-premises network is down. The VPN uses static routing. After verifying the on-premises side is functioning, what should the administrator check in AWS?

A.Check the BGP session status.
B.Reboot the virtual private gateway.
C.Ensure the route table has a route to the virtual private gateway.
D.Verify that the customer gateway device is configured with the correct IP address.
AnswerD

Correct. The customer gateway IP is critical for the VPN tunnel.

Why this answer

Option D is correct. With static routing there is no BGP session, so whether the tunnels come up depends entirely on the IPsec configuration, and the first thing to compare in AWS is the customer gateway resource (its public IP address, plus the pre-shared keys and IKE/IPsec settings in the configuration downloaded from the VPN connection) against what the on-premises device actually uses; check the tunnel status shown on the VPN connection while doing so. Option A is wrong because a static VPN has no BGP session to inspect. Option B is wrong because the virtual private gateway is managed by AWS and cannot be rebooted. Option C is wrong because a missing route stops traffic from being forwarded to the virtual private gateway but does not bring the tunnel down.

131
Multi-Selectmedium

Which TWO actions can a SysOps administrator take to improve the availability of a web application using an Application Load Balancer (ALB) and EC2 instances? (Choose two.)

Select 2 answers
A.Place all instances in a single subnet to reduce latency
B.Configure health checks on the target group
C.Deploy EC2 instances in multiple Availability Zones
D.Use larger instance types to handle more traffic
E.Increase the deregistration delay (connection draining) timeout
AnswersB, C

Health checks allow the ALB to stop sending traffic to unhealthy instances.

Why this answer

Options B and C are correct: deploying EC2 instances in multiple Availability Zones removes the single-AZ point of failure, and configuring health checks lets the ALB route traffic only to healthy instances. Option A is wrong because a single subnet lives in one AZ and is therefore a single point of failure. Option D is wrong because a larger instance type improves capacity, not availability.

Option E is wrong because increasing the deregistration delay does not improve availability; it only controls how long in-flight requests are drained from a deregistering target.

132
MCQeasy

A company wants to host a static website on AWS with high availability and low latency for global users. Which service should be used to serve the static content?

A.AWS Lambda with API Gateway.
B.Amazon Route 53 with a simple routing policy.
C.EC2 instances behind an Application Load Balancer.
D.Amazon S3 bucket configured for static website hosting, with Amazon CloudFront.
AnswerD

S3 + CloudFront is the recommended architecture for static websites.

Why this answer

Option D is correct because S3 can host a static website and CloudFront caches it at edge locations, giving global users low latency and high availability. Option A is wrong because Lambda is compute, not a store for static files. Option B is wrong because Route 53 is DNS, not content delivery.

Option C is wrong because EC2 instances behind an ALB are unnecessary and costlier for purely static content.

133
MCQeasy

A company wants to allow its employees to access internal applications using a custom domain name (app.example.com) that resolves to an internal ALB. Which AWS service should be used?

A.AWS Global Accelerator
B.Application Load Balancer
C.Amazon Route 53
D.Amazon CloudFront
AnswerC

Route 53 provides DNS resolution for custom domains.

Why this answer

Option C is correct because Route 53 is the DNS service: a private hosted zone for example.com associated with the VPC, holding an alias record for app.example.com that points at the internal ALB, resolves the name for employees inside the network. Option A is wrong because Global Accelerator improves performance for internet-facing endpoints and is not an internal DNS solution. Option B is wrong because an ALB does not provide DNS resolution for custom names.

Option D is wrong because CloudFront is for content delivery, not DNS resolution.

134
MCQeasy

A company wants to distribute content with low latency to users globally. The content is static and stored in an S3 bucket. Which AWS service should be used?

A.Application Load Balancer
B.AWS Global Accelerator
C.Amazon CloudFront
D.S3 Transfer Acceleration
AnswerC

Correct because CloudFront caches static content at edge locations.

Why this answer

Option C is correct because Amazon CloudFront is a content delivery network (CDN) that caches content at edge locations for low latency. Option A is wrong because an ALB is for load balancing, not caching. Option B is wrong because Global Accelerator accelerates dynamic TCP/UDP traffic and does not cache content.

Option D is wrong because S3 Transfer Acceleration speeds up uploads to the bucket, not downloads by global users.

135
MCQmedium

A company has multiple VPCs in the same account that need to communicate with each other. The VPCs are in the same region. Which solution provides the simplest and most scalable connectivity?

A.Set up AWS Direct Connect and route through a single VPC.
B.Use AWS PrivateLink to connect the VPCs.
C.Create a Transit Gateway and attach all VPCs.
D.Create VPC Peering connections between each pair of VPCs.
AnswerC

Transit Gateway acts as a hub-and-spoke model for scalable VPC connectivity.

Why this answer

Option C is correct because a Transit Gateway connects multiple VPCs (and on-premises networks) through a central hub, so each VPC needs one attachment instead of a mesh of connections. Option A is wrong because Direct Connect is for on-premises connectivity, not VPC-to-VPC. Option B is wrong because PrivateLink exposes individual services, not general VPC connectivity.

Option D is wrong because VPC peering is one-to-one and non-transitive, so the number of connections grows with every VPC added (n(n-1)/2 for a full mesh), which quickly becomes hard to manage.

136
MCQmedium

A company has an Application Load Balancer (ALB) that routes traffic to Amazon EC2 instances in private subnets of a VPC. The SysOps administrator needs to ensure that the EC2 instances can download software updates from the internet, but they must not be directly accessible from the internet. The solution should minimize operational overhead. Which solution should the administrator implement?

A.Place the EC2 instances in a public subnet and configure security group inbound rules to block all traffic.
B.Attach a NAT Gateway to a public subnet and configure the private subnet route table to send 0.0.0.0/0 traffic to the NAT Gateway.
C.Launch a NAT instance in a public subnet with an Elastic IP address and configure route tables accordingly.
D.Attach an Internet Gateway to the VPC and add a route to the private subnet route table pointing 0.0.0.0/0 to the Internet Gateway.
AnswerB

A NAT Gateway enables outbound internet connectivity for instances in private subnets while blocking unsolicited inbound connections. It is fully managed, reducing operational overhead.

Why this answer

A NAT Gateway (option B) allows EC2 instances in private subnets to initiate outbound connections to the internet (e.g., for software updates) while preventing any unsolicited inbound connections from the internet. It is a fully managed AWS service that automatically scales and requires no patching, minimizing operational overhead compared to a NAT instance. The private subnet route table directs 0.0.0.0/0 traffic to the NAT Gateway, which is placed in a public subnet with an Elastic IP address to enable internet access.

Exam trap

The trap here is that candidates may confuse a NAT Gateway with a NAT instance, thinking the latter is acceptable, but the question explicitly requires minimizing operational overhead, which disqualifies the self-managed NAT instance in favor of the fully managed NAT Gateway.

How to eliminate wrong answers

Option A is wrong because placing EC2 instances in a public subnet with security group rules blocking all inbound traffic still leaves them with public IP addresses, making them theoretically reachable from the internet (security groups are stateful and can be misconfigured), and it violates the requirement that instances must not be directly accessible from the internet. Option C is wrong because launching a NAT instance requires manual management (patching, scaling, high availability setup), increasing operational overhead, which contradicts the 'minimize operational overhead' requirement. Option D is wrong because adding a route to the private subnet route table pointing 0.0.0.0/0 to an Internet Gateway would make the private subnet effectively public, allowing direct inbound internet access to the EC2 instances, which violates the requirement that they must not be directly accessible from the internet.

137
MCQmedium

A SysOps administrator needs to ensure that all traffic between an on-premises data center and the AWS VPC is encrypted and goes over the internet. Which AWS service should be used?

A.AWS Site-to-Site VPN
B.VPC Peering
C.AWS Transit Gateway
D.AWS Direct Connect
AnswerA

VPN encrypts traffic over the internet.

Why this answer

AWS Site-to-Site VPN creates an encrypted tunnel between an on-premises data center and an AWS VPC using IPsec (IKEv1/IKEv2) over the public internet. This meets the requirement for encryption and internet-based connectivity, as the VPN traffic traverses the internet but is secured by IPsec tunnels.

Exam trap

The trap here is that candidates often confuse AWS Site-to-Site VPN with AWS Direct Connect, assuming Direct Connect provides encryption by default, but Direct Connect is a private connection that does not include encryption unless a VPN is layered on top.

How to eliminate wrong answers

Option B (VPC Peering) is wrong because it connects VPCs within AWS using private AWS infrastructure, not over the internet, and does not support encryption by default. Option C (AWS Transit Gateway) is wrong because it is a network transit hub that connects VPCs and on-premises networks, but it does not itself provide encryption; it requires a Site-to-Site VPN or Direct Connect for on-premises connectivity. Option D (AWS Direct Connect) is wrong because it uses a dedicated private network connection, not the internet, and does not inherently encrypt traffic unless combined with a VPN.

138
MCQeasy

An organization wants to block traffic from specific IP addresses at the edge of the AWS network before it reaches the application. Which service should be used?

A.AWS WAF
B.Security groups
C.AWS Shield Advanced
D.Network ACLs
AnswerA

Correct. AWS WAF can block IPs at the edge when used with CloudFront or ALB.

Why this answer

AWS WAF integrates with CloudFront and ALB to filter traffic based on IP addresses. For edge blocking, CloudFront with WAF is the best choice.

139
MCQhard

A company uses Amazon Route 53 as its DNS service. They have a domain example.com with an alias record pointing to an Application Load Balancer (ALB). Recently, they updated the ALB's DNS name, but the Route 53 record was not updated. Users are still being directed to the old ALB, which has been decommissioned. The SysOps administrator updates the alias record to point to the new ALB DNS name. However, users still experience errors for several hours. What is the most likely reason?

A.Route 53 requires time to propagate changes globally
B.The alias record was not saved correctly
C.The TTL on the DNS record is set too high, causing client-side caching
D.The domain is using DNSSEC, which delays updates
AnswerC

A high TTL means clients cache the old IP until the TTL expires.

Why this answer

Option C is correct because the TTL (Time to Live) on the DNS record determines how long resolvers cache the response. If the TTL is high, clients and intermediate DNS resolvers will continue to use the old IP for the duration of the TTL. Option B is wrong because the alias record was updated.

Option A is wrong because propagation is instant for alias records. Option D is wrong because DNSSEC does not cause caching issues.

140
MCQmedium

A company has a CloudFront distribution with an S3 bucket as the origin. The S3 bucket contains sensitive data that should only be accessible through CloudFront. Which configuration is required to ensure that direct access to the S3 bucket is blocked?

A.Attach an IAM role to CloudFront that allows S3 access
B.Set the S3 bucket policy to deny all access except from CloudFront's IP ranges
C.Create an Origin Access Identity (OAI) and add a bucket policy that grants access only to the OAI
D.Use signed URLs for all requests
AnswerC

The OAI is a virtual identity that CloudFront uses to access S3; the bucket policy restricts access to only that OAI.

Why this answer

Option C is correct because an Origin Access Identity (OAI) prevents direct S3 access by allowing only CloudFront to access the bucket. Option D is wrong because signed URLs control viewer access, not origin access. Option B is wrong because a bucket policy on its own can restrict access, but OAI is the standard way to limit the bucket to CloudFront.

Option A is wrong because CloudFront does not use IAM roles for origin access.

141
MCQhard

A SysOps administrator notices that an EC2 instance is not receiving traffic from an Application Load Balancer (ALB). The ALB is healthy and the target group shows the instance as healthy. The exhibit shows the network interface attached to the instance. What is the likely cause of the issue?

A.The source/destination check is enabled on the network interface
B.The network interface is in a private subnet
C.The instance's security group does not allow inbound traffic from the ALB
D.The network ACL of the subnet denies inbound traffic
AnswerC

If the instance's security group blocks traffic from the ALB, the ALB will receive 503 errors.

Why this answer

Option C is correct because the security group associated with the target instance must allow inbound traffic from the ALB (typically by referencing the ALB's security group) on the listener and health-check ports; if it does not, the instance never receives the forwarded requests. The exhibit shows the network interface labelled "ELB app/alb-...", which is the ALB's own ENI rather than the instance's, and its group is "default"; the instance's ENI is not shown, so the instance's security group (sg-12345678) remains the most likely place for the ALB's traffic to be dropped.

Option A is wrong because the source/destination check only matters when an instance must process traffic that is not addressed to its own IP (for example, a NAT or routing device); traffic from the ALB is addressed to the instance's IP, so the check does not interfere, and the check being enabled on the ALB's ENI is normal. Option B is wrong because a target instance in a private subnet can still receive traffic from the ALB; subnet placement does not by itself block it. Option D is wrong because network ACLs are stateless, so an inbound allow must be matched by an outbound allow for return traffic, and nothing in the exhibit indicates that the subnet's ACL denies this traffic.

142
MCQeasy

A company wants to use Amazon CloudFront to serve content from an Application Load Balancer (ALB) that is internet-facing. Which type of origin should be configured in CloudFront?

A.S3 origin with the ALB's DNS name as the bucket name.
B.Custom origin with Origin Access Identity (OAI) to restrict access.
C.Custom origin (HTTP/HTTPS) pointing to the ALB DNS name.
D.Custom origin pointing to the ALB's private IP address.
AnswerC

CloudFront can use any HTTP server as a custom origin.

Why this answer

CloudFront requires a custom origin (HTTP/HTTPS) when the origin is an Application Load Balancer (ALB) because ALBs are not S3 buckets and do not support S3 origin configurations. The custom origin type allows CloudFront to forward requests to the ALB's public DNS name, which resolves to the ALB's IP addresses, enabling proper load balancing and content delivery.

Exam trap

The trap here is that candidates may mistakenly think an ALB can be configured as an S3 origin or that OAI applies to non-S3 origins, but CloudFront strictly requires a custom origin for ALBs and OAI is only valid for S3 bucket origins.

How to eliminate wrong answers

Option A is wrong because an S3 origin expects an S3 bucket endpoint, not an ALB DNS name; using an ALB DNS name as a bucket name would cause a configuration error. Option B is wrong because Origin Access Identity (OAI) is used exclusively with S3 origins to restrict access to S3 content, not with ALB origins; for ALBs, you would use custom headers or AWS WAF to restrict access. Option D is wrong because CloudFront cannot use private IP addresses as origins; the ALB must be internet-facing with a public DNS name for CloudFront to reach it over the internet.

143
MCQhard

Refer to the exhibit. An S3 bucket policy is configured for a CloudFront distribution using an OAI. The policy allows the OAI to get objects. Additionally, it allows anyone from the IP range 203.0.113.0/24 to get objects directly. Users from other IPs report they can still access objects directly via S3 URLs. What is the most likely cause?

A.The policy allows public access from the specified IP range, overriding the OAI restriction.
B.The OAI is not correctly associated with the CloudFront distribution.
C.The CloudFront distribution is using a custom origin instead of S3.
D.The S3 bucket has a bucket ACL that grants public read access.
AnswerD

Bucket ACLs can grant public access even if the policy restricts.

Why this answer

Option D is correct because a bucket ACL is evaluated alongside the bucket policy, and an ACL that grants public read lets any requester fetch objects directly even though the policy only contains Allow statements for the OAI and for the 203.0.113.0/24 range. The policy itself does not explain the behaviour: it has two Allow statements and no explicit Deny, so requests from other IPs fall to the implicit deny and would be refused by the policy alone.

Because users from other IPs can still fetch objects, another access control must be granting them access, and with the bucket not configured to block public access, the bucket ACL is the most likely source. Option A is wrong because the IP-range statement grants access only to principals from that range; it does not override the OAI statement or widen access for other addresses.

Option B is wrong because the OAI is granted access in the policy, and a misassociated OAI would break CloudFront access rather than open direct access. Option C is wrong because the policy is valid and written for an S3 origin with an OAI; a custom origin would not use an OAI at all.

144
Matchingmedium

Match each AWS database service to its type.

Concepts

Relational database

NoSQL key-value and document

In-memory caching

Data warehousing

Graph database

Why these pairings

These are the primary AWS database services.

145
Multi-Selectmedium

A company is designing a highly available architecture using an Application Load Balancer (ALB) with multiple target groups. Which TWO statements are correct regarding ALB routing?

Select 2 answers
A.An ALB can route requests based on the client IP address.
B.An ALB can route requests based on the source TCP port.
C.An ALB can only be configured with an IPv4 listener.
D.An ALB can route requests to different target groups based on the URL path.
E.An ALB can route requests to different target groups based on the host header.
AnswersD, E

Path-based routing is a supported feature of ALB.

Why this answer

Option D is correct because an Application Load Balancer (ALB) supports path-based routing, allowing you to define rules that forward requests to different target groups based on the URL path (e.g., /api to one group and /images to another). Option E is correct because ALB also supports host-based routing, enabling you to route traffic based on the Host header in the HTTP/HTTPS request, which is essential for multi-domain or multi-tenant architectures.

Exam trap

The trap here is that candidates often confuse ALB's Layer 7 capabilities with Network Load Balancer (NLB) features, mistakenly thinking ALB can route based on IP or port, or that ALB is IPv4-only, when in fact ALB supports IPv6 via dual-stack mode and only routes on application-layer content.

146
MCQeasy

A company has an EC2 instance that needs to have a static public IP address that does not change even if the instance is stopped and started. Which AWS resource should be attached to the instance?

A.An Elastic IP address
B.An automatically assigned public IP address
C.A secondary private IP address
D.A static private IP address
AnswerA

An Elastic IP is a static public IPv4 address that can be associated with an instance.

Why this answer

Option A is correct because an Elastic IP address is a static public IP that can be associated with an instance and remains with the account until released. Option B is wrong because public IPs automatically assigned by AWS change when the instance is stopped and started. Option D is wrong because a static private IP is not public.

Option C is wrong because a secondary private IP is not public.

147
MCQmedium

A company has an Application Load Balancer (ALB) in the us-east-1 region. Users in Asia report high latency. The SysOps administrator wants to use AWS Global Accelerator to improve performance by directing traffic to the closest edge location. Which step is required to integrate Global Accelerator with the ALB?

A.Create a CloudFront distribution and point it to the ALB as an origin.
B.Configure the ALB as an endpoint group in a Global Accelerator accelerator.
C.Set up a Route 53 geoproximity routing policy for the ALB.
D.Use AWS WAF to allow traffic from Global Accelerator edge locations.
AnswerB

Global Accelerator uses endpoint groups that contain endpoints such as ALBs, NLBs, or EC2 instances. Adding the ALB as an endpoint in an endpoint group registers it for traffic routing.

Why this answer

AWS Global Accelerator uses the AWS global network to route traffic to the closest edge location, then forwards it over the AWS backbone to the ALB endpoint. To integrate, you must configure the ALB as an endpoint in an endpoint group within the accelerator, which allows Global Accelerator to direct traffic to the ALB based on proximity and health. This reduces latency for users in Asia by minimizing internet hops.

Exam trap

The trap here is that candidates often confuse Global Accelerator with CloudFront or Route 53 routing policies, assuming any CDN or DNS-based solution can achieve the same latency reduction, but Global Accelerator uniquely provides static IP addresses and optimized network pathing without caching or DNS caching delays.

How to eliminate wrong answers

Option A is wrong because CloudFront is a content delivery network (CDN) optimized for caching static and dynamic content, not for TCP/UDP traffic acceleration to an ALB; it adds unnecessary complexity and does not provide the anycast IP-based global acceleration that Global Accelerator offers. Option C is wrong because Route 53 geoproximity routing is a DNS-based routing policy that can direct users to different endpoints based on geographic location, but it does not provide the static anycast IP addresses or the optimized network path that Global Accelerator uses to reduce latency; DNS-based routing is also subject to client-side caching and does not offer the same performance improvements. Option D is wrong because AWS WAF is a web application firewall that filters HTTP/S traffic based on rules, not a mechanism to integrate or allow traffic from Global Accelerator edge locations; Global Accelerator automatically handles traffic routing without requiring WAF configuration for integration.

148
MCQhard

A company has a web application behind an Application Load Balancer (ALB) in a VPC. The application needs to authenticate users using an external identity provider (IdP). The SysOps Administrator recommends using Amazon Cognito as an identity broker. Which ALB action should be configured to authenticate users before forwarding requests to the target group?

A.An authenticate action using Amazon Cognito as the user pool.
B.A fixed-response action to return a 401 status code.
C.A redirect action to the IdP login page.
D.A forward action to the target group.
AnswerA

ALB supports an authenticate action that integrates with Cognito to handle user authentication.

Why this answer

Amazon Cognito integrates directly with Application Load Balancers via an authenticate action. When you configure an ALB rule with an authenticate action using a Cognito user pool, the ALB handles the OAuth 2.0 / OpenID Connect flow with the external IdP, obtains tokens, and only forwards authenticated requests to the target group. This eliminates the need for custom authentication logic in the application.

Exam trap

The trap here is that candidates may think a simple redirect action (Option C) is sufficient, but they miss that the ALB must actively participate in the token exchange and validation, which only the authenticate action provides.

How to eliminate wrong answers

Option B is wrong because a fixed-response action returning a 401 status code would simply reject all requests without any authentication flow, failing to integrate with the external IdP. Option C is wrong because a redirect action to the IdP login page would send users to the IdP but the ALB would not handle the callback or validate tokens, leaving authentication incomplete and unmanaged. Option D is wrong because a forward action to the target group would bypass authentication entirely, allowing unauthenticated requests to reach the application.

149
MCQmedium

A SysOps administrator notices that traffic to an Application Load Balancer (ALB) is being rejected. The ALB has a security group that allows inbound HTTP (80) and HTTPS (443) from 0.0.0.0/0. The target group health checks are failing. What could be the issue?

A.The target instances' security group does not allow inbound traffic from the ALB security group.
B.The ALB security group does not allow outbound traffic to the targets.
C.The ALB’s security group is blocking health check traffic from the targets.
D.The target instances' security group does not allow inbound HTTP/HTTPS from the internet.
AnswerA

The target security group must allow inbound from the ALB for health checks to succeed.

Why this answer

Option A is correct because, while the ALB's security group must allow inbound traffic from clients, the target instances' security group must separately allow inbound traffic from the ALB's security group. If the target security group does not allow traffic from the ALB, health checks fail. Option D is wrong because health checks come from the ALB, not from the internet.

Option B is wrong because the ALB's outbound rules are not the control that is failing here; the relevant rule is on the target side. Option C is wrong because the ALB's security group already allows HTTP/S, and health checks flow from the ALB to the targets, not the reverse.

150
MCQhard

A company has a VPC with public and private subnets. A NAT Gateway is deployed in the public subnet. Private EC2 instances need to download patches from the internet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway. However, the instances cannot reach the internet. What is the most likely cause?

A.The private subnet’s network ACL is blocking outbound traffic.
B.The NAT Gateway is not placed in a public subnet with a route to an internet gateway.
C.The security group for the private instances does not allow outbound HTTPS.
D.The NAT Gateway does not have an Elastic IP address assigned.
AnswerB

NAT Gateway must be in a public subnet with IGW route to translate and forward traffic.

Why this answer

Option B is correct because the NAT Gateway must be in a public subnet whose route table has a default route to an internet gateway. If the NAT Gateway's subnet route table lacks that route, the NAT Gateway cannot forward traffic to the internet. Option D is wrong because the NAT Gateway does not need a public IP for outbound-only traffic (though it helps).

Option A is not the relevant factor for internet access in this scenario. Option C is wrong because security groups for private instances should already allow outbound traffic.
