CCNA Networking and Content Delivery Questions

43 of 268 questions · Page 4/4 · Networking and Content Delivery · Answers revealed

226
MCQ · hard

A company has deployed a global web application using AWS CloudFront with an Application Load Balancer (ALB) as the origin. The ALB is in a single AWS region. Users in different geographic regions report high latency, and some users are unable to access the application. The SysOps administrator verifies that the CloudFront distribution is configured correctly and that the ALB is healthy. The administrator also confirms that the ALB's security group allows traffic from the CloudFront IP ranges. What is the most likely cause of the issue?

A. The ALB is overwhelmed by the number of concurrent connections from CloudFront
B. CloudFront is not caching content, causing all requests to go to the origin
C. The CloudFront distribution is using TCP instead of HTTP, causing higher latency
D. The SSL/TLS certificate on the ALB is not trusted by CloudFront
Answer: A

CloudFront aggregates requests from many edge locations, potentially overwhelming the ALB if not scaled.

Why this answer

Option B is correct because if the ALB is not configured to handle the volume of requests from CloudFront's edge locations, it can become overwhelmed, causing latency and errors. Option A is wrong because CloudFront caches content, reducing load on the origin. Option C is wrong because CloudFront uses HTTP/HTTPS, not TCP/UDP.

Option D is wrong because while SSL/TLS adds overhead, it is not the primary cause of regional access issues.

227
MCQ · easy

A company has an application running on EC2 instances in a VPC. The application needs to access an S3 bucket in the same AWS region. Which configuration provides the MOST secure and cost-effective access?

A. Make the S3 bucket publicly accessible and use the public endpoint from the EC2 instances.
B. Set up a NAT Gateway in a public subnet and route traffic from the EC2 instances through it to the S3 endpoint.
C. Create a VPC Gateway Endpoint for S3 and update the route tables for the private subnets.
D. Create an Internet Gateway and route traffic from the EC2 instances through it to a public S3 endpoint.
Answer: C

Gateway Endpoint provides private, secure, and free connectivity to S3 within the same region.

Why this answer

Option C is correct because a VPC Gateway Endpoint for S3 allows EC2 instances in private subnets to access S3 directly over the AWS network without traversing the internet, eliminating the need for a NAT Gateway or Internet Gateway. This provides the most secure and cost-effective access by keeping traffic within the AWS backbone and avoiding data transfer costs associated with NAT Gateways or public endpoints.

Exam trap

The trap here is that candidates often confuse VPC Gateway Endpoints with VPC Interface Endpoints (powered by AWS PrivateLink), but for S3, a Gateway Endpoint is the correct and most cost-effective choice because it does not require an Elastic Network Interface or incur hourly charges, unlike an Interface Endpoint.

How to eliminate wrong answers

Option A is wrong because making the S3 bucket publicly accessible exposes it to the entire internet, violating security best practices and potentially leading to unauthorized access or data breaches. Option B is wrong because a NAT Gateway incurs hourly charges and data processing costs, and it routes traffic through the internet unnecessarily, making it less cost-effective and less secure than a VPC Gateway Endpoint. Option D is wrong because an Internet Gateway is designed for public internet access, and routing EC2 traffic through it to a public S3 endpoint exposes the traffic to the internet, increasing latency and security risks while adding unnecessary complexity and cost.

228
MCQ · medium

A company runs a gaming application that uses Amazon EC2 instances to handle real-time multiplayer sessions. The application requires low-latency communication with users around the world. The SysOps administrator needs to accelerate content delivery for non-cacheable, dynamic content (such as real-time game state updates) and also provide static asset delivery. The solution must support both TCP and UDP traffic. Which AWS service should be used?

A. AWS Global Accelerator
B. Amazon CloudFront with origins configured for both dynamic and static content
C. AWS Shield Advanced
D. AWS App Mesh
Answer: A

Global Accelerator uses the AWS global network to optimize the path from users to applications. It supports both TCP and UDP traffic, making it suitable for real-time gaming applications that require low latency for both dynamic data and static assets (if static assets are served from the same endpoint).

Why this answer

AWS Global Accelerator is the correct choice because it uses the AWS global network and Anycast IPs to route TCP and UDP traffic to the optimal endpoint, providing low-latency performance for non-cacheable dynamic content like real-time game state updates. It also supports static asset delivery by directing traffic to origins such as Application Load Balancers or EC2 instances, and it handles both TCP and UDP protocols natively, which is essential for real-time multiplayer gaming.

Exam trap

The trap here is that candidates often assume CloudFront can handle all content delivery scenarios, but it does not support UDP traffic and is designed for cacheable HTTP/HTTPS content, making it unsuitable for real-time multiplayer games that require low-latency UDP communication.

How to eliminate wrong answers

Option B is wrong because Amazon CloudFront is a content delivery network (CDN) optimized for cacheable content (HTTP/HTTPS) and does not support UDP traffic; it cannot accelerate non-cacheable dynamic content with low-latency UDP requirements. Option C is wrong because AWS Shield Advanced is a DDoS protection service that provides mitigation against volumetric attacks, but it does not accelerate content delivery or handle TCP/UDP traffic routing for performance. Option D is wrong because AWS App Mesh is a service mesh for microservices communication within a cluster (e.g., ECS/EKS) and does not provide global traffic acceleration or support for UDP traffic at the edge.

229
Multi-Select · medium

Which TWO methods can be used to secure an S3 bucket that is used as an origin for Amazon CloudFront? (Select two.)

Select 2 answers
A. Write a bucket policy that allows only the CloudFront distribution’s OAI.
B. Use bucket ACLs to grant public read access.
C. Enable S3 server-side encryption.
D. Configure an origin access identity (OAI) and restrict bucket access.
E. Generate pre-signed URLs for all objects.
Answers: A, D

Bucket policy can restrict access to the OAI.

Why this answer

Option A is correct because OAI ensures only CloudFront can access the bucket. Option C is correct because a bucket policy can restrict access to CloudFront. Option B is wrong because bucket ACLs are legacy.

Option D is wrong because pre-signed URLs grant temporary access, not a security method for the origin. Option E is wrong because encryption protects data at rest, not access control.

230
MCQ · easy

A company is designing a highly available architecture for a web application using an Application Load Balancer (ALB) across multiple Availability Zones. Which configuration ensures that traffic is distributed evenly across all healthy targets?

A. Enable cross-zone load balancing on the ALB
B. Configure sticky sessions (session affinity) on the target group
C. Use a Network Load Balancer with path-based routing
D. Enable connection draining on the target group
Answer: A

Cross-zone load balancing distributes traffic evenly across all registered targets in all AZs.

Why this answer

Cross-zone load balancing enables the ALB to distribute incoming traffic evenly across all healthy targets in all enabled Availability Zones, rather than sending traffic only to targets within the same zone as the requesting client. By default, ALBs distribute traffic equally across zones first, then round-robin within each zone, which can lead to uneven load if target counts differ per zone. Enabling cross-zone load balancing overrides this behavior, ensuring each healthy target receives an equal share of requests regardless of its zone.

Exam trap

The trap here is that candidates often confuse cross-zone load balancing with sticky sessions or connection draining, assuming that session affinity or graceful termination will improve distribution, when in fact only cross-zone load balancing ensures even traffic spread across all healthy targets.

How to eliminate wrong answers

Option B is wrong because sticky sessions (session affinity) bind a client to a specific target for the duration of its session, which can cause uneven traffic distribution and does not ensure even distribution across all healthy targets. Option C is wrong because a Network Load Balancer (NLB) does not support path-based routing; path-based routing is a feature of Application Load Balancers, and using an NLB would not address the requirement for even distribution across healthy targets. Option D is wrong because connection draining (deregistration delay) allows in-flight requests to complete before a target is removed from service, but it does not influence how traffic is distributed among healthy targets during normal operation.

231
MCQ · medium

A company uses Amazon CloudFront to serve static content from an S3 bucket. They want to restrict access to content based on geographic location. Some countries should be blocked entirely. The administrator configured a CloudFront geographic restriction (whitelist/blacklist) and updated the S3 bucket policy to allow only CloudFront access via Origin Access Identity (OAI). However, users from blocked countries are still able to access some content. What is the most likely cause?

A. CloudFront geographic restrictions only block access to the CloudFront distribution, but the S3 bucket is still publicly accessible
B. The S3 bucket policy does not include a condition to restrict access to only CloudFront
C. The geographic restriction is configured as a whitelist instead of a blacklist
D. CloudFront geographic restrictions are applied at the edge location, but some edge locations may not have the restriction updated
Answer: A

If the S3 bucket is publicly accessible, users can bypass CloudFront and access directly.

Why this answer

Option C is correct because CloudFront geographic restrictions only apply to edge locations; if the content is cached at an edge location, the restriction is enforced at that edge. However, if the origin is directly accessible (bypassing CloudFront), the restriction is not applied. But the question says users from blocked countries can access some content, suggesting that the OAI might not be configured correctly or the bucket policy allows direct access.

Option A is wrong because the S3 bucket policy is correct. Option B is wrong because geographic restriction is global. Option D is wrong because the bucket policy is set correctly.

232
Multi-Select · easy

Which TWO security measures should be implemented to protect a VPC from DDoS attacks? (Choose two.)

Select 2 answers
A. Use AWS WAF with rate-based rules
B. Enable AWS Shield Advanced
C. Apply network ACLs with deny rules
D. Use restrictive security groups
E. Enable VPC Flow Logs
Answers: A, B

Rate-based rules can block DDoS traffic.

Why this answer

AWS Shield Advanced provides DDoS protection. Using a web application firewall (WAF) at the edge helps filter malicious traffic. Security groups and NACLs are not effective against DDoS at scale.

233
MCQ · easy

A company wants to host a static website on AWS with high availability and low latency for global users. Which combination of services should be used?

A. Amazon EC2 and Elastic Load Balancing
B. Amazon S3 and Amazon CloudFront
C. Amazon Route 53 and Amazon S3
D. Elastic Load Balancing and Amazon CloudFront
Answer: B

S3 hosts static content and CloudFront distributes it globally with low latency.

Why this answer

Option A is correct because Amazon S3 can host static websites and Amazon CloudFront provides a CDN with edge locations for low latency and high availability. Option B is wrong because EC2 instances are not ideal for static websites and require more management. Option C is wrong because ELB is for dynamic content and not needed for static sites.

Option D is wrong because Route 53 is a DNS service, not for hosting content.

234
MCQ · medium

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. The company wants to connect two subnets: one in the VPC (10.0.1.0/24) and one in an on-premises network (192.168.1.0/24) via a Site-to-Site VPN. The VPN connection is established. However, instances in the VPC subnet cannot ping the on-premises server at 192.168.1.10. What is a possible cause?

A. The VPN tunnel is not in the UP state
B. The route table for the VPC subnet does not have a route to the on-premises network via the VPN gateway
C. The security group for the VPC instances does not allow ICMP traffic
D. The VPC does not have a VPC endpoint for the VPN service
Answer: B

Without a route to 192.168.1.0/24 pointing to the virtual private gateway, traffic will not be sent through the VPN.

Why this answer

Option B is correct because the VPC subnet's route table must have a route for the on-premises CIDR pointing to the VPN gateway. Option A is wrong because the VPN connection uses the internet, not a VPC endpoint. Option C is wrong because security groups control traffic to/from instances, but the route is missing.

Option D is wrong because the VPN is established, so the tunnel is up.
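To make the route-table reasoning behind question 234 concrete, here is an added example (written for this page, not AWS code) that runs a longest-prefix-match lookup over two constructed VPC route tables: one missing the 192.168.1.0/24 route to the virtual private gateway and one that has it. The gateway identifiers and the NAT default route are assumptions.

```python
import ipaddress

# Constructed route tables for the scenario in question 234 (assumed, not taken
# from a real VPC). Each entry is (destination CIDR, target). "local" is the
# VPC's own CIDR route that every route table carries; the NAT gateway default
# route is an assumption that makes the misrouting visible.
ROUTE_TABLE_MISSING_VPN_ROUTE = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-gateway"),
]

ROUTE_TABLE_WITH_VPN_ROUTE = [
    ("10.0.0.0/16", "local"),
    ("192.168.1.0/24", "vgw-onprem"),   # hypothetical virtual private gateway
    ("0.0.0.0/0", "nat-gateway"),
]


def lookup(route_table, destination_ip):
    """Return the target a VPC route table selects for destination_ip.

    VPC routing uses longest-prefix match: among all routes whose destination
    CIDR contains the packet's destination, the most specific one wins.
    Returns None when no route matches (the packet is dropped).
    """
    dst = ipaddress.ip_address(destination_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr, strict=True)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def diagnose_vpn_path(route_table, on_prem_ip, vgw_target):
    """Explain whether traffic to an on-premises host will use the VPN."""
    target = lookup(route_table, on_prem_ip)
    if target == vgw_target:
        return f"{on_prem_ip} -> {target}: sent through the Site-to-Site VPN"
    if target is None:
        return f"{on_prem_ip}: no matching route, packet dropped"
    return (f"{on_prem_ip} -> {target}: only a less specific route matched, "
            f"so the VPN is never used; add the on-premises CIDR -> {vgw_target}")


if __name__ == "__main__":
    print(diagnose_vpn_path(ROUTE_TABLE_MISSING_VPN_ROUTE, "192.168.1.10", "vgw-onprem"))
    print(diagnose_vpn_path(ROUTE_TABLE_WITH_VPN_ROUTE, "192.168.1.10", "vgw-onprem"))
```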

235
MCQ · easy

A company wants to provide low-latency access to a web application for users in North America and Europe. The application runs on EC2 instances in us-east-1 and eu-west-1. Which AWS service should be used to route users to the nearest region?

A. Application Load Balancer with cross-region load balancing
B. Amazon CloudFront
C. AWS Global Accelerator
D. Amazon Route 53 with latency-based routing
Answer: D

Latency-based routing directs traffic to the region that provides the lowest latency for the user.

Why this answer

Option D is correct because Amazon Route 53 with latency-based routing directs traffic to the region with the lowest latency for the user. Option A is wrong because Global Accelerator improves performance but does not route based on latency to the nearest region; it uses Anycast. Option B is wrong because CloudFront is a CDN for content delivery, not for routing to regional endpoints.

Option C is wrong because ALB is region-specific and cannot route across regions.

236
MCQ · easy

A company is using an Application Load Balancer (ALB) to distribute traffic to a fleet of EC2 instances. The company needs to ensure that the ALB sends requests to instances that are healthy and can serve traffic. Which feature should be used to monitor the health of the instances?

A. Health checks
B. Sticky sessions
C. Cross-zone load balancing
D. Connection draining
Answer: A

Health checks periodically send requests to instances and mark them unhealthy if they fail.

Why this answer

Option B is correct because health checks are used by the ALB to determine if an instance is healthy. Option A is wrong because stickiness is about session persistence. Option C is wrong because cross-zone load balancing distributes traffic across zones.

Option D is wrong because connection draining ensures in-flight requests complete before instance deregistration.

237
MCQ · medium

A company has a web application that uses Amazon CloudFront and an Application Load Balancer as origin. The application requires HTTPS between CloudFront and the ALB. The ALB uses a certificate from AWS Certificate Manager (ACM) for the custom domain. The administrator notices that CloudFront returns HTTP 502 errors occasionally. The ALB target group shows healthy instances. What is the most likely cause of the 502 errors?

A. The ALB is not configured to support HTTPS
B. The CloudFront origin response timeout is set too low
C. The ALB security group denies traffic from CloudFront IP addresses
D. The SSL/TLS certificate on the ALB does not match the origin domain name configured in CloudFront
Answer: D

CloudFront validates the certificate against the origin domain name.

Why this answer

Option A is correct because a mismatch in the SSL/TLS certificate domain name will cause CloudFront to fail to connect to the origin. Option B is wrong because the origin response timeout of 30 seconds is generous; if the application responds within that, it should be fine. Option C is wrong because if the ALB is healthy, it can handle requests.

Option D is wrong because CloudFront can connect to ALB over HTTPS.

238
MCQ · medium

A company uses Amazon CloudFront with an Application Load Balancer (ALB) as the origin. The SysOps administrator needs to restrict access to the ALB so that it only accepts requests from CloudFront. Which solution should the administrator implement?

A. Replace the ALB with a Network Load Balancer and use a VPC endpoint
B. Create an origin access identity (OAI) and attach it to the CloudFront distribution
C. Add a security group rule to the ALB that allows traffic only from the CloudFront IP ranges
D. Configure CloudFront to add a custom HTTP header to requests, and configure the ALB to only forward requests that contain that header
Answer: D

This ensures only CloudFront requests reach the ALB.

Why this answer

Option D is correct because it uses a shared secret mechanism: CloudFront is configured to add a custom HTTP header (e.g., X-Origin-Verify) to all requests, and the ALB's listener rule is configured to only forward requests that contain that specific header value. This ensures that only requests originating from your CloudFront distribution reach the ALB, as the header is not present in direct client requests. This approach is recommended by AWS for restricting ALB access to CloudFront when the origin is an ALB, because CloudFront does not support Origin Access Identity (OAI) with ALB origins.

Exam trap

The trap here is that candidates often confuse Origin Access Identity (OAI) as a universal CloudFront feature, not realizing it only works with S3 origins, and they overlook the impracticality of using CloudFront IP ranges in security groups due to their dynamic nature.

How to eliminate wrong answers

Option A is wrong because replacing the ALB with a Network Load Balancer (NLB) and using a VPC endpoint does not inherently restrict access to CloudFront; a VPC endpoint is used for private connectivity, not for authenticating the source of traffic, and NLB does not support custom header-based filtering natively. Option B is wrong because Origin Access Identity (OAI) is a feature specific to Amazon S3 origins, not Application Load Balancers; OAI cannot be attached to a CloudFront distribution with an ALB origin. Option C is wrong because CloudFront does not have a fixed set of IP ranges; its IP addresses change frequently and are published via a public list, making it impractical and insecure to maintain a security group rule that only allows CloudFront IP ranges, as the list is large and dynamic.

239
MCQ · easy

A company wants to establish a dedicated, low-latency, private connection between its on-premises data center and an AWS VPC. The company does not want to use the public internet. Which AWS service should be used to meet this requirement?

A. AWS Direct Connect
B. AWS Virtual Private Gateway
C. AWS Transit Gateway
D. VPC Peering
Answer: A

Correct. AWS Direct Connect provides a dedicated private connection between on-premises and AWS, avoiding the public internet.

Why this answer

AWS Direct Connect is the correct service because it provides a dedicated, private, low-latency network connection from an on-premises data center to AWS, bypassing the public internet entirely. It uses industry-standard 802.1Q VLANs to create a private virtual interface (VIF) that connects directly to a VPC, ensuring consistent network performance and reduced latency.

Exam trap

The trap here is that candidates often confuse AWS Virtual Private Gateway (a required attachment for Direct Connect) with the Direct Connect service itself, or they assume VPC Peering can extend to on-premises networks, but VPC Peering is strictly limited to inter-VPC connectivity within AWS.

How to eliminate wrong answers

Option B (AWS Virtual Private Gateway) is wrong because it is a logical component that attaches to a VPC to enable VPN or Direct Connect connections, but it is not a service that itself provides a dedicated private connection; it requires Direct Connect or a VPN to function. Option C (AWS Transit Gateway) is wrong because it is a network transit hub used to interconnect multiple VPCs and on-premises networks, but it does not provide the dedicated physical connection itself; it relies on Direct Connect or VPN for the on-premises link. Option D (VPC Peering) is wrong because it only connects two VPCs within AWS using the AWS global network, and it cannot be used to connect an on-premises data center to a VPC.

240
Multi-Select · medium

A company has a VPC with a public subnet and a private subnet. The private subnet contains an EC2 instance that must access the internet for software updates. Which TWO actions are required to enable this? (Choose TWO.)

Select 2 answers
A. Add an Internet Gateway to the private subnet's route table.
B. Deploy a NAT Gateway in a public subnet.
C. Assign a public IP address to the EC2 instance.
D. Attach an Internet Gateway to the NAT Gateway.
E. Add a route in the private subnet's route table pointing to the NAT Gateway for 0.0.0.0/0.
Answers: B, E

Correct because the NAT Gateway must be in a public subnet to access the internet.

Why this answer

Option A is correct because a NAT Gateway must be in a public subnet. Option C is correct because the private subnet's route table must have a default route to the NAT Gateway. Option B is wrong because the NAT Gateway does not need an Internet Gateway; the public subnet does.

Option D is wrong because the EC2 instance does not need a public IP. Option E is wrong because an Internet Gateway is for public subnets, not private.

241
MCQ · hard

A company has multiple VPCs in the same AWS account and Region, each with overlapping CIDR blocks (10.0.0.0/16). The SysOps administrator needs to establish connectivity between all VPCs and the on-premises network via AWS Transit Gateway. Additionally, certain VPCs must be isolated from each other while still reaching on-premises. How should the administrator configure the Transit Gateway to meet these requirements?

A. Create a single Transit Gateway route table and add routes for all VPCs and the on-premises network.
B. Create multiple Transit Gateway route tables: one for each group of VPCs that need to communicate, and associate each VPC attachment with the appropriate route table. Add static routes to the on-premises network in each route table.
C. Use VPC peering instead of Transit Gateway to connect VPCs, and use Direct Connect Gateway for on-premises connectivity.
D. Configure VPN connections between each VPC and the on-premises network, bypassing Transit Gateway.
Answer: B

Correct. This allows isolation by route table, and overlapping CIDRs are handled by attaching VPCs to separate route tables. On-premises routes can be added to each.

Why this answer

Option B is correct because AWS Transit Gateway supports multiple route tables, allowing you to isolate VPC attachments from each other while still providing a common route to the on-premises network. By creating separate route tables for each group of VPCs that need to communicate, and associating the appropriate VPC attachments with those tables, you can enforce isolation between groups. Adding static routes to the on-premises network in each route table ensures all VPCs can reach on-premises, even when they cannot communicate with each other.

Exam trap

The trap here is that candidates assume a single Transit Gateway route table is sufficient for all VPCs, overlooking the need for isolation between specific VPC groups when overlapping CIDRs are present.

How to eliminate wrong answers

Option A is wrong because a single Transit Gateway route table would allow all VPC attachments to communicate with each other, violating the requirement to isolate certain VPCs. Option C is wrong because VPC peering does not support transitive routing and cannot be used with overlapping CIDR blocks; additionally, Direct Connect Gateway alone does not provide the required VPC-to-VPC isolation and connectivity. Option D is wrong because configuring VPN connections between each VPC and on-premises bypasses the Transit Gateway, failing to centralize connectivity and making it impossible to manage isolation and routing efficiently across multiple VPCs.

242
MCQ · hard

A company uses AWS Direct Connect to connect its on-premises network to AWS. The SysOps team notices that traffic from the on-premises network to a VPC is not using the Direct Connect connection but instead is going over the internet. The VPC has a virtual private gateway attached and the on-premises router is advertising a specific route. What is the most likely cause?

A. The on-premises network does not have a route to the VPC CIDR.
B. The VPC route table has a more specific route (e.g., 0.0.0.0/0) pointing to an Internet Gateway.
C. The BGP session between the on-premises router and the Direct Connect router is down.
D. The virtual private gateway is not attached to the VPC.
Answer: B

More specific route takes precedence over the Direct Connect route.

Why this answer

Option B is correct because the VPC route table contains a more specific route (0.0.0.0/0) pointing to an Internet Gateway, which overrides the less specific route to the virtual private gateway for traffic destined to the on-premises network. When the on-premises router advertises a specific route (e.g., 10.0.0.0/16) via BGP, the VPC route table must have a matching route (or a more specific one) pointing to the virtual private gateway; otherwise, the default route to the Internet Gateway takes precedence, sending traffic over the internet instead of Direct Connect.

Exam trap

The trap here is that candidates often assume the BGP session or virtual private gateway attachment is the issue, but the real cause is a route table priority conflict where a less specific default route to an Internet Gateway overrides the more specific Direct Connect route.

How to eliminate wrong answers

Option A is wrong because if the on-premises network lacked a route to the VPC CIDR, traffic would not reach the VPC at all, but the scenario states traffic is going over the internet, indicating a route exists but is misdirected. Option C is wrong because if the BGP session were down, the on-premises router would not advertise any routes, and the VPC would have no learned route to the on-premises network, causing traffic to fail or use the internet gateway as a default; however, the question states the on-premises router is advertising a specific route, implying BGP is up. Option D is wrong because if the virtual private gateway were not attached to the VPC, the VPC would have no connectivity to Direct Connect, and traffic would either fail or use the internet gateway, but the scenario specifically mentions a virtual private gateway is attached, making this option incorrect.

243
MCQ · easy

A company is using Amazon CloudFront to distribute its web application. Users in a specific geographic region are experiencing high latency. What is the most cost-effective solution to reduce latency for these users?

A. Use AWS Global Accelerator to route traffic over the AWS global network.
B. Configure Route 53 latency-based routing to direct users to a different origin.
C. Increase the compute capacity of the origin server.
D. Add additional CloudFront edge locations in the affected region.
Answer: D

More edge locations bring content closer to users, reducing latency cost-effectively.

Why this answer

Option D is correct because adding additional CloudFront edge locations in the affected region brings content closer to users, reducing latency. Option A is wrong because Route 53 policies do not affect CloudFront cache behavior. Option B is wrong because increasing origin server capacity does not reduce network latency.

Option C is wrong because Global Accelerator adds cost without addressing edge caching.

244
MCQ · easy

A company has a VPC with public and private subnets. An Application Load Balancer (ALB) is in the public subnets, and Amazon EC2 instances are in the private subnets. The SysOps administrator needs to allow the EC2 instances to access an Amazon S3 bucket in the same AWS Region without traversing the internet. Which solution should the administrator implement?

A. A VPC Gateway Endpoint for S3
B. A NAT Gateway
C. An Internet Gateway
D. VPC Peering
Answer: A

A VPC Gateway Endpoint for S3 allows instances in private subnets to access S3 privately using AWS internal networks, without internet traffic.

Why this answer

A VPC Gateway Endpoint for S3 allows EC2 instances in private subnets to access S3 buckets privately using AWS's internal network, without traversing the internet. This endpoint uses prefix lists and route table entries to direct S3 traffic through the AWS backbone, ensuring low latency and no data transfer costs.

Exam trap

The trap here is that candidates often choose a NAT Gateway or Internet Gateway because they think outbound traffic to AWS services must go through the internet, but Gateway Endpoints provide a private, cost-effective alternative for S3 and DynamoDB access within the same region.

How to eliminate wrong answers

Option B (NAT Gateway) is wrong because it routes traffic through the internet, which violates the requirement to avoid internet traversal and incurs data transfer costs. Option C (Internet Gateway) is wrong because it is used for public internet access and requires public IP addresses, not private S3 access. Option D (VPC Peering) is wrong because it connects VPCs but does not provide direct access to S3; S3 is a service outside the VPC, not a peered resource.

245
MCQ · easy

A company wants to host a static website using Amazon S3. The website files are stored in an S3 bucket. The SysOps administrator needs to make the website accessible via HTTP. Which action must be performed on the S3 bucket?

A. Enable versioning
B. Enable static website hosting
C. Configure a bucket policy to allow public read access
D. Attach a CloudFront distribution
Answer: B

Enabling static website hosting provides an HTTP endpoint and allows the bucket to serve web pages directly.

Why this answer

To host a static website on Amazon S3, you must enable the 'Static website hosting' property on the bucket. This configures the bucket to serve HTTP responses for index and error documents, and provides a regional website endpoint (e.g., http://bucket-name.s3-website-region.amazonaws.com). Without this setting, the bucket only supports REST API access (via the S3 API endpoint), not standard HTTP browser requests.

Exam trap

The trap here is that candidates often confuse the requirement for a public bucket policy (which is necessary but not sufficient) with the actual action needed to enable HTTP serving, leading them to select Option C instead of B.

How to eliminate wrong answers

Option A is wrong because enabling versioning is a data protection feature that tracks object versions; it does not enable HTTP access to the bucket. Option C is wrong because while a bucket policy granting public read access is necessary for public static websites, it alone does not make the bucket serve HTTP traffic—the static website hosting feature must be explicitly enabled to activate the website endpoint. Option D is wrong because attaching a CloudFront distribution is an optional performance and security enhancement, not a required action; the bucket can serve HTTP directly without CloudFront.

246
MCQhard

Refer to the exhibit. This bucket policy is attached to an S3 bucket that is used as an origin for a CloudFront distribution. Users are reporting Access Denied errors when accessing objects via the CloudFront URL. What is the MOST likely cause?

A.The condition is missing the aws:SourceVpce condition for VPC endpoints.
B.The bucket policy does not grant access to the CloudFront service principal.
C.The resource ARN is missing the bucket ARN for the bucket itself.
D.The condition restricts access to a specific IP range, but CloudFront requests come from its own IP addresses.
AnswerD

CloudFront uses its own IP addresses to fetch objects from the origin; the user's IP is not forwarded by default.

Why this answer

Option D is correct because when CloudFront fetches objects from S3, the source IP is the CloudFront edge IP, not the user's IP. The condition restricts access to 192.0.2.0/24, which CloudFront's addresses will not match. Option B is wrong because the bucket policy does not need to grant access to the CloudFront service principal; an Origin Access Identity (OAI) can be used, but it is not required.

Option C is wrong because the resource ARN includes /*, which is correct for object access. Option A is wrong because the condition is not missing; it is present but incorrect for CloudFront.

247
MCQeasy

A company uses Amazon CloudFront to deliver static content from an Amazon S3 bucket. Users in Europe report slow load times. Which CloudFront feature would MOST effectively improve performance for these users?

A.Enable origin shield.
B.Add additional edge locations in Europe and use regional edge caches.
C.Enable HTTP/3 (QUIC) support on the distribution.
D.Configure geo restriction to allow only European users.
AnswerB

CloudFront uses edge locations globally; adding regional edge caches in Europe caches content closer to users.

Why this answer

Adding additional edge locations in Europe and using regional edge caches (Option B) reduces latency by serving content from geographically closer points of presence (PoPs) and by caching objects at a regional layer that aggregates requests from multiple edge locations, which improves cache hit ratios and reduces the load on the origin. This directly addresses the slow load times reported by European users by minimizing the distance data must travel.

Exam trap

The trap here is that candidates often confuse performance-enhancing features like HTTP/3 or origin shield with the fundamental need to reduce geographic distance, assuming any 'optimization' will fix latency, when in fact only adding closer edge locations and regional caching directly addresses the root cause of high latency for distant users.

How to eliminate wrong answers

Option A is wrong because enabling origin shield does not add edge locations in Europe; it creates an additional caching layer in front of the origin to reduce origin load, but it does not improve latency for users far from existing edge locations. Option C is wrong because HTTP/3 (QUIC) improves connection establishment and multiplexing but does not reduce the physical distance between users and CloudFront edge locations, so it cannot fix latency caused by geographic distance. Option D is wrong because geo restriction only blocks or allows content based on user location; it does not improve performance for allowed users and may even increase latency if not configured correctly.

248
MCQeasy

A SysOps administrator needs to allow a Lambda function to access a DynamoDB table in the same AWS account. Which configuration is required?

A.Create a VPC endpoint for DynamoDB and attach it to the Lambda function.
B.Configure a network ACL to allow traffic from Lambda to DynamoDB.
C.Add the Lambda function as a principal in the DynamoDB table's resource-based policy.
D.Assign an IAM role to the Lambda function with DynamoDB permissions.
AnswerD

Correct. An IAM execution role grants the Lambda function its DynamoDB permissions.

Why this answer

Lambda needs an IAM role with a policy granting DynamoDB actions. The role is assumed by the Lambda service.

249
MCQmedium

Refer to the exhibit. A VPC peering connection exists between VPC A (CIDR 10.0.0.0/16) and VPC B (CIDR 192.168.0.0/16). The command output shows the route table for VPC A (rtb-11111111) and VPC B (rtb-33333333). An instance in VPC A (private IP 10.0.1.5) cannot ping an instance in VPC B (private IP 192.168.1.10). What is the most likely reason?

A.The route table for VPC A is missing a route to 192.168.0.0/16 via the peering connection.
B.The security group for the instance in VPC B blocks ICMP traffic.
C.The VPC peering connection status is not active.
D.The network ACL for the subnet in VPC A blocks outbound ICMP.
AnswerA

Without this route, traffic from VPC A to VPC B is dropped.

Why this answer

The route table for VPC A does not have a route to VPC B's CIDR (192.168.0.0/16) via the peering connection (pcx-44444444). It only has routes for local and IGW. The route table for VPC B has the peering route.

Therefore, traffic from VPC A to VPC B is not routed correctly. Option C is incorrect because the peering connection status is active. Option B is incorrect because security groups are not shown in the exhibit.

Option D is incorrect because network ACLs are not shown in the exhibit.

250
MCQeasy

A company is using Amazon CloudFront to distribute content globally. The company wants to restrict access to content so that only users from specific countries can access it. Which CloudFront feature should be used?

A.AWS WAF
B.Signed URLs
C.Geo restriction
D.Origin Access Identity (OAI)
AnswerC

Geo restriction (geo-blocking) allows you to allow or deny access to content based on the viewer's country.

Why this answer

Option C is correct because CloudFront geo restriction allows you to allow or block specific countries. Option B is wrong because signed URLs control access per request, not by country. Option D is wrong because an origin access identity restricts access to the origin, not viewer access.

Option A is wrong because AWS WAF can provide more granular access control, but geo restriction is the native CloudFront feature for country-based blocking.

251
MCQmedium

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The VPC has a private subnet with EC2 instances that need to communicate with on-premises servers. The on-premises network team reports that they can ping the EC2 instances, but the EC2 instances cannot ping the on-premises servers. The SysOps administrator checks the route tables and finds that the VPC has a route to the on-premises CIDR via the virtual private gateway. The security groups allow all ICMP traffic. What is the most likely cause?

A.The security group on the EC2 instances blocks outbound ICMP
B.The network ACL for the private subnet blocks outbound traffic
C.The on-premises network does not have a route back to the VPC CIDR through the Direct Connect
D.The VPC route table does not have a route to the on-premises CIDR via the virtual private gateway
AnswerC

For two-way communication, both sides must have routes via Direct Connect.

Why this answer

Option C is correct because the on-premises servers need a route back to the VPC CIDR through Direct Connect. The fact that they can ping the EC2 instances shows that traffic from on-premises to the VPC works, but the return traffic may be sent toward the internet instead of Direct Connect if the on-premises route is not configured. Option D is wrong because the VPC route is present.

Option A is wrong because the security groups allow ICMP. Option B is wrong because network ACLs default to allow all traffic.

252
MCQeasy

A company has multiple VPCs in the same AWS Region that need to communicate with each other. The SysOps administrator wants to avoid the complexity of a full mesh of VPC peering connections. Which AWS service should the administrator use to connect all VPCs with a central hub?

A.AWS Direct Connect
B.AWS Transit Gateway
C.VPC peering
D.AWS PrivateLink
AnswerB

Correct. Transit Gateway provides a scalable hub-and-spoke model, allowing you to attach many VPCs and manage routing centrally.

Why this answer

AWS Transit Gateway acts as a central hub that allows you to connect multiple VPCs and on-premises networks through a single gateway, eliminating the need for a full mesh of VPC peering connections. It uses a star topology where each VPC attaches to the Transit Gateway, and routing is managed via route tables, simplifying network management and scaling.

Exam trap

The trap here is that candidates often confuse VPC peering (which is point-to-point) with a hub-and-spoke solution, or mistakenly think AWS PrivateLink can route general traffic between VPCs, when it is actually designed for service-specific endpoints.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect is a dedicated network connection from on-premises to AWS, not a service for interconnecting multiple VPCs within the same Region. Option C is wrong because VPC peering creates a one-to-one connection between two VPCs, requiring a full mesh of N*(N-1)/2 connections for multiple VPCs, which adds complexity and does not provide a central hub. Option D is wrong because AWS PrivateLink enables private connectivity between VPCs and services (like endpoints), but it is designed for accessing specific services rather than routing traffic between multiple VPCs as a hub-and-spoke model.

253
MCQmedium

A company runs a multi-tier web application in a VPC with public and private subnets. The web servers (EC2 instances) are in public subnets, and the database servers (RDS MySQL) are in private subnets. The web servers need to connect to the database servers on port 3306. The security group for the RDS instances (sg-db) has an inbound rule allowing TCP port 3306 from the security group of the web servers (sg-web). The web servers can connect to the database, but the connection is intermittent and slow. The SysOps administrator checks the network ACLs and finds that both the public and private subnet network ACLs have default allow all entries. What is the most likely cause of the issue?

A.The RDS instances are in a private subnet and cannot receive traffic from public subnets
B.The security group for the RDS instances is missing an inbound rule for port 3306 from the web servers' IP range
C.The network ACL for the private subnet does not have an outbound rule to allow return traffic on ephemeral ports
D.The network ACLs are stateful and require an outbound rule for ephemeral ports
AnswerC

Without an outbound rule for ephemeral ports (1024-65535), the DB cannot send response packets back to the web servers.

Why this answer

Option C is correct because the network ACL for the private subnet has no outbound rule allowing return traffic on ephemeral ports from the database back to the web servers. Network ACLs are stateless, so even though the inbound rule allows traffic from the web servers, an outbound rule must also allow the return traffic. Option B is wrong because the security group rule referencing sg-web is correct.

Option A is wrong because RDS is not a web server and does not need a public subnet; instances in private subnets can receive traffic from public subnets in the same VPC. Option D is wrong because network ACLs are stateless, not stateful.

254
MCQmedium

A company has a VPC with an Internet Gateway and a NAT Gateway. They launch an EC2 instance in a private subnet. The instance needs to download updates from the internet, but the security team wants to prevent any inbound traffic from the internet. Which route table configuration is correct for the private subnet?

A.10.0.0.0/16 -> local; 0.0.0.0/0 -> VPC Peering
B.0.0.0.0/0 -> Internet Gateway
C.0.0.0.0/0 -> NAT Gateway
D.No default route; only local routes.
AnswerC

NAT Gateway enables outbound traffic only, preventing inbound.

Why this answer

Option C is correct because the private subnet route table should have a default route (0.0.0.0/0) pointing to the NAT Gateway for outbound traffic, and no route to the Internet Gateway. Option B is wrong because pointing the default route at the Internet Gateway would allow inbound traffic from the internet. Option D is wrong because having no default route would block all internet traffic, including the updates.

Option A is wrong because the local route covers only internal VPC traffic, and a VPC peering connection does not provide a path to the internet.

255
MCQeasy

A company hosts a static website on Amazon EC2 instances behind an Application Load Balancer. They want to improve latency for users around the world by caching content at edge locations. Which AWS service should they use?

A.Amazon CloudFront
B.AWS Global Accelerator
C.AWS Direct Connect
D.Amazon Route 53
AnswerA

Correct. CloudFront caches content at edge locations, reducing latency and offloading origin servers.

Why this answer

Amazon CloudFront is a content delivery network (CDN) that caches static content (e.g., HTML, CSS, images) at edge locations worldwide, reducing latency for global users by serving cached responses from the nearest edge rather than the origin EC2 instances behind the Application Load Balancer. It integrates directly with ALB as a custom origin, offloading traffic and improving response times for repeated requests.

Exam trap

The trap here is confusing AWS Global Accelerator (which optimizes network path but does not cache) with CloudFront (which caches at edge), leading candidates to pick Global Accelerator for latency improvement without recognizing the requirement for content caching.

How to eliminate wrong answers

Option B (AWS Global Accelerator) is wrong because it improves latency by directing traffic over the AWS global network using Anycast IPs, but it does not cache content at edge locations—it only optimizes routing to the origin. Option C (AWS Direct Connect) is wrong because it establishes a dedicated private network connection from on-premises to AWS, which does not cache content or serve edge locations; it is used for hybrid connectivity, not global content delivery. Option D (Amazon Route 53) is wrong because it is a DNS service that resolves domain names to IP addresses and can route users to the nearest endpoint via latency-based routing, but it does not cache or store content at edge locations.

256
MCQeasy

A company has a VPC with a CIDR block of 10.0.0.0/16. They have two subnets: a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). An EC2 instance in the private subnet needs to access an S3 bucket to store logs. The instance currently has no internet access. The SysOps administrator has created a VPC endpoint for S3 (gateway type) and attached it to the VPC. The instance still cannot reach S3. What additional step is required?

A.Attach an Internet Gateway to the VPC and add a route to it
B.Add a security group rule to allow outbound HTTPS traffic to S3
C.Modify the endpoint policy to allow all S3 actions
D.Add a route in the private subnet's route table pointing to the S3 endpoint
AnswerD

The endpoint uses a prefix list, and the route table must have a route for S3 traffic to go through the endpoint.

Why this answer

Option D is correct because the route table for the private subnet must have a route to the S3 endpoint (the S3 prefix list). Option A is wrong because gateway endpoints do not require internet access. Option C is wrong because the endpoint policy is not the issue if it already allows all actions.

Option B is wrong because the instance's security group does not block outbound traffic to S3 by default.

257
Multi-Selectmedium

A company is designing a VPC with public and private subnets. The private subnets need internet access for patching, but must not be directly reachable from the internet. Which TWO components should be used together?

Select 2 answers
A.VPC Peering connection
B.Private subnet route table with a route to the Internet Gateway
C.Internet Gateway attached to the VPC
D.Private subnet route table with a route to the NAT Gateway
E.NAT Gateway in a public subnet
AnswersD, E

This route directs traffic from private subnets to the NAT Gateway.

Why this answer

Option E (NAT Gateway in a public subnet) and Option D (private route table with a route to the NAT Gateway) are correct. A NAT Gateway in a public subnet provides outbound internet access, and the private route table directs traffic to the NAT Gateway. Option C is wrong because an Internet Gateway is for public subnets.

Option A is wrong because VPC peering connects VPCs; it does not provide internet access. Option B is wrong because a direct route to the IGW would make the subnet public.

258
MCQmedium

A company has a web application deployed in a VPC with both public and private subnets. The web servers are in public subnets and the database servers are in private subnets. The web servers need to access the internet for updates. Which configuration is required to provide internet access to the web servers while keeping the database servers private?

A.Place both web and database servers in private subnets and use a NAT Gateway for outbound internet access.
B.Attach an Internet Gateway to the VPC and add a route to it in the route tables for both public and private subnets.
C.Attach an Internet Gateway to the VPC and add a route to it only in the route tables for the public subnets.
D.Use a VPC Gateway Endpoint to provide internet access to the web servers.
AnswerC

This provides inbound and outbound internet to public subnets while private subnets remain isolated.

Why this answer

Option C is correct because an Internet Gateway (IGW) is required for any subnet that needs direct internet access. By attaching an IGW to the VPC and adding a default route (0.0.0.0/0) pointing to the IGW only in the public subnet route tables, web servers in those subnets can reach the internet. Database servers in private subnets remain isolated because their route tables lack the IGW route, preventing direct inbound or outbound internet traffic.

Exam trap

The trap here is that candidates often confuse the role of an Internet Gateway with a NAT Gateway, assuming that adding an IGW route to all subnets is necessary for outbound access, but this would break the isolation of private subnets by allowing direct inbound traffic.

How to eliminate wrong answers

Option A is wrong because placing both web and database servers in private subnets would require a NAT Gateway for outbound internet access, but the question specifies web servers are already in public subnets and need direct internet access, not NAT-mediated access. Option B is wrong because adding a route to the Internet Gateway in private subnet route tables would expose database servers to the internet, violating the requirement to keep them private. Option D is wrong because a VPC Gateway Endpoint provides private connectivity to AWS services (e.g., S3, DynamoDB) via the AWS network, not general internet access for web servers.

259
MCQhard

A SysOps administrator is setting up Amazon Route 53 for a domain that will be used for a web application. The application requires failover to a backup data center in another region if the primary becomes unhealthy. The administrator creates a failover routing policy with two records (primary and secondary) associated with health checks. After testing, the failover does not occur when the primary endpoint fails. What is the most likely cause?

A.The primary record is not an alias record
B.The domain registrar's nameservers are not pointing to Route 53
C.The health check is configured to monitor the secondary endpoint instead of the primary
D.The TTL on the primary record is set too high
AnswerC

The health check must monitor the primary endpoint to trigger failover.

Why this answer

Option C is correct because if the health check evaluates the secondary endpoint instead of the primary, Route 53 never detects the primary failure. Option D is wrong because the DNS TTL affects caching but not failover behavior. Option B is wrong because the failover routing policy is independent of the domain registrar's nameservers.

Option A is wrong because an alias record is not required for failover with non-AWS endpoints.

260
MCQmedium

A SysOps Administrator is setting up a VPC peering connection between two VPCs (VPC-A and VPC-B) in different AWS accounts. After the peering connection is accepted, instances in VPC-A cannot ping instances in VPC-B. Both VPCs have non-overlapping CIDR blocks. What is the MOST likely cause?

A.The route tables in both VPCs do not have routes to the peer VPC CIDR.
B.VPC peering does not support cross-account connections.
C.The CIDR blocks overlap, causing routing conflicts.
D.The security groups in VPC-B do not allow inbound ICMP traffic from VPC-A.
AnswerA

Without routes pointing to the peering connection, traffic cannot be forwarded between VPCs.

Why this answer

The most likely cause is that the route tables in both VPCs do not have routes to the peer VPC CIDR. Even after a VPC peering connection is accepted, traffic cannot flow between the VPCs unless explicit routes are added to each VPC's route table pointing to the CIDR block of the peer VPC, with the VPC peering connection as the target. Without these routes, instances in VPC-A have no path to reach instances in VPC-B, so ping fails.

Exam trap

The trap here is that candidates often assume security groups or NACLs are the primary cause of connectivity issues, but the foundational routing layer must be correctly configured first for any traffic to flow across a VPC peering connection.

How to eliminate wrong answers

Option B is wrong because VPC peering does support cross-account connections; you simply need to accept the peering request from the other account. Option C is wrong because the question explicitly states that the CIDR blocks are non-overlapping, so routing conflicts from overlap are not the issue. Option D is wrong because while security group rules could block ICMP, the most likely cause is the missing route tables, as routing is a prerequisite for any traffic to reach the destination before security groups are evaluated.

261
MCQeasy

A company has two VPCs in the same AWS region. VPC A hosts a web application, and VPC B hosts a database. The SysOps administrator needs to enable private IP communication between the two VPCs without using the public internet. The administrator wants a simple, low-cost solution that uses the AWS network backbone. Which AWS service should be used?

A.VPC Peering
B.AWS Transit Gateway
C.AWS Direct Connect
D.AWS Site-to-Site VPN
AnswerA

VPC Peering directly connects two VPCs using private IPs over the AWS network, simple and cost-effective for a pair of VPCs.

Why this answer

VPC Peering allows direct, private IP connectivity between two VPCs using the AWS network backbone without traversing the public internet. It is the simplest and most cost-effective solution for connecting exactly two VPCs in the same region, as there are no additional hourly charges beyond data transfer costs, and no intermediate devices or bandwidth limitations are introduced.

Exam trap

The trap here is that candidates may choose AWS Transit Gateway because it is a powerful networking hub, but the question explicitly asks for a simple, low-cost solution for only two VPCs, making VPC Peering the correct choice despite Transit Gateway's broader capabilities.

How to eliminate wrong answers

Option B (AWS Transit Gateway) is wrong because it is designed for hub-and-spoke connectivity across many VPCs and incurs an hourly attachment fee, making it unnecessarily complex and more expensive for a simple two-VPC connection. Option C (AWS Direct Connect) is wrong because it is a dedicated physical connection from an on-premises data center to AWS, not a service for connecting two VPCs within the same region, and it involves significant setup costs and lead times. Option D (AWS Site-to-Site VPN) is wrong because it establishes encrypted tunnels over the public internet between on-premises networks and AWS, not between two VPCs, and it introduces additional latency and complexity compared to VPC Peering.

262
MCQeasy

A SysOps Administrator needs to allow an EC2 instance in a private subnet to access the internet for software updates. Which AWS service should be used?

A.VPN Connection
B.NAT Gateway
C.Internet Gateway
D.VPC Peering
AnswerB

Correct because a NAT Gateway enables outbound internet access for private subnets.

Why this answer

Option B is correct because a NAT Gateway allows instances in private subnets to access the internet. Option C is wrong because an Internet Gateway is for public subnets. Option D is wrong because a VPC peering connection does not provide internet access.

Option A is wrong because a VPN connection is for on-premises connectivity.

263
Multi-Selectmedium

A SysOps administrator needs to design a VPC with public and private subnets for a web application. Which TWO components are required to allow instances in the private subnet to access the internet?

Select 2 answers
A.NAT gateway in a public subnet
B.Route table entry in the private subnet routing 0.0.0.0/0 to the NAT gateway
C.VPC endpoint for S3
D.Internet gateway attached to the VPC
E.Virtual private gateway
AnswersA, B

NAT gateway enables outbound internet access for private instances.

Why this answer

Options A and B are correct. A NAT gateway (or NAT instance) in a public subnet and a route table entry pointing 0.0.0.0/0 to it allow private instances to access the internet. Option D is wrong because the internet gateway serves the public subnets.

Option C is wrong because VPC endpoints are for accessing AWS services privately. Option E is wrong because a virtual private gateway is for VPN (hybrid) connectivity.

264
MCQeasy

A SysOps administrator needs to allow an EC2 instance in a private subnet to download patches from the internet. Which AWS service should be used to achieve this securely?

A.Internet Gateway (IGW)
B.NAT Gateway
C.AWS VPN
D.VPC Peering
AnswerB

A NAT Gateway enables outbound internet access for private subnet instances while blocking inbound connections.

Why this answer

Option B is correct because a NAT Gateway allows instances in private subnets to initiate outbound traffic to the internet while preventing inbound traffic from the internet. Option A is wrong because an Internet Gateway is for public subnets. Option D is wrong because a VPC peering connection connects VPCs, not the internet.

Option C is wrong because a VPN connection connects to on-premises networks, not the internet.

265
MCQhard

A SysOps administrator is troubleshooting connectivity issues between Amazon EC2 instances in two different VPCs that are connected via a VPC peering connection. The instances can successfully send ICMP (ping) traffic, but TCP connections on port 443 (HTTPS) fail. The security groups of both instances allow all inbound and outbound traffic. What is the most likely cause of the issue?

A.The Network ACL associated with the subnets is blocking the return traffic for TCP connections on ephemeral ports
B.The VPC peering connection is not properly configured for TCP traffic
C.The route tables in the VPCs do not contain a route for the other VPC's CIDR
D.The security group on the EC2 instance is blocking inbound TCP traffic on port 443
AnswerA

NACLs are stateless; they require explicit inbound and outbound rules. ICMP may be allowed, but TCP return traffic is blocked if ephemeral ports are not allowed in the outbound NACL.

Why this answer

The correct answer is A because the Network ACL (NACL) is stateless, meaning it must explicitly allow both inbound and outbound traffic. While ICMP (ping) works because it doesn't rely on ephemeral ports for return traffic, TCP connections on port 443 require the return traffic to come from the target instance on a high ephemeral port (typically 1024-65535). If the NACL's outbound rules block these ephemeral ports, the TCP handshake fails, even though the security groups allow all traffic.

Exam trap

The trap here is that candidates assume security groups are the only firewall layer, overlooking that Network ACLs are stateless and require explicit rules for ephemeral port return traffic, which is why ICMP works but TCP fails.

How to eliminate wrong answers

Option B is wrong because VPC peering connections are transparent to protocols; they operate at Layer 3 and do not differentiate between ICMP and TCP traffic. Option C is wrong because if the route tables lacked a route for the other VPC's CIDR, ICMP (ping) would also fail, as routing is required for all traffic types. Option D is wrong because the question explicitly states that the security groups allow all inbound and outbound traffic, so they cannot be blocking TCP port 443.

266
Multi-Selectmedium

A SysOps administrator is troubleshooting DNS resolution issues for a custom domain used by an Application Load Balancer. Which TWO steps should the administrator take to diagnose the issue? (Choose two.)

Select 2 answers
A.Ensure the VPC's CIDR block does not overlap with the ALB's IP range
B.Verify that the Route 53 alias record points to the ALB's DNS name
C.Run 'dig' or 'nslookup' from a client to verify the domain resolves to the correct IP
D.Verify that the ALB's security group allows inbound traffic on port 443
E.Check the health status of the ALB's target group
AnswersB, C

Misconfigured alias records cause resolution failures.

Why this answer

Option B is correct because a Route 53 alias record must point to the ALB's DNS name (e.g., my-alb-1234567890.us-east-1.elb.amazonaws.com) to properly route traffic to the load balancer. If the alias record is misconfigured or points to an incorrect resource, DNS resolution will fail or resolve to an unintended IP, causing the custom domain not to work.

Exam trap

The trap here is that candidates confuse DNS resolution issues with network connectivity or load balancer health, leading them to select security group or target group checks instead of focusing on the DNS configuration itself.

267
Multi-Selectmedium

Which TWO actions can reduce data transfer costs for content delivered to users globally? (Choose two.)

Select 2 answers
A.Deploy multiple Application Load Balancers in different regions.
B.Use Amazon CloudFront to cache content at edge locations.
C.Use AWS Direct Connect for all traffic.
D.Use a single S3 bucket in one region with cross-region replication.
E.Enable S3 Transfer Acceleration.
AnswersA, B

Allows serving content from regional origins, reducing cross-region data transfer.

Why this answer

CloudFront (Option B) caches content at edge locations, reducing data transfer from the origin. S3 Transfer Acceleration (Option E) speeds up uploads, not downloads. VPC endpoints reduce data transfer costs for intra-region traffic, but they are not an option here; for global content, CloudFront together with origins located in the same region as the users (Option A, multiple regional load balancers) reduces cross-region transfer.

The best two choices are therefore CloudFront and multiple origins in different regions.

268
Multi-Selecthard

Which THREE of the following are valid options for connecting a VPC to an on-premises network? (Select THREE.)

Select 3 answers
A.Transit gateway with VPN attachment
B.AWS Direct Connect
C.VPC peering
D.AWS Site-to-Site VPN
E.VPC endpoint
AnswersA, B, D

A transit gateway can connect multiple VPCs and on-premises networks via VPN.

Why this answer

A Transit Gateway with a VPN attachment allows you to connect your VPC to an on-premises network by acting as a central hub that interconnects VPCs and on-premises networks via IPsec VPN tunnels. This is a valid option because the Transit Gateway can terminate multiple VPN connections, enabling hybrid connectivity with centralized routing and scalability.

Exam trap

The trap here is that candidates confuse VPC peering (which only connects VPCs) with hybrid connectivity options, or mistakenly think VPC endpoints can extend to on-premises networks, when they are strictly for accessing AWS services privately within a VPC.
