Question 78 of 500 · Cloud Security · hard · Multiple Choice · Objective-mapped

Quick Answer

The answer is to update the AWS security group for the application tier to allow inbound traffic from the web tier’s subnet. This is correct because, in a hybrid cloud environment using Tetration microsegmentation, the Tetration agent enforces host-level policies, but it does not override or bypass native cloud security groups; both layers must explicitly permit traffic for communication to succeed. On the Cisco SCOR / CCNP Security Core 350-701 exam, this scenario tests your understanding of how Tetration microsegmentation and AWS security groups interact—a common trap is assuming Tetration policies alone control all traffic, when in fact cloud security groups act as a separate, mandatory firewall layer. The key takeaway is that Tetration enforces east-west traffic at the OS level, but north-south and inter-VPC traffic still depends on cloud-native rules. Memory tip: “Tetration tags the host, but the security group gates the flow.”

350-701 Cloud Security Practice Question

This 350-701 practice question tests your understanding of cloud security. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company has a hybrid cloud environment with workloads in AWS and Azure, and an on-premises data center. They use Cisco Tetration for micro-segmentation and Cisco CloudCenter for orchestration. Recently, they deployed a new multi-tier application in AWS: a web tier, an application tier, and a database tier, all across multiple Availability Zones. After deployment, the application is unreachable. The security team reviews Tetration policies and finds that a policy is in place to allow traffic between tiers, but the web tier cannot communicate with the application tier. The Tetration agent status shows all agents are healthy. The administrator checks the AWS security groups and notices that the web tier's security group allows inbound HTTP from 0.0.0.0/0, but the application tier's security group does not allow inbound traffic from the web tier's subnet. Due to an error, the application tier's security group only allows inbound traffic from the on-premises CIDR block. The network team requests a fix that does not impact other ongoing audits. What should the administrator do?


Correct answer & explanation

Update the AWS security group for the application tier to allow inbound traffic from the web tier's subnet.

Option C is correct because the root cause is that the AWS security group for the application tier is misconfigured to only allow inbound traffic from the on-premises CIDR block, rather than from the web tier's subnet. Cisco Tetration enforces micro-segmentation policies at the host level via agents, but it does not override or bypass native cloud security groups; both layers must permit the traffic. Updating the security group to allow inbound traffic from the web tier's subnet resolves the connectivity issue without affecting other audits, as it is a targeted, non-disruptive change.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Redeploy the application using Cisco CloudCenter to ensure proper security group association.

    Why it's wrong here

    Incorrect: This is a time-consuming workaround and may introduce additional issues.

  • Configure Tetration to use 'full enforcement' mode for all policies, which overrides AWS security groups.

    Why it's wrong here

    Incorrect: Tetration does not automatically override cloud-native security groups; they coexist.

  • Update the AWS security group for the application tier to allow inbound traffic from the web tier's subnet.

    Why this is correct

    Correct: This directly fixes the misconfigured security group blocking traffic.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Remove the Tetration policy for the application tier to allow all traffic.

    Why it's wrong here

    Incorrect: This removes micro-segmentation needed for security.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the misconception that Tetration's micro-segmentation policies can override or bypass cloud-native security groups, when in fact both layers must be correctly configured for traffic to flow.

Detailed technical explanation

How to think about this question

In hybrid cloud environments, Cisco Tetration uses host-based agents to enforce micro-segmentation policies via iptables or Windows Filtering Platform rules, operating at Layer 4-7. However, AWS security groups act as a stateful virtual firewall at the hypervisor level, filtering traffic before it reaches the instance's network interface; thus, both layers must permit the traffic. A common real-world scenario is when Tetration policies are correctly configured but cloud-native security groups (e.g., AWS security groups, Azure NSGs) are misconfigured, leading to connectivity failures that require updating the cloud-side rules rather than the Tetration policies.
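To make the "both layers must permit" point concrete, here is an added illustration (not Courseiva's or Cisco's code) that evaluates the web-to-app flow from the scenario against a modelled AWS security group and a modelled host-level policy, reporting which layer drops it. The subnets, port and rule names are constructed sample values.

```python
# Added example: a flow is "allowed" only when BOTH the AWS security group
# and the host-level (Tetration-style) policy admit it. Sample values only.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    source: str   # source CIDR the rule admits

def rule_permits(rules, src_ip, proto, port):
    """Allow-list semantics: any matching rule permits, otherwise implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    return any(r.proto == proto and r.port == port
               and ip in ipaddress.ip_network(r.source) for r in rules)

def flow_allowed(sg_rules, host_rules, src_ip, proto, port):
    """Name the layer that drops the flow, or return 'allowed' if both permit it."""
    if not rule_permits(sg_rules, src_ip, proto, port):
        return "blocked: security group"   # dropped before the instance NIC
    if not rule_permits(host_rules, src_ip, proto, port):
        return "blocked: host policy"      # dropped by agent-managed iptables/WFP
    return "allowed"

WEB_SUBNET = "10.0.1.0/24"      # constructed web-tier subnet
ONPREM_CIDR = "172.16.0.0/16"   # constructed on-premises block
WEB_HOST = "10.0.1.25"          # a web-tier instance (constructed)
APP_PORT = 8080                 # app-tier listener (constructed)

# Tetration-side policy from the scenario: web -> app on the app port is allowed.
TETRATION_ALLOW = [Rule("tcp", APP_PORT, WEB_SUBNET)]
# Misconfigured app-tier security group: only the on-prem block is admitted.
APP_SG_BROKEN = [Rule("tcp", APP_PORT, ONPREM_CIDR)]
# Option C: add one targeted rule for the web subnet; existing rules untouched.
APP_SG_FIXED = APP_SG_BROKEN + [Rule("tcp", APP_PORT, WEB_SUBNET)]

def before_fix():
    return flow_allowed(APP_SG_BROKEN, TETRATION_ALLOW, WEB_HOST, "tcp", APP_PORT)

def after_fix():
    return flow_allowed(APP_SG_FIXED, TETRATION_ALLOW, WEB_HOST, "tcp", APP_PORT)

def option_d_remove_host_policy():
    # Distractor D: opening the host layer wide still leaves the SG layer blocking.
    return flow_allowed(APP_SG_BROKEN, [Rule("tcp", APP_PORT, "0.0.0.0/0")],
                        WEB_HOST, "tcp", APP_PORT)

if __name__ == "__main__":
    print(before_fix(), "|", after_fix(), "|", option_d_remove_host_policy())
```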

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related 350-701 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 350-701 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 350-701 question test?

Cloud Security. This question tests Cloud Security: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Update the AWS security group for the application tier to allow inbound traffic from the web tier's subnet. — Option C is correct because the root cause is that the AWS security group for the application tier is misconfigured to only allow inbound traffic from the on-premises CIDR block, rather than from the web tier's subnet. Cisco Tetration enforces micro-segmentation policies at the host level via agents, but it does not override or bypass native cloud security groups; both layers must permit the traffic. Updating the security group to allow inbound traffic from the web tier's subnet resolves the connectivity issue without affecting other audits, as it is a targeted, non-disruptive change.

What should I do if I get this 350-701 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 25, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.


This 350-701 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 350-701 exam.