- A. Redeploy the application using Cisco CloudCenter to ensure proper security group association. (Incorrect: this is a time-consuming workaround and may introduce additional issues.)
- B. Configure Tetration to use 'full enforcement' mode for all policies, which overrides AWS security groups. (Incorrect: Tetration does not automatically override cloud-native security groups; they coexist.)
- C. Update the AWS security group for the application tier to allow inbound traffic from the web tier's subnet. (Correct: this directly fixes the misconfigured security group that is blocking traffic.)
- D. Remove the Tetration policy for the application tier to allow all traffic. (Incorrect: this removes the micro-segmentation needed for security.)
Quick Answer
The answer is to update the AWS security group for the application tier to allow inbound traffic from the web tier’s subnet. This is correct because, in a hybrid cloud environment using Tetration microsegmentation, the Tetration agent enforces host-level policies, but it does not override or bypass native cloud security groups; both layers must explicitly permit traffic for communication to succeed. On the Cisco SCOR / CCNP Security Core 350-701 exam, this scenario tests your understanding of how Tetration microsegmentation and AWS security groups interact—a common trap is assuming Tetration policies alone control all traffic, when in fact cloud security groups act as a separate, mandatory firewall layer. The key takeaway is that Tetration enforces east-west traffic at the OS level, but north-south and inter-VPC traffic still depends on cloud-native rules. Memory tip: “Tetration tags the host, but the security group gates the flow.”
350-701 Cloud Security Practice Question
This 350-701 practice question tests your understanding of cloud security. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A company has a hybrid cloud environment with workloads in AWS and Azure, and an on-premises data center. They use Cisco Tetration for micro-segmentation and Cisco CloudCenter for orchestration. Recently, they deployed a new multi-tier application in AWS: a web tier, an application tier, and a database tier, all across multiple Availability Zones. After deployment, the application is unreachable. The security team reviews Tetration policies and finds that a policy is in place to allow traffic between tiers, but the web tier cannot communicate with the application tier. The Tetration agent status shows all agents are healthy. The administrator checks the AWS security groups and notices that the web tier's security group allows inbound HTTP from 0.0.0.0/0, but the application tier's security group does not allow inbound traffic from the web tier's subnet. The application tier's security group only allows inbound traffic from the on-premises CIDR block in error. The network team requests a fix that does not impact other ongoing audits. What should the administrator do?
Answer choices
Why each option matters
Correct answer & explanation
Update the AWS security group for the application tier to allow inbound traffic from the web tier's subnet.
Option C is correct because the root cause is that the AWS security group for the application tier is misconfigured to only allow inbound traffic from the on-premises CIDR block, rather than from the web tier's subnet. Cisco Tetration enforces micro-segmentation policies at the host level via agents, but it does not override or bypass native cloud security groups; both layers must permit the traffic. Updating the security group to allow inbound traffic from the web tier's subnet resolves the connectivity issue without affecting other audits, as it is a targeted, non-disruptive change.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
Redeploy the application using Cisco CloudCenter to ensure proper security group association.
Why it's wrong here
Incorrect: This is a time-consuming workaround and may introduce additional issues.
- ✗
Configure Tetration to use 'full enforcement' mode for all policies, which overrides AWS security groups.
Why it's wrong here
Incorrect: Tetration does not automatically override cloud-native security groups; they coexist.
- ✓
Update the AWS security group for the application tier to allow inbound traffic from the web tier's subnet.
Why this is correct
Correct: This directly fixes the misconfigured security group blocking traffic.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
Remove the Tetration policy for the application tier to allow all traffic.
Why it's wrong here
Incorrect: This removes micro-segmentation needed for security.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Cisco often tests the misconception that Tetration's micro-segmentation policies can override or bypass cloud-native security groups, when in fact both layers must be correctly configured for traffic to flow.
Detailed technical explanation
How to think about this question
In hybrid cloud environments, Cisco Tetration uses host-based agents to enforce micro-segmentation policies via iptables or Windows Filtering Platform rules, operating at Layer 4-7. However, AWS security groups act as a stateful virtual firewall at the hypervisor level, filtering traffic before it reaches the instance's network interface; thus, both layers must permit the traffic. A common real-world scenario is when Tetration policies are correctly configured but cloud-native security groups (e.g., AWS security groups, Azure NSGs) are misconfigured, leading to connectivity failures that require updating the cloud-side rules rather than the Tetration policies.
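To make the "both layers must permit" rule concrete, the following Python model (an added example, not code from the page, Cisco, or AWS) evaluates one inbound flow against a stateful, allow-only security group and then against an agent-enforced host policy, reporting which layer blocks it. The subnets, CIDRs and port are constructed for the scenario and the host policy is modelled as CIDR-based allow rules, which is a simplification of how Tetration expresses scopes.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed addressing for the scenario (assumed values, not from the page)
WEB_SUBNET = "10.0.1.0/24"
APP_SUBNET = "10.0.2.0/24"
ONPREM_CIDR = "192.168.0.0/16"
APP_PORT = 8080


@dataclass(frozen=True)
class AllowRule:
    """One allow rule: protocol, port range and permitted source CIDR."""
    proto: str        # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    source: str       # CIDR of permitted sources

    def matches(self, proto: str, port: int, src_ip: str) -> bool:
        return (self.proto in ("all", proto)
                and self.port_from <= port <= self.port_to
                and ip_address(src_ip) in ip_network(self.source))


@dataclass
class AllowList:
    """Allow-only filter with an implicit default deny, which is how both
    AWS inbound security group rules and the host-level policy behave."""
    name: str
    rules: list = field(default_factory=list)

    def permits(self, proto: str, port: int, src_ip: str) -> bool:
        return any(r.matches(proto, port, src_ip) for r in self.rules)


def evaluate_flow(src_ip, proto, port, security_group, host_policy):
    """Check a flow in the order traffic traverses the layers: the
    hypervisor-level security group first, then the agent-enforced host
    policy. The flow is allowed only if every layer permits it."""
    layers = [
        ("aws_security_group", security_group.permits(proto, port, src_ip)),
        ("tetration_host_policy", host_policy.permits(proto, port, src_ip)),
    ]
    blocking = [name for name, ok in layers if not ok]
    return {"allowed": not blocking, "blocking_layers": blocking}


def app_tier_host_policy():
    # Tetration-style policy: web tier may reach the app tier on APP_PORT
    return AllowList("app-tier-policy",
                     [AllowRule("tcp", APP_PORT, APP_PORT, WEB_SUBNET)])


def misconfigured_app_sg():
    # The erroneous state from the scenario: only on-prem is permitted
    return AllowList("app-tier-sg",
                     [AllowRule("tcp", APP_PORT, APP_PORT, ONPREM_CIDR)])


def fix_app_sg(sg):
    """The targeted fix (option C): add an inbound rule for the web subnet
    without touching the existing on-prem rule or the Tetration policy."""
    return AllowList(sg.name,
                     sg.rules + [AllowRule("tcp", APP_PORT, APP_PORT, WEB_SUBNET)])


def diagnose(src_ip="10.0.1.15"):
    """Evaluate a web-tier host reaching the app tier before and after the fix."""
    policy = app_tier_host_policy()
    before = evaluate_flow(src_ip, "tcp", APP_PORT, misconfigured_app_sg(), policy)
    after = evaluate_flow(src_ip, "tcp", APP_PORT, fix_app_sg(misconfigured_app_sg()), policy)
    return {"before_fix": before, "after_fix": after}


if __name__ == "__main__":
    for stage, verdict in diagnose().items():
        print(stage, verdict)
```

Running `diagnose()` shows the flow blocked only by the security group before the fix and permitted afterwards, while a Tetration policy that omitted the web subnet would be reported as a second, independent blocking layer.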
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
FAQ
Questions learners often ask
What does this 350-701 question test?
Cloud Security. This question tests Cloud Security: read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: Update the AWS security group for the application tier to allow inbound traffic from the web tier's subnet. — Option C is correct because the root cause is that the AWS security group for the application tier is misconfigured to only allow inbound traffic from the on-premises CIDR block, rather than from the web tier's subnet. Cisco Tetration enforces micro-segmentation policies at the host level via agents, but it does not override or bypass native cloud security groups; both layers must permit the traffic. Updating the security group to allow inbound traffic from the web tier's subnet resolves the connectivity issue without affecting other audits, as it is a targeted, non-disruptive change.
What should I do if I get this 350-701 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Last reviewed: Jun 25, 2026
This 350-701 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 350-701 exam.