Sample questions
CompTIA Cloud+ CV0-004 practice questions
Match each cost management concept to its description.
Prepaid compute for discounted rate
Cheap compute with possible termination
Adjust resources based on demand
Label resources for cost allocation
Upfront purchase vs operational expense
A load balancer log entry shows the above for a request. What is the MOST likely cause of the 504 error?
Exhibit
Refer to the exhibit.

```
User-Agent: Mozilla/5.0
Status: 504 Gateway Timeout
Upstream: 10.0.1.25:8080
Response Time: 30.001s
```
Trap 1: The DNS resolution for the domain name has failed.
DNS failure would prevent connection, not cause a timeout after connection.
Trap 2: The requested resource does not exist on the backend server.
A missing resource would return a 404, not a 504.
Trap 3: The load balancer's health check is misconfigured.
Health check misconfiguration would affect routing but not cause a 504 for an individual request.
- A
The DNS resolution for the domain name has failed.
Why wrong: DNS failure would prevent connection, not cause a timeout after connection.
- B
The backend server took too long to respond to the request.
The 30s response time exceeds typical timeouts, causing the gateway to time out.
- C
The requested resource does not exist on the backend server.
Why wrong: A missing resource would return a 404, not a 504.
- D
The load balancer's health check is misconfigured.
Why wrong: Health check misconfiguration would affect routing but not cause a 504 for an individual request.
Arrange the steps to deploy a new virtual machine in a public cloud environment (e.g., AWS, Azure, GCP) in the correct order.
Sequence the steps to troubleshoot a cloud-based application that is not accessible from the internet.
Order the steps to migrate an on-premises database to a cloud-managed database service (e.g., RDS, Cloud SQL).
A company uses a hybrid cloud model with an on-premises data center and a public cloud. The network team reports that traffic between the cloud and on-premises is experiencing high latency and packet loss. The cloud administrator verifies that the VPN connection is up. What is the most likely cause?
Trap 1: A firewall rule is blocking ICMP packets.
Blocking ICMP would not cause high latency; connection would drop.
Trap 2: VMs are placed in different cloud regions.
Region placement affects latency but not packet loss on VPN.
Trap 3: The cloud provider is throttling bandwidth.
Throttling reduces throughput but not packet loss.
- A
A firewall rule is blocking ICMP packets.
Why wrong: Blocking ICMP would not cause high latency; connection would drop.
- B
VMs are placed in different cloud regions.
Why wrong: Region placement affects latency but not packet loss on VPN.
- C
The VPN tunnel has a mismatched MTU size.
Mismatched MTU causes fragmentation and packet loss.
- D
The cloud provider is throttling bandwidth.
Why wrong: Throttling reduces throughput but not packet loss.
A cloud operations team receives an alert that the CPU usage of a VM has exceeded 90% for the past 30 minutes. The VM is part of an auto-scaling group configured to scale out when CPU exceeds 80% for 5 minutes. However, no new instances have been launched. What is the MOST likely reason the auto-scaling failed to trigger?
Trap 1: The VM failed a health check and is being replaced.
Health checks affect instance replacement, not scaling.
Trap 2: The auto-scaling group has reached the minimum instance count.
Minimum instance count applies to scaling down, not up.
Trap 3: The CPU threshold is set too high.
The threshold is 80% and current usage is 90%, so it should trigger.
- A
The VM failed a health check and is being replaced.
Why wrong: Health checks affect instance replacement, not scaling.
- B
The auto-scaling group is in a cooldown period after a previous scaling action.
Cooldown periods prevent rapid successive scaling actions.
- C
The auto-scaling group has reached the minimum instance count.
Why wrong: Minimum instance count applies to scaling down, not up.
- D
The CPU threshold is set too high.
Why wrong: The threshold is 80% and current usage is 90%, so it should trigger.
A cloud engineer is troubleshooting a web application that is not responding. The engineer examines the serial console output of the web-server instance and finds the error shown in the exhibit. What is the MOST likely cause of this issue?
Exhibit
Refer to the exhibit.

```
$ gcloud compute instances list
NAME        ZONE        MACHINE_TYPE   PREEMPTIBLE  STATUS
web-server  us-east1-b  e2-medium      true         RUNNING
db-server   us-east1-b  e2-standard-2               STOPPED

$ gcloud compute instances describe web-server --format='get(status,serviceAccounts.email)'
status: RUNNING
serviceAccounts.email: default@project.iam.gserviceaccount.com

$ gcloud compute instances get-serial-port-output web-server
...
[ 10.123456] cloud-init: User data script started
[ 10.654321] cloud-init: ERROR: Failed to fetch metadata from metadata server
...
```
Trap 1: The service account associated with the instance is missing the…
Missing permissions would cause API call failures, not metadata fetch errors.
Trap 2: The instance is in a STOPPED state and cannot execute user data…
The serial output shows the instance is RUNNING.
Trap 3: The instance does not have a public IP address assigned.
Metadata server is accessible regardless of public IP; it's a link-local address.
- A
The service account associated with the instance is missing the required permissions.
Why wrong: Missing permissions would cause API call failures, not metadata fetch errors.
- B
The instance is in a STOPPED state and cannot execute user data scripts.
Why wrong: The serial output shows the instance is RUNNING.
- C
The instance does not have a public IP address assigned.
Why wrong: Metadata server is accessible regardless of public IP; it's a link-local address.
- D
A firewall rule is blocking traffic to the metadata server IP address 169.254.169.254.
The metadata server is accessed via link-local address; blocking this traffic prevents metadata retrieval.
A company has a cloud environment with multiple VPCs that need to communicate with each other using private IP addresses. The company wants a centrally managed solution that simplifies routing and security. Which networking architecture should the architect implement?
Trap 1: VPC peering between all VPCs
Does not scale well; complex full mesh.
Trap 2: Direct Connect to each VPC
Overkill for VPC-to-VPC communication.
Trap 3: VPN connections between all VPCs
Unnecessary and adds latency.
- A
VPC peering between all VPCs
Why wrong: Does not scale well; complex full mesh.
- B
Direct Connect to each VPC
Why wrong: Overkill for VPC-to-VPC communication.
- C
VPN connections between all VPCs
Why wrong: Unnecessary and adds latency.
- D
Transit VPC with a VPN appliance
Centralized hub for routing and security.
A cloud administrator is troubleshooting connectivity to a virtual machine with IP address 10.10.10.10 from another VM on the same subnet. The output of ping and traceroute commands is shown. What is the most likely cause of the connectivity issue?
Exhibit
Refer to the exhibit.

```
$ ping 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Destination Host Unreachable
From 10.10.10.1 icmp_seq=2 Destination Host Unreachable
From 10.10.10.1 icmp_seq=3 Destination Host Unreachable

--- 10.10.10.10 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2003ms

$ traceroute 10.10.10.10
traceroute to 10.10.10.10 (10.10.10.10), 30 hops max, 60 byte packets
 1  10.10.10.1  0.433 ms  0.428 ms  0.414 ms
 2  * * *
 3  * * *
 4  * * *
```
Trap 1: The destination VM is powered off.
While a powered-off VM could cause unreachability, the 'Destination Host Unreachable' message from the gateway suggests the gateway itself cannot resolve the destination MAC, which is more indicative of an ARP failure than a powered-off VM.
Trap 2: The source VM's routing table does not have a default gateway.
Since both VMs are on the same subnet, no routing is needed; the issue is at layer 2, not layer 3 routing.
Trap 3: The destination VM's security group is blocking ICMP.
A security group blocking ICMP would typically result in a timeout (no response) rather than a 'Destination Host Unreachable' message from the gateway.
- A
The destination VM's network interface is disabled.
If the network interface is disabled, the VM will not respond to ARP requests, causing the gateway to return 'Destination Host Unreachable'.
- B
The destination VM is powered off.
Why wrong: While a powered-off VM could cause unreachability, the 'Destination Host Unreachable' message from the gateway suggests the gateway itself cannot resolve the destination MAC, which is more indicative of an ARP failure than a powered-off VM.
- C
The source VM's routing table does not have a default gateway.
Why wrong: Since both VMs are on the same subnet, no routing is needed; the issue is at layer 2, not layer 3 routing.
- D
The destination VM's security group is blocking ICMP.
Why wrong: A security group blocking ICMP would typically result in a timeout (no response) rather than a 'Destination Host Unreachable' message from the gateway.
A cloud engineer is troubleshooting a performance issue in a virtualized environment. A critical application is running slowly, and the engineer suspects resource contention. The host server has 32 vCPUs and 256 GB of RAM, running four VMs. Which tool should the engineer use to determine if CPU ready time is causing the performance degradation?
Trap 1: Run the 'top' command inside the affected VM
'top' shows guest CPU usage, not hypervisor contention.
Trap 2: Deploy a network analyzer to capture traffic between VMs
Network analyzer does not measure CPU contention.
Trap 3: Check the performance monitor in the guest operating system
Guest OS monitors do not show hypervisor-level metrics like CPU ready.
- A
Run the 'top' command inside the affected VM
Why wrong: 'top' shows guest CPU usage, not hypervisor contention.
- B
Deploy a network analyzer to capture traffic between VMs
Why wrong: Network analyzer does not measure CPU contention.
- C
Check the performance monitor in the guest operating system
Why wrong: Guest OS monitors do not show hypervisor-level metrics like CPU ready.
- D
Use the hypervisor's monitoring console to view CPU ready time
Hypervisor consoles provide CPU ready metrics indicating contention.
A cloud engineer is troubleshooting a VM that is experiencing high latency. The VM is hosted on a hypervisor with other VMs. Which TWO metrics should the engineer review to identify if resource contention is occurring?
Trap 1: Network packet drops
Incorrect; packet drops indicate network issues, not resource contention.
Trap 2: Swap usage
Incorrect; swap usage can indicate memory pressure but ballooning is the direct metric.
Trap 3: Disk queue length
Incorrect; disk queue length indicates storage contention, not CPU/memory.
- A
Memory ballooning
Correct; memory ballooning indicates memory contention.
- B
CPU ready time
Correct; high CPU ready time indicates CPU contention.
- C
Network packet drops
Why wrong: Incorrect; packet drops indicate network issues, not resource contention.
- D
Swap usage
Why wrong: Incorrect; swap usage can indicate memory pressure but ballooning is the direct metric.
- E
Disk queue length
Why wrong: Incorrect; disk queue length indicates storage contention, not CPU/memory.
A company is implementing a cloud governance strategy. They need to ensure that all resources are tagged with cost center and environment, and any untagged resources are automatically remediated. Which of the following best practices should be applied?
Trap 1: Implement role-based access control to restrict resource creation
Incorrect; RBAC does not enforce tagging.
Trap 2: Set up budget alerts to notify when costs exceed thresholds
Incorrect; budget alerts do not enforce tagging.
Trap 3: Create a manual audit process to check tags weekly
Incorrect; manual process is not automated and may miss resources.
- A
Implement role-based access control to restrict resource creation
Why wrong: Incorrect; RBAC does not enforce tagging.
- B
Set up budget alerts to notify when costs exceed thresholds
Why wrong: Incorrect; budget alerts do not enforce tagging.
- C
Create a manual audit process to check tags weekly
Why wrong: Incorrect; manual process is not automated and may miss resources.
- D
Use policy-as-code to enforce tagging and automatically apply tags to untagged resources
Correct; policy-as-code can enforce and auto-remediate tagging.
A cloud architect is designing a hybrid cloud environment that connects an on-premises data center to a public cloud. The architect needs to ensure secure, low-latency connectivity and isolate traffic between different business units. Which TWO solutions should the architect implement? (Choose two.)
Trap 1: Configure a NAT gateway to allow outbound internet access
NAT gateway is for internet access, not isolation.
Trap 2: Deploy a bastion host in a public subnet for administrative access
Bastion host is for management, not network isolation.
Trap 3: Use a transit gateway to interconnect all VPCs
Transit gateway centralizes connectivity but does not inherently isolate; additional routing policies are needed.
- A
Configure a NAT gateway to allow outbound internet access
Why wrong: NAT gateway is for internet access, not isolation.
- B
Establish a dedicated VPN or direct connect between on-premises and cloud
Provides secure, low-latency connectivity.
- C
Implement VPC peering to connect VPCs for different business units
VPC peering allows isolated traffic between VPCs.
- D
Deploy a bastion host in a public subnet for administrative access
Why wrong: Bastion host is for management, not network isolation.
- E
Use a transit gateway to interconnect all VPCs
Why wrong: Transit gateway centralizes connectivity but does not inherently isolate; additional routing policies are needed.
A company is deploying a new web application in a hybrid cloud environment. The application must be able to scale out automatically during peak usage and scale in during low usage. The deployment must also ensure that the application remains available if a single Availability Zone fails. Which deployment strategy should the architect recommend?
Trap 1: Deploy a cluster of instances in a single Availability Zone with a…
Single AZ is a single point of failure.
Trap 2: Use a single large instance and manually resize during peak periods.
Manual scaling is not automatic and can cause downtime.
Trap 3: Deploy a load balancer in front of a single instance.
This provides no scaling or fault tolerance.
- A
Deploy a cluster of instances in a single Availability Zone with a load balancer.
Why wrong: Single AZ is a single point of failure.
- B
Create an auto-scaling group spanning multiple Availability Zones.
Auto-scaling provides automatic scaling and multi-AZ ensures high availability.
- C
Use a single large instance and manually resize during peak periods.
Why wrong: Manual scaling is not automatic and can cause downtime.
- D
Deploy a load balancer in front of a single instance.
Why wrong: This provides no scaling or fault tolerance.
A cloud engineer is deploying a containerized application using Kubernetes. The application consists of a frontend, a backend API, and a database. The engineer needs to ensure that the backend API can be reached by the frontend but not from outside the cluster. Which Kubernetes resource should the engineer use to expose the backend API?
Trap 1: NodePort service
NodePort exposes the service on each node's IP, accessible externally.
Trap 2: Ingress resource
Ingress typically exposes HTTP/HTTPS routes externally.
Trap 3: LoadBalancer service
LoadBalancer creates an external load balancer.
- A
NodePort service
Why wrong: NodePort exposes the service on each node's IP, accessible externally.
- B
ClusterIP service
ClusterIP provides internal-only access.
- C
Ingress resource
Why wrong: Ingress typically exposes HTTP/HTTPS routes externally.
- D
LoadBalancer service
Why wrong: LoadBalancer creates an external load balancer.
A company is deploying a web application across multiple cloud regions for high availability. The application must maintain session state. Which deployment strategy should be used?
Trap 1: Active-passive failover
Active-passive failover provides redundancy but does not guarantee session continuity.
Trap 2: Geo-routing with DNS
Geo-routing directs based on location, not session persistence.
Trap 3: Round-robin load balancing
Round-robin distributes requests evenly but does not maintain session affinity.
- A
Active-passive failover
Why wrong: Active-passive failover provides redundancy but does not guarantee session continuity.
- B
Geo-routing with DNS
Why wrong: Geo-routing directs based on location, not session persistence.
- C
Sticky sessions with a load balancer
Sticky sessions route a client to the same server, preserving session state.
- D
Round-robin load balancing
Why wrong: Round-robin distributes requests evenly but does not maintain session affinity.
A deployment of a new application version fails with a '503 Service Unavailable' error after a rolling update. The previous version was working. What is the most likely cause?
Trap 1: Database connection pool exhausted
Would affect both versions equally.
Trap 2: DNS propagation delay
DNS changes do not usually cause 503 errors.
Trap 3: SSL certificate expired
SSL errors are different (e.g., certificate warning).
- A
Database connection pool exhausted
Why wrong: Would affect both versions equally.
- B
DNS propagation delay
Why wrong: DNS changes do not usually cause 503 errors.
- C
SSL certificate expired
Why wrong: SSL errors are different (e.g., certificate warning).
- D
New version missing a required dependency
Missing dependency can cause health check failure, resulting in 503.
A cloud engineer notices that a virtual machine running a critical application is experiencing high CPU usage. The engineer needs to resolve the issue without affecting other VMs on the same host. Which of the following actions should the engineer take first?
Trap 1: Restart the VM to clear the high CPU usage.
Restarting causes downtime and may not fix the root cause.
Trap 2: Increase the CPU allocation for the VM.
This may not be possible if the host is out of CPU resources.
Trap 3: Add another VM to the same host to distribute load.
Adding another VM would increase the load on the host.
- A
Restart the VM to clear the high CPU usage.
Why wrong: Restarting causes downtime and may not fix the root cause.
- B
Increase the CPU allocation for the VM.
Why wrong: This may not be possible if the host is out of CPU resources.
- C
Migrate the VM to another host in the cluster.
Live migration moves the VM to a less loaded host, resolving the issue without downtime.
- D
Add another VM to the same host to distribute load.
Why wrong: Adding another VM would increase the load on the host.
A cloud administrator is troubleshooting connectivity issues between two virtual networks in a public cloud. The networks are in the same region but different VPCs. Both VPCs have route tables and security groups configured. Instances in VPC A cannot ping instances in VPC B. Which of the following is the most likely cause?
Trap 1: The instances are not assigned public IP addresses.
Private IP communication does not require public IPs.
Trap 2: Security groups are blocking ICMP traffic.
Security groups are permissive by default; this could be a cause but is less likely if other traffic also fails.
Trap 3: Network ACLs are not configured to allow the traffic.
NACLs are stateless but default to allow all; misconfiguration is possible but less common than missing peering.
- A
VPC peering is not established between the two VPCs.
Without peering, traffic is isolated between VPCs.
- B
The instances are not assigned public IP addresses.
Why wrong: Private IP communication does not require public IPs.
- C
Security groups are blocking ICMP traffic.
Why wrong: Security groups are permissive by default; this could be a cause but is less likely if other traffic also fails.
- D
Network ACLs are not configured to allow the traffic.
Why wrong: NACLs are stateless but default to allow all; misconfiguration is possible but less common than missing peering.
A cloud administrator notices that a virtual machine (VM) is running slowly. The hypervisor shows high CPU ready time for that VM. Which of the following is the most likely cause?
Trap 1: High disk I/O latency on the datastore
High disk I/O latency would manifest as disk-related performance issues, not CPU ready.
Trap 2: Insufficient memory allocated to the VM
Insufficient memory would cause swapping or ballooning, not CPU ready time.
Trap 3: Misconfigured virtual switch
A misconfigured virtual switch would cause network issues, not high CPU ready time.
- A
High disk I/O latency on the datastore
Why wrong: High disk I/O latency would manifest as disk-related performance issues, not CPU ready.
- B
Insufficient memory allocated to the VM
Why wrong: Insufficient memory would cause swapping or ballooning, not CPU ready time.
- C
Overcommitted physical CPU resources on the host
Overcommitted CPU means the VM competes for physical cores, causing high ready time.
- D
Misconfigured virtual switch
Why wrong: A misconfigured virtual switch would cause network issues, not high CPU ready time.
A cloud engineer is troubleshooting a performance issue where a web server cluster experiences high latency during peak hours. The cluster uses an auto-scaling group behind a load balancer. Which THREE steps should the engineer take to identify the root cause?
Trap 1: Reduce the number of instances in the auto-scaling group
Reducing instances would increase load on remaining servers, worsening latency.
Trap 2: Review security group rules for the load balancer
Security groups control access but do not directly cause latency.
- A
Monitor CPU and memory utilization on the web servers
High resource usage can cause slow responses.
- B
Analyze web server access logs for slow requests
Logs can pinpoint which requests are slow and why.
- C
Check the load balancer's backend instance health status
Unhealthy instances can cause failed requests and retries.
- D
Reduce the number of instances in the auto-scaling group
Why wrong: Reducing instances would increase load on remaining servers, worsening latency.
- E
Review security group rules for the load balancer
Why wrong: Security groups control access but do not directly cause latency.
A cloud engineer is troubleshooting an issue where users cannot connect to a web application hosted on a cloud VM. The VM's security group allows HTTP (port 80) from 0.0.0.0/0, and the VM's OS firewall is disabled. The engineer can ping the VM's public IP from the internet. What is the most likely cause of the issue?
Trap 1: OS firewall is blocking port 80
The OS firewall is disabled.
Trap 2: Incorrect routing table on the VM
Ping works, so routing is functional.
Trap 3: Security group rule is applied to the wrong subnet
The security group allows HTTP from anywhere, so it should work.
- A
OS firewall is blocking port 80
Why wrong: The OS firewall is disabled.
- B
Incorrect routing table on the VM
Why wrong: Ping works, so routing is functional.
- C
Security group rule is applied to the wrong subnet
Why wrong: The security group allows HTTP from anywhere, so it should work.
- D
Web server service is not running on the VM
If the web server is not running, it won't respond on port 80, even though the network allows it.
A cloud administrator is troubleshooting a performance issue in a virtualized environment. Which TWO metrics should be monitored to identify CPU contention on the hypervisor?
Trap 1: Swap rate
Swap rate is a memory metric, not a CPU contention metric.
Trap 2: Memory ballooning
Memory ballooning is related to memory overcommitment, not CPU contention.
Trap 3: CPU utilization per core
CPU utilization shows usage but does not directly indicate contention; high utilization can occur without contention.
- A
Swap rate
Why wrong: Swap rate is a memory metric, not a CPU contention metric.
- B
CPU ready time
CPU ready time is a direct indicator of CPU contention, as it measures the time a vCPU is waiting for physical CPU resources.
- C
Memory ballooning
Why wrong: Memory ballooning is related to memory overcommitment, not CPU contention.
- D
CPU utilization per core
Why wrong: CPU utilization shows usage but does not directly indicate contention; high utilization can occur without contention.
- E
CPU co-stopping time
CPU co-stopping time measures the time correlated vCPUs are waiting for each other, indicating contention.