CompTIA Cloud+ CV0-004 (CV0-004) — Questions 226300

499 questions total · 7pages · All types, answers revealed

Page 3

Page 4 of 7

Page 5
226
MCQeasy

A company recently migrated its on-premises backup server to a cloud virtual machine running Windows Server with a dedicated data disk for backups. The backup software is configured to write to a folder on the data disk. After two weeks, the backup jobs start failing with 'disk full' errors. The cloud engineer logs into the VM and verifies that the data disk has 500 GB of total space and the backup folder shows only 300 GB used. However, the operating system reports the disk as 100% full. The engineer also notices that the recycle bin on the data disk appears to be empty. Which of the following is the MOST likely cause of the discrepancy?

A.Shadow copies (Volume Shadow Copies) are consuming space on the data disk
B.The cloud provider has imposed a quota on the disk's storage capacity that is lower than the provisioned size
C.The recycle bin on the data disk contains deleted backup files that are not counted
D.The backup software is compressing data, causing the disk to appear full due to index fragmentation
AnswerA

VSS snapshots can consume disk space without appearing in the backup folder or recycle bin.

Why this answer

Option A is correct: previous backups moved to the system volume shadow copy (VSS) snapshots can consume hidden space. Option B is wrong: VSS and system protection are separate from the recycle bin. Option C is wrong: cloud storage limits affect object storage, not VM disks.

Option D is wrong: compression would reduce used space, not increase it.

227
Drag & Dropmedium

Arrange the steps to configure auto-scaling for a group of virtual machines based on CPU utilization.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First define the template, then the group, then the scaling policy, attach it, and test.

228
MCQeasy

Users are unable to load a web page on a newly deployed web server. The security group for the server allows inbound HTTP from 0.0.0.0/0. The web service is running and listening on port 80. Which of the following is the MOST likely cause?

A.The DNS record for the domain is not yet propagated.
B.The VM's firewall is blocking inbound requests on port 80.
C.The load balancer target group is unhealthy.
D.The web server is listening on the wrong IP address.
AnswerD

A common misconfiguration is binding the web server to 127.0.0.1 or a private IP instead of the public-facing IP, causing external requests to fail.

Why this answer

Option D is correct because if the web server is listening on an IP address other than the one clients are reaching (e.g., 127.0.0.1 or a different private IP), inbound HTTP requests will not be processed even though the security group allows traffic on port 80. This is a common misconfiguration where the server binds to a loopback or incorrect interface, causing it to ignore external packets.

Exam trap

CompTIA often tests the distinction between network-level security groups and OS-level firewall or binding configurations, trapping candidates who assume that allowing inbound traffic in the security group is sufficient for connectivity.

How to eliminate wrong answers

Option A is wrong because DNS propagation affects name resolution, not the ability to load a page via IP address; if the server is reachable by IP, DNS is irrelevant. Option B is wrong because the VM's firewall (e.g., iptables or Windows Firewall) is a separate layer from the cloud security group, and the question states the security group allows HTTP, but the VM's OS-level firewall could still block port 80—however, this is less likely than a binding issue given the server is 'newly deployed' and listening on port 80. Option C is wrong because a load balancer target group being unhealthy would only affect traffic through the load balancer, not direct access to the web server; the question does not mention a load balancer.

229
Multi-Selectmedium

Which THREE of the following are common causes of application performance degradation in a cloud environment? (Choose three.)

Select 3 answers
A.Insufficient number of security groups
B.Network latency and bandwidth limitations
C.Application code that is poorly optimized
D.Resource exhaustion (CPU, memory, disk I/O)
E.Overprovisioned storage
AnswersB, C, D

High latency or low bandwidth can cause delays in data transmission.

Why this answer

Options A, B, and C are correct. Resource exhaustion (CPU, memory, disk I/O) directly impacts performance. Network latency and bandwidth limitations slow down data transfer.

Poorly optimized application code can cause inefficiencies. Option D is wrong because insufficient security groups do not affect performance; they affect traffic flow rules. Option E is wrong because overprovisioned storage means excess capacity, which does not degrade performance; underprovisioned storage would.

230
MCQhard

A company runs an e-commerce platform on a public cloud. The architecture consists of a front-end load balancer, a web server tier, and an RDS database. The web servers are in an auto-scaling group across two availability zones. The database is a single Multi-AZ deployment. After a recent traffic surge, the web servers scaled but the database CPU utilization reached 90%, causing slow page loads. The database is a db.r5.large instance with 16 GB RAM and 2 vCPUs. The company expects double the traffic during the upcoming holiday season. The budget is limited. Which action should the cloud architect take to address the database bottleneck while minimizing cost?

A.Implement a fully managed caching layer, such as ElastiCache, in front of the database
B.Add read replicas of the database and configure the application to use them for read queries; implement auto-scaling for read replicas based on average CPU utilization
C.Separate the database into multiple smaller databases using sharding
D.Upgrade the database to a larger instance type, such as db.r5.2xlarge
AnswerB

Read replicas distribute read traffic, reducing primary CPU load, and auto-scaling ensures cost efficiency.

Why this answer

Option B is correct because adding read replicas offloads read queries from the primary database, reducing CPU utilization. Auto-scaling read replicas based on average CPU utilization ensures cost efficiency by scaling only when needed, which aligns with the limited budget and expected traffic surge. This approach directly addresses the bottleneck without requiring a costly instance upgrade or complex sharding.

Exam trap

CompTIA often tests the misconception that upgrading instance size is the simplest fix, but the trap here is that horizontal scaling with read replicas is more cost-effective and elastic for read-heavy workloads than vertical scaling, especially when budget is limited.

How to eliminate wrong answers

Option A is wrong because a fully managed caching layer like ElastiCache reduces read load but does not address high CPU utilization from write-heavy or complex query workloads; it also adds cost and complexity without directly scaling database compute capacity. Option C is wrong because sharding introduces significant architectural complexity, operational overhead, and potential data consistency issues, which is not justified for a single Multi-AZ RDS instance with a predictable traffic surge; it is overkill for this scenario. Option D is wrong because upgrading to a larger instance type (db.r5.2xlarge) increases cost linearly without guaranteeing optimal resource utilization, and it does not provide the elasticity needed to handle variable traffic spikes cost-effectively.

231
MCQhard

An organization is deploying a multi-tier application in the cloud. The web tier uses auto scaling, and the database tier uses a managed database service. During a load test, the web tier scales up correctly, but the database performance degrades significantly, causing timeout errors. The administrator reviews the database metrics and finds that CPU and memory are normal, but the number of connections is high. Which of the following is the BEST action to resolve the issue?

A.Add read replicas to offload read traffic from the primary database.
B.Increase the maximum number of web servers in the auto scaling group.
C.Increase the compute size of the database instance.
D.Implement connection pooling on the web servers to limit database connections.
AnswerD

Connection pooling reduces the number of simultaneous database connections, improving performance.

Why this answer

The issue is that the database is overwhelmed by a high number of connections, not by CPU or memory pressure. Connection pooling on the web servers reuses a fixed set of database connections, reducing the connection overhead and preventing the database from hitting its maximum connection limit. This directly addresses the symptom of high connection count without changing the database's compute capacity or the web tier's scaling behavior.

Exam trap

The trap here is that candidates confuse high connection count with high CPU/memory load and choose to scale the database vertically (Option C), when the real issue is connection exhaustion that is solved by pooling.

How to eliminate wrong answers

Option A is wrong because read replicas only offload read queries, but the problem is connection count, not read load; the database is likely experiencing connection exhaustion from both reads and writes. Option B is wrong because increasing the maximum number of web servers would increase the number of concurrent database connections, worsening the problem. Option C is wrong because CPU and memory are normal, so increasing compute size does not address the connection limit; the bottleneck is the maximum number of allowed connections, not resource saturation.

232
MCQeasy

A cloud administrator is configuring a Linux VM as a router. The iptables rules are shown. The administrator can SSH into the VM from the network but cannot forward traffic between interfaces. What is the most likely cause?

A.The INPUT chain has a rule dropping invalid packets
B.The INPUT chain is missing a rule to allow forwarded traffic
C.The FORWARD chain's default policy is DROP and no rules allow forwarding
D.The NAT table is misconfigured
AnswerC

With default policy DROP and no FORWARD rules, all forwarded packets are dropped.

Why this answer

The FORWARD chain in iptables controls traffic that passes through the VM (i.e., traffic not destined for the VM itself). If its default policy is DROP and no explicit ACCEPT rules exist for forwarding, the kernel will drop all forwarded packets, preventing the VM from acting as a router. SSH access works because it uses the INPUT chain, which is separate from FORWARD.

Exam trap

The trap here is that candidates confuse the INPUT chain (for local traffic) with the FORWARD chain (for transit traffic), assuming that allowing SSH implies forwarding is also allowed, when in fact they are handled by completely separate chains.

How to eliminate wrong answers

Option A is wrong because the INPUT chain dropping invalid packets affects only traffic destined for the VM itself, not forwarded traffic; SSH connectivity proves INPUT is functional. Option B is wrong because forwarded traffic is governed by the FORWARD chain, not the INPUT chain; the INPUT chain has no role in forwarding decisions. Option D is wrong because the NAT table is used for source/destination NAT (e.g., masquerading) and does not control basic IP forwarding; even with correct NAT, packets will be dropped if the FORWARD chain blocks them.

233
MCQeasy

An organization is migrating a legacy application to a public cloud. The application requires a static IP address that does not change after a VM is stopped. Which of the following should the cloud architect use to meet this requirement?

A.Reserved IP address
B.Elastic IP address
C.Ephemeral IP address
D.Floating IP address
AnswerA

Reserved IPs are static and remain allocated to the account even when the VM is off.

Why this answer

A reserved IP address is a static, persistent public IP that remains assigned to a VM even when the VM is stopped or deallocated. In public cloud platforms like Azure, a reserved IP (or static IP) is explicitly set to not change across VM lifecycle events, meeting the requirement for a fixed address that survives stop/deallocate operations.

Exam trap

CompTIA often tests the distinction between cloud-agnostic terminology and vendor-specific terms (e.g., 'Reserved IP' vs 'Elastic IP'), trapping candidates who pick a correct AWS concept but fail to recognize the generic term required by the exam.

How to eliminate wrong answers

Option B (Elastic IP address) is wrong because Elastic IP is an AWS-specific term for a static public IP that persists across stop/start, but it is not the generic cloud term used in the CV0-004 exam; the question asks for the general concept, and 'Reserved IP' is the correct cross-platform term. Option C (Ephemeral IP address) is wrong because an ephemeral IP is temporary and is released when the VM is stopped or deallocated, directly contradicting the requirement for a static IP. Option D (Floating IP address) is wrong because a floating IP is typically used in OpenStack or on-premises environments for dynamic remapping between instances, not for a persistent static IP that remains attached to a single VM across stop/start cycles.

234
MCQeasy

An organization is migrating its on-premises virtualization environment to a public cloud. The current environment uses VMware vSphere with VM templates. The cloud provider supports importing VMs in OVF format. Which step should the cloud administrator take to prepare the VMs for migration?

A.Take a snapshot of each VM and copy the snapshot files.
B.Export each VM as an OVF template.
C.Convert each VM to an ISO image.
D.Copy the VM's VMDK files and import them as VHDX.
AnswerB

OVF is a standard format for VM import/export.

Why this answer

The cloud provider supports importing VMs in OVF format, which is an open standard for packaging and distributing virtual appliances. Exporting each VM as an OVF template from VMware vSphere creates the necessary .ovf descriptor file and accompanying disk files (e.g., .vmdk) that the provider can directly import. This is the correct preparation step because it produces the exact format required by the target cloud platform.

Exam trap

The trap here is that candidates may confuse 'export as OVF' with other common VMware operations like taking snapshots or copying VMDK files, not realizing that OVF is the specific format required by the cloud provider for direct import.

How to eliminate wrong answers

Option A is wrong because a snapshot captures a point-in-time state of the VM but does not produce a portable, importable format like OVF; snapshot files are tied to the original VM and cannot be directly imported into a cloud provider. Option C is wrong because an ISO image is used for OS installation media or data discs, not for virtual machine disk images; converting a VM to ISO would lose the VM's configuration, snapshots, and file system structure. Option D is wrong because VMDK files are VMware's native disk format, but the provider expects OVF format, not raw VMDK or VHDX; importing VMDK files directly would require additional conversion steps and the provider's import process specifically requires the OVF package.

235
MCQhard

Which deployment strategy minimizes risk by gradually shifting a small percentage of traffic to a new version before full rollout?

A.Canary deployment
B.In-place deployment
C.Rolling deployment
D.Blue-green deployment
AnswerA

Canary releases send a small amount of traffic to the new version to test stability.

Why this answer

A canary deployment minimizes risk by routing a small percentage of traffic (e.g., 5-10%) to the new version while the majority continues to use the stable version. This allows real-world validation of the new version under production load before a full rollout, and if issues are detected, traffic can be instantly redirected back to the old version. The strategy is named after the 'canary in a coal mine' concept, where early detection of problems prevents widespread impact.

Exam trap

CompTIA often tests the distinction between canary and rolling deployments, where candidates mistakenly think rolling deployment also uses a small traffic percentage, but rolling updates instances sequentially without the deliberate traffic-splitting and validation phase that defines a canary.

How to eliminate wrong answers

Option B (In-place deployment) is wrong because it directly replaces the existing version on the same infrastructure without any traffic shifting or gradual rollout, meaning any failure affects all users immediately. Option C (Rolling deployment) is wrong because it gradually replaces instances one by one (or in batches) but does not intentionally isolate a small traffic percentage for validation; it updates all instances over time without a canary's targeted risk assessment. Option D (Blue-green deployment) is wrong because it maintains two identical environments (blue and green) and switches all traffic at once from the old to the new version, which does not involve a gradual traffic shift or small percentage testing.

236
MCQhard

A cloud operations team is troubleshooting a performance issue with a database that is running on a virtual machine. The database is experiencing high latency during peak hours. Metrics show that CPU and memory usage are below 50%, but disk I/O latency spikes. The database is hosted on a cloud provider's virtual machine with premium SSDs. Which of the following is the MOST likely cause of the disk I/O latency?

A.The OS is paging memory to disk due to insufficient RAM.
B.The virtual machine's network bandwidth is saturated.
C.The disk IOPS limit is being exceeded during peak loads.
D.The database application is CPU-bound.
AnswerC

Exceeding provisioned IOPS results in throttling, causing increased latency.

Why this answer

Option B is correct because exceeding provisioned IOPS limits causes throttling and latency. Option A is wrong because CPU and memory are low, indicating no processing bottleneck. Option C is wrong because premium SSDs typically host OS and data, and the problem is I/O.

Option D is wrong because network bandwidth doesn't directly cause disk I/O latency.

237
Drag & Dropmedium

Order the steps to migrate an on-premises database to a cloud-managed database service (e.g., RDS, Cloud SQL).

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Create cloud DB, export on-prem data, upload, import, and update connections.

238
Multi-Selecteasy

Which TWO of the following are benefits of using a content delivery network (CDN) with cloud-hosted applications? (Choose two.)

Select 2 answers
A.Reduces load on the origin server
B.Simplifies application architecture
C.Eliminates the need for HTTPS encryption
D.Reduces latency for end users by caching content at edge locations
E.Lowers overall infrastructure cost
AnswersA, D

CDN serves cached requests, reducing origin traffic.

Why this answer

Options B and E are correct. CDN reduces latency by caching content at edge locations (B) and reduces origin server load (E). Option A is wrong because CDN typically increases complexity, not simplifies.

Option C is wrong: CDN may add cost. Option D is wrong: security is not inherently increased; CDN can provide DDoS protection but is not a built-in benefit.

239
MCQhard

During a security audit, it is discovered that a cloud application can be accessed using a shared service account that has elevated privileges. The audit recommends implementing a just-in-time (JIT) access model. What is the primary benefit of JIT access in this scenario?

A.Automates auditing of third-party access.
B.Allows for easier management of user identities.
C.Reduces the attack surface by minimizing persistent privileged access.
D.Eliminates the need for user authentication.
AnswerC

JIT ensures that elevated permissions are granted only for specific times and tasks, so compromised credentials have limited window of opportunity.

Why this answer

JIT access grants temporary elevated privileges only when needed, reducing the risk of standing privileged access. It enables real-time approval workflows. It does not directly manage identities nor automate audits of third-party access; those are secondary benefits.

240
Multi-Selecthard

A large enterprise is migrating multiple applications to the cloud. They need to ensure compliance with industry regulations and maintain security during the transition. Which THREE best practices should they follow?

Select 3 answers
A.Use a single cloud provider for simplicity
B.Disable logging to reduce data exposure
C.Encrypt data in transit and at rest
D.Conduct vulnerability assessments on migrated applications
E.Implement identity and access management (IAM)
AnswersC, D, E

Encryption protects data from unauthorized access.

Why this answer

Encrypting data in transit (using TLS 1.2/1.3) and at rest (using AES-256) is a fundamental security best practice for cloud migrations. It ensures that sensitive data remains protected from interception or unauthorized access during the transfer and while stored in cloud services like S3 or EBS, directly supporting compliance with regulations such as GDPR, HIPAA, or PCI DSS.

Exam trap

CompTIA often tests the misconception that simplifying the migration by using a single provider or reducing logging is a valid security strategy, when in fact these actions undermine compliance and visibility.

241
MCQmedium

A cloud architect is designing a multi-tier application that must be resilient to the failure of an entire availability zone. Which of the following strategies BEST meets this requirement?

A.Place all instances behind a single load balancer in one zone
B.Implement auto-scaling within the same availability zone
C.Use larger instance types to handle more load
D.Deploy application instances across three availability zones with a load balancer
AnswerD

Multi-AZ deployment ensures continued operation if one zone fails.

Why this answer

Option D is correct because deploying across multiple availability zones provides high availability. Option A is wrong because vertical scaling does not address zone failure. Option B is wrong because auto-scaling within a single zone does not help if the zone fails.

Option C is wrong because a single load balancer in one zone is a single point of failure.

242
MCQeasy

A company recently migrated its on-premises e-commerce application to a public cloud using lift-and-shift. After the migration, users report that the application is slower than before. The application consists of a web server, an application server, and a database server, all deployed on separate virtual machines. The cloud architecture uses the same instance sizes as the on-premises servers. The cloud administrator notices that the database server's disk I/O latency is higher than expected. What is the most likely cause of the performance degradation?

A.The database server is using standard HDD storage instead of SSD.
B.The cloud provider's network has high latency.
C.The application server is not load-balanced.
D.The web server has too many vCPUs allocated.
AnswerA

HDD has higher latency, impacting database performance.

Why this answer

The database server's disk I/O latency is higher than expected because the lift-and-shift migration likely retained the same storage type as on-premises, but the cloud environment's standard HDD (hard disk drive) storage has significantly lower IOPS and higher latency compared to SSD (solid-state drive) storage. In a public cloud, standard HDD is optimized for sequential workloads and infrequent access, not for the random I/O patterns typical of a database server, causing performance degradation. The administrator should have provisioned SSD-backed storage (e.g., AWS gp3 or Azure Premium SSD) for the database VM to match or exceed on-premises performance.

Exam trap

CompTIA often tests the misconception that 'cloud performance is always better' or that network latency is the default culprit, but the trap here is that disk storage tiering (HDD vs. SSD) is a common oversight in lift-and-shift migrations, and candidates may incorrectly blame network or compute resources instead of the storage layer.

How to eliminate wrong answers

Option B is wrong because high network latency would affect all tiers (web, app, database) and manifest as general slowness, not specifically as high disk I/O latency on the database server; the question isolates the database's disk I/O as the symptom. Option C is wrong because the absence of load balancing on the application server would cause uneven traffic distribution and potential overload, not directly increase disk I/O latency on the database server. Option D is wrong because allocating too many vCPUs to the web server would not cause higher disk I/O latency on a separate database server; it might waste resources or cause CPU contention, but disk I/O is a storage-layer issue independent of web server vCPU count.

243
MCQmedium

A company has a cloud-based application that uses an auto-scaling group across multiple Availability Zones (AZs). The application experiences periodic spikes in traffic. The auto-scaling policy uses a step scaling policy based on CPU utilization. The operations team notices that during a traffic spike, new instances are launched but take over five minutes to become healthy and begin serving traffic. During this time, existing instances are overloaded and some requests fail. The team wants to reduce the time it takes for new instances to handle traffic. Which action would be most effective?

A.Increase the instance type to a larger size so each instance can handle more traffic.
B.Use a pre-warmed, customized AMI with the application pre-installed and caches preloaded.
C.Reduce the cooldown period in the scaling policy to launch instances faster.
D.Move all instances to a single AZ to avoid cross-AZ latency.
AnswerB

A pre-warmed AMI reduces startup time by eliminating installation and cache warming steps.

Why this answer

Using a pre-warmed AMI with the application stack already configured and caching enabled significantly reduces the time required for an instance to become healthy because it avoids the need to install dependencies and warm caches on each startup.

244
MCQmedium

A cloud administrator runs the command shown in the exhibit on a storage node in a hyper-converged cluster. The node is experiencing intermittent I/O errors and degraded performance. Based on the SMART data, what is the most likely cause of the issue?

A.The storage network is experiencing high latency.
B.The filesystem is corrupted and requires a repair.
C.The disk has developed bad sectors and is likely failing.
D.A RAID array is rebuilding, causing performance degradation.
AnswerC

The elevated reallocated and pending sector counts indicate physical disk degradation.

Why this answer

The SMART data from the storage node shows attributes such as Reallocated_Sector_Count, Current_Pending_Sector, and Offline_Uncorrectable with non-zero values, which are definitive indicators of physical bad sectors on the disk. These bad sectors cause intermittent I/O errors and degraded performance because the disk must retry reads/writes or remap sectors, increasing latency. Option C is correct because this pattern directly points to a failing disk, not a network, filesystem, or RAID issue.

Exam trap

The trap here is that candidates confuse SMART disk failure indicators with filesystem corruption or network issues, because intermittent I/O errors can superficially resemble symptoms of a corrupt filesystem or a flapping network link, but the SMART data provides direct hardware-level evidence that eliminates those possibilities.

How to eliminate wrong answers

Option A is wrong because high storage network latency would manifest as consistent packet loss or jitter across all nodes, not as SMART attributes indicating physical disk errors; the command shown is a SMART query, not a network diagnostic. Option B is wrong because filesystem corruption typically produces errors like 'structure needs cleaning' or 'input/output error' on specific files, not the SMART counters for reallocated or pending sectors, which are hardware-level indicators. Option D is wrong because a RAID array rebuilding would show a degraded or rebuilding state in the RAID controller status (e.g., mdadm or megaraid output), not in SMART data, and performance would be consistently slow during rebuild, not intermittent.

245
MCQhard

An organization has a hybrid cloud environment with resources in both a private cloud and a public cloud. The operations team reports that the cloud management platform cannot collect monitoring data from the public cloud instances. The security team recently updated firewall rules. Which of the following is the MOST likely cause?

A.The load balancer in front of the management platform is misconfigured
B.The public cloud instances cannot reach the management platform's IP address due to firewall changes
C.The SNMP community string was modified on the instances
D.The management platform's NAT IP address was changed
AnswerB

Firewall updates may have blocked outbound traffic from instances to the management platform.

Why this answer

The security team's recent firewall rule update is the most likely cause because the cloud management platform typically uses specific ports and protocols (e.g., HTTPS on TCP 443, SSH on TCP 22, or WinRM on TCP 5985/5986) to collect monitoring data from public cloud instances. If the firewall rules block outbound traffic from the public cloud instances to the management platform's IP address, or block inbound traffic from those instances at the platform's side, the data collection will fail. This directly aligns with the reported symptom of the management platform being unable to collect monitoring data after a firewall change.

Exam trap

CompTIA often tests the candidate's ability to correlate a specific operational change (firewall rule update) with the most direct impact on network connectivity for monitoring, rather than distracting with unrelated configuration changes like SNMP strings or load balancer settings.

How to eliminate wrong answers

Option A is wrong because a misconfigured load balancer in front of the management platform would affect all traffic to the platform, not just monitoring data from public cloud instances, and the issue is specifically tied to the recent firewall rule update. Option C is wrong because while SNMP community string changes could disrupt monitoring, the question explicitly states the security team updated firewall rules, not SNMP configurations, and SNMP is not the only monitoring protocol used in hybrid cloud environments. Option D is wrong because changing the management platform's NAT IP address would require corresponding updates in routing and firewall rules; if this had occurred, the operations team would likely have reported a broader connectivity failure, not just a monitoring data collection issue, and the firewall rule update is the more immediate and likely cause.

246
MCQeasy

A cloud engineer notices that a virtual machine running a critical application is experiencing high CPU usage. The engineer needs to resolve the issue without affecting other VMs on the same host. Which of the following actions should the engineer take first?

A.Restart the VM to clear the high CPU usage.
B.Increase the CPU allocation for the VM.
C.Migrate the VM to another host in the cluster.
D.Add another VM to the same host to distribute load.
AnswerC

Live migration moves the VM to a less loaded host, resolving the issue without downtime.

Why this answer

Migrating the VM to another host in the cluster (option C) is the correct first action because it immediately offloads the CPU pressure from the current host without impacting the VM's operation or other VMs. This leverages VMware vMotion or Microsoft Hyper-V Live Migration to move the running VM to a less-utilized host, isolating the performance issue while preserving uptime and avoiding resource contention.

Exam trap

CompTIA often tests the misconception that increasing a VM's resource allocation is the first troubleshooting step, when in fact it can cause resource starvation for other VMs; the correct first action is to migrate the VM to balance the load.

How to eliminate wrong answers

Option A is wrong because restarting the VM would cause application downtime and does not address the root cause of high CPU usage; it only temporarily clears the process queue. Option B is wrong because increasing the CPU allocation for the VM on the same host could starve other VMs of CPU resources, violating the requirement to not affect other VMs. Option D is wrong because adding another VM to the same host would increase overall CPU contention, worsening the problem for all VMs on that host.

247
MCQeasy

A cloud administrator is designing a multi-tier application. The database tier must not be directly accessible from the internet, but the web tier must be able to connect to it. Which of the following should the administrator implement?

A.Implement an application load balancer in front of the database.
B.Place the database servers in a public subnet and restrict the security group.
C.Use a VPN connection for the web tier to access the database.
D.Place the database servers in a private subnet and configure the security group to allow inbound traffic from the web tier's security group.
AnswerD

This isolates the database from the internet and allows only the web tier to connect.

Why this answer

Option D is correct because placing the database servers in a private subnet ensures they have no direct internet route, meeting the security requirement. By configuring the security group to allow inbound traffic only from the web tier's security group, you enable the web tier to connect to the database while blocking all other traffic, including from the internet. This leverages AWS security group referencing (or similar cloud provider feature) to create a trusted, internal communication path.

Exam trap

The trap here is that candidates often confuse 'restricting the security group' with 'placing in a private subnet,' failing to realize that a public subnet inherently provides internet accessibility regardless of security group rules, which only filter traffic but do not remove the public route.

How to eliminate wrong answers

Option A is wrong because an application load balancer is designed to distribute traffic to web or application servers, not to provide secure database access; placing a load balancer in front of the database would expose it to the internet and add unnecessary complexity without preventing direct internet access. Option B is wrong because placing the database servers in a public subnet, even with a restrictive security group, still exposes them to potential internet-based attacks and violates the requirement that the database must not be directly accessible from the internet. Option C is wrong because a VPN connection is typically used for site-to-site or remote user access, not for internal web-to-database communication within the same cloud environment; it would add latency and overhead without addressing the core need for private subnet isolation.

248
Multi-Selecthard

A company is migrating on-premises workloads to the cloud. They need to ensure high availability for a stateless web application across two availability zones. Which THREE components should be configured to meet this requirement?

Select 3 answers
A.An auto scaling group spanning both availability zones
B.A load balancer in front of the web tier
C.A read replica database in a different AZ
D.A single large EC2 instance to handle all traffic
E.Multiple subnets, each in a different availability zone
AnswersA, B, E

Correct; auto scaling maintains instance count across AZs.

Why this answer

An auto scaling group spanning both availability zones (Option A) ensures that the stateless web application can automatically replace failed instances and maintain the desired capacity across multiple AZs, which is essential for high availability. By distributing instances across AZs, the application can tolerate an entire AZ failure without losing all compute capacity.

Exam trap

The trap here is that candidates often confuse database-level high availability (like read replicas or Multi-AZ RDS) with application-tier high availability, leading them to select a database option (C) when the question explicitly targets the stateless web tier.

249
MCQmedium

An organization's cloud environment has a policy that all administrative access must be logged and recorded. Which of the following is the best method to enforce this policy?

A.Require multifactor authentication.
B.Use a bastion host with session recording.
C.Implement a VPN connection for all administrators.
D.Configure syslog forwarding for all devices.
AnswerB

A bastion host can log and record all administrative actions.

Why this answer

Option C is correct because a bastion host can be configured to record all administrative sessions, providing both logging and recording. Option A enforces authentication but not session recording. Option B secures the connection but does not record.

Option D provides logging of events but not full session recording.

250
MCQmedium

A cloud engineer deployed the infrastructure shown. The load balancer's health checks are failing for the EC2 instance. Which of the following is the MOST likely cause?

A.The web server is not running HTTP.
B.The health check endpoint /health does not exist on the web server.
C.The EC2 instance is in the wrong subnet.
D.The security group does not allow traffic from the load balancer.
AnswerB

The user_data script does not create a /health page; it only installs httpd.

Why this answer

Option A is correct because the health check path '/health' is not created by the user_data script, which only installs httpd and starts it, but does not create the health check endpoint. Option B is wrong because the security group is attached. Option C is wrong because the subnet is specified.

Option D is wrong because the user_data script starts httpd.

251
MCQhard

A company is migrating a legacy application that requires static public IP addresses for licensing. The cloud provider assigns public IPs dynamically by default. Which solution should the administrator recommend while minimizing cost?

A.Use a NAT gateway with a static IP.
B.Assign elastic IP addresses (or static public IPs) to the instances.
C.Use static private IPs.
D.Use a VPN connection.
AnswerB

Elastic IPs are static public IPs that can be associated with instances at no cost while in use.

Why this answer

Option B is correct because Elastic IP addresses (or static public IPs) provide persistent public IPv4 addresses that can be associated with instances, meeting the licensing requirement for static public IPs. This is the most cost-effective solution as it only incurs charges for allocated but unused Elastic IPs, whereas other options introduce additional infrastructure costs or fail to address the requirement.

Exam trap

The trap here is that candidates may choose a NAT gateway (Option A) thinking it provides a static public IP for the instance, but a NAT gateway only translates outbound traffic and does not assign a public IP to the instance for inbound licensing checks, while also incurring higher costs.

How to eliminate wrong answers

Option A is wrong because a NAT gateway with a static IP provides outbound internet access but does not assign a static public IP directly to the instance for inbound licensing validation; it also incurs hourly and data processing costs, increasing expenses unnecessarily. Option C is wrong because static private IPs are not publicly routable and cannot satisfy the licensing requirement for static public IP addresses. Option D is wrong because a VPN connection creates an encrypted tunnel to a remote network but does not provide a static public IP address for the instance; it adds complexity and cost without meeting the core requirement.

252
MCQhard

A company is deploying a containerized microservices architecture on Azure Kubernetes Service (AKS). The security team requires that all container images are scanned for vulnerabilities before deployment. Which deployment approach should the DevOps team implement to ensure only approved images are used?

A.Store all images in a private registry without any scanning.
B.Use Docker Content Trust to sign images and verify signatures during deployment.
C.Enable Azure Container Registry tasks for automatic vulnerability scanning and enforce with Azure Policy.
D.Deploy an admission controller that checks image signatures only.
AnswerC

ACR tasks scan images and Azure Policy can deny non-compliant deployments.

Why this answer

Option C is correct because Azure Container Registry (ACR) Tasks can automatically scan images for vulnerabilities using Microsoft Defender for Cloud, and Azure Policy can enforce that only images from approved registries or with passing scan results are deployed to AKS. This ensures that all container images are scanned before deployment and that only compliant images are used, meeting the security team's requirement.

Exam trap

The trap here is that candidates often confuse image signing (e.g., Docker Content Trust or Notary) with vulnerability scanning, assuming that signing alone ensures security, but signing only verifies image origin and integrity, not the presence of vulnerabilities.

How to eliminate wrong answers

Option A is wrong because storing images in a private registry without scanning does not enforce vulnerability scanning or approval, leaving the system exposed to known vulnerabilities. Option B is wrong because Docker Content Trust only signs images and verifies signatures during deployment, but it does not perform vulnerability scanning; it ensures image integrity and provenance, not security compliance. Option D is wrong because an admission controller that checks image signatures only verifies cryptographic signatures, not vulnerability scan results, so it does not ensure images are free of vulnerabilities.

253
MCQmedium

A mid-sized company is migrating its on-premises applications to a public cloud. The security team has implemented a cloud access security broker (CASB) to monitor and enforce policies for sensitive data. The company uses a multi-cloud environment with both AWS and Azure. After deployment, the security team receives alerts that a developer accidentally exposed a set of credentials in a public GitHub repository. The credentials were associated with a service account that has read-write access to an AWS S3 bucket containing customer PII (personally identifiable information). The team immediately revokes the credentials and rotates the access keys. The security team wants to prevent such incidents in the future and ensure that any exposed credentials are promptly detected without relying solely on manual GitHub scans. The company also wants to maintain a least-privilege model for all cloud resources. Given this scenario, which of the following actions should the security team take FIRST to reduce the risk of credential exposure and improve detection?

A.Implement a periodic secret scanning tool that runs every 24 hours and reports any found credentials to the security team.
B.Configure the CASB to integrate with the GitHub API to continuously scan for exposed secrets and automatically trigger alerts.
C.Disable all public repositories and require all code to be stored in private repositories with strict branch protection rules.
D.Require all developers to use a password manager to store secrets and set up a process to manually review GitHub commits.
AnswerB

CASB can monitor SaaS applications like GitHub for policy violations, including exposed credentials, and provide real-time alerts.

Why this answer

Option B is correct because a CASB is designed to integrate with cloud services like GitHub via APIs to provide continuous monitoring and policy enforcement. By configuring the CASB to scan GitHub repositories in real-time, the security team can detect exposed credentials immediately upon commit, rather than relying on periodic scans or manual reviews. This aligns with the requirement for prompt detection without manual intervention and leverages the existing CASB investment for multi-cloud environments.

Exam trap

CompTIA often tests the distinction between periodic and continuous detection mechanisms, where candidates may choose a periodic scanning tool (Option A) because it seems simpler, but the question explicitly requires prompt detection without relying solely on manual scans, making real-time CASB integration the correct first action.

How to eliminate wrong answers

Option A is wrong because a periodic secret scanning tool that runs every 24 hours introduces a detection delay, which contradicts the requirement for prompt detection of exposed credentials; real-time detection is needed to minimize the window of exposure. Option C is wrong because disabling all public repositories and requiring private repositories with branch protection rules reduces the attack surface but does not address the detection of already-exposed credentials or prevent accidental commits of secrets to private repositories; it also ignores the need for continuous monitoring. Option D is wrong because requiring developers to use a password manager and manually review commits is a procedural control that lacks automation and scalability, failing to meet the requirement for prompt detection without relying solely on manual scans.

254
Multi-Selecteasy

Which TWO of the following are effective methods to protect data in transit within a cloud environment? Select two.

Select 2 answers
A.Object-level ACLs
B.Server-side encryption with AES-256
C.Data masking
D.VPN overlay networks
E.TLS/SSL encryption
AnswersD, E

VPNs encrypt traffic between endpoints or networks.

Why this answer

Options A and B are correct because TLS and VPN encrypt data during transmission. The other options are for data at rest or data masking.

255
MCQmedium

A security team wants to implement host-based intrusion detection on their virtual machines in a public cloud. Which approach provides the most effective detection while minimizing performance impact?

A.Install an antivirus agent on each VM.
B.Enable network traffic logging at the hypervisor level.
C.Enable VPC flow logs and analyze them.
D.Use a cloud-native security service that deploys an agent to monitor system logs and file integrity.
AnswerD

These services are purpose-built for host-based intrusion detection and are optimized for cloud environments.

Why this answer

Option B is correct because cloud-native security services with agents are optimized for host-based detection with minimal overhead.

256
MCQhard

A cloud architect manages a hybrid cloud environment where on-premises workloads are being migrated to a public cloud provider. The company uses a cloud-native container orchestration platform (e.g., Amazon EKS) for microservices. Recently, a critical application experienced intermittent connectivity failures between microservices during peak hours. The architect observes that the Kubernetes cluster uses a Calico network plugin with BGP peering to on-premises routers. The cluster nodes are spread across three Availability Zones, and the application pods communicate across zones. The architect also notes that the BGP session between the cluster and on-premises routers uses a single physical interface per node, and the on-premises routers have equal-cost multipath (ECMP) configured for the cluster node IPs. During peak hours, the on-premises routers experience high CPU utilization, and some BGP flaps occur. Which of the following is the MOST effective solution to improve connectivity reliability?

A.Reduce the number of ECMP paths on the on-premises routers to lower CPU utilization.
B.Increase the number of ECMP paths to improve traffic distribution.
C.Add a second physical interface on each cluster node and peer with multiple on-premises routers.
D.Replace BGP with static routes between the cluster and on-premises network.
AnswerC

This provides redundancy and reduces load per BGP session, minimizing flaps and improving reliability.

Why this answer

Option C is correct because adding a second physical interface per node enables redundant BGP peering with multiple on-premises routers, eliminating the single point of failure. This reduces BGP flap impact during peak hours by distributing control-plane load and providing failover paths, directly addressing the high CPU utilization and intermittent connectivity caused by ECMP instability.

Exam trap

The trap here is that candidates assume ECMP tuning (reducing or increasing paths) is the fix, but the root cause is the single physical interface creating a control-plane bottleneck and flap vulnerability, not the number of ECMP paths.

How to eliminate wrong answers

Option A is wrong because reducing ECMP paths would concentrate traffic onto fewer links, increasing per-path load and potentially worsening CPU utilization on the on-premises routers, not solving the BGP flap issue. Option B is wrong because increasing ECMP paths would add more next-hop entries to the routing table, further raising CPU utilization on the on-premises routers and exacerbating BGP flaps during peak hours. Option D is wrong because replacing BGP with static routes removes dynamic failover and route advertisement, making the hybrid environment brittle and unable to adapt to node or link failures, which would degrade connectivity reliability.

257
MCQhard

An administrator deployed a new web application using an auto-scaling group. Users report that the application becomes slow after a few hours. The administrator examines the scaling policy and notices that the CPU utilization threshold is set to 80% for scale-out and 20% for scale-in. What is the most likely issue?

A.The scale-in threshold is too low, causing instances to be terminated prematurely
B.The load balancer is misconfigured
C.The application has a memory leak
D.The scale-out threshold is too high, causing delayed scaling
AnswerD

At 80% CPU, scaling out only occurs after significant load, delaying additional capacity.

Why this answer

Option B is correct because a scale-out threshold of 80% delays the addition of new instances, causing performance degradation. Option A is wrong because a 20% scale-in threshold is low, but not the primary cause of slowness. Option C is wrong because the symptoms point to scaling configuration rather than a memory leak.

Option D is wrong because load balancer misconfiguration would likely cause direct failures, not gradual slowdown.

258
MCQeasy

An organization is deploying a new application using Infrastructure as Code (IaC) with Terraform. The development team needs to ensure that the same configuration is applied consistently across development, staging, and production environments. What is the best practice for managing these Terraform configurations?

A.Hardcode environment-specific values within the main configuration file.
B.Manually update the configuration for each environment before deployment.
C.Use a single Terraform configuration with different variable files for each environment.
D.Maintain separate Terraform workspaces or directories for each environment.
AnswerD

Best practice for isolation and consistency.

Why this answer

Option D is correct because using separate Terraform workspaces or directories for each environment enforces isolation of state files and configuration, preventing accidental cross-environment changes. This approach aligns with Infrastructure as Code best practices by allowing environment-specific variables and resources while maintaining a single source of truth for the core configuration.

Exam trap

The trap here is that candidates confuse using variable files (Option C) with proper environment isolation, not realizing that Terraform workspaces or separate directories are required to manage distinct state files and prevent cross-environment interference.

How to eliminate wrong answers

Option A is wrong because hardcoding environment-specific values within the main configuration file violates the principle of configuration drift and makes the code non-reusable across environments. Option B is wrong because manually updating the configuration for each environment before deployment introduces human error and defeats the purpose of IaC automation. Option C is wrong because using a single Terraform configuration with different variable files for each environment still shares the same state file, risking state corruption and making it impossible to manage environments independently.

259
MCQeasy

A company uses a multi-cloud strategy with workloads on AWS and Azure. An application running on an Amazon EC2 instance in a VPC uses an Azure SQL Database as its backend via a site-to-site VPN. Recently, users reported intermittent timeouts when accessing the application. The EC2 instance passes health checks, and the VPN tunnel status shows as 'UP' from both sides. The application logs show 'Cannot open server 'azuresql.database.windows.net' requested by the login. The login failed.' Which of the following is the MOST likely cause of the issue?

A.The EC2 instance has exhausted its CPU credits, causing the application to become unresponsive.
B.The Azure SQL Database firewall does not allow traffic from the EC2 instance's IP address or the VPN gateway's IP.
C.The VPN tunnel is not properly routing traffic to Azure, causing intermittent connectivity.
D.The EC2 instance does not have sufficient IAM permissions to connect to Azure SQL Database.
AnswerB

Azure SQL has a firewall that must explicitly permit the source IP. The error 'login failed' often indicates the IP is blocked. The admin should add the VPN gateway's public IP to the allowed list.

Why this answer

The error message 'Cannot open server 'azuresql.database.windows.net' requested by the login. The login failed.' indicates that the Azure SQL Database server rejected the connection attempt. Since the VPN tunnel is 'UP' and the EC2 instance passes health checks, the most likely cause is that the Azure SQL Database firewall rules do not include the source IP address of the traffic coming from the EC2 instance — either the EC2 instance's private IP (if traffic is routed through the VPN) or the public IP of the VPN gateway.

Azure SQL Database uses server-level firewall rules to allow client IP addresses, and without an explicit rule, all connections are blocked.

Exam trap

The trap here is that candidates see a VPN tunnel status of 'UP' and assume connectivity is fully functional, overlooking that Azure SQL Database has its own separate firewall layer that must explicitly permit the source IP address of the connecting client.

How to eliminate wrong answers

Option A is wrong because CPU credit exhaustion would cause performance degradation or throttling, not a specific login failure error from Azure SQL Database; the application logs clearly show a database authentication error, not a timeout or resource exhaustion. Option C is wrong because the VPN tunnel status is 'UP' from both sides, and the error is a login failure from the database server, not a routing or connectivity issue; if routing were broken, the application would likely see a network timeout or unreachable host error, not a specific SQL login failure. Option D is wrong because IAM permissions are an AWS construct used for AWS services (e.g., S3, DynamoDB) and have no bearing on authenticating to an Azure SQL Database; Azure SQL uses SQL authentication or Azure AD authentication, not AWS IAM.

260
Multi-Selectmedium

A cloud administrator is troubleshooting a failed backup job that was supposed to back up a database to a cloud storage bucket. The job fails with an access denied error. Which two likely causes should the administrator investigate? (Choose two.)

Select 2 answers
A.The database is offline during backup
B.The IAM role assigned to the backup service lacks write permissions to the bucket
C.The backup schedule is misconfigured
D.The storage bucket has been deleted
E.The backup software version is incompatible
AnswersB, D

Insufficient permissions directly cause access denied errors.

Why this answer

Correct options are B and C. Option B is likely because missing IAM permissions cause access denied. Option C is likely because a deleted bucket would also produce an access denied error.

Option A is wrong because version incompatibility would cause a different error. Option D is wrong because an offline database would cause a connection error, not access denied. Option E is wrong because schedule misconfiguration would prevent the job from running, not cause access denied.

261
Multi-Selectmedium

A cloud administrator is troubleshooting a connectivity issue between two VPCs in the same region. Which TWO actions should the administrator verify? (Choose two.)

Select 2 answers
A.VPC peering connection status
B.Route table entries
C.Security group rules
D.VPN tunnel configuration
E.Internet gateway attachment
AnswersA, B

The peering connection must be active.

Why this answer

Options A and C are correct because route tables must have routes to the peering connection, and the VPC peering connection must be in the 'active' state. Option B is wrong because security groups don't block traffic between peered VPCs unless explicitly configured, but they are not the primary check. Option D is wrong because an internet gateway is not required for VPC peering.

Option E is wrong because VPN tunnel is a different connectivity method.

262
MCQhard

A company is migrating a legacy monolithic application to a microservices architecture on the cloud. The application has tight coupling and shared database schemas. Which migration strategy should the company adopt to reduce risk and enable iterative migration?

A.Re-platform to a managed service and rewrite later
B.Use the strangler fig pattern to gradually replace components
C.Containerize the monolithic application and run it on a cluster
D.Lift and shift the entire application, then refactor in-place
AnswerB

Allows iterative migration with risk reduction.

Why this answer

The strangler fig pattern is the correct migration strategy because it allows the company to incrementally replace specific functionalities of the legacy monolithic application with new microservices, reducing risk by keeping the existing system operational during the transition. This approach directly addresses the tight coupling and shared database schema issues by enabling gradual decomposition without requiring a complete rewrite or a risky big-bang migration.

Exam trap

The trap here is that candidates often confuse the strangler fig pattern with containerization or lift-and-shift, mistakenly believing that simply moving the monolith to containers or a managed service constitutes a migration strategy, when in fact those approaches do not break the tight coupling or enable iterative decomposition.

How to eliminate wrong answers

Option A is wrong because re-platforming to a managed service and rewriting later does not address the tight coupling and shared database schema issues; it merely shifts the monolithic application to a different hosting environment without breaking dependencies, and the deferred rewrite introduces significant technical debt and risk. Option C is wrong because containerizing the monolithic application and running it on a cluster (e.g., Kubernetes) preserves the tight coupling and shared database schema, offering no architectural decomposition and failing to enable iterative migration to microservices. Option D is wrong because lift and shift followed by in-place refactoring is a high-risk, big-bang approach that attempts to refactor the entire monolith at once, which is prone to extended downtime and regression issues, and does not support the iterative, low-risk migration required.

263
MCQhard

A company is migrating a legacy application to a public cloud. The application requires a static IP address for licensing. The security team insists on encrypting all traffic between the application and the database. Which of the following should the cloud architect implement?

A.Create a VPN connection between the application and database subnets.
B.Assign an elastic IP and use NAT.
C.Use TLS certificates on the web server.
D.Deploy a site-to-site VPN from the cloud to the on-premises data center.
AnswerA

A VPN encrypts traffic between the two subnets, and a static IP can be assigned to the application.

Why this answer

Option A is correct because creating a VPN connection between the application and database subnets establishes an encrypted tunnel (using IPsec or TLS-based VPN protocols) that ensures all traffic between the two subnets is encrypted, meeting the security team's requirement. Additionally, the application's need for a static IP address can be satisfied by assigning a static private IP to the application instance within its subnet, while the VPN provides secure communication without exposing traffic to the public internet.

Exam trap

The trap here is that candidates may confuse encrypting traffic between application and database with encrypting external web traffic (TLS) or assume that a site-to-site VPN is needed, but the key is that both components are in the cloud and the encryption must cover internal subnet-to-subnet communication, not just internet-facing connections.

How to eliminate wrong answers

Option B is wrong because assigning an elastic IP and using NAT only provides a static public IP address for outbound internet access and does not encrypt traffic between the application and database; NAT translates IP addresses but does not provide encryption. Option C is wrong because TLS certificates on the web server only encrypt traffic between clients and the web server (typically HTTPS), not the internal traffic between the application and the database, which is a different communication path. Option D is wrong because a site-to-site VPN connects the cloud VPC to an on-premises data center, but the question specifies that the application and database are both in the public cloud, so this would not encrypt traffic between them within the same cloud environment.

264
Multi-Selecthard

Which THREE are common causes of network latency in a cloud environment? (Choose three.)

Select 3 answers
A.Firewall rule misconfiguration
B.DNS resolution delays
C.Jumbo frame misconfiguration
D.High bandwidth utilization
E.Packet loss
AnswersA, C, E

Misconfigured firewall rules can cause dropped packets or added inspection delay.

Why this answer

Options A, B, and E are correct. Jumbo frame misconfiguration (A) causes fragmentation or mismatch, leading to latency. Packet loss (B) triggers retransmission delays.

Firewall rule misconfiguration (E) can cause additional processing or drops. Option C (high bandwidth utilization) typically causes congestion only if capacity is exceeded, but not always latency. Option D (DNS resolution delays) affects initial connections but not ongoing latency.

265
MCQhard

A cloud operations team is investigating why a batch processing job that runs nightly in a cloud environment has been failing intermittently. The job processes data from an external API and writes results to a database. The error logs show "Connection timed out" when calling the external API. However, manual calls from the same cloud environment succeed. What is the most likely cause?

A.The external API rate limit has been exceeded.
B.The database connection pool is exhausted.
C.The batch job's service account has been disabled.
D.The cloud firewall is blocking outbound traffic during the batch window.
AnswerA

Correct. Rate limiting causes intermittent timeouts when batch calls exceed the allowed threshold, while manual calls succeed.

Why this answer

Intermittent timeouts during batch execution suggest the external API is rate-limiting the high volume of automated calls, while manual calls succeed because they are infrequent.

266
MCQeasy

A cloud administrator needs to design a storage solution that provides block-level access for a database server and must be highly durable. Which storage type should be used?

A.File storage
B.Block storage
C.Archive storage
D.Object storage
AnswerB

Block storage provides raw volumes that databases can use and is durable.

Why this answer

Block storage is the correct choice because it provides raw, low-latency block-level access that database servers require for high-performance read/write operations. It also supports features like RAID, snapshots, and replication to achieve high durability, making it ideal for transactional databases.

Exam trap

CompTIA often tests the misconception that object storage can serve as a high-performance block store, but candidates must remember that object storage lacks the low-latency, block-level access and filesystem semantics required for transactional databases.

How to eliminate wrong answers

Option A is wrong because file storage uses a hierarchical file system with network protocols like NFS or SMB, which introduces overhead and is not optimized for the low-latency, block-level I/O patterns of a database server. Option C is wrong because archive storage is designed for long-term retention of infrequently accessed data, with high latency and no block-level access, making it unsuitable for active database workloads. Option D is wrong because object storage uses a flat namespace with HTTP-based APIs (e.g., S3) and is optimized for unstructured data, not for the block-level, random read/write operations required by databases.

267
MCQhard

A company is migrating its on-premises application to a public cloud. The application requires low-latency access to a legacy database that cannot be moved to the cloud. The cloud deployment must use a hybrid architecture. Which network connectivity solution should the cloud architect recommend to minimize latency and provide secure, reliable communication?

A.Use a dedicated private connection via a cloud provider's direct connect service.
B.Route traffic through the public internet with encryption.
C.Deploy a CloudFront distribution to cache database queries.
D.Establish a site-to-site VPN over the internet.
AnswerA

Dedicated connections offer consistent performance and security.

Why this answer

A dedicated private connection via a cloud provider's direct connect service (e.g., AWS Direct Connect, Azure ExpressRoute, or Google Cloud Interconnect) establishes a private, physical link between the on-premises data center and the cloud VPC. This bypasses the public internet entirely, providing consistent low-latency performance, higher bandwidth, and a more reliable connection for hybrid architectures where the legacy database remains on-premises.

Exam trap

CompTIA often tests the misconception that a site-to-site VPN is sufficient for low-latency hybrid connectivity, but the trap here is that VPNs over the internet cannot guarantee consistent latency or bandwidth, whereas a dedicated private connection provides a Service Level Agreement (SLA) for performance and reliability.

How to eliminate wrong answers

Option B is wrong because routing traffic through the public internet with encryption (e.g., HTTPS or IPsec) introduces variable latency, potential packet loss, and security risks from exposure to internet-based threats, making it unsuitable for low-latency requirements. Option C is wrong because CloudFront (or any CDN) is a content delivery service for caching static or dynamic web content at edge locations; it cannot cache database queries or provide a network path to an on-premises database, and it adds unnecessary complexity without addressing the hybrid connectivity need. Option D is wrong because a site-to-site VPN over the internet, while encrypted and secure, relies on the public internet's best-effort routing, which introduces jitter and higher latency compared to a dedicated private connection, failing the low-latency requirement.

268
MCQmedium

A company is designing a disaster recovery (DR) plan for a critical application hosted in a public cloud. The application requires a recovery time objective (RTO) of 1 hour and a recovery point objective (RPO) of 15 minutes. Which of the following DR strategies BEST meets these requirements?

A.Backup and restore with daily backups.
B.Cold standby with nightly backups.
C.Pilot light with hourly snapshots.
D.Warm standby with continuous data replication.
AnswerD

Warm standby with continuous replication meets both RTO and RPO targets.

Why this answer

Warm standby with continuous data replication meets the RTO of 1 hour and RPO of 15 minutes because it maintains a partially scaled-down replica of the production environment that can be quickly scaled up, and continuous replication (e.g., using asynchronous replication or Change Block Tracking) ensures data loss is limited to seconds or minutes, well within the 15-minute RPO.

Exam trap

CompTIA often tests the distinction between 'pilot light' and 'warm standby' — the trap here is that candidates confuse hourly snapshots (pilot light) with continuous replication, failing to recognize that hourly snapshots cannot achieve a 15-minute RPO.

How to eliminate wrong answers

Option A is wrong because daily backups provide an RPO of up to 24 hours, far exceeding the required 15 minutes, and the restore process would take much longer than 1 hour, failing the RTO. Option B is wrong because cold standby involves no pre-provisioned resources, requiring manual provisioning and configuration that typically takes hours, exceeding the 1-hour RTO, and nightly backups provide an RPO of up to 24 hours. Option C is wrong because pilot light with hourly snapshots provides an RPO of up to 1 hour, which exceeds the 15-minute requirement, and the snapshots are not continuous, so data loss could be significant.

269
Drag & Dropmedium

Arrange the steps to configure a VPN connection between an on-premises network and a cloud VPC.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Start with cloud-side gateway, on-premises gateway representation, configure on-prem device, create connection, then routing.

270
MCQeasy

A cloud user is unable to connect to a web server VM from the internet after a security group rule was modified. The VM is running and can be pinged from other VMs in the same subnet. What is the most likely cause?

A.The VM's local firewall is blocking the traffic.
B.The VM's routing table is missing a default gateway.
C.The inbound rule for HTTP/HTTPS was removed or misconfigured.
D.The VM's DNS settings are incorrect.
AnswerC

Security groups control inbound traffic; missing rule blocks internet access.

Why this answer

Option A is correct because the security group rule likely blocks inbound HTTP/HTTPS traffic. Option B is incorrect because DNS resolution affects hostnames, not connectivity. Option C is incorrect because routing between VMs works.

Option D is incorrect because a firewall on the OS would affect all traffic, not just internet.

271
MCQhard

An e-commerce company is deploying a disaster recovery solution across two cloud regions. The primary region runs the production workload. The recovery region should have a fully provisioned environment that can take over immediately in case of a failure. Which deployment strategy BEST meets this requirement while minimizing costs?

A.Backup and restore to the recovery region upon failure
B.Multi-site active-active with load balancers
C.Pilot light with minimal resources running in recovery
D.Warm standby in the recovery region
AnswerD

Warm standby has a fully provisioned but potentially smaller environment that can be scaled up quickly for failover.

Why this answer

Warm standby is the correct strategy because it maintains a fully provisioned, scaled-down copy of the production environment in the recovery region that can be activated immediately upon failover. This meets the requirement for immediate takeover while minimizing costs by running only the essential resources (e.g., a minimal number of compute instances, a standby database) instead of a full active-active deployment.

Exam trap

The trap here is confusing 'pilot light' with 'warm standby'—pilot light has minimal core services running but requires manual scaling and provisioning of the full stack, whereas warm standby has a fully provisioned (though scaled-down) environment ready to take over instantly.

How to eliminate wrong answers

Option A is wrong because backup and restore requires time to provision and boot resources from backups, which cannot achieve immediate takeover. Option B is wrong because multi-site active-active runs full production capacity in both regions simultaneously, which maximizes costs and is not minimal. Option C is wrong because pilot light runs only core services (e.g., database replicas) and requires manual provisioning of the full application stack upon failover, delaying recovery.

272
MCQmedium

A financial services company is deploying a PCI-DSS compliant workload in a public cloud. The deployment must include a web application (port 443) and a database (port 3306). The security requirements mandate that the web application is internet-facing, but the database must be in a private subnet with no direct internet access. The cloud administrator creates two VPCs: one for the web tier and one for the database tier. The web tier is deployed in VPC-A with a public subnet and an internet gateway. The database tier is deployed in VPC-B with a private subnet and a NAT gateway for outbound updates. The administrator configures VPC peering between VPC-A and VPC-B, and updates route tables accordingly. The web application can connect to the database, but the database cannot initiate outbound connections to the internet for updates. What is the most likely issue?

A.The database security group does not allow outbound traffic to the internet
B.The route table in VPC-B does not have a default route to the NAT gateway
C.The VPC peering connection does not support DNS resolution between VPCs
D.The NAT gateway in VPC-B cannot be used for internet access through a VPC peering connection
AnswerD

NAT gateways do not support traffic through VPC peering; each VPC needs its own NAT gateway.

Why this answer

The NAT gateway in VPC-B cannot be used for internet access through a VPC peering connection because VPC peering does not support transitive routing. When the database in VPC-B tries to reach the internet via the NAT gateway, traffic must go through the VPC peering connection to VPC-A and then to the internet gateway, but VPC peering does not allow a route that forwards traffic from one VPC to another VPC's internet gateway. The database's outbound traffic to the internet is effectively blocked because the NAT gateway's default route (0.0.0.0/0) points to the internet gateway in VPC-B, but the database's traffic must first traverse the peering connection, which is not a valid path for internet-bound traffic in this architecture.

Exam trap

The trap here is that candidates assume a NAT gateway in the same VPC as the database can provide internet access through a VPC peering connection, but they overlook the non-transitive nature of VPC peering, which prevents routing traffic from a peered VPC to an internet gateway or NAT gateway in the other VPC.

How to eliminate wrong answers

Option A is wrong because the database security group's outbound rules are not the issue; security groups are stateful, so if the database initiates outbound traffic, the return traffic is automatically allowed, but the problem is that the database cannot reach the internet at all due to routing limitations. Option B is wrong because the route table in VPC-B likely does have a default route to the NAT gateway (as stated in the scenario), but even with that route, the database cannot use the NAT gateway for internet access because the NAT gateway resides in VPC-B and cannot route traffic through a VPC peering connection to another VPC's internet gateway. Option C is wrong because DNS resolution between VPCs is not relevant to the database's inability to initiate outbound internet connections; the issue is about network routing and internet access, not DNS.

273
Multi-Selectmedium

A company is experiencing intermittent connectivity issues between its on-premises data center and a public cloud environment over a VPN connection. Which TWO of the following should the administrator check to troubleshoot the problem?

Select 2 answers
A.Verify that the internet bandwidth is sufficient.
B.Validate the route tables on both sides of the VPN.
C.Ensure the cloud storage performance is adequate.
D.Check the DNS resolution of cloud endpoints.
E.Review the VPN logs and monitor packet loss.
AnswersB, E

Incorrect routes can cause traffic to be dropped or misrouted.

Why this answer

Route tables control the path that traffic takes between networks. If the route tables on either the on-premises VPN device or the cloud virtual network gateway do not have the correct entries (e.g., missing routes for the remote subnet or incorrect next-hop IPs), traffic can be dropped or misdirected, causing intermittent connectivity. Validating these routes ensures that packets destined for the cloud or on-premises are properly forwarded over the VPN tunnel.

Exam trap

CompTIA often tests the misconception that intermittent VPN issues are always bandwidth-related, but the real culprit is usually routing misconfiguration or tunnel instability, which is why route validation and log/packet-loss analysis are the correct pair.

274
MCQeasy

A cloud administrator notices that a virtual machine is unresponsive. The VM is running on a hypervisor host that shows high CPU utilization. What should the administrator do first?

A.Reboot the hypervisor host
B.Increase the VM's vCPU count
C.Migrate the VM to another host
D.Check the VM console for OS-level issues
AnswerD

Checking the console allows direct assessment of the VM's OS state, such as a hung process or login prompt.

Why this answer

Option C is correct because the first step in troubleshooting an unresponsive VM is to check the VM console for OS-level issues. Option A is wrong because migrating the VM might be premature without diagnosing the root cause. Option B is wrong because increasing vCPU could exacerbate resource contention if the host is overloaded.

Option D is wrong because rebooting the host would affect all VMs and should be a last resort.

275
MCQeasy

A cloud administrator is tasked with reducing costs for a development environment that runs 24/7. The environment consists of several virtual machines and a load balancer. Which action would most effectively reduce costs without affecting developer access during business hours?

A.Implement auto-scaling to run only one instance during off-hours.
B.Schedule the VMs to shut down during nights and weekends.
C.Use reserved instances for all VMs.
D.Change all VMs to burstable instance types.
AnswerB

Correct. Shutting down VMs eliminates compute costs during idle periods, directly reducing expenses.

Why this answer

Scheduling VMs to shut down during nights and weekends stops compute charges while not impacting developers who only work during business hours.

276
MCQhard

A company runs a containerized application on a Kubernetes cluster. The application logs indicate occasional 'CrashLoopBackOff' errors. The developer says the application works fine locally. What is the most likely cause in the cloud environment?

A.The readiness probe is misconfigured and returning false.
B.The memory limit set in the pod spec is too low, causing the container to be OOMKilled.
C.The container image is not being pulled correctly from the registry.
D.The persistent volume claim is not bound to a storage class.
AnswerB

OOMKill causes container to restart, resulting in CrashLoopBackOff.

Why this answer

The 'CrashLoopBackOff' error indicates that the container is repeatedly crashing after startup. Since the application works locally, the issue is likely environmental. A memory limit set too low in the pod spec causes the container to exceed its allowed memory, triggering an OOMKill (Out of Memory Kill) by the kubelet.

The container restarts, fails again, and enters CrashLoopBackOff, which is a common cloud-specific resource constraint not present in local development.

Exam trap

CompTIA often tests the distinction between pod statuses: candidates confuse 'CrashLoopBackOff' (container crashes after starting) with 'ImagePullBackOff' (image pull failure) or 'Pending' (resource unavailability), so they incorrectly attribute the error to image or volume issues rather than resource limits.

How to eliminate wrong answers

Option A is wrong because a misconfigured readiness probe returning false would cause the pod to be marked as not ready and removed from service endpoints, but it would not cause the container to crash or enter CrashLoopBackOff; the container would continue running. Option C is wrong because if the container image were not being pulled correctly, the pod would show an 'ImagePullBackOff' or 'ErrImagePull' status, not 'CrashLoopBackOff'. Option D is wrong because an unbound persistent volume claim would cause the pod to remain in 'Pending' state, not crash after starting; the container would never run to begin with.

277
MCQhard

A cloud administrator is trying to attach an EBS volume to an EC2 instance for a database migration. The attachment fails with the error shown in the exhibit. The volume contains critical data. Which of the following is the MOST appropriate action to take?

A.Create a new volume and copy the data from the existing volume.
B.Terminate instance 'i-0123ijkl' to release the volume.
C.Force-detach the volume from the other instance.
D.Detach the volume from instance 'i-0123ijkl' first, then attach to the new instance.
AnswerD

Properly detaching ensures data integrity.

Why this answer

The error indicates the EBS volume is already attached to another EC2 instance (i-0123ijkl). An EBS volume can only be attached to one instance at a time in a standard attachment. The correct procedure is to first detach the volume from instance i-0123ijkl, then attach it to the target instance.

This preserves the critical data without risk of corruption or data loss.

Exam trap

CompTIA often tests the misconception that force-detach is the quickest fix, but the trap here is that force-detach can corrupt a database volume with critical data, whereas a proper detach is the safest and most appropriate action.

How to eliminate wrong answers

Option A is wrong because creating a new volume and copying data is unnecessary and time-consuming; the existing volume is intact and can be reattached. Option B is wrong because terminating instance i-0123ijkl would destroy the instance and potentially cause data loss if the volume is not first detached; it is an extreme and destructive action. Option C is wrong because force-detaching the volume can cause data corruption or filesystem inconsistency, especially for a database volume that may have pending writes; it should only be used as a last resort when the instance is unresponsive.

278
MCQmedium

A cloud administrator receives an alert that the CPU utilization on a production web server has exceeded 90% for the past hour. The administrator checks the metrics and sees that the request rate has increased. Which of the following is the MOST appropriate action to resolve the issue in the short term?

A.Increase the memory allocation for the virtual machine.
B.Implement rate limiting to reduce incoming requests.
C.Increase the number of vCPUs or add additional instances behind a load balancer.
D.Optimize the application code to reduce CPU usage.
AnswerC

Scaling up or out quickly addresses the increased load.

Why this answer

Option A is correct because adding more compute resources allows the server to handle the increased load. Option B is wrong because increasing memory may not help CPU-bound issues. Option C is wrong because optimizing code is a long-term solution.

Option D is wrong because throttling requests degrades user experience.

279
Multi-Selecthard

Which THREE of the following are valid methods to automate the deployment of cloud resources?

Select 3 answers
A.Employing configuration management tools to enforce desired state
B.Using snapshots to clone instances
C.Using infrastructure as code templates
D.Implementing orchestration tools that chain API calls
E.Writing scripts that use cloud provider CLI commands
AnswersA, C, D

Configuration management automates server configuration.

Why this answer

Option A is correct because configuration management tools like Ansible, Puppet, or Chef enforce a desired state on cloud resources. They continuously ensure that the system configuration matches the defined state, automatically correcting any drift. This is a valid method for automating deployment and maintenance of cloud resources.

Exam trap

The trap here is that candidates may confuse basic scripting (Option E) with dedicated automation methods, or think snapshot cloning (Option B) is a form of automation, when in fact the exam expects recognition of configuration management, IaC, and orchestration as the three primary valid methods for automating cloud resource deployment.

280
MCQmedium

Refer to the exhibit. A cloud load balancer is returning 502 Bad Gateway errors to clients. What is the most likely cause?

A.The load balancer's SSL certificate is invalid.
B.The security group allows inbound traffic from the load balancer.
C.The DNS record points to the wrong IP.
D.The backend web servers are not responding correctly.
AnswerD

502 errors and health check failures indicate the backend servers are not serving correctly.

Why this answer

A 502 Bad Gateway error indicates that the load balancer (acting as a proxy or gateway) received an invalid or no response from the upstream backend web servers. This typically occurs when the backend servers are overloaded, have crashed, or are misconfigured (e.g., incorrect health check path, application pool failure). The load balancer successfully forwards the request but fails to get a valid HTTP response, triggering the 502 error.

Exam trap

CompTIA often tests the distinction between HTTP status codes (502 vs. 504 vs. 503) and their root causes, trapping candidates who confuse a backend response failure (502) with a timeout (504) or an overload condition (503).

How to eliminate wrong answers

Option A is wrong because an invalid SSL certificate on the load balancer would cause SSL/TLS handshake failures (e.g., 525 or 526 errors in Cloudflare, or certificate warnings), not a 502 Bad Gateway, which is a proxy-level error unrelated to certificate validity. Option B is wrong because allowing inbound traffic from the load balancer in the security group is actually a correct configuration; if it were blocked, the load balancer would receive connection timeouts or 504 errors, not 502 errors. Option C is wrong because a DNS record pointing to the wrong IP would cause clients to reach an incorrect server or no server at all, resulting in connection failures or 404 errors, not a 502 Bad Gateway from the load balancer.

281
MCQmedium

A cloud engineer is tasked with setting up a disaster recovery (DR) plan for a critical application that runs on virtual machines in a private cloud. The DR site is a public cloud. The application requires low recovery time objective (RTO) of less than 15 minutes and recovery point objective (RPO) of less than 5 minutes. Which of the following replication strategies BEST meets these requirements?

A.Replicate virtual machine images to the DR site daily.
B.Use synchronous replication to keep data identical.
C.Configure agent-based backup to the DR site every 5 minutes.
D.Use continuous asynchronous replication to the DR site.
AnswerD

Continuous replication provides near-real-time RPO (seconds to minutes) and if VMs are pre-configured, can achieve RTO under 15 minutes.

Why this answer

Option B is correct because continuous asynchronous replication can achieve low RPO (under 5 minutes) and low RTO (under 15 minutes) if VMs can be quickly started from the replicated data. Option A is wrong because daily replication cannot achieve RPO < 5 minutes. Option C is wrong because synchronous replication may introduce latency and is typically used for high consistency, but RTO may be higher if recovery involves starting VMs; also, it can affect primary performance.

Option D is wrong because backup every 5 minutes may meet RPO but RTO would be higher due to restoration time from backup.

282
MCQmedium

A cloud engineer is designing a disaster recovery plan for a critical application. The application requires a Recovery Time Objective (RTO) of 15 minutes and a Recovery Point Objective (RPO) of 1 hour. Which replication strategy should be used?

A.Asynchronous replication with snapshots every 30 minutes.
B.Daily backups stored in a different region.
C.No replication; rely on infrastructure rebuild.
D.Synchronous replication between two regions.
AnswerA

Snapshots every 30 minutes meet RPO of 1 hour; RTO achieved by failover.

Why this answer

Asynchronous replication with snapshots every 30 minutes meets the RPO of 1 hour because data loss is limited to at most 30 minutes of changes, which is within the 1-hour window. The RTO of 15 minutes is achievable because the replicated data is readily available in the secondary region, allowing for rapid failover without the delay of restoring from backups.

Exam trap

CompTIA often tests the misconception that synchronous replication is always the best choice for disaster recovery, but the trap here is that synchronous replication over long distances introduces unacceptable latency, making it unsuitable for applications with strict performance requirements, while asynchronous replication with appropriate snapshot intervals can meet moderate RPO/RTO goals without performance degradation.

How to eliminate wrong answers

Option B is wrong because daily backups stored in a different region cannot meet the RPO of 1 hour (data loss could be up to 24 hours) or the RTO of 15 minutes (restoring from backups typically takes hours). Option C is wrong because relying on infrastructure rebuild would result in an RTO far exceeding 15 minutes and an RPO of potentially all data since the last backup, failing both objectives. Option D is wrong because synchronous replication between two regions introduces significant latency that can degrade application performance, and while it provides an RPO of near zero, it is overkill for a 1-hour RPO and may not be feasible over long distances due to network constraints.

283
MCQeasy

A cloud security team needs to ensure that all API calls made to the cloud provider are logged and monitored for suspicious activity. Which service should be enabled?

A.Deploy a web application firewall (WAF).
B.Configure an intrusion detection system (IDS) on the network.
C.Enable cloud audit logging for the management console and API calls.
D.Implement a security information and event management (SIEM) system.
AnswerC

Audit logs capture every API call for compliance and monitoring.

Why this answer

Option A is correct because a cloud audit log (e.g., AWS CloudTrail, Azure Monitor) records all API calls. Option B is wrong because WAF inspects web traffic, not API calls. Option C is wrong because SIEM is a separate system that ingests logs.

Option D is wrong because IDS/IPS focuses on network traffic, not API-level actions.

284
MCQmedium

An organization is using a hybrid cloud model with an on-premises data center connected to a public cloud via a dedicated Direct Connect circuit. Users on the corporate network report that access to cloud resources is intermittently failing. The cloud administrator pings the cloud gateway and sees packet loss. The on-premises network team confirms no issues on their side. The administrator reviews the cloud provider's status page and finds no outages. What should the administrator do next?

A.Submit a support ticket to the cloud provider
B.Reboot the on-premises router
C.Check the bandwidth utilization on the Direct Connect circuit
D.Failover to a backup VPN connection
AnswerC

High utilization can cause packet loss and intermittent failures.

Why this answer

Option C is correct because intermittent packet loss and no provider outage suggest bandwidth saturation on the Direct Connect circuit. Option A is wrong because failing over to a VPN may not address the root cause and could mask it. Option B is wrong because rebooting the on-premises router is disruptive and doesn't troubleshoot bandwidth.

Option D is wrong because a support ticket is unlikely to help if the provider has no issues and the circuit is simply congested.

285
MCQmedium

A company uses a cloud-based logging service to aggregate logs from multiple servers. Suddenly, the logging service stops receiving logs from several servers. The administrator checks the logging agent status on those servers and finds that the agents are running but not sending data. The network connectivity between the servers and the logging service is verified as working. Which of the following is the MOST likely cause?

A.The logging service has reached its storage quota.
B.The logging endpoint configuration on the agents is incorrect.
C.The logging agent is out of memory.
D.A firewall is blocking the outbound traffic from the servers.
AnswerB

Wrong endpoint will cause logs to be sent to an invalid destination.

Why this answer

The logging agents are running but not sending data, and network connectivity is verified as working. This points to a configuration issue where the agents are pointing to an incorrect logging endpoint (e.g., wrong URL, port, or API key). Even if the service is healthy, misconfigured agents will fail to transmit logs, which matches the symptom of agents running but idle.

Exam trap

The trap here is that candidates assume a running agent implies correct configuration, but agents can run idle if they cannot reach or authenticate to the configured endpoint, even when network connectivity is fine.

How to eliminate wrong answers

Option A is wrong because if the logging service had reached its storage quota, the service would typically reject new logs or return an error, but the agents would still attempt to send data (and likely log the rejection). Option C is wrong because an out-of-memory agent would likely crash, hang, or produce errors, not remain in a running state without sending data. Option D is wrong because network connectivity between the servers and the logging service is verified as working, which directly rules out a firewall blocking outbound traffic.

286
Multi-Selecthard

Which THREE of the following are best practices when deploying a cloud application using Infrastructure as Code (IaC)? (Choose three.)

Select 3 answers
A.Store IaC templates in a version control system.
B.Break down complex deployments into reusable modules.
C.Embed credentials directly in the IaC templates.
D.Manually modify resources after deployment to tune performance.
E.Use immutable infrastructure patterns where possible.
AnswersA, B, E

Version control enables collaboration and rollback.

Why this answer

Storing IaC templates in a version control system (e.g., Git) is a best practice because it enables change tracking, rollback, collaboration, and auditability. This aligns with GitOps principles, where the version control repository serves as the single source of truth for infrastructure state, ensuring all changes are reviewed and recorded.

Exam trap

CompTIA often tests the distinction between mutable and immutable infrastructure, and the trap here is that candidates may think manual tuning (Option D) is acceptable for performance optimization, but it violates the core IaC principle of idempotent, automated deployments.

287
MCQmedium

A cloud engineer deploys the Kubernetes manifest shown in the exhibit. After deployment, the frontend pods are in CrashLoopBackOff state. The engineer checks the logs and finds 'OOMKilled' errors. Which of the following changes would resolve the issue?

A.Increase the memory limit to 1Gi.
B.Increase the number of replicas to 5.
C.Reduce the CPU limit to 250m.
D.Change the service type to ClusterIP.
AnswerA

Increasing memory limit allows the container to use more memory without being killed.

Why this answer

The 'OOMKilled' error indicates the container's memory usage exceeded its configured limit, causing the kernel's Out-Of-Memory (OOM) killer to terminate the process. Increasing the memory limit to 1Gi provides the container with more memory headroom, preventing the OOM kill and allowing the pod to run without crashing.

Exam trap

CompTIA often tests the distinction between resource limits (memory vs. CPU) and scaling strategies, trapping candidates who confuse horizontal scaling (replicas) with vertical scaling (resource limits).

How to eliminate wrong answers

Option B is wrong because increasing the number of replicas does not address the per-pod memory exhaustion; it only distributes traffic across more pods, each still subject to the same insufficient memory limit. Option C is wrong because reducing the CPU limit does not affect memory allocation; OOM kills are triggered by memory, not CPU, and lowering CPU could cause throttling but not resolve the memory shortage. Option D is wrong because changing the service type to ClusterIP only alters network exposure (internal vs. external) and has no impact on container resource limits or OOM behavior.

288
MCQmedium

During a disaster recovery test, a cloud administrator discovers that the standby database in a different region is not synchronized with the primary. The primary database uses asynchronous replication. What is the MOST likely reason for the sync failure?

A.License expiration on the standby database
B.Network latency causing replication lag
C.Firewall rules blocking port 3306 between regions
D.Incorrect replication configuration using a read replica instead of a standby
AnswerB

Asynchronous replication allows lag; high latency can increase lag, causing data not to be current.

Why this answer

Option C is correct because asynchronous replication can have lag; if the primary fails before sync, data may be lost. Option A is wrong because DR test is not about licensing. Option B is wrong because replication configurations are typically cross-region.

Option D is wrong because a firewall blocking port 3306 would prevent any replication, not just async lag.

289
MCQhard

A company operates a multi-tier web application on AWS. The web tier runs on EC2 instances behind an Application Load Balancer. The application tier runs on EC2 instances that connect to an RDS MySQL database. Recently, users have reported slow page load times. The cloud administrator investigates and finds the following: CPU utilization on web and app tier instances is below 50%, memory usage is normal, but the RDS instance's CPU utilization is consistently above 80% and the number of database connections is at the maximum. The administrator also notices that the application code opens a new database connection for each HTTP request and does not close them properly. Which action should the administrator take to resolve the performance issue?

A.Scale the RDS instance vertically to a larger instance class.
B.Implement a connection pooling mechanism in the application tier.
C.Increase the timeout for idle database connections.
D.Increase the maximum number of database connections on RDS.
AnswerB

Reduces the number of concurrent connections and reuses them, lowering CPU load.

Why this answer

The performance issue is caused by the application opening a new database connection for each HTTP request and not closing them properly, which exhausts the maximum connections on RDS. Implementing a connection pooling mechanism in the application tier reuses existing connections, reduces connection overhead, and prevents connection exhaustion without requiring a larger instance or increasing the connection limit. This directly addresses the root cause—inefficient connection management—rather than treating symptoms like high CPU or connection limits.

Exam trap

CompTIA often tests the misconception that scaling resources (vertical scaling or increasing limits) is the primary fix for performance issues, when the real problem is inefficient resource usage like connection leaks that require architectural changes such as connection pooling.

How to eliminate wrong answers

Option A is wrong because vertically scaling the RDS instance would increase CPU and memory capacity but does not fix the underlying connection leak; the application would still exhaust connections, leading to the same bottleneck. Option C is wrong because increasing the timeout for idle database connections would keep more connections open longer, exacerbating the connection exhaustion problem rather than resolving it. Option D is wrong because increasing the maximum number of database connections on RDS would allow more concurrent connections but does not address the application's failure to close connections, leading to eventual resource exhaustion and potential instability.

290
MCQeasy

A cloud administrator needs to ensure that application logs are retained for three years to comply with regulatory requirements. Which of the following is the MOST cost-effective solution?

A.Configure log rotation so only the last 30 days of logs are kept in the instance
B.Store all logs in block storage for three years
C.Use a lifecycle policy to transition logs to archive storage after 90 days and delete after three years
D.Compress old logs manually and store them in a separate volume
AnswerC

Lifecycle policies automate tiering to cost-effective storage.

Why this answer

Option B is correct because setting a lifecycle policy to transition logs to cold storage after a period and then delete after three years reduces cost. Option A is wrong because storing all logs in hot storage for three years is expensive. Option C is wrong because preventing log rotation would not help with cost and may cause storage issues.

Option D is wrong because compressing old logs manually is less efficient than automated lifecycle.

291
Multi-Selecteasy

A cloud administrator is investigating why a virtual machine is running slowly. The administrator checks the hypervisor performance metrics. Which TWO of the following metrics indicate CPU contention? (Choose TWO.)

Select 2 answers
A.High CPU ready time
B.High disk queue depth
C.High CPU co-stop time
D.High memory ballooning
E.High CPU usage percentage
AnswersA, C

CPU ready time directly measures wait time due to contention.

Why this answer

CPU ready time and co-stop time are both indicators of CPU contention. Ready time is time a VM is ready to run but waiting for CPU, co-stop time is time a VM is stopped because another vCPU in the same VM is contending. Option A (CPU usage percentage) is normal utilization, not contention.

Option D (Memory ballooning) is memory-related. Option E (Disk latency) is storage-related.

292
Matchingmedium

Match each cloud deployment model to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Shared infrastructure over the internet

Dedicated to a single organization

Combination of public and private

Shared by several organizations with common concerns

Why these pairings

Deployment models define ownership and access scope.

293
MCQmedium

A company uses a cloud load balancer to distribute traffic to a group of web servers. After a recent update, some users report being redirected to a maintenance page when the application is actually available. What is the most likely cause?

A.The load balancer health check is misconfigured and marking healthy instances as unhealthy.
B.The load balancer's SSL certificate has expired.
C.The DNS record for the load balancer has a short TTL.
D.The web servers are not configured with the same security group.
AnswerA

A misconfigured health check can cause the load balancer to stop sending traffic to healthy instances, redirecting users to a maintenance page.

Why this answer

The most likely cause is that the load balancer's health check is misconfigured, causing it to incorrectly mark healthy web servers as unhealthy. When all instances are marked unhealthy, the load balancer has no available targets and may route traffic to a fallback maintenance page or return an error. This explains why users see a maintenance page despite the application being available.

Exam trap

CompTIA often tests the distinction between health check misconfiguration and other common issues like SSL or DNS, so candidates may mistakenly choose an expired SSL certificate because they associate 'maintenance page' with security errors, but the correct cause is the load balancer's health check marking healthy instances as unhealthy.

How to eliminate wrong answers

Option B is wrong because an expired SSL certificate would cause TLS handshake errors (e.g., certificate warnings or connection failures), not a redirect to a maintenance page. Option C is wrong because a short TTL on the DNS record affects how quickly DNS changes propagate, but it does not cause the load balancer to redirect traffic to a maintenance page. Option D is wrong because mismatched security groups would block traffic at the network level, resulting in timeouts or connection refused errors, not a maintenance page redirect.

294
MCQhard

An organization is adopting Infrastructure as Code (IaC) for their cloud deployments. They need to ensure that the configuration files are version-controlled and changes are audited. Which combination of tools should they use?

A.Puppet and Jenkins
B.Terraform and Ansible
C.Terraform and Git
D.CloudFormation and Chef
AnswerC

Terraform for IaC, Git for version control and audit.

Why this answer

Option C is correct because Git provides version control and audit trails for Infrastructure as Code (IaC) configuration files, while Terraform is the IaC tool that manages cloud resources declaratively. Together, they satisfy the requirement for version-controlled, auditable configuration files, as Git tracks every change with commit history and Terraform's state files can be stored in Git for change tracking.

Exam trap

CompTIA often tests the distinction between Infrastructure as Code tools (like Terraform) and configuration management tools (like Ansible, Puppet, Chef), and the trap here is that candidates confuse configuration management with version control, assuming tools like Ansible or Puppet provide audit trails when they do not.

How to eliminate wrong answers

Option A is wrong because Puppet is a configuration management tool, not a version control system, and Jenkins is a CI/CD automation server; neither directly provides version control or audit trails for IaC configuration files. Option B is wrong because while Terraform is an IaC tool, Ansible is a configuration management tool that does not inherently provide version control; the combination lacks a dedicated version control system like Git. Option D is wrong because CloudFormation is an IaC tool for AWS, but Chef is a configuration management tool, not a version control system; this pair does not include a tool for version control or auditing.

295
MCQhard

A company is using AWS CloudFormation to deploy a multi-tier application. The stack includes an Auto Scaling group and an Application Load Balancer. The operations team reports that deployments are failing because the new instances are not passing health checks. Which CloudFormation template attribute should be modified to ensure that the stack update rolls back automatically if the health check fails?

A.Add an UpdatePolicy attribute to the Auto Scaling group.
B.Use a CreationPolicy attribute on the Auto Scaling group with a timeout and signal count.
C.Modify the DeletionPolicy attribute of the instances.
D.Set the DependsOn attribute to ensure the load balancer is created first.
AnswerB

CreationPolicy ensures instances are healthy before marking resource as created.

Why this answer

Option B is correct because the CreationPolicy attribute on an Auto Scaling group, when combined with a timeout and a signal count, instructs CloudFormation to wait for a specified number of success signals from the new instances before considering the resource creation complete. If the signals are not received within the timeout (e.g., because the instances fail health checks and never report as healthy), CloudFormation treats the creation as failed and automatically rolls back the stack update. This directly addresses the requirement to roll back on health check failure.

Exam trap

CompTIA often tests the distinction between CreationPolicy (which waits for signals before marking resource creation as complete) and UpdatePolicy (which manages rolling updates but does not inherently enforce health check-based rollbacks), leading candidates to incorrectly choose UpdatePolicy when the question specifically asks for rollback on health check failure.

How to eliminate wrong answers

Option A is wrong because the UpdatePolicy attribute on an Auto Scaling group controls rolling update behavior (e.g., batch size, pause time) but does not inherently trigger a rollback based on health check failures; it relies on the CreationPolicy or a separate health check configuration. Option C is wrong because the DeletionPolicy attribute determines what happens to resources when a stack is deleted (e.g., retain, snapshot), not how creation or update failures are handled. Option D is wrong because the DependsOn attribute only ensures resource creation order (e.g., load balancer before Auto Scaling group) but does not affect rollback behavior on health check failures.

296
Multi-Selectmedium

A cloud administrator is planning a migration of on-premises workloads to a public cloud. Which THREE factors should the administrator consider to ensure minimal downtime? (Choose three.)

Select 3 answers
A.Application compatibility
B.Data compression
C.Network bandwidth
D.Transfer time window
E.Cost of data transfer
AnswersA, C, D

Ensuring the application runs in the cloud avoids rollbacks and extended downtime.

Why this answer

Options A, C, and E are correct. Network bandwidth (A) affects transfer speed. Application compatibility (C) determines if the migration will succeed without issues.

Transfer time window (E) is the scheduled period for migration to minimize business impact. Option B (data compression) can help but is not essential for minimal downtime. Option D (cost) is important but does not directly affect downtime.

297
MCQhard

During a security audit, an organization discovers their cloud-based database is accessible from any public IP address due to a firewall rule allowing 0.0.0.0/0 on port 3306 (MySQL). The database must remain accessible to remote developers working from home. What is the most effective remediation?

A.Remove the firewall rule entirely and rely on database IAM authentication.
B.Enable encryption in transit using TLS and keep the rule as is.
C.Change the firewall rule to allow only specific known developer IP ranges.
D.Move the database to a private subnet without a NAT gateway.
AnswerC

This minimizes attack surface while preserving access.

Why this answer

Option C is correct because restricting to specific trusted IP ranges reduces exposure while maintaining remote access.

298
MCQeasy

A cloud administrator is troubleshooting a performance issue where a web application experiences intermittent slowdowns. The application is deployed on a public cloud IaaS with auto-scaling. What should the administrator check first?

A.Verify load balancer configuration
B.Check CPU utilization of all instances
C.Analyze database query performance
D.Review network latency between tiers
AnswerA

Load balancer misconfiguration can cause intermittent failures.

Why this answer

Option D is correct because a misconfigured load balancer can cause uneven traffic distribution, leading to intermittent slowdowns. Option A is wrong because CPU utilization spikes might be a symptom, not the root cause, and auto-scaling should handle it. Option B is wrong because network latency is less likely to be intermittent.

Option C is wrong because database queries are a deeper layer to investigate after network and application tiers.

299
MCQmedium

Refer to the exhibit. A cloud engineer is troubleshooting network connectivity to a server with IP 10.0.0.5. The server is on the same subnet. Based on the iptables rules shown, what is the most likely cause of the connectivity failure?

A.The FORWARD chain policy drops all traffic
B.The OUTPUT chain rejects all traffic to the server
C.The DROP rule in INPUT has zero packet count, so it is not effective
D.The INPUT chain drops all traffic destined to the 10.0.0.0/8 network
AnswerD

Correct; the DROP rule in INPUT blocks traffic to 10.0.0.0/8.

Why this answer

Option D is correct because the INPUT chain has a rule that drops all traffic destined to the 10.0.0.0/8 network, which includes the target server at 10.0.0.5. Since the server is on the same subnet, traffic to it must traverse the INPUT chain on the local system, and this DROP rule will match and discard packets before any other rule can accept them. The rule's position and destination match make it the most direct cause of the connectivity failure.

Exam trap

The trap here is that candidates often overlook the INPUT chain's destination match and assume the FORWARD chain is responsible for same-subnet traffic, or they misinterpret a zero packet count as an inactive rule, when in fact the rule is simply waiting for matching traffic.

How to eliminate wrong answers

Option A is wrong because the FORWARD chain only applies to traffic being routed through the system, not to traffic destined for the local system itself; since the server is on the same subnet, packets to 10.0.0.5 are not forwarded but processed locally via the INPUT chain. Option B is wrong because the OUTPUT chain controls traffic leaving the local system, not incoming traffic to the server; rejecting OUTPUT traffic would prevent the local system from sending packets, but the issue is about connectivity to the server, which is inbound. Option C is wrong because a DROP rule with a zero packet count simply means no packets have matched it yet; it is still present and effective in the ruleset, and once traffic matches, the count will increment—zero count does not imply the rule is inactive or ineffective.

300
MCQeasy

A company uses a cloud-based backup solution for its virtual machines. The backup policy specifies daily backups with a retention of 30 days. The backup administrator notices that backups are failing with an error indicating insufficient storage space in the backup repository. Which of the following is the most likely reason for this issue?

A.The retention period is too long for the available storage.
B.The backup frequency is too low.
C.Compression is not enabled on the backup.
D.The backup window is too short.
AnswerA

Longer retention means more backups accumulate, consuming storage.

Why this answer

The error indicates insufficient storage space in the backup repository. With a daily backup policy and a 30-day retention period, the repository must accommodate at least 30 full backups (or the equivalent incremental/differential chain). If the repository's capacity is less than the total size of 30 backups, the retention period exceeds the available storage, causing failures.

This is the most direct cause of the error.

Exam trap

The trap here is that candidates may confuse 'insufficient storage' with backup window or frequency issues, but the error is explicitly capacity-related, making retention period length the root cause when storage is fixed.

How to eliminate wrong answers

Option B is wrong because a lower backup frequency (e.g., weekly instead of daily) would reduce storage consumption, not cause an insufficient space error; the issue is high consumption relative to retention, not frequency. Option C is wrong because while compression reduces backup size, its absence would increase storage usage but not directly cause a failure unless the repository is already at capacity; the error message specifically cites insufficient space, not a configuration issue. Option D is wrong because a short backup window might cause timeouts or incomplete backups, but it would not produce an 'insufficient storage space' error; that error is purely capacity-related.

Page 3

Page 4 of 7

Page 5

All pages