CompTIA Cloud+ (CV0-004) — Questions 301–375

499 questions total · 7 pages · All types, answers revealed

Page 5 of 7
301 · MCQ · hard

A cloud engineer is troubleshooting a web application that is not responding. The engineer examines the serial console output of the web-server instance and finds the error shown in the exhibit. What is the MOST likely cause of this issue?

A.The service account associated with the instance is missing the required permissions.
B.The instance is in a STOPPED state and cannot execute user data scripts.
C.The instance does not have a public IP address assigned.
D.A firewall rule is blocking traffic to the metadata server IP address 169.254.169.254.
Answer: D

The metadata server is accessed via link-local address; blocking this traffic prevents metadata retrieval.

Why this answer

The error shown in the serial console output indicates that the instance cannot reach the metadata server at 169.254.169.254. This IP address is a link-local address used by cloud providers (e.g., AWS, GCP, Azure) to serve instance metadata, including user data and startup scripts. If a firewall rule blocks traffic to this IP, the instance cannot retrieve its user data, causing the web application to fail to start or respond. Before deleting the rule, check whether it was added on purpose: host firewalls that stop containers or non-root processes from reaching the metadata service are a standard defence against SSRF and credential theft, so the fix is to scope the rule to the workloads that should not obtain instance credentials, not to drop it. On AWS the preferred hardening is to require IMDSv2 (session tokens with a hop limit of 1) rather than to block the address outright.

Exam trap

The trap here is that candidates often associate connectivity issues with public IPs or firewall rules blocking external traffic, but the metadata server is an internal link-local address, so the firewall rule must be blocking internal traffic to 169.254.169.254 specifically.

How to eliminate wrong answers

Option A is wrong because the error is about network connectivity to the metadata server, not about IAM or service account permissions; missing permissions would cause API call failures, not a connection timeout to 169.254.169.254. Option B is wrong because if the instance were in a STOPPED state, there would be no serial console output or running processes to troubleshoot; the error implies the instance is running but cannot reach the metadata server. Option C is wrong because a public IP address is not required for an instance to access the metadata server; the metadata server is accessible via the link-local address 169.254.169.254 from within the instance regardless of public IP assignment.

302 · MCQ · medium

A company is migrating a legacy on-premises application to a cloud VM. The application requires a static private IP address for compliance. During a disaster recovery failover, the VM must automatically retain the same IP address in the secondary region. Which solution should be used?

A.Provision a reserved static private IP address that can be reassigned to the new VM.
B.Use a dynamic IP address and update DNS after failover.
C.Use a load balancer with a fixed IP and point it to the VM's current private IP.
D.Assign an elastic IP (public) and configure a VPN.
Answer: A

A reserved static private IP is held by the account rather than by the VM, so it can be released from the failed VM and attached to its replacement. For the address to be valid in the secondary region, that region's VPC must carry the same CIDR (a mirrored address plan), and the address cannot be bound to two live VMs at once, so the failover runbook must release it before reattaching it.

Why this answer

Option A is correct because a reserved (static) private IP address survives the VM and can be reassigned to the replacement VM, satisfying the compliance requirement for a fixed address. Option B is wrong because a dynamic address changes on every reallocation, and updating DNS does not satisfy a requirement for the same IP. Option C is wrong because a load balancer's fixed IP is the load balancer's address, not the VM's; the backend VM's private address can still change. Option D is wrong because an elastic IP is a public address, and the requirement is a static private address.

303 · MCQ · easy

A company is experiencing latency issues when accessing a cloud-based application. The cloud administrator runs a traceroute and notices high latency at the ISP's edge router. Which of the following is the MOST likely cause?

A.An internet service provider (ISP) issue is degrading the WAN connection
B.A misconfigured firewall rule is dropping packets
C.The load balancer is sending traffic to unhealthy instances
D.The virtual machine hosting the application is under-provisioned
Answer: A

High latency at ISP edge router indicates WAN connection issue.

Why this answer

High latency at the ISP's edge router indicates that the bottleneck is occurring on the WAN link between the company's network and the cloud provider, which is under the ISP's control. This is a classic symptom of an ISP issue, such as congestion, routing problems, or a degraded physical link, directly impacting the WAN connection. The traceroute output localizes the latency to the ISP's infrastructure, not to the company's internal network or the cloud application's resources. Before escalating to the ISP, confirm the reading: a single hop that reports high latency while every later hop is normal is usually the router de-prioritizing ICMP replies to the probe (control-plane rate limiting), not a forwarding delay. Latency that first appears at the ISP hop and persists on every hop after it is the real signal that the WAN path is degraded; repeated runs with mtr make the distinction visible.

Exam trap

CompTIA often tests the distinction between latency caused by network infrastructure (ISP) versus application or server performance issues, and the trap here is that candidates may attribute high latency to internal misconfigurations (like firewalls or load balancers) when the traceroute clearly isolates the problem to an external hop.

How to eliminate wrong answers

Option B is wrong because a misconfigured firewall rule dropping packets would cause packet loss or connectivity failures, not consistently high latency at a specific hop; dropped packets would result in retransmissions and timeouts, not a steady latency increase. Option C is wrong because a load balancer sending traffic to unhealthy instances would cause application errors or timeouts, but the latency would appear at the application layer or after the load balancer, not at the ISP's edge router. Option D is wrong because an under-provisioned virtual machine would cause high CPU or memory utilization leading to application slowness, but the latency would be observed at the VM or within the cloud provider's network, not at the ISP's edge router.

304 · Multi-Select · hard

Which THREE of the following are valid methods to manage identity and access in a multi-cloud environment?

Select 3 answers
A.Set up a site-to-site VPN between the on-premises network and each cloud.
B.Implement a federation using SAML 2.0 between the corporate identity provider and each cloud.
C.Assign resource tags and use them in attribute-based access control (ABAC) policies.
D.Use a single shared API key for all clouds to simplify automation.
E.Deploy a cloud access security broker (CASB) to enforce access policies across clouds.
Answers: B, C, E

Federation allows SSO and centralized identity management.

Why this answer

Options B, C, and E are correct. SAML 2.0 federation (B) lets each cloud trust the corporate identity provider, giving single sign-on, one place to disable a user, and MFA enforced at the IdP. Tag-based ABAC policies (C) scale access decisions across many resources without per-resource grants and are supported by every major cloud. A CASB (E) sits between users and the cloud services and enforces access and data-handling policies consistently across providers. Option D is wrong because a single shared API key is not tied to an identity: it cannot be attributed to a person in audit logs, cannot be scoped per user or per cloud, and one leak compromises every cloud at once. Option A is wrong because a site-to-site VPN provides network connectivity, not identity or access management.

305 · Multi-Select · hard

A cloud administrator is troubleshooting performance issues with a cloud object storage bucket that is used for storing large amounts of small files. The application reads and writes objects frequently. Which three actions could improve the performance? (Choose three.)

Select 3 answers
A.Use a multi-region bucket to reduce latency.
B.Increase the number of concurrent requests from the application.
C.Enable transfer acceleration using a CDN.
D.Enable versioning to avoid overwrites.
E.Use a prefix naming scheme that distributes objects across multiple partitions.
Answers: B, C, E

Increasing concurrency can improve throughput as long as the backend can handle it.

Why this answer

Options B, C, and E are correct. Increasing the number of concurrent requests (B) raises throughput because object storage scales horizontally and a single-threaded client leaves most of that capacity unused. Transfer acceleration over a CDN edge (C) shortens the path to the storage endpoint for distant clients' uploads and downloads. A prefix naming scheme that spreads objects across partitions (E) avoids concentrating all requests on one key-range partition; providers publish request-rate limits per prefix, so distributing keys across prefixes raises the aggregate rate. Option A is wrong because a multi-region bucket adds cross-region replication to every write, which increases write latency rather than reducing it. Option D is wrong because versioning keeps every overwritten copy, adding storage and metadata overhead without improving read or write performance.

306 · Multi-Select · hard

Which THREE of the following are valid considerations when selecting a cloud deployment model (public, private, hybrid)? (Choose three.)

Select 3 answers
A.Regulatory compliance requirements.
B.Budget and total cost of ownership.
C.Developers' preferred programming languages.
D.Latency sensitivity of the application.
E.Cloud provider's marketing claims.
Answers: A, B, D

Some data must remain on-premises.

Why this answer

Regulatory compliance requirements (A) are a primary consideration because certain industries (e.g., healthcare, finance) mandate data residency and privacy controls that may only be satisfied by a private or dedicated public cloud infrastructure. Budget and total cost of ownership (B) directly influence the choice between capital-intensive private cloud deployments and operational-expense-based public cloud services. Latency sensitivity (D) dictates whether an application requires on-premises private cloud resources to avoid network jitter and meet strict SLAs, or can tolerate the higher latency of a public cloud.

Exam trap

CompTIA often tests whether candidates confuse operational preferences (like programming languages) with architectural constraints; the trap is selecting C as a valid consideration when it is irrelevant to the deployment model decision.

307 · MCQ · hard

A company experiences a data breach where an attacker exfiltrated data from a cloud storage bucket. The security team discovers that the bucket had a policy allowing public access. The cloud administrator had previously set the bucket to be private. Which of the following is the MOST likely reason the bucket became public?

A.An IAM role with administrative privileges applied a bucket policy that overrode the private setting.
B.The bucket had versioning enabled, which reverted to a previous public state.
C.Access logs were not enabled, so the change was not recorded.
D.Server-side encryption was disabled, causing the bucket to become public.
Answer: A

A bucket policy is a separate access-control document from the bucket's ACL and the console's "private" setting; a principal with enough privilege can write a policy that grants access to everyone. (On AWS, Block Public Access rejects such a policy while it is enabled, so the same role would first have to turn that guard off, which is why the guard should be enforced at the account level and its removal alerted on.)

Why this answer

A bucket policy that grants public access (e.g., `Principal: "*"` with `Effect: "Allow"`) grants access independently of the ACL or the console's private setting. Even if the cloud administrator set the bucket to private via the console or ACLs, an IAM role with administrative privileges can apply a bucket policy that explicitly allows public access, effectively making the bucket public. Bucket policies are evaluated alongside the other access controls, and any matching Allow (absent an explicit Deny) grants the request. The practitioner's follow-up is to search the API audit trail for the PutBucketPolicy call (and, on AWS, any DeletePublicAccessBlock or PutPublicAccessBlock call that preceded it) to identify the principal that made the change.

Exam trap

CompTIA often tests the misconception that setting a bucket to private in the console or via ACLs is sufficient to prevent public access, ignoring that a bucket policy can independently grant public access to the same objects.

How to eliminate wrong answers

Option B is wrong because enabling versioning does not revert bucket policies or access settings to a previous state; versioning only preserves object versions and does not affect access control configurations. Option C is wrong because access logs record actions but do not prevent or cause changes to bucket permissions; the lack of logging is a monitoring issue, not a cause of the bucket becoming public. Option D is wrong because disabling server-side encryption affects data encryption at rest, not access permissions; encryption settings have no impact on whether a bucket is public or private.

308 · MCQ · easy

A cloud administrator needs to apply a critical security patch to a virtual machine that is part of a production application. The application must remain available during patching. Which of the following is the BEST approach?

A.Postpone the patch until the next scheduled update cycle
B.Remove the VM from the load balancer, apply the patch, then return it to service during a maintenance window
C.Patch all VMs simultaneously to minimize the time to full deployment
D.Apply the patch during peak usage hours to ensure immediate deployment
Answer: B

Rolling patching maintains availability.

Why this answer

Removing the VM from the load balancer ensures that no new traffic is sent to it while the patch is applied, maintaining application availability for users. After the patch is applied and the VM is verified as healthy, it can be returned to the load balancer pool. This approach aligns with a rolling update strategy, which is the standard method for applying patches to production VMs without downtime.

Exam trap

The trap here is that candidates may think patching all VMs simultaneously is faster and therefore better, but they overlook the critical requirement of maintaining application availability, which is explicitly stated in the question.

How to eliminate wrong answers

Option A is wrong because postponing a critical security patch leaves the application vulnerable to exploitation, which violates security best practices and compliance requirements. Option C is wrong because patching all VMs simultaneously would cause a complete application outage, as no VM would be available to serve traffic during the patching process. Option D is wrong because applying the patch during peak usage hours increases the risk of performance degradation or service disruption, and contradicts the standard practice of scheduling maintenance during low-traffic periods.

309 · MCQ · easy

A virtual machine in a cloud environment is experiencing high disk I/O latency. The administrator checks the performance metrics and sees that the disk queue length is consistently above 100. What is the best immediate action?

A.Attach an additional disk and stripe the data
B.Upgrade the VM's network bandwidth
C.Migrate the VM to a host with faster disks
D.Increase the VM's memory
Answer: A

Striping across additional disks adds parallelism, so queued I/O is spread over more volumes; queue depth falls and latency improves.

Why this answer

Option A is correct because attaching additional disks and striping across them (e.g., RAID 0 or an LVM striped volume) spreads I/O over several volumes, each with its own IOPS and throughput allocation, which is usually what a cloud VM is actually limited by; the aggregate queue drains faster and per-request latency drops. Two caveats: striping without mirroring has no redundancy, so the array depends on every disk, and it is a stopgap if the real cause is a per-disk or per-instance IOPS cap, in which case a higher-performance disk tier or a larger instance size is the lasting fix. Option D is wrong because memory only helps if the workload can be served from cache, and a queue length above 100 shows the disk itself is saturated. Option C is wrong because migrating to a different host does not change the provisioned disk's performance class, and in most clouds the administrator cannot choose the host. Option B is wrong because network bandwidth is unrelated to local disk I/O latency.

310 · MCQ · hard

A cloud engineer is troubleshooting an issue where a virtual machine (VM) in a VPC cannot communicate with an on-premises database server through a site-to-site VPN. The VPN tunnel status shows 'UP' and the on-premises firewall logs show packets from the VM's public IP (but the VM is in a private subnet with no public IP). What is the MOST likely cause?

A.The on-premises firewall is blocking the VM's private IP address.
B.The VM's security group is blocking outbound traffic to the on-premises subnet.
C.The route table for the subnet is missing a route to the on-premises network via the VPN.
D.The VPN tunnel is misconfigured with mismatched pre-shared keys.
Answer: C

Without proper route, traffic may exit through an internet gateway or NAT, resulting in public IP source.

Why this answer

The VPN tunnel status is 'UP' and the on-premises firewall sees packets from the VM's public IP, but the VM is in a private subnet with no public IP. This indicates that the VM's traffic is being sent to the internet instead of through the VPN tunnel. The most likely cause is that the subnet's route table lacks a specific route directing traffic destined for the on-premises network to the virtual private gateway (VGW) or VPN connection, causing the traffic to be routed to the internet gateway (IGW) and source-NATed to the public IP.

Exam trap

The trap here is that candidates see 'VPN tunnel UP' and assume the VPN is fully functional, overlooking that routing (the route table) is a separate layer that must direct traffic into the tunnel; the tunnel being up does not guarantee traffic is being sent through it.

How to eliminate wrong answers

Option A is wrong because the on-premises firewall logs show packets from the VM's public IP, not its private IP, so the firewall is not blocking the private IP; the issue is that the private IP is not being used for the VPN traffic. Option B is wrong because security groups are stateful and, by default, allow all outbound traffic; even if outbound rules were restrictive, the traffic would still be dropped at the VM level, not appear at the on-premises firewall with a public IP. Option D is wrong because mismatched pre-shared keys would prevent the VPN tunnel from establishing, but the tunnel status is 'UP', indicating the Phase 1 and Phase 2 negotiations succeeded.
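The routing decision above, as an added example that is not part of the question bank: a longest-prefix-match lookup over a constructed route table shows why the tunnel can be "UP" while packets still leave through the NAT gateway. The VPC CIDR, the on-premises CIDR and the target names (nat-hypothetical, vgw-hypothetical) are all assumptions chosen for illustration.

```python
"""Route-table lookup demonstrating question 310: the 'VPN is UP but traffic
never enters it' symptom is a routing decision, not a tunnel problem.
Added example; the CIDRs and target names below are constructed."""
import ipaddress

# Constructed addressing: VPC 10.0.0.0/16, on-premises network 192.168.0.0/16.
ONPREM_DB = "192.168.10.25"

# Route entries are (destination CIDR, target). Target names are hypothetical.
# A private subnet normally has a default route to a NAT gateway.
BROKEN_TABLE = [
    ("10.0.0.0/16", "local"),           # intra-VPC traffic
    ("0.0.0.0/0", "nat-hypothetical"),  # everything else goes to the internet
]
# The fix: an explicit route for the on-premises prefix via the VPN gateway.
FIXED_TABLE = BROKEN_TABLE + [("192.168.0.0/16", "vgw-hypothetical")]


def lookup(route_table, dst_ip):
    """Longest-prefix match: the most specific route wins regardless of order.
    Returns the target, or None if no route covers dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr, strict=False)
        if dst.version == net.version and dst in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, target)
    return best[1] if best else None


def path_description(route_table, src_private_ip, dst_ip):
    """Describe what the on-premises firewall would see for a packet from
    src_private_ip to dst_ip under this route table."""
    target = lookup(route_table, dst_ip)
    if target is None:
        return "no route: dropped inside the VPC, never reaches on-prem"
    if target.startswith(("nat-", "igw-")):
        # Internet egress is source-NATed; the private address disappears.
        return f"via {target}: source-NATed, on-prem sees a public IP, not {src_private_ip}"
    if target.startswith("vgw-"):
        return f"via {target}: enters the tunnel with source {src_private_ip}"
    return f"via {target}"


if __name__ == "__main__":
    for name, table in (("broken", BROKEN_TABLE), ("fixed", FIXED_TABLE)):
        print(f"{name}: {path_description(table, '10.0.1.10', ONPREM_DB)}")
```

The lookup deliberately ignores the order of entries: the fix works because 192.168.0.0/16 is more specific than 0.0.0.0/0, not because it is listed later. The same check applies to the on-premises side, which needs a return route for the VPC CIDR pointing at its VPN device.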

311 · MCQ · hard

A financial services company is migrating a critical application to a hybrid cloud environment. The application must maintain sub-millisecond latency between the front-end and back-end components. The on-premises data center is located in New York, and the cloud region chosen is AWS us-east-1. The network team has established a dedicated AWS Direct Connect connection. After deploying the application, latency tests show 2 ms on average, which is acceptable. However, during peak hours, latency spikes to 10 ms. The cloud administrator suspects that the spike is due to increased traffic going over the VPN backup link instead of Direct Connect. What should the administrator do to resolve the issue?

A.Move the application to a different AWS region closer to the on-premises data center.
B.Configure the cloud resources to use only the Direct Connect connection and disable the VPN.
C.Increase the bandwidth of the VPN backup link.
D.Implement traffic shaping to prioritize application traffic over the Direct Connect link.
Answer: B

Ensures all traffic uses the low-latency Direct Connect.

Why this answer

Option B is correct because the latency spike during peak hours is caused by traffic failing over to the VPN backup link, which introduces higher latency and potential congestion. By configuring cloud resources to use only the Direct Connect connection and disabling the VPN, the administrator ensures all traffic stays on the low-latency, dedicated path. This eliminates the possibility of traffic being routed over the VPN, which is typically slower and less reliable than Direct Connect. In practice the first check is the BGP state of the Direct Connect virtual interface: AWS prefers a Direct Connect route over a VPN route to the same prefix, so traffic normally moves to the VPN only when the Direct Connect BGP session drops or flaps, and removing the VPN without fixing that turns a latency spike into an outage.

Exam trap

The trap here is that candidates may assume increasing bandwidth or traffic shaping will fix the latency issue, but the real problem is that traffic is incorrectly routed over the VPN backup link, not that the Direct Connect link is saturated.

How to eliminate wrong answers

Option A is wrong because moving the application to a different AWS region would not resolve the issue of traffic using the VPN backup link; the latency spike is due to routing misconfiguration, not geographic distance. Option C is wrong because increasing the bandwidth of the VPN backup link does not address the root cause—traffic should not be using the VPN at all during peak hours; the VPN link itself introduces higher latency regardless of bandwidth. Option D is wrong because traffic shaping prioritizes traffic on the Direct Connect link but does not prevent traffic from failing over to the VPN; the issue is that traffic is being routed over the VPN, not that the Direct Connect link is congested.

312 · MCQ · hard

A multinational corporation is deploying a new application across multiple cloud regions for disaster recovery. The application requires consistent low latency for users globally. The architect decides to use a content delivery network (CDN) for static assets and a global load balancer for API traffic. After deployment, some users in Asia report occasional timeouts when accessing the API. The API servers are deployed in the US East and Europe regions. The load balancer is configured with latency-based routing. What is the most likely cause of the timeouts?

A.The latency-based routing is directing traffic to the farthest region due to routing table issues.
B.The API servers in Europe have insufficient capacity.
C.The CDN is misconfigured for the API endpoints.
D.The DNS TTL is set too high, causing cached resolution to a failed server.
Answer: D

High TTL means clients cache DNS results; if a server fails, they still try that IP until cache expires, causing timeouts.

Why this answer

Option D is correct because a high DNS TTL causes clients to cache the IP address of a failed or unhealthy API server for an extended period. When that server becomes unavailable, clients continue to send requests to the cached IP instead of querying DNS for a healthy endpoint, resulting in timeouts. This is a common issue with latency-based routing, where DNS resolution is critical for directing traffic to the optimal region.

Exam trap

The trap here is that candidates often overlook DNS caching behavior and instead focus on load balancer configuration or server capacity, failing to recognize that high DNS TTL can cause stale routing decisions in latency-based architectures.

How to eliminate wrong answers

Option A is wrong because latency-based routing directs traffic to the region with the lowest measured latency, not the farthest; routing table issues would affect reachability, not cause timeouts due to distance. Option B is wrong because insufficient capacity would cause errors like 503 Service Unavailable or increased latency, not intermittent timeouts specific to Asia users when servers exist in both US East and Europe. Option C is wrong because a CDN is used for static assets, not API endpoints; misconfiguring the CDN for API traffic would not cause timeouts since the API traffic is handled by the global load balancer, not the CDN.

313 · Multi-Select · easy

A cloud architect is designing a multi-tier application that must remain available during a single Availability Zone failure. Which TWO design principles should the architect apply?

Select 2 answers
A.Implement synchronous replication between the primary site and a DR site.
B.Deploy resources across multiple Availability Zones.
C.Use a single load balancer to distribute traffic across instances.
D.Place all application servers in the same subnet for low latency.
E.Use an auto-scaling group with a minimum of two instances spread across zones.
Answers: B, E

This provides redundancy if one zone fails.

Why this answer

Deploying resources across multiple Availability Zones (AZs) ensures that if one AZ fails, the application continues to run using resources in the other AZ(s). This is a fundamental principle of high availability in cloud architecture, as AZs are isolated from each other's failures. Option E complements this by using an auto-scaling group with a minimum of two instances spread across zones, which maintains capacity even if one instance or AZ fails.

Exam trap

CompTIA often tests the distinction between high availability (within a region across AZs) and disaster recovery (across regions), leading candidates to mistakenly choose synchronous replication (Option A) for AZ failure scenarios when it is actually designed for regional outages.

314 · MCQ · medium

Refer to the exhibit. A cloud administrator applies the bucket policy shown. After applying, users report that they can no longer access the prod-backup bucket using their applications. The applications use the AWS SDK with default configuration. What is the most likely reason?

A.The policy does not include an Allow statement.
B.The policy has a syntax error in the condition.
C.The applications are using HTTP instead of HTTPS.
D.The policy's principal "*" blocks all users.
Answer: C

The policy denies any request that does not use TLS (a Deny statement conditioned on `aws:SecureTransport` being false), so a client that reaches the bucket over plain HTTP is refused.

Why this answer

The Deny statement applies to every principal, so it is not a syntax error and it does not depend on the Allow statements; it only bites when a request arrives over HTTP. Current AWS SDKs default to HTTPS, so a failure under "default configuration" points at a client that overrides the endpoint with an http:// URL, routes through a custom or proxy endpoint, or runs an older SDK configured with TLS disabled. Confirm it by comparing the scheme in the SDK's endpoint configuration with the Deny condition rather than loosening the policy; the HTTPS-only Deny is a control worth keeping. Option D is wrong because `Principal: "*"` on a Deny statement restricts everyone only under the stated condition; it does not block all access.
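Questions 307 and 314 both turn on how a bucket policy is read. The following added example, not part of the question bank, is a small policy linter plus a simplified evaluator: it flags Allow statements open to everyone (the question-307 failure), detects an HTTPS-only Deny, and shows the same request succeeding over TLS and being denied over plain HTTP (question 314). Both policies are constructed; the account ID 123456789012, the role name and the bucket name are placeholders, and the evaluator models only the Bool condition operator and ignores NotPrincipal/NotAction and identity-based policies.

```python
"""Bucket-policy checks for questions 307 and 314. Added example, not from the
question bank; the policies below are constructed and the account ID, role and
bucket names are placeholders."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """AWS treats Principal "*" and {"AWS": "*"} as 'everyone, including anonymous'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_allow_statements(policy):
    """Sids of Allow statements open to everyone with no Condition (question 307).
    A Deny with Principal "*" is not public access; it restricts everyone."""
    return [
        st.get("Sid", "<no Sid>")
        for st in policy["Statement"]
        if st["Effect"] == "Allow"
        and is_public_principal(st.get("Principal"))
        and not st.get("Condition")
    ]


def denies_plain_http(policy):
    """True if a Deny statement keys on aws:SecureTransport being false (question 314)."""
    for st in policy["Statement"]:
        want = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if st["Effect"] == "Deny" and str(want).lower() == "false":
            return True
    return False


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, caller_arn):
    if is_public_principal(principal):
        return True
    return isinstance(principal, dict) and _matches(principal.get("AWS", []), caller_arn)


def _condition_holds(condition, ctx):
    # Only the Bool operator is modelled; that is all aws:SecureTransport needs.
    return all(str(ctx.get(k)).lower() == str(v).lower()
               for k, v in condition.get("Bool", {}).items())


def evaluate(policy, caller_arn, action, resource, ctx):
    """Simplified resource-policy evaluation: an explicit Deny always wins,
    otherwise any matching Allow grants, otherwise implicit deny."""
    decision = "implicit-deny"
    for st in policy["Statement"]:
        if not (_principal_matches(st.get("Principal", {}), caller_arn)
                and _matches(st["Action"], action)
                and _matches(st["Resource"], resource)
                and _condition_holds(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "explicit-deny"
        decision = "allow"
    return decision


# Constructed policy 1: the question-307 failure, an Allow to everyone.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::prod-backup/*",
    }],
}

# Constructed policy 2: the question-314 shape, a scoped Allow plus an HTTPS-only Deny.
APP_ROLE = "arn:aws:iam::123456789012:role/app-role"  # placeholder ARN
HTTPS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppAccess", "Effect": "Allow", "Principal": {"AWS": APP_ROLE},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::prod-backup/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::prod-backup", "arn:aws:s3:::prod-backup/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
```

Run `public_allow_statements` against every bucket policy in an account as a periodic check; the Deny statement with `Principal: "*"` in the second policy is correctly not reported, which is the distinction option D of question 314 gets wrong.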

315 · Multi-Select · medium

A cloud administrator is troubleshooting a connectivity issue between a web server and a database server in the same VPC but different subnets. The security group for the database server allows inbound traffic from the web server's security group. However, the web server cannot establish a TCP connection to the database. What are two possible causes? (Choose two.)

Select 2 answers
A.The security group of the web server does not allow outbound traffic to the database.
B.The network ACL of the web server subnet is blocking outbound traffic.
C.The network ACL of the database subnet is blocking inbound traffic.
D.The route table of the database subnet does not contain a route to the web server subnet.
E.The database server is not listening on the correct port.
Answers: B, C

The outbound NACL on the web server subnet may block the connection request.

Why this answer

Option B is correct because network ACLs are stateless and apply to subnet boundaries. Even if the web server's security group allows outbound traffic, the subnet's network ACL must explicitly allow outbound traffic to the database server's IP and port. If the outbound rule is missing or denies the traffic, the TCP SYN packet will be dropped before it leaves the subnet.

Option C is correct because the database subnet's network ACL must allow inbound traffic from the web server's IP and port; if it blocks the inbound SYN, the connection cannot be established.

Exam trap

The trap here is that candidates often assume security groups are the only firewall layer, forgetting that network ACLs at the subnet level are evaluated as well: traffic must be permitted by both, and because NACLs are stateless they need explicit rules for both directions, including the ephemeral-port return traffic that a stateful security group would have allowed automatically.
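The stateless evaluation described above, as an added example that is not part of the question bank: a small NACL evaluator walks one TCP connection through all four decisions it has to pass (SYN out of the web subnet, SYN into the DB subnet, and the SYN-ACK back on the client's ephemeral port in both subnets). It goes one step beyond the question by also checking the return path, and it reproduces option C, a lower-numbered deny shadowing a later allow, and the common mistake of mirroring the inbound rule on the outbound side. The subnets, addresses, rule numbers and ports are constructed.

```python
"""Stateless network-ACL walk-through for question 315. Added example, not part
of the question bank; subnets, rules and ports are constructed."""
import ipaddress

# A rule is (number, action, protocol, cidr, port_from, port_to).
# NACLs evaluate rules in ascending number; the first match wins;
# anything unmatched hits the implicit deny.


def nacl_allows(rules, peer_ip, port, proto="tcp"):
    peer = ipaddress.ip_address(peer_ip)
    for _number, action, rule_proto, cidr, lo, hi in sorted(rules, key=lambda r: r[0]):
        if rule_proto not in (proto, "all"):
            continue
        if peer not in ipaddress.ip_network(cidr, strict=False):
            continue
        if not lo <= port <= hi:
            continue
        return action == "allow"
    return False  # implicit deny


def tcp_connect_path(web_out, db_in, db_out, web_in, web_ip, db_ip, db_port, ephemeral_port):
    """A single TCP connection crosses four stateless decisions: SYN out of the
    web subnet, SYN into the DB subnet, SYN-ACK out of the DB subnet (to the
    client's ephemeral port) and SYN-ACK into the web subnet.
    Returns (ok, list of the checks that failed)."""
    checks = {
        "web-subnet outbound SYN to db port": nacl_allows(web_out, db_ip, db_port),
        "db-subnet inbound SYN from web": nacl_allows(db_in, web_ip, db_port),
        "db-subnet outbound SYN-ACK to ephemeral": nacl_allows(db_out, web_ip, ephemeral_port),
        "web-subnet inbound SYN-ACK on ephemeral": nacl_allows(web_in, db_ip, ephemeral_port),
    }
    failed = [name for name, ok in checks.items() if not ok]
    return not failed, failed


WEB_IP, DB_IP = "10.0.1.10", "10.0.2.20"  # constructed: web subnet 10.0.1.0/24, DB subnet 10.0.2.0/24
ALLOW_ALL = [(100, "allow", "all", "0.0.0.0/0", 0, 65535)]

# Option C in the question: the DB subnet's inbound ACL was tightened and 3306 was left out.
DB_IN_MISSING_3306 = [(100, "allow", "tcp", "10.0.1.0/24", 443, 443)]
DB_IN_OK = [(100, "allow", "tcp", "10.0.1.0/24", 3306, 3306)]

# A lower-numbered deny shadows a later allow for the same traffic.
DB_IN_SHADOWED = [(50, "deny", "tcp", "10.0.1.0/24", 3306, 3306)] + DB_IN_OK

# Outbound on the DB subnet must cover the client's ephemeral range, not port 3306.
DB_OUT_MIRRORS_INBOUND = [(100, "allow", "tcp", "10.0.1.0/24", 3306, 3306)]
DB_OUT_OK = [(100, "allow", "tcp", "10.0.1.0/24", 1024, 65535)]


if __name__ == "__main__":
    for label, db_in, db_out in (("missing 3306", DB_IN_MISSING_3306, DB_OUT_OK),
                                 ("shadowed", DB_IN_SHADOWED, DB_OUT_OK),
                                 ("mirrored outbound", DB_IN_OK, DB_OUT_MIRRORS_INBOUND),
                                 ("correct", DB_IN_OK, DB_OUT_OK)):
        ok, failed = tcp_connect_path(ALLOW_ALL, db_in, db_out, ALLOW_ALL, WEB_IP, DB_IP, 3306, 40000)
        print(f"{label}: {'ok' if ok else 'blocked at ' + ', '.join(failed)}")
```

The ephemeral range to allow depends on the client OS (Linux defaults to 32768-60999, Windows to 49152-65535); a rule covering 1024-65535 is the usual compromise. When a connection fails with the security groups correct, this is the order to check the four paths in.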

316 · MCQ · medium

A containerized application deployment fails with an 'ImagePullBackOff' error. What should the administrator verify?

A.The CPU utilization on the node
B.The cluster's DNS configuration
C.The firewall rules between nodes and registry
D.The container registry credentials and image tag
Answer: D

ImagePullBackOff commonly occurs when the image is not found or access is denied.

Why this answer

Option D is correct because ImagePullBackOff means the container runtime tried to pull the image and failed, and the most common causes are a wrong image name or tag and missing or expired registry credentials (the image pull secret); `kubectl describe pod` shows the underlying pull error in the pod events. Option B is wrong because, while DNS could be involved, a name-resolution failure shows a lookup error in the events and would affect every image from that registry, not one deployment. Option C is wrong because firewall issues show up as connection timeouts to the registry rather than authentication or not-found errors. Option A is wrong because CPU utilization does not cause image pull errors.

317 · Multi-Select · hard

A cloud administrator is investigating a performance issue with a cloud-based application. The application's response time has increased significantly. Monitoring shows low CPU and memory, but high network latency. Which two actions should the administrator take? (Choose two.)

Select 2 answers
A.Review the security group rules for any restrictive outbound rules.
B.Check the load balancer's connection draining settings.
C.Use a trace tool to identify network hops and bottlenecks.
D.Verify that the instances are in the same placement group.
E.Check for packet drops in the VPC flow logs.
Answers: C, E

Traceroute helps pinpoint where network delays occur.

Why this answer

Correct answers are C and E. A trace tool (C) shows which hop adds the delay, and VPC flow logs (E) reveal rejected flows and retransmission patterns that explain high latency while CPU and memory stay idle. Option A is less relevant because a restrictive outbound rule blocks connections outright rather than slowing them. Option B is wrong because connection draining governs how in-flight requests are handled when an instance is deregistered, not steady-state latency. Option D is wrong because a placement group can reduce latency between instances that share one, but checking membership does not diagnose where the delay is.

318 · MCQ · hard

A cloud administrator is managing a hybrid cloud environment where on-premises servers connect to a public cloud VPC via a site-to-site VPN. Users report intermittent connectivity issues to cloud resources. The administrator examines the VPN tunnel logs and sees 'Phase 2 negotiation failed' errors. Which of the following is the MOST likely cause?

A.Dead Peer Detection (DPD) is disabled on one side.
B.Incorrect pre-shared key used for the VPN tunnel.
C.Packet loss due to high latency on the internet link.
D.Mismatched encryption domain definitions (traffic selectors) between on-premises and cloud VPN gateways.
Answer: D

Phase 2 negotiates encryption domains; mismatched selectors cause failure.

Why this answer

Phase 2 negotiation failures in IPsec VPNs indicate that the two gateways cannot agree on the security associations (SAs) for encrypting data traffic. This is most commonly caused by mismatched encryption domain definitions (traffic selectors), such as differing local/remote subnets, protocols, or ports. When the on-premises and cloud VPN gateways define the allowed traffic differently, they cannot establish the Phase 2 SA, leading to intermittent connectivity. The practitioner's check is to compare the proxy IDs/traffic selectors configured on both gateways side by side (local and remote subnets, protocol, port); where the on-premises device supports it, a route-based tunnel with 0.0.0.0/0 selectors on both ends avoids the problem entirely, because the routing table rather than the selectors decides what enters the tunnel.

Exam trap

The trap here is that candidates often confuse Phase 1 and Phase 2 failures, incorrectly attributing the error to pre-shared key mismatches (Phase 1) instead of traffic selector mismatches (Phase 2).

How to eliminate wrong answers

Option A is wrong because Dead Peer Detection (DPD) is used to detect loss of a peer during Phase 1 or Phase 2, but disabling DPD does not cause Phase 2 negotiation failures; it only delays failure detection. Option B is wrong because an incorrect pre-shared key would cause Phase 1 (IKE) authentication to fail, not Phase 2 negotiation. Option C is wrong because packet loss or high latency can cause timeouts or retransmissions but does not directly cause a 'Phase 2 negotiation failed' error, which is a protocol-level mismatch.
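The selector comparison above, as an added example that is not part of the question bank: the functions below model the two behaviours a practitioner meets. IKEv1 quick mode requires mirror-image encryption domains, so a mismatch fails outright; IKEv2 lets the responder narrow the proposed selectors to the overlap, which can leave some hosts inside the SA and others outside it and is one way a selector mismatch shows up as intermittent rather than total failure. The CIDRs are constructed, and the model is deliberately simplified (one selector pair per side, no ports or protocols).

```python
"""Traffic-selector check for question 318. Added example, not from the
question bank; the CIDRs are constructed and the IKE behaviour is simplified."""
import ipaddress


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _overlap(a, b):
    """CIDR blocks either nest or are disjoint, so the overlap is the smaller one."""
    a, b = _net(a), _net(b)
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def ikev1_phase2_ok(cloud_local, cloud_remote, onprem_local, onprem_remote):
    """IKEv1: each side's local selector must equal the peer's remote selector."""
    return (_net(cloud_local) == _net(onprem_remote)
            and _net(cloud_remote) == _net(onprem_local))


def ikev2_narrowed(cloud_local, cloud_remote, onprem_local, onprem_remote):
    """IKEv2: the SA covers the intersection of what the two sides proposed.
    Returns (cloud_side_selector, onprem_side_selector), or None when the
    proposals do not overlap at all (the peer answers TS_UNACCEPTABLE)."""
    cloud_side = _overlap(cloud_local, onprem_remote)
    onprem_side = _overlap(cloud_remote, onprem_local)
    if cloud_side is None or onprem_side is None:
        return None
    return cloud_side, onprem_side


def covered(narrowed, cloud_ip, onprem_ip):
    """Whether a flow between these two hosts falls inside the narrowed SA."""
    if narrowed is None:
        return False
    cloud_side, onprem_side = narrowed
    return (ipaddress.ip_address(cloud_ip) in cloud_side
            and ipaddress.ip_address(onprem_ip) in onprem_side)


# Constructed configs: the cloud gateway was given the whole on-prem /16,
# the on-prem firewall was configured with only one /24 of the cloud VPC.
CLOUD = ("10.0.0.0/16", "192.168.0.0/16")    # (local, remote) as seen from the cloud
ONPREM = ("192.168.0.0/16", "10.0.5.0/24")   # (local, remote) as seen from on-prem


if __name__ == "__main__":
    print("IKEv1 exact match:", ikev1_phase2_ok(*CLOUD, *ONPREM))
    narrowed = ikev2_narrowed(*CLOUD, *ONPREM)
    print("IKEv2 narrowed SA:", narrowed)
    for host in ("10.0.5.7", "10.0.9.7"):
        print(f"  {host} -> 192.168.10.25 inside SA: {covered(narrowed, host, '192.168.10.25')}")
```

With these inputs IKEv1 fails Phase 2, while IKEv2 brings the tunnel up for 10.0.5.0/24 only, so a cloud host in 10.0.9.0/24 cannot reach the on-premises network even though the tunnel reports as established. Comparing the two sides' selectors as this code does is the check to run before touching pre-shared keys or DPD settings.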

319 · MCQ · hard

A cloud administrator is troubleshooting a web application hosted on a cloud virtual machine (VM) that is experiencing intermittent high latency during peak traffic hours. The application is deployed on a single VM instance with 4 vCPUs and 8 GB RAM, running a Linux OS. The VM is connected to a virtual network with a public IP. The administrator has verified that the application code is optimized and there are no memory leaks. CPU utilization remains below 50% during peaks, but network outbound traffic shows periodic spikes up to 500 Mbps. The VM's network interface is configured with a 1 Gbps bandwidth cap. The administrator suspects that the issue is related to network throttling or packet loss. Which of the following actions should the administrator take to resolve the issue?

A.Increase the VM's vCPU count to 8 to improve processing capacity.
B.Upgrade the VM to a larger instance size with higher network bandwidth cap (e.g., 2 Gbps).
C.Configure the firewall to allow all traffic to reduce processing overhead.
D.Enable DDoS protection on the public IP to filter malicious traffic.
Answer: B

This directly addresses the network bottleneck causing latency during traffic spikes.

Why this answer

Option B is correct because the VM's 1 Gbps network bandwidth cap is being hit during peak traffic. The 500 Mbps figure is an average over the monitoring interval; clouds enforce the cap with a token bucket over sub-second windows, so bursts inside the interval can exceed 1 Gbps and be queued or dropped (microbursts) even though the chart never shows saturation. Upgrading to a larger instance size with a higher network bandwidth cap (e.g., 2 Gbps) directly addresses the bottleneck by providing more headroom for outbound traffic, reducing latency caused by queueing and drops. The administrator has already ruled out CPU and memory issues, so the network cap is the likely culprit; where the provider exposes per-interface counters for packets dropped by the bandwidth allowance, check them to confirm the diagnosis before resizing.

Exam trap

The trap here is that candidates may assume CPU or memory is the bottleneck because latency is intermittent, but the question explicitly states CPU is below 50% and memory is fine, so the real issue is the network bandwidth cap, which is a common cloud-specific limitation tied to instance size.

How to eliminate wrong answers

Option A is wrong because increasing vCPUs does not increase network bandwidth capacity; the bottleneck is network throughput, not compute, and CPU utilization is already below 50%. Option C is wrong because configuring the firewall to allow all traffic would not reduce processing overhead in a meaningful way and could actually increase security risks; firewall processing overhead is negligible compared to the bandwidth cap limitation. Option D is wrong because DDoS protection is designed to filter malicious traffic, not to resolve throttling or packet loss caused by legitimate peak traffic exceeding the bandwidth cap.

320 · MCQ · easy

A startup is deploying its web application in the cloud using an auto-scaling group. The application experiences variable traffic, with spikes during business hours. The team has configured the auto-scaling group to scale out when CPU utilization exceeds 70% and scale in when it drops below 30%. However, during a sudden spike, the new instances take over 5 minutes to become healthy, causing slow response times. What should the team do to improve responsiveness?

A.Use a larger instance type for the auto-scaling group.
B.Implement a predictive scaling policy based on historical patterns.
C.Reduce the threshold for scale-out to 50% CPU.
D.Increase the cooldown period for the scaling policy.
Answer: B

Predictive scaling provisions instances ahead of anticipated spikes.

Why this answer

Predictive scaling uses historical traffic patterns to proactively launch instances before CPU utilization spikes, eliminating the 5-minute lag from reactive scaling. This approach anticipates the business-hour surge and ensures capacity is ready when demand increases, directly addressing the slow response time issue.

Exam trap

The trap here is that candidates often focus on tuning thresholds or instance sizes to fix a latency problem, missing that the core issue is the reactive scaling delay, which only a proactive approach like predictive scaling can resolve.

How to eliminate wrong answers

Option A is wrong because using a larger instance type does not reduce the time for new instances to become healthy; it only increases per-instance capacity, which may still suffer from the same 5-minute startup delay during spikes. Option C is wrong because reducing the scale-out threshold to 50% CPU would trigger scaling earlier but still relies on reactive scaling, meaning instances would still take over 5 minutes to become healthy after the threshold is breached, failing to prevent slow responses. Option D is wrong because increasing the cooldown period would delay further scaling actions, making the auto-scaling group less responsive during rapid traffic spikes, worsening the problem.

321
MCQ, hard

A cloud administrator is troubleshooting an application that fails to connect to a database. The database server is in a private subnet, and the application server is in a public subnet. The security group for the database allows inbound traffic on port 3306 from the application's security group. Which of the following is the MOST likely reason the connection fails?

A. The network ACL for the database subnet is blocking inbound traffic on port 3306
B. The database server's operating system firewall is blocking the connection
C. The application's security group does not allow outbound traffic to the database
D. The route table for the public subnet does not have a route to the private subnet
Answer: A

NACLs are stateless and require explicit allow rules.

Why this answer

The network ACL (NACL) for the database subnet is the most likely cause because NACLs are stateless and apply to the entire subnet. Even if the database security group allows inbound traffic from the application's security group, the NACL must also allow inbound traffic on port 3306 (MySQL) from the application subnet. By default, custom NACLs deny all inbound traffic, so if the administrator did not explicitly add a rule for port 3306, the connection will be blocked at the subnet boundary.

Exam trap

CompTIA often tests the difference between stateful security groups and stateless network ACLs, and the trap here is that candidates assume security group rules are sufficient for connectivity, forgetting that NACLs must also permit the traffic at the subnet boundary.

How to eliminate wrong answers

Option B is wrong because the operating system firewall on the database server could block the connection, but it is less likely than a NACL issue since the question states the security group already allows the traffic, and OS firewalls are typically configured to allow traffic that matches security group rules. Option C is wrong because security groups are stateful; if the application's security group allows outbound traffic by default (which it does for all traffic unless explicitly denied), the response traffic from the database is automatically allowed, so outbound rules are not the issue. Option D is wrong because route tables control traffic routing between subnets, and by default, VPCs have an implicit local route that allows communication between all subnets within the VPC, so a missing route is not the problem here.

322
MCQ, hard

A cloud administrator is troubleshooting connectivity issues between two virtual networks in a public cloud. The networks are in the same region but different VPCs. Both VPCs have route tables and security groups configured. Instances in VPC A cannot ping instances in VPC B. Which of the following is the most likely cause?

A. VPC peering is not established between the two VPCs.
B. The instances are not assigned public IP addresses.
C. Security groups are blocking ICMP traffic.
D. Network ACLs are not configured to allow the traffic.
Answer: A

Without peering, traffic is isolated between VPCs.

Why this answer

VPC peering is a direct network connection between two VPCs that enables routing of traffic using private IPv4 or IPv6 addresses. Without an established VPC peering connection, instances in different VPCs cannot communicate, even if they are in the same region. Since the question states the VPCs are separate and no peering is mentioned, this is the most likely root cause of the connectivity failure.

Exam trap

The trap here is that candidates often focus on security groups or ACLs as the default answer for connectivity issues, but the fundamental prerequisite for cross-VPC communication is the existence of a VPC peering connection or a transit gateway, not just network access controls.

How to eliminate wrong answers

Option B is wrong because public IP addresses are not required for VPC-to-VPC communication; private IP routing via VPC peering or transit gateway is the standard method. Option C is wrong because while security groups can block ICMP, they are stateful and would not prevent all traffic unless explicitly configured to deny ICMP; the question does not indicate any such rule. Option D is wrong because network ACLs are stateless and must allow both inbound and outbound traffic, but they are not the primary enabler of cross-VPC connectivity; without VPC peering, no amount of ACL configuration will establish the link.

323
Multi-Select, medium

A company is migrating to the cloud and needs to ensure high availability for a web application. The solution must tolerate the failure of an entire Availability Zone. Which three actions should the administrator take? (Choose three.)

Select 3 answers
A. Deploy the application across two or more Availability Zones.
B. Implement auto scaling with a minimum of one instance per AZ.
C. Use an Application Load Balancer with cross-zone load balancing enabled.
D. Use a single instance in a larger instance size.
E. Use a Multi-AZ RDS database.
Answers: A, B, E

This is fundamental to surviving an AZ failure.

Why this answer

Option A is correct because deploying the application across two or more Availability Zones (AZs) ensures that if an entire AZ fails, the application remains available in the other AZ(s). This is a fundamental design pattern for achieving high availability in AWS, as AZs are physically separate data centers with independent power, cooling, and networking. By distributing resources across multiple AZs, the application can tolerate the failure of one AZ without service interruption.

Exam trap

The trap here is that candidates often confuse cross-zone load balancing (which optimizes traffic distribution) with the fundamental requirement of deploying resources across multiple AZs to achieve AZ failure tolerance, leading them to select option C as a necessary action when it is actually a default or optional feature that does not by itself provide AZ redundancy.

324
MCQ, easy

A cloud operations team uses a configuration management tool to apply patches to hundreds of Linux servers. Recently, the automation script that applies security patches has been failing with an error: 'Package not found.' The administrator verifies that the patch repository URL is correct and that the servers have internet access. The script runs every Sunday at 2:00 AM and the failures started two weeks ago. The failed patches are all for the latest kernel update. What should the administrator check FIRST?

A. Verify that the package cache is being updated before the installation step.
B. Ensure the patch repository is reachable via DNS.
C. Check if the servers have sufficient disk space for the patch download.
D. Roll back to an earlier version of the patch script.
Answer: A

The package cache must be refreshed to recognize the latest kernel package; the script may have skipped that step.

Why this answer

The error 'Package not found' typically indicates that the repository metadata is outdated. On many Linux systems, the local package cache (e.g., apt or yum) needs to be updated before installing new packages. The script likely needs to run an update command before attempting to install the patch.

325
MCQ, easy

A small business plans to migrate its on-premises infrastructure to the cloud to reduce capital expenditure. They have a limited IT team and want to minimize management overhead. Which cloud deployment model should they choose?

A. Private cloud
B. Community cloud
C. Hybrid cloud
D. Public cloud
Answer: D

Public cloud is cost-effective and requires minimal management overhead.

Why this answer

The public cloud deployment model is the correct choice because it allows the small business to offload all infrastructure management to the cloud provider, eliminating the need for on-premises hardware and reducing capital expenditure. With a limited IT team, the public cloud's shared responsibility model minimizes management overhead by handling physical security, hardware maintenance, and hypervisor updates, while the business only manages its applications and data.

Exam trap

CompTIA often tests the misconception that 'public cloud means zero management overhead,' but the shared responsibility model still requires the customer to manage the guest OS, applications, and data, which is a key trap in this question.

How to eliminate wrong answers

Option A is wrong because a private cloud requires the business to own or lease dedicated hardware, which increases capital expenditure and management overhead, contradicting the goal of reducing both. Option B is wrong because a community cloud is shared among several organizations with common concerns, still requiring significant coordination and often dedicated infrastructure, which does not minimize management overhead for a small business. Option C is wrong because a hybrid cloud combines public and private clouds, introducing complexity in networking, orchestration, and data synchronization, which increases management overhead and does not fully eliminate capital expenditure.

326
MCQ, easy

A company is using a cloud provider's object storage for archival data. The data is rarely accessed but must be retained for 7 years for compliance. The current storage class is Standard, and the monthly bill is increasing. The cloud administrator wants to minimize costs while meeting compliance requirements. The data must be accessible within 24 hours if needed. Which of the following actions should the administrator take?

A. Compress the objects using server-side encryption.
B. Delete the objects after 7 years to save cost.
C. Move the data to a cold storage tier like Glacier or Archive.
D. Use a lifecycle policy to transition objects to a cheaper storage class after a period.
Answer: D

Lifecycle policies automate transition to lower-cost storage (e.g., after 30 days to Infrequent Access, then to Glacier), optimizing cost while retaining data.

Why this answer

Option D is correct because a lifecycle policy automates the transition of objects from a higher-cost storage class (e.g., Standard) to a cheaper class (e.g., S3 Glacier Deep Archive or Azure Archive) after a specified period, reducing costs while retaining data for the required 7 years. The data remains accessible within 24 hours via a restore request, meeting the compliance and retrieval time requirement.

Exam trap

The trap here is that candidates may think moving data to a cold storage tier (Option C) is the best immediate action, but they overlook that a lifecycle policy (Option D) automates the transition and avoids manual intervention, which is more efficient and cost-effective over time.

How to eliminate wrong answers

Option A is wrong because server-side encryption (e.g., AES-256) does not reduce storage costs; it only secures data at rest. Option B is wrong because deleting objects after 7 years does not address the immediate cost increase and violates the compliance requirement to retain data for the full 7 years. Option C is wrong because moving data directly to a cold storage tier like Glacier or Archive without a lifecycle policy is a manual, non-automated action that does not leverage cost-saving transitions over time; also, some cold tiers may have minimum storage durations that could increase costs if data is moved too early.

327
Multi-Select, medium

A cloud administrator receives an alert that a VM's disk usage is at 95%. The VM is running a critical database. Which TWO actions should the administrator take to resolve the issue while minimizing downtime?

Select 2 answers
A. Increase the size of the existing disk
B. Shrink an existing partition to free space
C. Clear temporary files and logs
D. Restore the VM from a recent backup to a larger disk
E. Add a new disk and move data to it
Answers: A, C

Many cloud providers allow online disk resizing without rebooting.

Why this answer

Increasing the size of the existing disk (Option A) is correct because it allows the VM to gain additional storage capacity without requiring a reboot or migration, minimizing downtime. Modern hypervisors and cloud platforms support live resizing of virtual disks, and once the disk is expanded, the OS can extend the partition online using tools like `resize2fs` (Linux) or Disk Management (Windows). This directly addresses the 95% disk usage alert for the critical database with minimal service interruption.

Exam trap

The trap here is that candidates often choose Option E (add a new disk) thinking it is safer or more standard, but they overlook that expanding the existing disk is faster and causes less downtime for a critical database, and that adding a new disk introduces additional management overhead and potential service interruption.

328
Matching, medium

Match each disaster recovery term to its definition.


Maximum time to restore services after outage

Maximum acceptable data loss in time

Automatic switch to standby system

Copy of data for restoration

Documented plan for disaster recovery

Why these pairings

Key metrics and concepts for business continuity.

329
MCQ, hard

A cloud administrator receives an alert that a storage bucket containing sensitive customer data has been accessed from an unknown IP address at 3:00 AM. The bucket policy is configured to allow access only from the corporate VPN CIDR block (10.0.0.0/8). The administrator checks the access logs and sees that the request originated from 203.0.113.50, which is not within the allowed range. The bucket policy also includes a condition that restricts access to Secure Transport (SSL). What is the most likely reason the request succeeded despite the policy?

A. The access logs are spoofed; the request actually came from a corporate IP.
B. The policy has an Allow statement that permits all accesses using SSL, without restricting the source IP.
C. The unknown IP address is part of a misconfigured VPN client that still appears as the corporate CIDR.
D. The bucket policy is missing an explicit Deny statement for IP addresses outside the allowed range.
Answer: B

If the Allow statement only requires SSL but does not enforce the IP condition, then any SSL request would be allowed, bypassing the intended IP restriction.

Why this answer

If the Allow statement's condition checks only for Secure Transport (aws:SecureTransport) and does not also apply the source-IP condition, then any request made over SSL is permitted regardless of where it originates. The most common error is exactly this: the policy allows all requests that use SSL, overriding the intended IP restriction; a Deny statement with a Null or otherwise misconfigured IP-address condition would have the same effect. Option B correctly identifies that the SSL-only Allow condition is too permissive.

330
MCQ, hard

A DevOps engineer is designing a CI/CD pipeline for a microservices application. The team wants to isolate each build job to avoid interference. Which cloud concept should be utilized?

A. Dedicated hosts
B. Containerization with orchestration
C. Virtual private cloud (VPC)
D. Serverless functions
Answer: B

Containers provide lightweight, isolated environments ideal for CI/CD jobs, and orchestration manages them.

Why this answer

Containerization with orchestration (e.g., Docker and Kubernetes) provides isolated runtime environments for each build job by packaging the application and its dependencies into lightweight containers. This ensures that build processes do not interfere with each other, as each container runs in its own isolated user space with dedicated resources, and orchestration manages scheduling, scaling, and lifecycle. This approach is ideal for CI/CD pipelines in microservices architectures where build isolation is critical.

Exam trap

CompTIA often tests the misconception that network-level isolation (VPC) or physical isolation (dedicated hosts) is required for build job isolation, when in fact containerization provides sufficient and more efficient isolation at the process level.

How to eliminate wrong answers

Option A is wrong because dedicated hosts provide physical server isolation but are overkill for build job isolation; they do not offer per-job isolation within the same host and incur higher cost and management overhead. Option C is wrong because a Virtual Private Cloud (VPC) is a network-level isolation construct for cloud resources, not a mechanism to isolate individual build jobs; it cannot prevent interference between processes running on the same compute instance. Option D is wrong because serverless functions (e.g., AWS Lambda) are stateless and ephemeral, but they are not designed for running CI/CD build jobs that require persistent storage, longer execution times, or custom runtime environments; they also lack the fine-grained resource isolation needed for concurrent builds.

331
Multi-Select, hard

Which THREE of the following are common causes of VM migration failures in a cloud environment? (Choose three.)

Select 3 answers
A. Expired software licenses on the target host
B. Incompatible CPU instruction sets or features between source and target hosts
C. Stale DNS records for the VM's hostname
D. Insufficient storage space on the target host
E. Network connectivity issues between the source and target hypervisors
Answers: B, D, E

Different CPU generations can prevent live migration.

Why this answer

Options B, D, and E are correct. Incompatible CPU instruction sets or features (B) between the source and target hosts can cause a live migration to fail, as can insufficient storage space (D) on the target host and network connectivity issues (E) between the source and target hypervisors. Option C is wrong: stale DNS records may cause name resolution problems but do not cause migration failure.

Option A is wrong: license checks may block a migration, but this is less common than resource issues.

332
Multi-Select, hard

Which TWO design patterns can help a cloud architect achieve a Recovery Time Objective (RTO) of less than 5 minutes for a critical application?

Select 2 answers
A. Warm standby
B. Multi-site active-active
C. Backup and restore
D. Pilot light
E. Hot standby (active/passive) with automatic failover
Answers: B, E

Multiple active sites can take over instantly, achieving RTO under 5 minutes.

Why this answer

Multi-site active-active (B) distributes the application workload across two or more geographically separated sites, with all sites actively serving traffic. If one site fails, traffic is instantly rerouted to the remaining sites via DNS load balancing or global server load balancing (GSLB), enabling sub-5-minute RTO because there is no cold start or failover delay. Hot standby (active/passive) with automatic failover (E) maintains a fully provisioned standby environment that mirrors the primary, with automatic health checks and failover mechanisms (e.g., using AWS Route 53 health checks or Azure Traffic Manager) that can redirect traffic within seconds to minutes, meeting a strict RTO of under 5 minutes.

Exam trap

CompTIA often tests the misconception that warm standby or pilot light can achieve sub-5-minute RTO, but candidates forget that these patterns require manual scaling or provisioning steps that add significant delay, unlike the fully pre-provisioned and automated failover in active-active or hot standby.

333
MCQ, hard

A company is designing a multi-cloud disaster recovery solution. They need to ensure RPO of 15 minutes and RTO of 1 hour for critical workloads. Which of the following should be implemented?

A. Asynchronous replication to a secondary cloud with a 30-minute delay
B. Synchronous replication to a standby environment in another cloud provider
C. Pilot light environment that is started manually during a disaster
D. Daily backups to object storage in a different region
Answer: B

Correct; synchronous replication provides low RPO and fast failover.

Why this answer

Synchronous replication ensures that data is written to both the primary and standby environments simultaneously, guaranteeing zero data loss and meeting the 15-minute RPO. With a pre-configured standby environment in another cloud provider, failover can occur within minutes, satisfying the 1-hour RTO. This approach provides the lowest possible RPO and RTO for critical workloads.

Exam trap

CompTIA often tests the distinction between synchronous and asynchronous replication, where candidates mistakenly choose asynchronous replication for low RPO requirements, not realizing that asynchronous replication inherently introduces a delay equal to the replication interval.

How to eliminate wrong answers

Option A is wrong because asynchronous replication with a 30-minute delay cannot achieve a 15-minute RPO, as data loss could be up to 30 minutes. Option C is wrong because a pilot light environment that is started manually during a disaster typically has an RTO of hours, not 1 hour, due to the time required to provision and configure resources. Option D is wrong because daily backups to object storage cannot meet a 15-minute RPO, as data loss could be up to 24 hours, and recovery from backups often takes longer than 1 hour.

334
MCQ, easy

The exhibit shows the output of the df command and an application error. What is the most likely cause of the error?

A. The /dev/shm partition is full.
B. The /var partition is full.
C. The filesystem is corrupt.
D. The inode usage on the root filesystem is exhausted.
Answer: B

The root partition is at 95% usage, and since /var is under /, it is likely full.

Why this answer

Option B is correct because the root partition is at 95% usage, and the application writes to /var/log, which is on the root filesystem. Option A is wrong because the tmpfs mounted at /dev/shm is empty. Option D is plausible, but df shows space usage, not inodes; inode exhaustion would produce the same error, yet space exhaustion is the more likely cause given the exhibit.

Option C is wrong because nothing in the exhibit indicates filesystem corruption.

335
Multi-Select, medium

A cloud engineer is troubleshooting a VM that is experiencing high latency. The VM is hosted on a hypervisor with other VMs. Which TWO metrics should the engineer review to identify if resource contention is occurring?

Select 2 answers
A. Memory ballooning
B. CPU ready time
C. Network packet drops
D. Swap usage
E. Disk queue length
Answers: A, B

Correct; memory ballooning indicates memory contention.

Why this answer

Memory ballooning (A) is a VMware mechanism where the hypervisor reclaims idle memory from a VM by inflating a balloon driver, forcing the VM to swap. High ballooning indicates memory overcommitment and contention, directly causing latency. CPU ready time (B) measures the time a VM is ready to run but waiting for a physical CPU core; elevated ready time signals CPU contention among VMs on the same hypervisor.

Exam trap

CompTIA often tests the distinction between guest-level metrics (swap usage, disk queue length) and hypervisor-level metrics (ballooning, ready time), and the trap here is that candidates confuse swap usage (guest OS paging) with memory ballooning (hypervisor reclaim), or assume network packet drops indicate VM contention rather than network issues.

336
MCQ, easy

A user reports being unable to upload files to an S3 bucket named 'my-bucket'. The IAM policy attached to the user is shown in the exhibit. What is the most likely reason for the failure?

A. The policy requires a condition that is not met.
B. The policy does not include s3:PutObjectAcl, which is needed.
C. The policy has a typo in the Action field.
D. The bucket policy denies the upload.
Answer: B

Many upload operations require PutObjectAcl.

Why this answer

The IAM policy grants s3:PutObject, which allows uploading an object, but it does not include s3:PutObjectAcl. When uploading to an S3 bucket, if the bucket is configured to require bucket-owner-full-control ACLs (e.g., via a bucket policy or default settings), the upload will fail unless the user also has permission to set the ACL. The s3:PutObjectAcl action is necessary to specify the ACL during the PUT request, and its absence is the most likely cause of the failure.

Exam trap

CompTIA often tests the distinction between s3:PutObject and s3:PutObjectAcl, trapping candidates who assume that upload permission alone is sufficient when ACL requirements are enforced.

How to eliminate wrong answers

Option A is wrong because the exhibit does not show any condition block in the policy, so there is no condition to be unmet. Option C is wrong because 's3:PutObject' is a valid action with correct casing and syntax, so there is no typo. Option D is wrong because the bucket policy is not mentioned in the scenario; the failure is attributed to the user's IAM policy, and bucket policies are separate from IAM policies.

337
Multi-Select, easy

A cloud administrator is troubleshooting a virtual machine that is experiencing high memory usage. The VM is running a web server. Which two metrics should the administrator monitor to determine if the VM needs additional memory? (Choose two.)

Select 2 answers
A. Swap usage
B. Disk I/O wait
C. Page fault rate
D. Available memory
E. CPU ready time
Answers: A, D

High swap usage indicates the OS is using disk as memory, a sign of insufficient physical memory.

Why this answer

Options A and D are correct. Available memory (D) directly shows how much memory is free, and swap usage (A) indicates the OS is using disk as memory, which is a sign of insufficient RAM. Option E (CPU ready time) is a CPU metric.

Option B (disk I/O wait) is disk-related. Option C (page fault rate) indicates paging but is not as direct an indicator as swap usage.

338
MCQ, hard

An organization uses a cloud-based infrastructure with multiple VPCs peered together. The security team notices that traffic between VPCs is not being inspected by the central firewall. What design change should be implemented to ensure all inter-VPC traffic passes through a centralized firewall?

A. Use VPC endpoints for all inter-VPC communication
B. Apply network ACLs to all subnets in each VPC
C. Set up a transit VPC with a firewall appliance and route traffic through it
D. Implement VPC peering between all VPCs and attach a firewall to each VPC
Answer: C

A transit VPC acts as a hub, routing all inter-VPC traffic through a central firewall for inspection.

Why this answer

Option C is correct because a transit VPC architecture uses a centralized hub VPC containing a firewall appliance (e.g., a next-generation firewall) and routes all inter-VPC traffic through it via VPC peering or VPN connections. By configuring route tables in each spoke VPC to point the destination CIDR of other VPCs to the transit VPC's firewall, every packet between VPCs is forced through the firewall for inspection, ensuring compliance with security policies.

Exam trap

The trap here is that candidates confuse VPC peering (which allows direct, non-inspected traffic) with a transit VPC (which forces traffic through a central inspection point), or they mistakenly think network ACLs or VPC endpoints can provide centralized traffic inspection.

How to eliminate wrong answers

Option A is wrong because VPC endpoints (e.g., Gateway or Interface endpoints) are designed for private connectivity to AWS services (like S3 or DynamoDB) without traversing the internet, not for routing general inter-VPC traffic through a central firewall. Option B is wrong because network ACLs are stateless, subnet-level filters that control inbound/outbound traffic at the subnet boundary but do not force traffic through a centralized inspection point; they only allow or deny traffic based on rules, not route it. Option D is wrong because implementing VPC peering between all VPCs creates a full mesh, but attaching a firewall to each VPC would require managing multiple firewalls and does not guarantee centralized inspection; traffic would flow directly between peered VPCs without passing through a single firewall, defeating the goal of centralized inspection.

339
MCQ, easy

A cloud engineer is responsible for securing a multi-tier application deployed on IaaS. The application consists of web servers, application servers, and database servers. The engineer needs to implement network segmentation to minimize the attack surface. Which of the following is the BEST approach?

A. Use a single security group for all instances and define rules to allow traffic between tiers.
B. Create separate subnets for each tier and configure security groups to allow only required traffic between them.
C. Place web servers in a public subnet and application and database servers in the same private subnet with a common security group.
D. Place all instances in the same subnet and use network ACLs to restrict traffic between tiers.
Answer: B

Separate subnets with security groups enforce network segmentation and least privilege.

Why this answer

Option B is correct because creating separate subnets for each tier enforces network segmentation at the IP layer, which is a fundamental security best practice for multi-tier applications. By configuring security groups (stateful firewalls) to allow only the specific required traffic (e.g., HTTP/HTTPS from web to app, SQL from app to database), the engineer minimizes the attack surface by preventing lateral movement if one tier is compromised. This approach aligns with the principle of least privilege and is the most effective method in IaaS environments like AWS, Azure, or GCP.

Exam trap

The trap here is that candidates often confuse security groups with network ACLs or assume that placing servers in the same subnet with restrictive rules is sufficient, but Cisco tests the understanding that true network segmentation requires separate subnets (or VLANs) to prevent layer-2 adjacency and lateral movement.

How to eliminate wrong answers

Option A is wrong because using a single security group for all instances violates network segmentation; any instance can potentially communicate with any other if rules are too permissive, and it does not isolate tiers, increasing the blast radius. Option C is wrong because placing application and database servers in the same private subnet with a common security group fails to isolate the database tier from the application tier, allowing an attacker who compromises the app server to directly access the database without additional network-level controls. Option D is wrong because placing all instances in the same subnet and relying solely on network ACLs (stateless) is insufficient; network ACLs evaluate rules in order and require explicit allow rules for return traffic, making them more complex to manage and easier to misconfigure, and they do not provide the same granular, stateful control as security groups.

340
MCQ, medium

A cloud architect is designing a deployment strategy for a web application that must handle unpredictable traffic spikes. The application runs in containers on a Kubernetes cluster. The architect wants to minimize costs while ensuring that the cluster can scale out rapidly during spikes. Which deployment strategy best meets these requirements?

A.Pre-provision a fixed number of pods to handle peak load at all times.
B.Manually scale the deployment when monitoring alerts indicate high traffic.
C.Implement horizontal pod autoscaling based on CPU utilization.
D.Use vertical pod autoscaling to increase resource limits on existing pods.
AnswerC

HPA automatically adds/removes pods to match demand.

Why this answer

Horizontal Pod Autoscaling (HPA) automatically adjusts the number of pod replicas based on observed CPU utilization (or custom metrics), enabling rapid scale-out during traffic spikes without manual intervention. This minimizes costs by running only the necessary pods during low traffic while ensuring the cluster can react quickly to increased demand, which aligns with the requirement for unpredictable spikes.

Exam trap

CompTIA often tests the distinction between horizontal and vertical scaling in the context of cost and rapid elasticity; the trap here is that candidates may choose vertical autoscaling (Option D) thinking it is cheaper, but it cannot scale out quickly enough for unpredictable spikes and is limited by node resources.

How to eliminate wrong answers

Option A is wrong because pre-provisioning a fixed number of pods to handle peak load at all times results in over-provisioning and higher costs, as resources are wasted during low-traffic periods. Option B is wrong because manually scaling the deployment when monitoring alerts indicate high traffic introduces latency and cannot react quickly enough to unpredictable spikes, risking performance degradation. Option D is wrong because vertical pod autoscaling increases resource limits on existing pods, which does not provide rapid scale-out; it is limited by node capacity and cannot handle sudden traffic surges as effectively as adding more pod replicas.
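The arithmetic behind the HPA decision described above, as an added example that is not part of this question bank. The formula is the one the Kubernetes HPA controller documents (desired = ceil(current replicas x current metric / target metric), with a default 10% tolerance band and clamping to the min/max replica bounds); the pod CPU readings, request size and bounds are constructed.

```python
"""Kubernetes HorizontalPodAutoscaler replica calculation (added example, not from the page)."""
import math


def average_utilization_pct(pod_usage_millicores, cpu_request_millicores):
    """HPA's averageUtilization: mean usage across pods as a percentage of the CPU request."""
    return 100 * sum(pod_usage_millicores) / (len(pod_usage_millicores) * cpu_request_millicores)


def hpa_desired_replicas(current_replicas, pod_usage_millicores, cpu_request_millicores,
                         target_utilization_pct, min_replicas, max_replicas, tolerance=0.1):
    """Return the replica count the HPA controller would set for this observation."""
    current = average_utilization_pct(pod_usage_millicores, cpu_request_millicores)
    ratio = current / target_utilization_pct
    if abs(ratio - 1.0) <= tolerance:
        return current_replicas  # inside the tolerance band: no scaling action
    desired = math.ceil(current_replicas * ratio)
    return max(min_replicas, min(max_replicas, desired))


if __name__ == "__main__":
    # Spike: 3 pods averaging 96% of a 500m request against a 50% target -> scale out to 6.
    print(hpa_desired_replicas(3, [450, 480, 510], 500, 50, 2, 10))
    # Quiet: 3 pods at 10% -> ratio 0.2 -> ceil(0.6) = 1, clamped up to minReplicas 2.
    print(hpa_desired_replicas(3, [50, 40, 60], 500, 50, 2, 10))
    # On target: exactly 50% -> within tolerance, stay at 3.
    print(hpa_desired_replicas(3, [260, 240, 250], 500, 50, 2, 10))
    # Runaway: ratio 5 would ask for 15, clamped down to maxReplicas 10.
    print(hpa_desired_replicas(3, [500, 500, 500], 500, 20, 2, 10))
```

The last case is the cost control the question is after: maxReplicas caps what a traffic spike (or a denial-of-service) can make you pay for, while minReplicas keeps enough capacity to absorb the first seconds of a spike before new pods are ready.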

341
MCQmedium

A cloud administrator is troubleshooting connectivity issues between two virtual networks in different regions. The VNets are peered, but instances cannot communicate. The administrator verifies that the peering status is 'Connected' and route tables appear correct. Which of the following should be checked next?

A.Network Security Group (NSG) rules on the instances and subnets
B.DNS resolution settings
C.Gateway subnet configuration
D.Service endpoint status
AnswerA

Correct; NSGs can block traffic even if VNet peering is established.

Why this answer

Even when VNet peering status shows 'Connected' and route tables are correct, Network Security Group (NSG) rules can still block traffic. NSGs act as a stateful firewall at the subnet or NIC level and are evaluated in priority order, first match wins. Their default rules allow inbound traffic from the VirtualNetwork service tag (which covers peered VNets) and deny everything else, but a custom higher-priority deny rule, or a custom allow list that omits the peered address range, silently drops the inter-region traffic. Since routing has already been verified, the next logical step is to check the effective NSG rules on both the subnets and the NICs for a deny that matches the peered VNet's address space.

Exam trap

The trap here is that candidates assume a 'Connected' peering status guarantees traffic flow, but they overlook that NSGs can silently drop traffic even when peering and routing are correctly configured.

How to eliminate wrong answers

Option B is wrong because DNS resolution settings affect name resolution, not IP-level connectivity; if instances cannot communicate via IP, DNS is irrelevant. Option C is wrong because gateway subnets are only used for VPN or ExpressRoute gateways, not for VNet peering; peering does not require a gateway. Option D is wrong because service endpoints are used to secure Azure service access (e.g., Storage, SQL) from a VNet, not for traffic between peered VNets; they do not control inter-VNet communication.
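How a packet from the peered VNet is actually decided against an NSG, as an added example that is not part of this question bank. Azure evaluates NSG rules lowest priority number first and stops at the first match; the three default inbound rules (65000 AllowVnetInBound, 65001 AllowAzureLoadBalancerInBound, 65500 DenyAllInBound) are real, while the address spaces, custom rules and source addresses below are constructed. The VirtualNetwork service tag is modelled as the local VNet plus peered VNet address spaces, which is how Azure expands it.

```python
"""Evaluate Azure-style NSG inbound rules by priority (added example, not from the page)."""
import ipaddress

VIRTUAL_NETWORK_TAG = ["10.10.0.0/16", "10.20.0.0/16"]  # constructed: local VNet + peered VNet

# (priority, name, source, destination ports, action); '*' means any
DEFAULT_INBOUND_RULES = [
    (65000, "AllowVnetInBound", "VirtualNetwork", "*", "Allow"),
    (65001, "AllowAzureLoadBalancerInBound", "168.63.129.16/32", "*", "Allow"),
    (65500, "DenyAllInBound", "*", "*", "Deny"),
]

# Constructed custom rules: a deny on the peered range outranks the default VNet allow.
CUSTOM_RULES = [
    (100, "DenyPeeredVnet", "10.20.0.0/16", "*", "Deny"),
    (110, "AllowWebFromVnet", "VirtualNetwork", "80,443", "Allow"),
]


def source_matches(source, src_ip):
    """Match '*', a service tag, or a CIDR against the packet's source address."""
    if source == "*":
        return True
    nets = VIRTUAL_NETWORK_TAG if source == "VirtualNetwork" else [source]
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in nets)


def port_matches(spec, port):
    """Match '*', a single port, a range 'a-b', or a comma-separated list of those."""
    if spec == "*":
        return True
    for part in str(spec).split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_inbound(custom_rules, src_ip, dst_port):
    """Return (action, rule name) of the first matching rule in ascending priority order."""
    for priority, name, source, ports, action in sorted(custom_rules + DEFAULT_INBOUND_RULES):
        if source_matches(source, src_ip) and port_matches(ports, dst_port):
            return action, name
    return "Deny", "DenyAllInBound"  # not reached: the default deny matches everything


if __name__ == "__main__":
    print(evaluate_inbound([], "10.20.1.4", 443))            # ('Allow', 'AllowVnetInBound')
    print(evaluate_inbound(CUSTOM_RULES, "10.20.1.4", 443))  # ('Deny', 'DenyPeeredVnet')
    print(evaluate_inbound(CUSTOM_RULES, "10.10.1.4", 443))  # ('Allow', 'AllowWebFromVnet')
    print(evaluate_inbound(CUSTOM_RULES, "203.0.113.7", 22)) # ('Deny', 'DenyAllInBound')
```

With no custom rules the peered traffic is allowed by the default VNet rule, which is why peering "just works" on a fresh subnet; one custom deny at priority 100 is enough to break it while the peering status stays Connected. In Azure the same question is answered by the effective security rules view or IP flow verify in Network Watcher.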

342
MCQhard

A company has a hybrid cloud environment with on-premises servers and AWS. They deploy a new application using AWS Elastic Beanstalk with a load balancer and auto scaling group. The application is a Node.js API that connects to an RDS MySQL database. After deployment, users report that the API returns a '500 Internal Server Error' intermittently. The application logs show 'ETIMEDOUT' errors when connecting to the database. The database is deployed in a private subnet with a security group that allows inbound traffic from the Elastic Beanstalk environment's security group. The database connection string uses the RDS endpoint. The same application works perfectly when deployed on-premises. What is the most likely cause?

A.The database connection string uses the wrong port number
B.The Elastic Beanstalk environment is in a different VPC or subnet that cannot reach the RDS instance
C.The security group attached to the RDS instance does not allow traffic from the Elastic Beanstalk environment
D.The RDS instance is in a failed state and needs to be rebooted
AnswerB

Network connectivity between VPCs or subnets is likely misconfigured, causing timeouts.

Why this answer

The intermittent 'ETIMEDOUT' errors indicate a network connectivity issue between the Elastic Beanstalk environment and the RDS database. Since the application works on-premises, the problem is specific to the AWS networking configuration. The most likely cause is that the Elastic Beanstalk environment is deployed in a different VPC or subnet that lacks routing or a VPC peering connection to reach the RDS instance's private subnet, causing timeouts when the load balancer or auto scaling group instances attempt to connect.

Exam trap

The trap here is that candidates often assume a security group misconfiguration is the cause, but CompTIA tests the understanding that 'ETIMEDOUT' means packets are being silently dropped rather than rejected: an authentication failure would return an 'Access denied' error and a closed port a 'Connection refused', both of which prove the host was reached. Since the question states the database security group already allows the environment's security group, the remaining explanation is a reachability problem (routing or VPC isolation), and the intermittency fits auto-scaled instances landing in subnets with different routing.

How to eliminate wrong answers

Option A is wrong because the connection string uses the RDS endpoint with the database port (3306 for MySQL by default), and the same string works on-premises; a wrong port would fail on every request rather than intermittently. Option C is wrong because the question states the database security group already allows inbound traffic from the Elastic Beanstalk environment's security group; note that a security group block would also surface as a timeout, since security groups drop silently rather than sending a reset, but it would do so consistently for every instance, not intermittently. Option D is wrong because an RDS instance in a failed state would produce persistent errors for all connections, not intermittent timeouts, and rebooting would not repair a network path problem.

343
MCQeasy

A cloud administrator notices that a web application is experiencing intermittent latency spikes. The application runs on a load-balanced set of virtual machines in a public cloud. Which of the following should the administrator investigate FIRST?

A.Verify that the VMs are in the same availability zone.
B.Inspect the network ACLs for any recent changes.
C.Check the load balancer health checks to ensure all instances are healthy.
D.Review the application logs for errors or performance issues.
AnswerD

Application logs can reveal slow queries, resource contention, or code errors that cause intermittent latency.

Why this answer

Option D is correct because intermittent latency spikes in a load-balanced web application are most effectively diagnosed by first reviewing application logs for errors or performance issues. Application logs can reveal slow database queries, memory exhaustion, or code-level bottlenecks that cause latency, which is the most direct source of evidence before investigating network or infrastructure components.

Exam trap

CompTIA often tests the principle of starting with the most direct evidence (application logs) rather than jumping to network or infrastructure checks, trapping candidates who assume latency must be a network issue.

How to eliminate wrong answers

Option A is wrong because VMs in the same availability zone do not prevent latency spikes; in fact, placing all VMs in one zone increases risk of zone failure and does not address intermittent performance issues. Option B is wrong because network ACLs are stateless and changes would typically cause consistent connectivity failures or denials, not intermittent latency spikes. Option C is wrong because load balancer health checks only verify instance reachability and basic responsiveness, not application-level performance; healthy instances can still suffer from internal latency issues.

344
Multi-Selectmedium

Which TWO of the following are benefits of a multi-cloud strategy? (Select exactly two.)

Select 2 answers
A.Reduces data transfer costs
B.Ensures regulatory compliance in all regions
C.Avoids vendor lock-in
D.Improves disaster recovery by allowing failover across providers
E.Simplifies management by using a single cloud provider
AnswersC, D

Multi-cloud allows portability and reduces dependency on a single provider.

Why this answer

Options C and D are correct. Multi-cloud avoids vendor lock-in (C) because workloads are built to be portable across providers, and it improves disaster recovery (D) because an outage at one provider can be survived by failing over to another. Option A is wrong because moving data between providers usually increases transfer (egress) costs rather than reducing them. Option B is wrong because using more providers does not guarantee compliance; each provider and region must still be assessed against the applicable regulations. Option E is wrong because a multi-cloud strategy by definition uses more than one provider, which adds management complexity rather than simplifying it.

345
MCQmedium

A company is migrating its on-premises application to the cloud and wants to ensure high availability across multiple geographic regions. The application consists of stateless web servers and a stateful database. Which architecture should the company implement?

A.Active-passive web servers in two regions with a single database in the primary region
B.Active-active web servers in two regions with read replicas in each region
C.Active-active web servers in two regions with a multi-region database replication
D.Active-active web servers in one region with a standby database in another region
AnswerC

Multi-region replication allows failover for both reads and writes.

Why this answer

Option C is correct because the application requires high availability across multiple geographic regions for both the stateless web servers and the stateful database. Active-active web servers in two regions provide traffic distribution and failover, while multi-region database replication (e.g., MySQL Group Replication or Amazon Aurora Global Database) keeps the stateful database synchronized across regions, so the surviving region can be promoted for reads and writes if the other fails. Synchronous replication gives a near-zero RPO at the cost of write latency; asynchronous cross-region replication keeps latency low but can lose the last few seconds of changes on failover, so the choice should follow the application's RPO.

Exam trap

CompTIA often tests the misconception that read replicas alone provide high availability for a stateful database, but candidates must remember that read replicas are read-only and cannot handle writes, so they do not ensure full database availability during a primary failure.

How to eliminate wrong answers

Option A is wrong because a single database in the primary region creates a single point of failure; if the primary region fails, the database becomes unavailable, breaking high availability. Option B is wrong because read replicas are read-only and cannot handle write operations; if the primary database fails, writes cannot be processed, so the stateful database is not fully highly available. Option D is wrong because active-active web servers in one region cannot survive a regional outage; the standby database in another region is passive and requires manual or automated failover, which introduces downtime and potential data loss.

346
MCQmedium

An organization uses a cloud-based monitoring service to track CPU utilization across a fleet of virtual machines. The administrator notices that one VM consistently shows 100% CPU utilization at the same time each day. Which of the following should the administrator do NEXT?

A.Add the VM to an auto scaling group to distribute the load
B.Immediately increase the VM size to accommodate the peak
C.Check the VM's local task scheduler for any jobs running during the peak times
D.Scan the VM for malware that might be causing the activity
AnswerC

Scheduled tasks could be the cause of the recurring CPU spike.

Why this answer

Option C is correct because the consistent daily spike in CPU utilization at the same time strongly suggests a scheduled task or cron job is triggering the load. Checking the VM's local task scheduler (e.g., Task Scheduler on Windows or cron on Linux) is the logical first step to identify the specific process causing the spike before taking any remediation actions.

Exam trap

The trap here is that candidates may jump to scaling or security responses (auto scaling, resizing, malware scan) without first performing basic troubleshooting to identify the predictable, recurring process causing the CPU spike.

How to eliminate wrong answers

Option A is wrong because adding the VM to an auto scaling group does not distribute the load within a single VM; auto scaling adds or removes instances horizontally, which would not address a local process consuming 100% CPU on one VM. Option B is wrong because immediately increasing the VM size (vertical scaling) is a reactive, costly approach that does not identify the root cause; the administrator should first investigate what is causing the spike. Option D is wrong because while malware can cause high CPU usage, the predictable daily pattern at the same time is more indicative of a scheduled job than malware, which typically exhibits random or persistent activity.
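The check the administrator would run on the Linux side, as an added example that is not part of this question bank. The crontab text is a constructed sample in system crontab format (minute, hour, day-of-month, month, day-of-week, user, command); the matcher understands '*', lists, ranges and '/step' values, which covers the usual "what runs at 02:00 every day?" question.

```python
"""Find cron jobs scheduled at a recurring time (added example, not from the page)."""

CRONTAB = """\
# constructed /etc/crontab-style sample
0 2 * * * root /usr/local/bin/nightly-backup.sh
*/15 * * * * root /usr/bin/collect-metrics
0 2 * * 0 root /usr/sbin/logrotate -f /etc/logrotate.conf
30 2 1 * * root /opt/reports/monthly.sh
"""


def field_matches(field, value, lo, hi):
    """Match one crontab field ('*', 'n', 'a-b', lists, and '/step') against a value."""
    for part in field.split(","):
        part, _, step = part.partition("/")
        step = int(step) if step else 1
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = int(part)
            end = hi if step > 1 else start  # 'n/step' means n, n+step, ... up to the field max
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False


def jobs_at(crontab_text, hour, minute):
    """Every job whose minute and hour fields fire at hour:minute on at least some day."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        minute_f, hour_f, dom, mon, dow, user, command = fields
        if field_matches(minute_f, minute, 0, 59) and field_matches(hour_f, hour, 0, 23):
            hits.append({
                "user": user,
                "command": command,
                "schedule": f"{minute_f} {hour_f} {dom} {mon} {dow}",
                "every_day": dom == "*" and mon == "*" and dow == "*",
            })
    return hits


def daily_jobs_at(crontab_text, hour, minute):
    """Only the jobs that fire at hour:minute every day: the suspects for a daily CPU spike."""
    return [job for job in jobs_at(crontab_text, hour, minute) if job["every_day"]]


if __name__ == "__main__":
    for job in jobs_at(CRONTAB, 2, 0):
        print(job["schedule"], job["user"], job["command"], "(daily)" if job["every_day"] else "")
```

Note that the every-15-minutes metrics collector also matches 02:00, which is why the search should be narrowed to jobs that fire only at the spike time; on a real host the same pass should also cover per-user crontabs, /etc/cron.d, and systemd timers (systemctl list-timers).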

347
MCQeasy

A company is migrating its on-premises e-commerce application to a public cloud provider. The application consists of a web tier, an application tier, and a database tier. The cloud architect has designed a three-tier architecture using virtual machines (VMs) in a virtual private cloud (VPC). During the deployment, the web servers are placed in a public subnet, the application servers in a private subnet, and the database servers in a separate private subnet. All security groups and network ACLs have been configured to allow the required traffic. After deploying the application, the operations team reports that the web servers cannot communicate with the application servers. The web servers are able to reach the internet, and the application servers can be reached from the operations team's management bastion host. Which of the following is the MOST likely cause of the issue?

A.The route table associated with the web servers' subnet is missing a route to the application servers' subnet.
B.The web servers do not have a route to the internet gateway.
C.The network ACL on the application servers' subnet is blocking inbound traffic from the web servers.
D.The security group on the web servers is blocking outbound traffic to the application servers.
AnswerA

Correct: Without a route to the private subnet, traffic is dropped.

Why this answer

The web servers are in a public subnet whose route table has a default route (0.0.0.0/0) to an internet gateway, which is why they can reach the internet. For them to reach the application servers, that same route table must also contain a route covering the application subnet's CIDR: the VPC's local route when both subnets are in one VPC, or a peering route when they are not. In a single VPC the local route for the whole VPC CIDR is normally present by default, so the scenario implies it is absent from a custom route table or shadowed by a more specific route (for example one pointing at an inspection appliance) that does not deliver traffic to the application subnet. Without a usable route, packets to the application servers are dropped even though security groups and network ACLs are configured correctly.

Exam trap

CompTIA often tests the misconception that security groups or network ACLs are the primary cause of connectivity issues between subnets, when in reality the missing route in the subnet's route table is the root cause, especially when internet access works but inter-subnet communication fails.

How to eliminate wrong answers

Option B is wrong because the web servers can already reach the internet, which means they have a valid route to the internet gateway (0.0.0.0/0 via IGW), so the issue is not a missing internet gateway route. Option C is wrong because the question states the network ACLs allow the required traffic; network ACLs are stateless, so a block would have to be an explicit inbound deny for the web subnet's CIDR (or a missing outbound allow for ephemeral ports), and the bastion host's successful access shows the application subnet's ACL is passing inter-subnet traffic in general. Option D is wrong because, although security groups have outbound as well as inbound rules, the question states all security groups allow the required traffic, and the web servers already reach the internet, which would not work if their outbound rules were blocking; an outbound rule that blocked only the application subnet would contradict the stated configuration.

348
MCQmedium

A cloud load balancer is not distributing traffic evenly to backend servers. All servers pass health checks. Which of the following is the most likely cause?

A.The health check interval is set too long.
B.One of the backend servers has reached its connection limit.
C.Session persistence is enabled and directing traffic to specific servers.
D.The health check path is incorrect.
AnswerC

Sticky sessions bind clients to a server, causing imbalance.

Why this answer

Option C is correct because session persistence (sticky sessions) pins each client to the backend that served its first request, so a few long-lived or heavy clients can leave one server far busier than the others even though the balancing algorithm itself is fair. Option A is wrong because the health check interval only affects how quickly a failed backend is detected and removed, not how traffic is distributed among healthy ones. Option B is wrong because a backend at its connection limit would be receiving less traffic, not more, and would typically start failing health checks, which the question says all pass. Option D is wrong because an incorrect health check path would mark the backends unhealthy, and the question states they all pass.

349
MCQeasy

A cloud administrator notices that a storage bucket in a cloud object storage service is publicly accessible. The bucket contains sensitive customer data. What is the most likely cause of this issue?

A.The bucket policy or ACL was set to allow public access.
B.The bucket has versioning enabled.
C.The bucket has a lifecycle policy to transition objects to archival storage.
D.The bucket is using server-side encryption with customer-provided keys.
AnswerA

Misconfigured permissions are the typical cause of public buckets.

Why this answer

Option A is correct because a bucket policy or ACL that grants access to everyone (an anonymous or 'all users' principal) is the usual reason a bucket is publicly readable; the fix is to remove that grant and enable the provider's block-public-access setting so it cannot be reintroduced. Option B is wrong because versioning only retains prior object versions and has no effect on who can read them. Option C is wrong because lifecycle policies move or expire objects over time and do not change access permissions. Option D is wrong because server-side encryption protects data at rest and is independent of the access policy; it neither causes nor prevents a public grant.

350
MCQhard

A cloud administrator runs the `iostat` command on a Linux VM experiencing slow performance. Based on the exhibit, what is the most likely bottleneck?

A.Disk I/O is saturated.
B.Network bandwidth is limited.
C.CPU is overloaded.
D.Memory is insufficient.
AnswerA

High %iowait and disk utilization indicate I/O bottleneck.

Why this answer

The `iostat` command reports CPU and I/O statistics. The exhibit shows `%util` close to 100% (e.g., 99.9%) together with elevated `await` values (newer sysstat versions split this into `r_await` and `w_await`; `svctm` is deprecated and no longer meaningful), indicating that the disk device is busy almost all of the time and requests are waiting in its queue. A high `%iowait` on the CPU line confirms the same picture from the other side: processes are idle waiting for the disk, not competing for the CPU.

Exam trap

The trap here is that candidates may misinterpret high `%util` as a CPU bottleneck because `iostat` also displays CPU stats, but the question specifically asks about the bottleneck indicated by the exhibit, which clearly points to disk I/O saturation.

How to eliminate wrong answers

Option B is wrong because `iostat` does not measure network bandwidth; network issues would be diagnosed with tools like `netstat`, `ss`, or `iperf`. Option C is wrong because `iostat` shows CPU statistics (e.g., `%user`, `%system`), and if the CPU were overloaded, those values would be high while disk `%util` might remain low; the exhibit indicates disk saturation, not CPU exhaustion. Option D is wrong because insufficient memory would manifest as high swap usage or out-of-memory (OOM) events, not as high disk `%util`; memory issues are diagnosed with `free`, `vmstat`, or `top`.
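The same reading turned into a parser and a rule, as an added example that is not part of this question bank. The column names follow sysstat's extended (`iostat -x`) format and the sample output is constructed to resemble a VM whose root disk is pegged; columns are located by header name so the parser tolerates the differences between sysstat versions (r_await/w_await versus a single await).

```python
"""Parse `iostat -x` output and name the bottleneck (added example, not from the page)."""

SAMPLE = """\
Linux 5.15.0 (web-01)   01/01/24   _x86_64_   (2 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           6.10    0.00    3.20   61.50    0.00   29.20

Device            r/s     w/s     rkB/s     wkB/s   rrqm/s   wrqm/s  %rrqm  %wrqm r_await w_await aqu-sz rareq-sz wareq-sz  svctm  %util
nvme0n1        120.00  850.00   4800.0   68000.0     0.00    30.00   0.00   3.41   45.20   88.60  60.12    40.00    80.00   1.03  99.90
nvme1n1          2.00    1.00     16.0       8.0     0.00     0.00   0.00   0.00    0.50    0.80   0.00     8.00     8.00   0.33   0.10
"""


def parse_iostat(text):
    """Return (cpu dict, list of per-device dicts) keyed by the column names in the output."""
    cpu, devices, lines = {}, [], text.splitlines()
    i = 0
    while i < len(lines):
        cols = lines[i].split()
        if cols and cols[0] == "avg-cpu:":
            values = lines[i + 1].split()            # the CPU numbers are on the next line
            cpu = {name: float(v) for name, v in zip(cols[1:], values)}
            i += 2
            continue
        if cols and cols[0] == "Device":
            header = cols
            i += 1
            while i < len(lines) and lines[i].strip():  # device rows run until a blank line
                row = lines[i].split()
                dev = {"device": row[0]}
                dev.update({name: float(v) for name, v in zip(header[1:], row[1:])})
                devices.append(dev)
                i += 1
            continue
        i += 1
    return cpu, devices


def await_ms(dev):
    """Average request latency; older sysstat prints one 'await', newer ones split it."""
    if "await" in dev:
        return dev["await"]
    return max(dev.get("r_await", 0.0), dev.get("w_await", 0.0))


def diagnose(text, util_threshold=90.0, await_threshold_ms=20.0):
    """Flag devices that are both nearly always busy and slow to answer, then name the bottleneck."""
    cpu, devices = parse_iostat(text)
    saturated = [d["device"] for d in devices
                 if d.get("%util", 0.0) >= util_threshold and await_ms(d) >= await_threshold_ms]
    busy_cpu = cpu.get("%user", 0.0) + cpu.get("%system", 0.0)
    return {
        "iowait_pct": cpu.get("%iowait", 0.0),
        "saturated_devices": saturated,
        "bottleneck": "disk I/O" if saturated else ("CPU" if busy_cpu >= 80.0 else "undetermined"),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

The thresholds are assumptions, not sysstat's: a single `%util` reading of 100% on an NVMe device that completes requests in parallel is not proof of saturation, which is why the rule also requires the latency to have climbed.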

351
Multi-Selectmedium

A cloud operations team is analyzing a security incident in which an unauthorized user accessed a storage bucket. The bucket was configured with public access. Which three best practices should the team implement to prevent such incidents in the future? (Select THREE).

Select 3 answers
A.Enable access logging and monitor logs.
B.Enable encryption on the storage bucket.
C.Implement least privilege access policies.
D.Enable versioning on the bucket.
E.Use bucket policies to deny all public access.
AnswersA, C, E

Correct. Logging provides visibility into access patterns and aids in detecting anomalies.

Why this answer

Implementing least privilege, denying public access, and enabling access logging help prevent and detect unauthorized access.
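The two preceding questions (the public bucket, and the controls that prevent it) both come down to inspecting the bucket's policy and ACL for grants to everyone and then adding an explicit deny. The checker below is an added example that is not part of this question bank; the policy document, ACL grants, bucket name and account ID are constructed samples in AWS S3 syntax, and the classification is a simplified version of the rule AWS applies (an Allow to principal "*" with no narrowing Condition is public), not the full IAM Access Analyzer algorithm, so statements marked "conditional" still need a human look.

```python
"""Find public grants on a bucket and build a deny-outside-account statement (added example)."""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed bucket policy: one truly public statement, one narrowed by a condition, one scoped.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}}},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"},
    ],
}

# Constructed ACL grants in the shape get-bucket-acl returns.
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "abc123"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]


def principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (in string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def classify_statement(stmt):
    """'public', 'conditional' (everyone, but narrowed by a Condition) or 'scoped'."""
    if stmt.get("Effect") != "Allow" or not principal_is_everyone(stmt.get("Principal")):
        return "scoped"
    return "conditional" if stmt.get("Condition") else "public"


def audit_policy(policy):
    """(Sid, classification) for every statement that is public or needs review."""
    return [(s.get("Sid", "<no Sid>"), classify_statement(s))
            for s in policy.get("Statement", []) if classify_statement(s) != "scoped"]


def acl_public_grants(grants):
    """Permissions granted to the AllUsers or AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def deny_outside_account_statement(bucket, account_id):
    """Explicit Deny for any principal outside the owning account; an explicit Deny beats any Allow."""
    return {
        "Sid": "DenyOutsideAccount",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringNotEquals": {"aws:PrincipalAccount": account_id}},
    }


if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
    print(acl_public_grants(SAMPLE_ACL_GRANTS))
    print(json.dumps(deny_outside_account_statement("customer-exports", "111122223333"), indent=2))
```

The deny statement works because `aws:PrincipalAccount` is absent for anonymous requests, and a negated string condition on an absent key evaluates true, so anonymous and cross-account callers are all denied. Treat it as belt and braces: the primary control is the provider's account-level block-public-access setting, which rejects public policies and ACLs before they take effect, and access logging is what tells you the deny is actually being hit.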

352
Multi-Selectmedium

Which TWO factors should be considered when choosing a cloud deployment model (public, private, hybrid)? (Select TWO.)

Select 2 answers
A.Number of monitors connected to the server
B.Data sensitivity and classification
C.Compliance requirements (e.g., GDPR, HIPAA)
D.Brand of physical servers used
E.Color of server racks in the data center
AnswersB, C

Sensitive data may require private cloud for tighter control.

Why this answer

Data sensitivity and classification (B) are critical because public cloud providers operate a shared responsibility model where the customer retains control over data classification and access policies, while the provider manages the infrastructure. Highly sensitive data (e.g., PII, trade secrets) often mandates a private or hybrid model to maintain strict network isolation and encryption at rest/in transit. Compliance requirements (C) such as GDPR or HIPAA impose legal obligations on data residency, audit logging, and breach notification, which may restrict the use of certain public cloud regions or require dedicated hardware, directly influencing the deployment model choice.

Exam trap

CompTIA often tests the misconception that physical hardware attributes (brand, color, monitor count) influence cloud deployment decisions, when in fact the choice is driven by data governance, compliance, cost and operational requirements, none of which depend on what the hardware looks like.

353
Matchingmedium

Match each high-availability concept to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Distribute traffic across multiple servers

Isolated location within a region

One node active, one standby

All nodes serve traffic simultaneously

Why these pairings

Architectures and components for high availability.

354
MCQmedium

A DevOps team sets up a CI/CD pipeline for a containerized application on Kubernetes. They want to test a new version with a small subset of users before full rollout. Which deployment method should they use?

A.Canary
B.Recreate
C.Rolling update
D.Blue/green
AnswerA

Canary sends a small percentage of traffic to the new version for testing.

Why this answer

A canary deployment releases the new version to a small subset of users (e.g., 5-10% of traffic) while the rest continue using the stable version. This allows the team to watch error rates, latency and user feedback before gradually increasing the rollout, and to roll back by simply removing the canary if the metrics regress. Kubernetes has no built-in canary object: a canary is usually built from two Deployments behind one Service, with the traffic share set roughly by the replica counts, or, for precise percentages and header-based routing, by traffic splitting in an ingress controller or a service mesh such as Istio or Linkerd.

Exam trap

CompTIA often tests the distinction between canary and rolling update by implying that rolling updates can also target a subset of users, but rolling updates replace pods gradually across the entire cluster without user-based traffic splitting.

How to eliminate wrong answers

Option B (Recreate) is wrong because it terminates all existing pods before creating new ones, causing full downtime and no ability to test with a subset of users. Option C (Rolling update) is wrong because it gradually replaces pods but does not allow fine-grained traffic splitting to a specific user subset; all users eventually receive the new version during the update. Option D (Blue/green) is wrong because it runs two full environments and switches all traffic at once, which does not provide a gradual, user-subset testing phase.

355
MCQeasy

A cloud administrator sets up a monitoring alarm to trigger when CPU utilization exceeds 90% for 5 minutes. The alarm uses a period of 5 minutes and an evaluation period of 1. The alarm does not trigger even though CPU spikes above 90% for several minutes. What is the most likely cause?

A.The monitoring service does not support CPU utilization.
B.The alarm's evaluation period is set to 2 periods.
C.The alarm's statistic is set to 'Average', which smooths out short spikes.
D.The alarm action is not configured.
AnswerC

The 5-minute average might not exceed 90% if the spike is not sustained for most of the period.

Why this answer

Option C is correct because, with a 5-minute period and a single evaluation period, the alarm sees one datapoint per period, and with the Average statistic that datapoint is the mean of every sample in the 5 minutes; a spike that lasts only part of the period is diluted below 90% by the quieter samples. Using the Maximum statistic, a shorter period, or a rule that requires N of M one-minute datapoints to breach would catch it. Option A is wrong because CPU utilization is a standard metric in every major monitoring service. Option B is wrong because the question states the evaluation period is 1, so a value of 2 contradicts the given configuration. Option D is wrong because a missing action only suppresses the notification; the alarm would still transition to the ALARM state and show it in the console.
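The evaluation replayed on constructed data, as an added example that is not part of this question bank. The evaluator models CloudWatch-style "M out of N" alarms: samples are grouped into periods, each period is reduced with the chosen statistic, and the alarm fires when at least `datapoints_to_alarm` of the last `evaluation_periods` datapoints breach. The one-minute CPU samples are constructed, and missing-data handling is not modelled.

```python
"""Why an Average-over-5-minutes alarm misses a short spike (added example, not from the page)."""
from statistics import mean

STATISTICS = {"Average": mean, "Maximum": max, "Minimum": min, "Sum": sum}

# Constructed: a 3-minute spike above 90% inside one 5-minute period.
CPU_SAMPLES = [30.0, 95.0, 97.0, 92.0, 40.0]


def datapoints(samples, statistic, period_minutes):
    """Reduce each run of `period_minutes` consecutive samples to one datapoint."""
    reduce = STATISTICS[statistic]
    return [reduce(samples[i:i + period_minutes]) for i in range(0, len(samples), period_minutes)]


def evaluate_alarm(samples, statistic, threshold, period_minutes=5,
                   evaluation_periods=1, datapoints_to_alarm=None):
    """Return 'ALARM' or 'OK' for the most recent evaluation window."""
    datapoints_to_alarm = datapoints_to_alarm or evaluation_periods
    recent = datapoints(samples, statistic, period_minutes)[-evaluation_periods:]
    breaches = sum(1 for value in recent if value > threshold)
    return "ALARM" if breaches >= datapoints_to_alarm else "OK"


if __name__ == "__main__":
    # The exam's configuration: period 5 min, 1 evaluation period, Average -> mean 70.8, no alarm.
    print(evaluate_alarm(CPU_SAMPLES, "Average", 90))
    # Same data with Maximum -> 97 > 90 -> ALARM.
    print(evaluate_alarm(CPU_SAMPLES, "Maximum", 90))
    # One-minute period, 3 of the last 5 datapoints must breach -> caught, without a single outlier firing it.
    print(evaluate_alarm(CPU_SAMPLES, "Average", 90, period_minutes=1, evaluation_periods=5, datapoints_to_alarm=3))
```

The third configuration is usually the right fix in practice: Maximum over a long period is noisy, while a short period with an M-of-N requirement catches a sustained spike and still ignores a single stray sample.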

356
MCQmedium

A company uses a cloud-based object storage service to store backups. The backups must be retained for seven years to meet compliance requirements. Which storage tier should be used to minimize cost while meeting the retention requirement?

A.Archival storage with a minimum retention period of 90 days.
B.Cold storage with a retrieval time of several hours.
C.Infrequent access storage with a retrieval fee.
D.Standard storage with life-cycle policies to delete after seven years.
AnswerB

Correct. Cold storage offers low cost for long-term retention, and retrieval time is acceptable for backup restoration.

Why this answer

Cold storage (e.g., Glacier) is designed for long-term archival with infrequent access, offering low cost per GB and suitable for compliance retention.

357
MCQmedium

A company is deploying a containerized microservices application on a cloud platform. The operations team needs to manage secrets, such as database credentials and API keys, securely without embedding them in container images. Which solution should they use?

A.Include secrets in the container image at build time and encrypt the image
B.Use a cloud-native secrets management service to inject secrets at runtime
C.Encrypt secrets and store them in a cloud storage bucket
D.Store secrets as environment variables in the container orchestration platform
AnswerB

Provides secure storage and access control.

Why this answer

Option B is correct because a dedicated secrets management service (e.g., AWS Secrets Manager, Azure Key Vault, HashiCorp Vault) stores secrets encrypted, gates access with identity-based policies, records an audit trail, and supports rotation; containers retrieve the values at runtime through an API call or a mounted volume, so the image itself contains no secrets. Option A is wrong because anything baked into an image ends up in its layers and is readable by anyone who can pull it, and encrypting the image does not help because it must be decrypted to run. Option C is wrong because a bucket of encrypted files still leaves you managing and distributing the decryption key, with no rotation and no per-secret access control. Option D is wrong because environment variables can leak through process listings, crash dumps, debug endpoints and orchestrator logs, and are inherited by every child process.

358
Matchingmedium

Match each acronym to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Software as a Service

Platform as a Service

Infrastructure as a Service

Function as a Service

Desktop as a Service

Why these pairings

These are common cloud service models tested in Cloud+.

359
MCQeasy

A company has a policy that all cloud resources must be tagged with 'CostCenter' and 'Project' tags. The cloud operations team uses a monitoring tool to alert when untagged resources are created. The team receives an alert for a new EC2 instance that lacks the required tags. The instance was launched two hours ago by a DevOps engineer who is on leave. The instance is critical for production. What should the administrator do to resolve the compliance violation?

A.Terminate the instance immediately and launch a new one with proper tags.
B.Apply the required tags to the existing instance using the cloud provider's console or CLI.
C.Ignore the alert because the instance is critical and the engineer will fix it when back.
D.Modify the tag policy to exempt instances launched by senior engineers.
AnswerB

Tagging can be applied post-creation; this resolves the compliance issue without affecting operations.

Why this answer

The best practice is to apply the missing tags to the existing instance, as it is a critical production resource. Removing or stopping the instance would cause downtime. Applying tags ensures compliance without disrupting operations.

360
Multi-Selecteasy

Which TWO are advantages of using containers over virtual machines? (Select TWO.)

Select 2 answers
A.Better hardware isolation
B.Less overhead because they share the host OS kernel
C.Requires a hypervisor to run
D.Larger resource consumption
E.Faster startup time
AnswersB, E

Shared kernel reduces memory and CPU overhead.

Why this answer

Option B is correct because containers share the host operating system kernel, eliminating the need for a separate guest OS per instance. This reduces overhead significantly compared to virtual machines, which each require their own full OS, leading to more efficient use of system resources. Option E is correct because a container is essentially a process started in isolated namespaces on an already-running kernel, so it is ready in seconds or less, whereas a VM must boot a guest OS. Options A, C and D describe virtual machines: hardware-level isolation and a hypervisor belong to VMs, and larger resource consumption is a disadvantage, not an advantage.

Exam trap

CompTIA often tests the misconception that containers provide stronger isolation than VMs, when in fact VMs offer better security boundaries due to hardware-level virtualization.

361
Matchingmedium

Match each troubleshooting command to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Test network connectivity

Trace path to destination

Query DNS records

Display network connections and ports

Transfer data using various protocols

Why these pairings

Common CLI tools for network troubleshooting.

362
MCQmedium

A company's compliance policy requires that all virtual machine (VM) instances must have security patches applied within 30 days of release. The cloud environment automatically deploys VMs from a golden image. Which strategy would BEST ensure compliance without manual intervention?

A.Use a configuration management tool like Ansible to apply patches on boot.
B.Schedule a nightly job to scan each VM for missing patches and apply them.
C.Update the golden image with the latest patches and redeploy all VMs from it.
D.Install a patch management server and configure VMs to update from it on startup.
AnswerC

This ensures that any VM provisioned from the image is compliant at launch, meeting the 30-day requirement.

Why this answer

Regularly updating the golden image and redeploying from it ensures every instance starts from a patched baseline, so a monthly image refresh keeps all VMs inside the 30-day window without per-VM intervention. Scanning and patching each VM nightly (Option B) is reactive and leaves the image itself stale, so every new VM launches unpatched and drifts from the baseline. Applying patches on boot with a configuration management tool (Option A) can work but delays readiness and depends on every boot completing the run. A patch management server (Option D) also keeps running VMs current but, like the other per-instance approaches, does not fix the image that new VMs are built from.

363
MCQeasy

An Azure administrator runs the command and gets the output shown. The virtual machine 'web-01' is not accessible over the network. Which of the following is the MOST likely reason?

A.The VM name is incorrect.
B.The VM is stopped and deallocated.
C.The VM failed to provision.
D.The VM is in the wrong region.
AnswerB

PowerState shows deallocated, so the VM is not running.

Why this answer

Option B is correct because the output shows a PowerState of deallocated, meaning the VM is not running and its compute resources have been released, so nothing can answer on its address. Option A is wrong because the command returned the VM under the name 'web-01', so the name resolved correctly. Option C is wrong because the provisioning state is Succeeded, not Failed. Option D is wrong because the output shows the VM in its expected location, and a VM in a different region would still be reachable if it were running.

364
MCQmedium

A company is designing a disaster recovery plan for its cloud infrastructure. The primary site is in US-East, and the DR site is in US-West. The RPO is 15 minutes, and the RTO is 2 hours. Which replication strategy best meets these requirements at the lowest cost?

A.Scheduled nightly backups to DR
B.Asynchronous replication from primary to DR
C.Synchronous replication between sites
D.No replication; manual failover
AnswerB

Asynchronous replication achieves near-real-time RPO with lower cost and bandwidth requirements.

Why this answer

Asynchronous replication sends data changes from the primary site to the DR site with minimal delay, typically within seconds to minutes, which meets the 15-minute RPO. It does not require the low-latency link that synchronous replication demands, making it more cost-effective for geographically separated sites. The 2-hour RTO is achievable because the DR site can be activated quickly from the replicated data, without the overhead of restoring from backups.

Exam trap

CompTIA often tests the misconception that synchronous replication is always better for DR, but the trap here is that the 15-minute RPO allows asynchronous replication, which is far more cost-effective across long distances than the expensive low-latency links required for synchronous replication.

How to eliminate wrong answers

Option A is wrong because scheduled nightly backups cannot achieve a 15-minute RPO; the backup window is too long, and recovery from backups would likely exceed the 2-hour RTO due to restore time. Option C is wrong because synchronous replication requires very low latency between sites (typically under 5-10 ms round-trip) to avoid application performance impact, and the distance between US-East and US-West introduces latency that makes this impractical and expensive (dedicated high-bandwidth circuits). Option D is wrong because no replication means no data is copied to the DR site, so manual failover would result in data loss exceeding the RPO and recovery time far beyond the RTO.

365
MCQmedium

A company is deploying a stateful application that requires persistent storage. They are using Kubernetes. Which resource should they create to ensure data persists across pod restarts?

A.Deployment
B.Secret
C.PersistentVolumeClaim
D.ConfigMap
AnswerC

PVC provides persistent storage that survives pod restarts.

Why this answer

A PersistentVolumeClaim (PVC) is the correct resource because it abstracts the underlying storage details and allows a pod to request persistent storage that survives pod restarts. When a pod is recreated, the PVC ensures the same volume is reattached, preserving application state. This is essential for stateful applications in Kubernetes, as pods are ephemeral by default.

Exam trap

The trap here is that candidates confuse a Deployment's ability to manage replicas with data persistence, overlooking that a Deployment alone does not guarantee storage survival across pod restarts without an explicit PVC.

How to eliminate wrong answers

Option A is wrong because a Deployment manages stateless replicas and does not inherently provide persistent storage; it can reference a PVC in its pod template but is not a storage resource itself. Option B is wrong because a Secret is used to store sensitive data like passwords or tokens, not persistent application data. Option D is wrong because a ConfigMap is designed for non-sensitive configuration data (e.g., environment variables or config files); when mounted as a volume it is read-only and holds only what is in the API object, so it is not a place for application state.

366
Multi-Selectmedium

Which TWO of the following are valid considerations when deploying a virtual machine in a cloud environment? (Choose two.)

Select 2 answers
A.The log retention policy
B.The password complexity requirements
C.The instance size and family
D.The number of virtual CPUs assigned to the hypervisor
E.The type of storage (SSD or HDD)
AnswersC, E

Instance size determines vCPU, memory, and cost.

Why this answer

Option C is correct because the instance size and family directly determine the virtual machine's compute capacity, including vCPUs, memory, and network performance. Selecting the appropriate size and family ensures the workload has sufficient resources without over-provisioning, which is a fundamental deployment consideration in cloud environments like AWS EC2 or Azure VMs. Option E is correct because the storage type (SSD or HDD) sets the IOPS, latency and cost profile of the VM's disks, which must match the workload: a database or boot volume normally needs SSD, while cold archive data may not.

Exam trap

CompTIA often tests the distinction between VM-level deployment decisions (instance size, storage type) and post-deployment or hypervisor-level configurations (log retention, password policies, hypervisor vCPU assignment) to catch candidates who confuse operational settings with provisioning choices.

367
MCQeasy

A company's cloud environment has experienced a sudden spike in network traffic, causing a critical application to become unresponsive. Which of the following is the FIRST step the cloud administrator should take to address this issue?

A.Restart the application server to restore service.
B.Analyze the network traffic logs to identify the source of the spike.
C.Contact the cloud provider to report the issue.
D.Increase the bandwidth for the affected application.
AnswerB

Log analysis is the first step in troubleshooting to understand the cause of the spike.

Why this answer

Option B is correct because the first step in troubleshooting is to identify the problem, which here means analyzing the traffic logs to find where the spike comes from (one source, a handful of sources, or broad organic growth) before changing anything; that answer decides whether the fix is rate limiting or blocking, scaling, or a provider escalation. Option D is wrong because increasing bandwidth without understanding the cause can waste resources and, if the spike is abusive traffic, simply absorbs more of it. Option C is wrong because contacting the provider should follow internal diagnosis.

Option A is wrong because restarting may clear the symptom but not the root cause, and the spike will take the application down again.

368
MCQhard

An organization uses a cloud management platform (CMP) to orchestrate resources across multiple cloud providers. The CMP has a policy that automatically terminates any VM that exceeds 85% CPU utilization for more than 15 minutes. The operations team receives complaints that some VMs are being terminated while performing legitimate batch processing jobs. What should the operations team do to resolve this issue?

A.Create a separate VM group with a different policy that allows higher CPU for longer.
B.Disable the automatic termination policy.
C.Add an exclusion list for known batch processing VMs.
D.Increase the CPU threshold to 95% and extend the duration to 30 minutes.
AnswerC

Excluding specific VMs allows the policy to remain effective while protecting batch jobs.

Why this answer

Option C is correct because an exclusion list for known batch-processing VMs stops the unwanted terminations while the policy keeps protecting every other VM. Option B is wrong because disabling the policy removes the auto-healing it provides against runaway processes. Option D is wrong because a higher threshold and a longer window still terminate batch jobs that legitimately run hot for hours, and at the same time weaken detection of genuinely runaway VMs.

Option A is wrong because creating and maintaining a separate VM group and policy is more work than excluding the specific VMs, for the same result. Keep the exclusion list narrow and reviewed: every VM on it is outside the policy's protection.
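The exclusion-list approach above, as an added example that is not part of the exam page: a small Python evaluator that applies the 85%-for-more-than-15-minutes rule to constructed per-minute CPU samples, skips VMs on an exclusion list (by name or by an assumed `workload=batch` tag), and also shows what option D's relaxed thresholds would do to the same VMs. The VM names, tags, thresholds and samples are all constructed for the example, not taken from any CMP product.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class TerminationPolicy:
    """CMP policy: terminate a VM whose CPU stays above `threshold` for more
    than `duration` consecutive one-minute samples, unless it is excluded."""
    threshold: float = 85.0          # percent CPU
    duration: int = 15               # minutes; a breach is a run longer than this
    excluded_names: Set[str] = field(default_factory=set)
    excluded_tags: Set[str] = field(default_factory=set)  # assumed "key=value" tag format


# Constructed metric samples: one CPU% reading per minute for each VM.
SAMPLE_VMS: Dict[str, dict] = {
    "web-01":   {"tags": ["workload=web"],   "cpu": [99.0] * 20},                # runaway process
    "web-02":   {"tags": ["workload=web"],   "cpu": [90.0] * 10 + [40.0] * 10},  # short burst, recovers
    "batch-01": {"tags": ["workload=batch"], "cpu": [97.0] * 40},                # legitimate nightly job
}


def longest_hot_run(samples: List[float], threshold: float) -> int:
    """Length of the longest run of consecutive samples strictly above threshold."""
    longest = run = 0
    for cpu in samples:
        run = run + 1 if cpu > threshold else 0
        longest = max(longest, run)
    return longest


def is_excluded(name: str, vm: dict, policy: TerminationPolicy) -> bool:
    """Excluded by explicit name or by any matching tag."""
    return name in policy.excluded_names or bool(policy.excluded_tags & set(vm.get("tags", [])))


def evaluate(vms: Dict[str, dict], policy: TerminationPolicy) -> Dict[str, str]:
    """Decide per VM: 'excluded' (policy skipped), 'terminate' (breach), or 'ok'."""
    decisions: Dict[str, str] = {}
    for name, vm in vms.items():
        if is_excluded(name, vm, policy):
            decisions[name] = "excluded"
        elif longest_hot_run(vm["cpu"], policy.threshold) > policy.duration:
            decisions[name] = "terminate"
        else:
            decisions[name] = "ok"
    return decisions


if __name__ == "__main__":
    # Option C: keep the policy as is, exclude the batch workload by tag.
    print(evaluate(SAMPLE_VMS, TerminationPolicy(excluded_tags={"workload=batch"})))
    # Option D: relax to 95% for 30 minutes. The batch job is still terminated and
    # the runaway web-01 is now missed, so the policy is weaker on both counts.
    print(evaluate(SAMPLE_VMS, TerminationPolicy(threshold=95.0, duration=30)))
```

With the exclusion in place the runaway `web-01` is still terminated, the short burst on `web-02` is left alone, and `batch-01` is skipped; with option D's relaxed thresholds instead, `batch-01` is terminated anyway and `web-01` goes undetected, which is the point the explanation makes.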

369
Multi-Selecthard

A cloud security team is investigating a potential data breach. Which THREE actions should be taken immediately?

Select 3 answers
A.Delete all logs to prevent further evidence exposure
B.Isolate the affected systems from the network
C.Capture a forensic snapshot of the affected storage
D.Notify all users via email
E.Preserve logs and system state
AnswersB, C, E

Isolation contains the breach and prevents lateral movement.

Why this answer

Isolating affected systems from the network (B) is a critical immediate action to contain a potential data breach. This prevents lateral movement by an attacker and stops further data exfiltration, aligning with incident response best practices such as NIST SP 800-61. In a cloud environment, this could involve applying a security group rule to deny all traffic or disconnecting a virtual network interface. Capturing a forensic snapshot of the affected storage (C) and preserving logs and system state (E) secure the evidence before anything is changed: disk and memory snapshots, plus copies of logs moved to storage the attacker cannot reach, are what the investigation and any legal process will rely on. Deleting logs (A) destroys that evidence, and a blanket email to all users (D) is premature before the scope of the breach is known.

Exam trap

CompTIA often tests the misconception that deleting logs or notifying all users immediately is a valid first response, when in fact containment and evidence preservation are the top priorities.

370
MCQmedium

A load balancer log entry shows the above for a request. What is the MOST likely cause of the 504 error?

A.The DNS resolution for the domain name has failed.
B.The backend server took too long to respond to the request.
C.The requested resource does not exist on the backend server.
D.The load balancer's health check is misconfigured.
AnswerB

The 30s response time exceeds typical timeouts, causing the gateway to timeout.

Why this answer

A 504 Gateway Timeout error from a load balancer indicates that the load balancer sent the request to a backend server but did not receive a timely response. The load balancer has a configured timeout value (often 30-120 seconds), and if the backend server fails to respond within that window, the load balancer terminates the connection and returns a 504. This is the most common cause of 504 errors in load-balanced environments.

Exam trap

CompTIA often tests the distinction between 502 (bad gateway, often DNS or upstream connection failure) and 504 (gateway timeout, upstream response delay), and candidates mistakenly attribute 504 errors to health check failures or DNS issues.

How to eliminate wrong answers

Option A is wrong because a DNS resolution failure would typically result in a 502 Bad Gateway error (the load balancer cannot resolve the backend server's hostname) or a 503 Service Unavailable, not a 504 timeout. Option C is wrong because a missing resource on the backend server would return a 404 Not Found response from the backend itself, which the load balancer would forward to the client; the load balancer does not generate a 504 for missing resources. Option D is wrong because a misconfigured health check would cause the load balancer to mark the backend as unhealthy and stop sending traffic to it, resulting in a 503 Service Unavailable error, not a 504 timeout.
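Questions 367 and 370 both come down to reading what the load balancer recorded before acting. The following is an added example, not part of the exam page: a Python analyzer run over constructed access-log lines in a simplified format loosely modelled on ALB access logs (the field order, the `-1` target time and the `-` target status for an unanswered request are assumptions of this example). It finds the minute of a traffic spike and the clients behind it, then attributes each 5xx to a backend timeout, a backend that returned the error itself, or no healthy target.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (not real traffic). Format assumed for this example:
# timestamp client_ip target(ip:port or "-") target_processing_time elb_status target_status request
# A target_processing_time of -1 with target_status "-" means the backend never answered.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 10.0.1.12:8080 0.041 200 200 GET /index.html
2024-05-01T10:00:05Z 198.51.100.8 10.0.1.13:8080 0.052 200 200 GET /api/items
2024-05-01T10:00:30Z 198.51.100.7 10.0.1.12:8080 0.019 404 404 GET /favicon.ico
2024-05-01T10:01:02Z 203.0.113.9 10.0.1.13:8080 -1 504 - GET /api/report
2024-05-01T10:01:03Z 203.0.113.9 10.0.1.12:8080 0.044 200 200 GET /api/items
2024-05-01T10:01:04Z 203.0.113.9 10.0.1.13:8080 -1 504 - GET /api/report
2024-05-01T10:01:05Z 203.0.113.9 10.0.1.12:8080 0.043 200 200 GET /api/items
2024-05-01T10:01:06Z 203.0.113.9 10.0.1.13:8080 0.061 200 200 GET /api/items
2024-05-01T10:01:07Z 203.0.113.9 10.0.1.12:8080 -1 504 - GET /api/report
2024-05-01T10:01:08Z 198.51.100.8 10.0.1.13:8080 0.510 500 500 POST /api/orders
2024-05-01T10:01:09Z 198.51.100.9 - -1 503 - GET /api/items
"""


def parse_line(line: str) -> Dict[str, object]:
    ts, client, target, target_time, elb_status, target_status, request = line.split(maxsplit=6)
    return {
        "minute": ts[:16],                  # bucket key, e.g. "2024-05-01T10:01"
        "client": client,
        "target": target,
        "target_time": float(target_time),  # seconds; -1 means no backend response
        "elb_status": int(elb_status),
        "target_status": target_status,
        "request": request,
    }


def parse_log(text: str) -> List[Dict[str, object]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def busiest_minute(entries: List[Dict[str, object]]) -> Tuple[str, int]:
    """Minute bucket with the most requests: where the spike is."""
    return Counter(e["minute"] for e in entries).most_common(1)[0]


def top_sources(entries: List[Dict[str, object]], minute: Optional[str] = None,
                n: int = 3) -> List[Tuple[str, int]]:
    """Client IPs by request count, optionally restricted to one minute bucket.
    One IP dominating the spike points to abuse or a scraper to rate-limit or block;
    a flat spread points to organic growth or a distributed flood, which calls for
    scaling and upstream filtering instead."""
    selected = [e for e in entries if minute is None or e["minute"] == minute]
    return Counter(e["client"] for e in selected).most_common(n)


def classify_5xx(entries: List[Dict[str, object]]) -> Counter:
    """Attribute each 5xx to a cause using only the fields the load balancer records."""
    causes: Counter = Counter()
    for e in entries:
        status = e["elb_status"]
        if status < 500:
            continue
        if status == 504 and e["target_time"] < 0:
            causes["backend_timeout"] += 1          # LB gave up waiting on the backend
        elif status == 503 and e["target"] == "-":
            causes["no_healthy_target"] += 1        # nothing to route to (health checks)
        elif e["target_status"] == str(status):
            causes["backend_error_forwarded"] += 1  # backend itself returned the 5xx
        else:
            causes["other"] += 1
    return causes


def timed_out_requests(entries: List[Dict[str, object]], n: int = 3) -> List[Tuple[str, int]]:
    """Which requests are hitting the backend timeout (the slow endpoint to fix)."""
    return Counter(e["request"] for e in entries
                   if e["elb_status"] == 504 and e["target_time"] < 0).most_common(n)


def summarize(text: str = SAMPLE_LOG) -> Dict[str, object]:
    entries = parse_log(text)
    minute, count = busiest_minute(entries)
    return {
        "busiest_minute": minute,
        "requests_in_busiest_minute": count,
        "top_sources_in_spike": top_sources(entries, minute),
        "5xx_causes": dict(classify_5xx(entries)),
        "timed_out_requests": timed_out_requests(entries),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize())
```

On the constructed sample the spike is the 10:01 minute, one client (`203.0.113.9`) accounts for six of its eight requests, and the three 504s all hit `GET /api/report` with no target response, which separates a slow backend endpoint from the single 500 the backend returned itself and the 503 with no healthy target. The same split is what tells you whether the fix is a timeout or query on the backend, a health-check setting, or a rate limit on the client.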

371
MCQeasy

A cloud administrator runs a deployment script that creates multiple resources using Infrastructure as Code (IaC). The script fails with a "400 Bad Request" error when attempting to create a storage account. Which troubleshooting step should the administrator take first?

A.Check the network connectivity to the cloud API endpoint.
B.Increase the timeout value for the API call.
C.Review the error message details for a specific validation error.
D.Verify that the script has the correct region parameter.
AnswerC

The first step is to examine the error message to identify the invalid parameter.

Why this answer

Option C is correct because a 400 indicates a client-side request error, so the first step is to read the error body, which normally names the rejected field (for example an unsupported storage account name, SKU or property). Option A is wrong because a connectivity problem would surface as a connection failure or timeout rather than as an HTTP 400 returned by the API. Option B is wrong because a timeout produces a different error, and a longer timeout cannot repair a malformed request.

Option D is wrong because the region may turn out to be the invalid parameter, but checking it before reading the message is guessing; the error details say which parameter was rejected.

372
MCQeasy

Refer to the exhibit. An administrator runs the command shown and receives the output. The administrator wants to ensure the VM uses SSDs for the OS disk. Based on the output, what is the current storage type?

A.Premium SSD (Premium_LRS)
B.Ultra Disk (UltraSSD_LRS)
C.Standard HDD (Standard_LRS)
D.Standard SSD (StandardSSD_LRS)
AnswerA

Premium_LRS indicates Premium SSD.

Why this answer

The output shows the OS disk is using `Premium_LRS` as the storage account type, which corresponds to Premium SSD. This is confirmed by the `storageAccountType` field in the JSON output, indicating the disk is backed by solid-state drives with premium performance characteristics.

Exam trap

CompTIA often tests the distinction between storage account type names and their corresponding hardware (e.g., confusing `StandardSSD_LRS` with `Premium_LRS`), leading candidates to overlook the exact string in the output and assume any SSD type is correct.

How to eliminate wrong answers

Option B is wrong because Ultra Disk (UltraSSD_LRS) is a separate storage type that offers higher IOPS and lower latency but is not shown in the output; the output explicitly lists `Premium_LRS`. Option C is wrong because Standard HDD (Standard_LRS) uses magnetic spinning disks, not SSDs, and would appear as `Standard_LRS` in the output. Option D is wrong because Standard SSD (StandardSSD_LRS) is a different tier that uses SSDs but with lower performance than Premium SSD; the output shows `Premium_LRS`, not `StandardSSD_LRS`.

373
MCQeasy

A startup is deploying a web application on a public cloud and expects variable traffic throughout the day. The team wants to minimize costs while ensuring that the application can handle sudden spikes in demand. Which scaling strategy best meets these requirements?

A.Auto scaling based on CPU utilization thresholds
B.Horizontal scaling using a fixed schedule
C.Vertical scaling during off-peak hours
D.Manual scaling based on historical data
AnswerA

Auto scaling adjusts resources dynamically to meet demand.

Why this answer

Auto scaling based on CPU utilization thresholds is the correct strategy because it dynamically adjusts the number of compute instances in response to real-time demand, ensuring the application can handle sudden spikes while minimizing costs during low-traffic periods. This approach aligns with the startup's requirement for variable traffic and cost efficiency, as it only provisions resources when needed, unlike fixed schedules or manual interventions that cannot react to unpredictable spikes.

Exam trap

CompTIA often tests the misconception that vertical scaling is more cost-effective than horizontal scaling, but the trap here is that vertical scaling requires downtime and has a hard limit on instance size, making it unsuitable for handling sudden, unpredictable spikes in a cost-minimizing, variable-traffic scenario.

How to eliminate wrong answers

Option B is wrong because horizontal scaling using a fixed schedule cannot handle sudden spikes that occur outside the scheduled times, leading to either over-provisioning during low demand or under-provisioning during unexpected surges. Option C is wrong because vertical scaling during off-peak hours involves resizing an existing instance (e.g., increasing vCPUs or RAM), which requires downtime and cannot react to real-time spikes, plus it is limited by the maximum size of a single instance. Option D is wrong because manual scaling based on historical data relies on human intervention, which introduces latency and cannot respond to sudden, unpredictable spikes in demand, making it unsuitable for a startup needing automated, cost-effective scaling.
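To show what threshold-based auto scaling actually does on a spike, here is an added example that is not part of the exam page: a Python simulation of a scaling group over a constructed traffic profile, with scale-out and scale-in thresholds, a cooldown between actions, and a simple load model (each instance serves an assumed 100 req/s at 100% CPU). The thresholds, step sizes, capacity per instance and demand values are assumptions chosen for the example, not any provider's defaults.

```python
from typing import List, Tuple


def simulate_autoscaling(demand: List[float], min_size: int = 2, max_size: int = 10,
                         per_instance: float = 100.0, scale_out_at: float = 70.0,
                         scale_in_at: float = 30.0, cooldown: int = 2,
                         step_out: int = 2, step_in: int = 1) -> List[Tuple[int, float]]:
    """Threshold-based auto scaling over constructed demand (requests/s per interval).

    Assumed load model: each instance serves `per_instance` req/s at 100% CPU, so group
    CPU% is demand / (instances * per_instance), capped at 100. Returns the
    (instances, cpu%) observed in each interval; a scaling decision made in one
    interval takes effect in the next, and no decision is made during the cooldown.
    """
    instances = min_size
    since_action = cooldown   # allow a decision on the first interval
    history: List[Tuple[int, float]] = []
    for req in demand:
        cpu = min(100.0, req / (instances * per_instance) * 100.0)
        history.append((instances, round(cpu, 1)))
        if since_action >= cooldown:
            if cpu >= scale_out_at and instances < max_size:
                instances = min(max_size, instances + step_out)
                since_action = 0
            elif cpu <= scale_in_at and instances > min_size:
                instances = max(min_size, instances - step_in)
                since_action = 0
        since_action += 1
    return history


def instance_intervals(history: List[Tuple[int, float]]) -> int:
    """Billable instance-intervals consumed (sum of running instances per interval)."""
    return sum(instances for instances, _ in history)


def peak_instances(history: List[Tuple[int, float]]) -> int:
    return max(instances for instances, _ in history)


def saturated_intervals(history: List[Tuple[int, float]]) -> int:
    """Intervals spent at 100% CPU while the group was still catching up."""
    return sum(1 for _, cpu in history if cpu >= 100.0)


# Constructed traffic profile (req/s per interval): quiet, a sudden spike, then quiet again.
SAMPLE_DEMAND = [100, 120, 150, 600, 900, 950, 900, 500, 200, 150, 100, 100]

if __name__ == "__main__":
    hist = simulate_autoscaling(SAMPLE_DEMAND)
    for i, (n, cpu) in enumerate(hist):
        print(f"interval {i:2d}: {n} instances, cpu {cpu}%")
    print("auto scaling instance-intervals:", instance_intervals(hist))
    print("static provisioning at max_size:", 10 * len(SAMPLE_DEMAND))
    print("intervals at 100% CPU:", saturated_intervals(hist))
```

The run grows the group from 2 to 8 instances during the spike and shrinks it again afterwards, using 62 instance-intervals against 120 for a group held permanently at the maximum size. It also spends four intervals saturated at 100% CPU while the group catches up, which is the practical caveat behind option A: the scale-out step, cooldown and metric interval decide how much of a sudden spike is absorbed, and a scheduled pre-scale can be layered on for peaks that are predictable.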

374
MCQhard

Refer to the exhibit. A cloud administrator sees this log after a nightly backup job. Which of the following is the most likely cause of the timeout?

A.The volume has a high I/O load during the snapshot.
B.The volume is attached to an instance that is powered off.
C.The snapshot target region is unreachable.
D.The backup agent is not installed.
AnswerA

High I/O can slow snapshot creation and cause timeouts.

Why this answer

Option A is correct because heavy I/O on the volume during the snapshot slows the copy of changed blocks and can push snapshot creation past the job's timeout. Option B is incorrect because a powered-off instance does not stop a snapshot; a quiesced volume usually snapshots faster, not slower. Option C is incorrect because the timeout is on creation, not on copying the snapshot to another region.

Option D is incorrect because a missing backup agent would produce a different error, not a snapshot timeout.

375
Multi-Selecthard

A DevOps team is implementing an automated deployment pipeline for a cloud application. Which THREE steps are essential components of a continuous delivery pipeline? (Select THREE.)

Select 3 answers
A.Deploying to a staging environment for integration tests
B.Deploying to production automatically without approval
C.Monitoring and rollback capability
D.Source code compilation
E.Running unit tests
AnswersA, D, E

Staging allows integration testing in an environment similar to production before final deployment.

Why this answer

Option A is correct because deploying to a staging environment for integration tests is a core step in a continuous delivery pipeline. It validates that the application works correctly in an environment that mirrors production before any release decision is made, ensuring that integration and end-to-end tests can run safely without impacting live users. Options D and E are correct because compiling the source (or otherwise building the artifact) and running unit tests are the first stages of any pipeline: they produce the artifact that later stages deploy and fail fast on broken code. Option B is wrong because unattended deployment to production is continuous deployment, not continuous delivery. Option C is valuable, but the question treats monitoring and rollback as operational controls around a release rather than as stages of the delivery pipeline itself.

Exam trap

CompTIA often tests the distinction between continuous delivery and continuous deployment, where candidates mistakenly select automatic production deployment as an essential step, but the question explicitly asks for continuous delivery, which requires a manual approval before production.
