CCNA Deployment Questions

75 of 81 questions · Page 1/2 · Deployment · Answers revealed

1
Drag & Drop · medium

Arrange the steps to implement a cloud security group that allows only specific IPs to access an application.


Why this order

Identify IPs, create security group with rule, set source, associate, test.

2
MCQ · medium

Refer to the exhibit. A cloud administrator launched a CloudFormation stack to deploy an EC2 instance, but the stack is rolling back. What is the MOST likely cause?

A. The security group referenced in the template does not exist.
B. The subnet ID is in a different VPC.
C. The AMI ID is invalid or has been deregistered.
D. The instance type is not available in the selected region.
Answer: C

The error directly states 'ImageId is invalid', so the AMI ID is incorrect or no longer exists.

Why this answer

Option C is correct because CloudFormation validates the AMI ID during stack creation. If the AMI ID is invalid (e.g., mistyped, belongs to a different region, or has been deregistered), the EC2 instance launch fails, causing CloudFormation to roll back the stack. This is a common misconfiguration when copying templates across regions without updating AMI IDs.

Exam trap

The trap here is that candidates often assume a missing security group or wrong subnet causes rollbacks, but CloudFormation performs upfront validation for those parameters, whereas an invalid AMI ID is only detected at launch time, making it the most likely cause of a rollback.

How to eliminate wrong answers

Option A is wrong because CloudFormation validates security group references before launching resources; if the security group does not exist, the stack would fail with a validation error rather than rolling back after launch attempts. Option B is wrong because a subnet ID in a different VPC would cause a network interface error, but CloudFormation would catch this during parameter validation or resource creation, not typically trigger a rollback after launch. Option D is wrong because if the instance type is unavailable in the region, CloudFormation would fail with an 'Unsupported' error during resource creation, but the question specifies the stack is rolling back, which implies the launch was attempted and failed, whereas instance type unavailability is usually caught earlier.

3
MCQ · hard

A Kubernetes StatefulSet is deployed to run a database. The pods are stuck in pending state. The administrator checks and finds that the PersistentVolumeClaim is not bound to any PersistentVolume. Which of the following is the MOST likely cause?

A. The PVC and PV have different access modes.
B. The PV is already bound to another PVC.
C. The PVC requests storage size that exceeds available PV capacity.
D. The storage class provisioner is not installed.
Answer: B

If the PV is already claimed, the new PVC cannot bind, leaving it unbound. This is a common scenario.

Why this answer

When a PersistentVolumeClaim (PVC) remains unbound, the most common cause is that no PersistentVolume (PV) matches its requirements. If a PV is already bound to another PVC, it cannot be reused unless released and reclaimed. This leaves the PVC in a pending state, preventing the StatefulSet pods from starting.

Exam trap

CompTIA often tests the distinction between a PVC being unbound due to no matching PV versus a PV being already bound, leading candidates to incorrectly select access mode or size mismatches when the real issue is PV exhaustion.

How to eliminate wrong answers

Option A is wrong because different access modes (e.g., ReadWriteOnce vs. ReadWriteMany) prevent binding, but the question states the PVC is not bound to any PV, implying a lack of available PVs rather than a mismatch. Option C is wrong because while a size mismatch can prevent binding, the PV would still exist and be available; the issue here is that no PV is bound at all.

Option D is wrong because if the storage class provisioner were not installed, dynamic provisioning would fail, but the PVC would still attempt to bind to an existing PV; the question does not mention dynamic provisioning or a StorageClass.

4
Multi-Select · easy

A hybrid cloud deployment connects an on-premises data center to a public cloud. Which TWO components are typically required to establish this connectivity? (Select TWO.)

A. Load balancer in the cloud
B. Direct peering or dedicated connection (e.g., AWS Direct Connect)
C. Virtual private network (VPN) gateway
D. Public internet with HTTPS
E. Cloud-based DNS resolver
Answers: B, C

Direct connection provides a private, high-bandwidth link between on-premises and cloud.

Why this answer

Option B is correct because a dedicated connection like AWS Direct Connect provides a private, high-bandwidth, low-latency link between an on-premises data center and a public cloud, bypassing the public internet for consistent performance and security. Option C is correct because a VPN gateway establishes an encrypted tunnel over the public internet (using protocols like IPsec) to securely connect the on-premises network to the cloud VPC, which is a standard requirement for hybrid cloud connectivity.

Exam trap

The trap here is that candidates confuse application-layer components (like load balancers or DNS) with network-layer connectivity components, or mistakenly think that public internet with HTTPS alone is sufficient for site-to-site hybrid cloud connectivity.

5
MCQ · easy

A cloud engineer is reviewing a Terraform configuration for deploying a web server. The instance is created successfully, but the web server does not start. What is the most likely cause?

A. The subnet is in a private zone without internet access.
B. The security group does not allow inbound HTTP traffic.
C. The AMI ID is for a Windows instance, but the script uses yum.
D. The user_data script lacks execute permissions.
Answer: B

The web server may be running but unreachable due to security group blocking HTTP.

Why this answer

Option B is correct. The user_data script starts with #!/bin/bash and uses yum, which matches the Amazon Linux AMI the template appears to reference (the AMI ID shown is only an example), so the script itself is plausible and cloud-init normally executes it at first boot. The exhibit does not show the security group rules, and a security group that does not allow inbound HTTP is the most common reason a web server appears not to be running when the instance launched successfully: the server may be up but unreachable.

Option A is wrong because a subnet without internet access affects reachability (the instance may have no public IP), but the instance launched, and the security group blocking HTTP is the more likely cause among the options. Option C is wrong because yum is available on Amazon Linux, so the AMI and the script are consistent. Option D is wrong because user data is passed as text and run by cloud-init; it does not need execute permissions.

6
MCQ · easy

A company needs to deploy a web application quickly and reliably. Which approach is best?

A. FTP the application to each server individually
B. Perform a blue-green deployment manually
C. Use a CI/CD pipeline with automated deployment
D. Manually copy the application files to the server
Answer: C

CI/CD automates testing and deployment, improving reliability and speed.

Why this answer

Option C is correct because CI/CD pipelines automate testing and deployment, ensuring consistency and speed. Option A is wrong because FTPing the application to each server individually is manual, error-prone and slow. Option D is wrong because manually copying files to the server is not scalable.

Option B is wrong because blue-green is a deployment strategy, not a full pipeline.

7
Multi-Select · medium

Which THREE of the following are best practices for deploying applications in a cloud environment? (Choose three.)

A. Use immutable infrastructure patterns.
B. Design for horizontal scaling rather than vertical.
C. Open all ports in security groups to simplify connectivity.
D. Keep unused resources to avoid reprovisioning delays.
E. Implement blue/green deployment to minimize downtime.
Answers: A, B, E

Immutable infrastructure ensures consistency and security.

Why this answer

Immutable infrastructure patterns (A) are a best practice because they ensure that once a server or container is deployed, it is never modified in place. Instead, any change requires building a new instance from a golden image or template, which eliminates configuration drift and makes rollbacks trivial. This approach aligns with cloud-native principles where infrastructure is treated as disposable and version-controlled, reducing the risk of snowflake servers and improving reliability.

Exam trap

CompTIA often tests the misconception that 'keeping unused resources avoids delays' (D) is a valid cost-saving strategy, when in fact cloud environments are designed for rapid provisioning from images or snapshots, making idle resources an unnecessary expense and security risk.

8
MCQ · medium

A cloud engineer is deploying a containerized application using Kubernetes. The application consists of a frontend, a backend API, and a database. The engineer needs to ensure that the backend API can be reached by the frontend but not from outside the cluster. Which Kubernetes resource should the engineer use to expose the backend API?

A. NodePort service
B. ClusterIP service
C. Ingress resource
D. LoadBalancer service
Answer: B

ClusterIP provides internal-only access.

Why this answer

A ClusterIP service exposes the backend API on a cluster-internal IP address, making it reachable only from within the Kubernetes cluster. This meets the requirement that the frontend can communicate with the backend API, but external traffic is blocked. ClusterIP is the default service type and is ideal for internal service-to-service communication.

Exam trap

The trap here is that candidates often confuse Ingress as a method to expose services internally, but Ingress is specifically designed for external HTTP/HTTPS traffic and does not restrict access to cluster-internal communication.

How to eliminate wrong answers

Option A is wrong because a NodePort service exposes the backend API on a static port on each node's IP address, allowing external traffic to reach the service from outside the cluster, which violates the requirement. Option C is wrong because an Ingress resource is not a service type; it provides HTTP/HTTPS routing to services from outside the cluster and typically requires an Ingress controller, thus exposing the backend externally. Option D is wrong because a LoadBalancer service provisions an external load balancer (e.g., from a cloud provider) with a public IP, making the backend API accessible from outside the cluster, which contradicts the requirement.

9
Multi-Select · medium

A company is considering a multi-cloud deployment to avoid vendor lock-in. Which TWO factors should they consider? (Select TWO.)

A. Unified management tools support
B. Consistent security policies across clouds
C. Data egress costs between clouds
D. Performance differences between providers
E. Software licensing compatibility
Answers: B, C

Ensuring consistent security across different cloud providers is essential to avoid gaps.

Why this answer

Option B is correct because consistent security policies across clouds ensure a unified security posture, which is critical for compliance and risk management in a multi-cloud environment. Without consistent policies, vulnerabilities can arise from misconfigurations or gaps in coverage between providers. Option C is correct because data egress costs between clouds can be significant, as each cloud provider charges for data leaving their network, and these costs must be factored into the total cost of ownership to avoid budget overruns.

Exam trap

The trap here is that candidates often confuse operational benefits (like unified management or performance tuning) with strategic lock-in avoidance, leading them to select options A or D instead of focusing on cost and security consistency as the key differentiators.

10
MCQ · hard

A company is deploying a microservices architecture that must scale dynamically based on traffic. Which technology should be used?

A. Manually add more virtual machines during peak hours
B. Deploy a monolithic application on a single large instance
C. Kubernetes with Horizontal Pod Autoscaler
D. Use a single large instance with a load balancer
Answer: C

Kubernetes automates container orchestration and HPA scales pods based on demand.

Why this answer

Option C is correct because Kubernetes with HPA automatically scales pods based on metrics. Option B is wrong because monolithic deployments are not scalable. Option A is wrong because manual scaling is not dynamic.

Option D is wrong because, while a large instance may handle more load, it does not provide dynamic scaling.

11
MCQ · medium

A company is deploying a cloud-based application that requires consistent, low-latency access to shared database files. Which storage option should be used for the database files?

A. Block storage volumes attached to the database server
B. Network file system (NFS) mount
C. Object storage (e.g., Amazon S3)
D. Ephemeral instance storage
Answer: A

Block storage offers high performance and low latency for random I/O, making it ideal for databases.

Why this answer

Block storage volumes (e.g., Amazon EBS or Azure Managed Disks) provide consistent, low-latency I/O performance because they are directly attached to the database server via a high-speed network and support protocols like NVMe or SCSI. This allows the database to perform synchronous writes and reads with minimal jitter, which is critical for transactional workloads that require ACID compliance. Unlike shared file systems or object storage, block storage offers the raw disk-level access that database engines (e.g., MySQL, PostgreSQL, SQL Server) expect for their data and log files.

Exam trap

CompTIA often tests the misconception that NFS is suitable for database workloads because it provides shared access, but the trap is that NFS lacks the low-latency, synchronous write guarantees required for transactional databases, and candidates overlook the performance penalties of network file locking and cache coherency protocols.

How to eliminate wrong answers

Option B is wrong because NFS mounts introduce network latency and protocol overhead (e.g., lock management, stateless operations) that can cause performance degradation and consistency issues for database workloads, especially under concurrent write operations. Option C is wrong because object storage (e.g., Amazon S3) uses a RESTful API with eventual consistency models and higher latency, making it unsuitable for low-latency database file access that requires immediate read-after-write consistency. Option D is wrong because ephemeral instance storage is temporary and data is lost when the instance is stopped or terminated, which violates the requirement for persistent, shared database files.

12
Matching · medium

Match each networking concept to its definition.



Isolated private network in the cloud

Logical subdivision of a VPC

Enables private instances to access internet

Secure tunnel over public internet

Distributed network for content delivery

Why these pairings

These are fundamental cloud networking components.

13
MCQ · hard

A cloud architect must design a deployment for a containerized microservices application. The requirements include automated scaling based on CPU utilization, rolling updates with zero downtime, and service discovery. Which orchestration feature should be used?

A. Docker Compose with a reverse proxy
B. Kubernetes with Horizontal Pod Autoscaler
C. Ansible playbooks with Docker modules
D. AWS ECS with Fargate
Answer: B

Kubernetes natively supports autoscaling, rolling updates, and service discovery.

Why this answer

Kubernetes with Horizontal Pod Autoscaler (HPA) is the correct choice because HPA automatically scales the number of pod replicas based on observed CPU utilization (or custom metrics), meeting the automated scaling requirement. Kubernetes also supports rolling updates with zero downtime via its Deployment controller, which gradually replaces old pods with new ones while maintaining service availability. Additionally, Kubernetes provides built-in service discovery through DNS (CoreDNS) and Services, allowing microservices to find each other by name without external dependencies.

Exam trap

The trap here is that candidates may confuse a container runtime or provisioning tool (like Docker Compose or Ansible) with a full orchestration platform, or assume that a managed service like ECS is an orchestration feature rather than a cloud implementation, missing that Kubernetes is the specific feature set that directly satisfies all three requirements.

How to eliminate wrong answers

Option A is wrong because Docker Compose with a reverse proxy lacks native automated scaling based on CPU utilization; it requires manual intervention or external tools to adjust replica counts, and it does not provide built-in rolling updates with zero downtime or integrated service discovery beyond a static reverse proxy configuration. Option C is wrong because Ansible playbooks with Docker modules are configuration management and provisioning tools, not an orchestration platform; they cannot natively perform automated scaling based on CPU metrics, manage rolling updates with zero downtime, or provide service discovery without additional components like Consul or etcd. Option D is wrong because AWS ECS with Fargate is a managed container service that supports scaling and service discovery, but it is a cloud-specific solution, not an orchestration feature; the question asks for an orchestration feature, and Kubernetes is the platform-agnostic, industry-standard orchestrator that directly provides HPA, rolling updates, and DNS-based service discovery.

14
MCQ · hard

After reviewing the Terraform plan, a cloud administrator notices that the instance will be created with a public IP address. However, the company policy requires that all instances in this subnet remain private. What should the administrator do to meet the policy before applying the plan?

A. Add a shell command in user_data to remove the public IP after boot.
B. Use a different AMI that does not require public access.
C. Change the 'associate_public_ip_address' argument to 'false' in the resource block.
D. Modify the subnet_id to point to a private subnet with no internet gateway.
Answer: C

Correct: This explicitly disables public IP assignment.

Why this answer

Option C is correct because setting 'associate_public_ip_address' to false will prevent the instance from receiving a public IP. Option D is wrong because changing the subnet may not satisfy the policy if the new subnet also auto-assigns public IPs. Using a non-default VPC likewise does not automatically prevent public IPs.

Option A is wrong because user_data does not affect network configuration.

15
MCQ · medium

Refer to the exhibit. After deploying a new version of the application, users report that some requests fail intermittently. The administrator checks the load balancer configuration and health checks, and both servers are marked as healthy. Which of the following is the MOST likely cause of the intermittent failures?

A. The health check interval is too short, marking servers down incorrectly.
B. The backend servers are not configured to accept traffic on port 80.
C. The health check path '/health' is no longer valid after the application update.
D. The load balancer is configured for round-robin, which is causing session persistence issues.
Answer: C

After an update, the health check endpoint might change; if the load balancer still points to the old path, servers may be considered healthy but actually serve errors on the new application.

Why this answer

Option C is correct because the health check is using the path '/health', but the application may have changed its health endpoint to '/status' after the update. This would cause the load balancer to think servers are healthy when they are not responding correctly to the new health check path.

16
MCQ · hard

A DevOps engineer runs a rollout status command for a Kubernetes deployment and receives the error shown. The deployment specification includes a rolling update strategy with maxSurge=25% and maxUnavailable=25%. What is the most likely cause of the failure?

A. The cluster does not have enough CPU resources to schedule new pods
B. The new pod template contains an invalid container image tag
C. The maxSurge and maxUnavailable settings are too restrictive
D. The old ReplicaSet is still running and preventing the new one from scaling up
Answer: B

Invalid image causes pods to fail readiness, leading to rollout timeout.

Why this answer

The error message from the rollout status command indicates that the new ReplicaSet is unable to create pods, which typically occurs when the pod template in the deployment specification references an invalid container image tag. Kubernetes attempts to pull the image, fails, and marks the pods as ImagePullBackOff or ErrImagePull, preventing the rollout from progressing. The rolling update strategy with maxSurge=25% and maxUnavailable=25% is not the cause, as these settings control the rate of pod replacement, not the validity of the image reference.

Exam trap

CompTIA often tests the distinction between resource constraints (which cause Pending pods) and image-related errors (which cause ImagePullBackOff), tempting candidates to choose CPU or memory issues when the error message points to a pod template problem.

How to eliminate wrong answers

Option A is wrong because insufficient CPU resources would cause pods to remain in a Pending state due to resource constraints, not produce an error related to image pulling or invalid container configuration. Option C is wrong because maxSurge=25% and maxUnavailable=25% are standard, permissive settings that allow the rollout to proceed; they are not too restrictive and would not cause a rollout failure unless the cluster has zero capacity. Option D is wrong because the old ReplicaSet is expected to remain running during a rolling update until the new ReplicaSet becomes healthy; its presence does not prevent the new ReplicaSet from scaling up, as the rolling update strategy explicitly allows both ReplicaSets to coexist within the surge and unavailable limits.

17
MCQ · medium

A cloud administrator is debugging a failed CloudFormation stack creation. The exhibit shows the stack events. What is the most likely cause of the failure?

A. The instance type is not supported in the region.
B. The stack name already exists.
C. The AMI ID is incorrect.
D. The referenced security group does not exist in the chosen VPC.
Answer: D

The error explicitly mentions invalid groupId.

Why this answer

The stack creation fails with a 'CREATE_FAILED' status on the security group resource, and the error message indicates that the security group does not exist in the specified VPC. This is a common issue when a CloudFormation template references a security group by ID or name that is not present in the target VPC, causing the resource creation to fail. The stack events show the security group resource as the point of failure, confirming that the referenced security group is missing.

Exam trap

CompTIA often tests the ability to read CloudFormation stack events and correlate the failing resource with the specific error message, rather than assuming a generic failure like an incorrect AMI or instance type.

How to eliminate wrong answers

Option A is wrong because an unsupported instance type would cause a failure on the EC2 instance resource, not on a security group resource, and the error would typically mention 'instance type' or 'not supported'. Option B is wrong because a stack name that already exists would cause a stack creation to fail immediately with a 'Stack with id [name] already exists' error, not a failure on a specific resource like a security group. Option C is wrong because an incorrect AMI ID would cause a failure on the EC2 instance resource with an error like 'AMI [ami-id] does not exist' or 'AMI not found', not on a security group resource.

18
MCQ · hard

Refer to the exhibit. A developer is trying to upload an object to S3 bucket 'example-bucket' using the IAM policy shown. The upload fails with an AccessDenied error. Which of the following is the MOST likely reason?

A. The IAM policy requires server-side encryption with AES256, but the upload request did not specify that header.
B. The bucket policy has a deny that overrides this IAM policy.
C. The developer's user is not in the same account as the bucket.
D. The IAM policy does not grant the s3:ListBucket permission.
Answer: B

The bucket policy denies PutObject unless encryption is aws:kms, which conflicts with the IAM policy's AES256 requirement, resulting in a deny.

Why this answer

Option B is correct because the bucket policy denies PutObject unless the encryption is aws:kms, while the IAM policy requires AES256. The bucket policy's explicit deny overrides the IAM allow, causing the failure.

19
MCQ · hard

A company is deploying a multi-tier application with web servers and a database. Which architecture ensures high availability?

A. Deploy web servers in an auto-scaling group across two AZs and database in a multi-AZ configuration
B. Deploy a single large web server and a single database instance
C. Deploy web servers in an auto-scaling group in one AZ and database in single instance
D. Deploy web servers and database in a single availability zone
Answer: A

This provides redundancy for both web and database tiers.

Why this answer

Option A is correct because deploying web servers in an auto-scaling group across two Availability Zones (AZs) ensures that if one AZ fails, the other continues serving traffic, while a multi-AZ database configuration (e.g., Amazon RDS Multi-AZ) automatically synchronously replicates data to a standby instance in a different AZ, enabling automatic failover. This combination eliminates single points of failure at both the web and database tiers, meeting high availability requirements.

Exam trap

The trap here is that candidates often assume auto-scaling alone guarantees high availability, but without distributing instances across multiple AZs, a single AZ failure still causes downtime.

How to eliminate wrong answers

Option B is wrong because a single large web server and a single database instance create a single point of failure; if either component or its underlying hardware fails, the entire application becomes unavailable. Option C is wrong because deploying web servers in an auto-scaling group within a single AZ still leaves the web tier vulnerable to an AZ-level outage, and a single database instance lacks failover capability. Option D is wrong because placing both web servers and the database in a single AZ means any failure affecting that AZ (e.g., power loss, network partition) will bring down the entire application, violating high availability principles.

20
MCQ · medium

A company is deploying a new web application in a hybrid cloud environment. The application must be highly available and able to handle traffic spikes. The cloud team decides to use an auto-scaling group across multiple availability zones with a load balancer. Which additional step should the team take to ensure session persistence during scaling events?

A. Implement a stateless application design
B. Increase the instance size to handle more sessions
C. Configure the load balancer to use a round-robin algorithm
D. Enable sticky sessions on the load balancer
Answer: D

Sticky sessions maintain session affinity during scaling.

Why this answer

Sticky sessions (also known as session affinity) ensure that all requests from a user during a session are directed to the same backend instance. In an auto-scaling group, instances are added or removed dynamically; without sticky sessions, a load balancer using a default algorithm could route a user to a different instance after a scale-out event, losing the in-memory session state. Enabling sticky sessions on the load balancer preserves session persistence across scaling events by binding the user's session to a specific instance for its duration.

Exam trap

The trap here is that candidates often confuse high availability with session persistence, assuming that distributing traffic evenly (round-robin) or scaling instances is sufficient, but they overlook that stateful applications require session affinity to maintain user context during dynamic scaling events.

How to eliminate wrong answers

Option A is wrong because implementing a stateless application design would eliminate the need for session persistence entirely, but the question asks how to ensure session persistence during scaling events, implying the application is stateful and requires sticky sessions. Option B is wrong because increasing the instance size does not solve session persistence; it only increases the capacity of individual instances, but during scaling events, new instances are added and traffic can still be routed to instances that do not hold the user's session. Option C is wrong because configuring the load balancer to use a round-robin algorithm distributes traffic evenly but does not guarantee that a user's subsequent requests go to the same instance, which breaks session persistence during scaling events.

21
MCQ · medium

A deployment fails with a message about missing dependencies. What should the administrator check first?

A. Change the instance type to one with more memory
B. Review the deployment logs to identify missing packages
C. Reinstall the operating system
D. Restart the server and retry the deployment
Answer: B

Logs provide details on what dependencies are missing.

Why this answer

When a deployment fails with a 'missing dependencies' message, the first step is to review the deployment logs. Logs will contain specific error messages indicating which packages or libraries are absent, allowing the administrator to install them directly. This aligns with standard troubleshooting methodology: identify the root cause from logs before taking corrective action.

Exam trap

The trap here is that candidates may assume a generic 'fix' like restarting or resizing the instance will resolve the issue, when the specific error message about missing dependencies demands log inspection to identify and install the exact missing packages.

How to eliminate wrong answers

Option A is wrong because changing the instance type to one with more memory addresses resource constraints (e.g., out-of-memory errors), not missing dependencies, which are package or library absences. Option C is wrong because reinstalling the operating system is an extreme, time-consuming measure that would likely resolve the dependency issue only if the OS image already includes the required packages, but it bypasses the need to identify the specific missing dependencies from logs. Option D is wrong because restarting the server and retrying the deployment does not install missing packages; it merely re-executes the same failing process without addressing the root cause.

22
MCQ · medium

A company is deploying a containerized application using Kubernetes on a public cloud. The development team has created a Docker image and pushed it to a private container registry. The deployment YAML points to the registry. However, when the deployment is applied, the pods fail to start with an 'ImagePullBackOff' error. The cloud administrator verifies that the registry is reachable from the cluster nodes and that the image exists. What is the most likely reason for the failure?

A.The deployment lacks a secret for registry authentication.
B.The cluster nodes are out of disk space.
C.The image tag is incorrect.
D.The pod does not have sufficient CPU resources.
AnswerA

Without authentication, the private registry denies pull requests.

Why this answer

The most likely reason for the ImagePullBackOff error is that the deployment lacks a Kubernetes Secret for registry authentication. Since the image is stored in a private container registry, the kubelet must authenticate with the registry to pull the image. Without an imagePullSecrets entry in the pod spec that references a Secret of type kubernetes.io/dockerconfigjson (or an equivalent credential configured on the nodes or attached to the pod's ServiceAccount), the kubelet sends no credentials, the registry rejects the pull, and the pod cycles from ErrImagePull into ImagePullBackOff as the kubelet backs off between retries.

Exam trap

CompTIA often tests the distinction between image existence and registry authentication, trapping candidates who assume that because the image is present and the registry is reachable, the pull should succeed without considering the need for explicit credentials.

How to eliminate wrong answers

Option B is wrong because a node that is out of disk space reports a DiskPressure condition and evicts pods (status 'Evicted') or keeps new pods Pending, which the administrator would see as disk-pressure events; it does not typically present as ImagePullBackOff. Option C is wrong because an incorrect image tag would also produce ErrImagePull and then ImagePullBackOff, but with a 'manifest unknown' or 'not found' message from the registry, whereas the administrator has already verified that the image exists at the referenced tag; the issue is authentication, not a missing tag. Option D is wrong because insufficient CPU resources leave the pod in the Pending state with 'Insufficient cpu' scheduling events, not in ImagePullBackOff, which is specific to image retrieval failures. The quickest confirmation is 'kubectl describe pod', whose Events show the registry's response (typically 401 Unauthorized or 403 Forbidden when the credential is missing or wrong).
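
The following is an added example, not part of the original question bank: it builds the Secret that 'kubectl create secret docker-registry' produces (type kubernetes.io/dockerconfigjson, whose auth field is base64 of user:password) and runs a small check over a pod spec that flags containers pulling from a private registry without an imagePullSecrets reference. The registry host, user name, password and pod template are constructed placeholders.

```python
import base64
import json

# Added example (not from the original page): the Secret that
# `kubectl create secret docker-registry` produces, and a check for the
# ImagePullBackOff cause discussed above. Registry host, user name and
# password below are constructed placeholders.


def docker_config_json(registry: str, username: str, password: str) -> dict:
    """Document stored under the .dockerconfigjson key; auth is base64(user:pass)."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {registry: {"username": username,
                                 "password": password,
                                 "auth": auth}}}


def registry_secret(name: str, registry: str, username: str, password: str) -> dict:
    """Kubernetes Secret manifest of type kubernetes.io/dockerconfigjson."""
    payload = json.dumps(docker_config_json(registry, username, password)).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(payload).decode()},
    }


def credentials_in_secret(secret: dict) -> dict:
    """Decode a dockerconfigjson Secret back to {registry: (username, password)}."""
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    out = {}
    for registry, entry in cfg["auths"].items():
        user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
        out[registry] = (user, pw)
    return out


def registry_of(image: str) -> str:
    """Registry host of an image reference, using the Docker naming rule: the
    first path component is a host only if it contains '.' or ':' or is
    'localhost'; otherwise the image lives on docker.io."""
    if "/" not in image:
        return "docker.io"
    first = image.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return "docker.io"


def missing_pull_secrets(pod_spec: dict, private_registries: set) -> list:
    """Images pulled from a private registry while the pod lists no imagePullSecrets.
    (Node-level credentials or a ServiceAccount carrying imagePullSecrets would
    also satisfy the kubelet; this check covers the pod spec only.)"""
    if pod_spec.get("imagePullSecrets"):
        return []
    return [c["image"] for c in pod_spec.get("containers", [])
            if registry_of(c["image"]) in private_registries]


def with_pull_secret(pod_spec: dict, secret_name: str) -> dict:
    """The fix: reference the registry Secret from the pod spec."""
    fixed = dict(pod_spec)
    fixed["imagePullSecrets"] = [{"name": secret_name}]
    return fixed


# Constructed pod template resembling the failing Deployment in the question.
POD_SPEC = {
    "containers": [
        {"name": "web", "image": "registry.example.internal:5000/shop/web:1.4.2"},
        {"name": "sidecar", "image": "nginx:1.25"},
    ],
}
PRIVATE_REGISTRIES = {"registry.example.internal:5000"}

if __name__ == "__main__":
    print("unauthenticated private pulls:", missing_pull_secrets(POD_SPEC, PRIVATE_REGISTRIES))
    secret = registry_secret("regcred", "registry.example.internal:5000", "ci-bot", "s3cret")
    print(json.dumps(secret, indent=2))
    print("after fix:", missing_pull_secrets(with_pull_secret(POD_SPEC, "regcred"), PRIVATE_REGISTRIES))
```

Two points the check makes visible: the Secret stores the registry credential only base64-encoded, not encrypted, so access to read Secrets in that namespace is access to the registry, and the credential used here should be a pull-only token scoped to the repositories the cluster needs. The pod-level check is a lint, not proof; the authoritative signal is the kubelet event recorded on the pod.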

23
MCQmedium

A company is deploying a new web application in a hybrid cloud environment. The application must be able to scale out automatically during peak usage and scale in during low usage. The deployment must also ensure that the application remains available if a single Availability Zone fails. Which deployment strategy should the architect recommend?

A.Deploy a cluster of instances in a single Availability Zone with a load balancer.
B.Create an auto-scaling group spanning multiple Availability Zones.
C.Use a single large instance and manually resize during peak periods.
D.Deploy a load balancer in front of a single instance.
AnswerB

Auto-scaling provides automatic scaling and multi-AZ ensures high availability.

Why this answer

Option B is correct because an auto-scaling group spanning multiple Availability Zones ensures both automatic scaling based on demand and high availability. If one Availability Zone fails, the load balancer distributes traffic to healthy instances in the remaining zones, meeting the requirement for continuous availability during a zone failure.

Exam trap

The trap here is that candidates may think a load balancer alone provides high availability, but without multiple instances across zones and auto-scaling, a single zone failure still causes downtime.

How to eliminate wrong answers

Option A is wrong because deploying instances in a single Availability Zone creates a single point of failure; if that zone fails, the entire application becomes unavailable, violating the availability requirement. Option C is wrong because manually resizing a single large instance does not provide automatic scaling and still results in a single point of failure; it also lacks the elasticity needed for peak usage. Option D is wrong because a load balancer in front of a single instance does not provide automatic scaling or fault tolerance; if the instance or its Availability Zone fails, the application goes down.

24
MCQmedium

A company is migrating a legacy application to the cloud using a replatforming strategy. The application uses a proprietary logging framework that writes logs to local disk. The cloud architecture uses ephemeral storage for the application servers. The operations team notices that logs are lost when servers are replaced during auto-scaling events. What is the best solution to ensure logs are preserved?

A.Increase the size of the ephemeral storage.
B.Use memory-only logging to speed up disk I/O.
C.Disable auto-scaling for the application servers.
D.Configure the logging framework to write to a central log server over the network.
AnswerD

Ensures logs are stored externally and persist beyond instance lifecycle.

Why this answer

Option D is correct because the core issue is that ephemeral storage is lost when instances are terminated or replaced during auto-scaling events. By configuring the logging framework to write to a central log server over the network (e.g., using syslog, HTTP, or a dedicated log aggregation service), logs are persisted independently of the application server's lifecycle. This decouples log storage from compute resources, ensuring logs survive scaling events.

Exam trap

The trap here is that candidates may think increasing storage or optimizing local I/O solves the persistence problem, but the exam tests understanding that ephemeral storage is inherently non-persistent and that logs must be sent off-instance to survive instance replacement.

How to eliminate wrong answers

Option A is wrong because increasing the size of ephemeral storage does not solve the fundamental problem that ephemeral storage is non-persistent and is destroyed when the instance is terminated or replaced. Option B is wrong because memory-only logging would cause logs to be lost even more quickly on instance termination or crash, and it does not address the persistence requirement; it also introduces performance and capacity constraints. Option C is wrong because disabling auto-scaling defeats the purpose of cloud elasticity and scalability, and it does not address the logging persistence issue—logs would still be lost if a server fails or is manually replaced.

25
Multi-Selectmedium

Which TWO of the following are advantages of using a configuration management tool (e.g., Ansible, Chef, Puppet) in cloud deployments? (Choose two.)

Select 2 answers
A.Automatically configure network devices.
B.Enable idempotent infrastructure changes.
C.Ensure consistent software configurations across multiple instances.
D.Provide dynamic auto-scaling of resources.
E.Monitor application performance in real-time.
AnswersB, C

Idempotency ensures repeated runs converge to the same state.

Why this answer

Option B is correct because configuration management tools like Ansible, Chef, and Puppet enforce idempotency, meaning that applying the same configuration multiple times results in the same desired state without unintended side effects. This is achieved by checking the current state of the system before making changes, ensuring that resources are only modified when necessary. Idempotency is critical for reliable, repeatable infrastructure changes in cloud deployments. Option C is correct because the same declarative manifests, playbooks or recipes are applied to every instance, so all servers in a fleet converge to the same packages, files, permissions and service settings; this eliminates configuration drift between instances and makes the resulting configuration reproducible and auditable.

Exam trap

The trap here is that candidates confuse configuration management tools with broader cloud management or monitoring services, mistakenly attributing capabilities like auto-scaling or real-time monitoring to tools that are strictly focused on state-based configuration and idempotent provisioning.
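
The following is an added example, not part of the original question bank: a minimal idempotent resource in the spirit of Ansible's lineinfile or Puppet's file_line, applied twice to a constructed sshd_config. It reads the current state first, rewrites the file only when the desired directive is absent or conflicting, and reports a changed flag the way a configuration management tool does; the second run reports no changes.

```python
import os
import tempfile

# Added example (not from the original page): a minimal idempotent resource in
# the spirit of Ansible's lineinfile or Puppet's file_line, applied to a
# constructed sshd_config. It reads current state first and writes only when
# the file differs from the desired state, reporting "changed" like a CM tool.


def ensure_directive(path: str, key: str, value: str) -> bool:
    """Guarantee exactly one line `key value` in path. Returns True if the file changed."""
    lines = []
    if os.path.exists(path):
        with open(path, encoding="utf-8") as f:
            lines = f.read().splitlines()

    desired = f"{key} {value}"
    new_lines, seen = [], False
    for line in lines:
        if line.split(maxsplit=1)[:1] == [key]:   # an existing (possibly conflicting) setting
            if not seen:
                new_lines.append(desired)
                seen = True
            continue                               # drop duplicates of the same key
        new_lines.append(line)
    if not seen:
        new_lines.append(desired)

    if new_lines == lines:
        return False                               # already converged: nothing written
    with open(path, "w", encoding="utf-8") as f:
        f.write("\n".join(new_lines) + "\n")
    return True


def apply_ssh_hardening(path: str) -> list:
    """A small 'play': returns the changed flag of each task, in order."""
    desired = [("PermitRootLogin", "no"), ("PasswordAuthentication", "no")]
    return [ensure_directive(path, k, v) for k, v in desired]


def demo() -> tuple:
    """Run the play twice on a constructed config; the second run must report no changes."""
    cfg = os.path.join(tempfile.mkdtemp(), "sshd_config")
    with open(cfg, "w", encoding="utf-8") as f:
        f.write("Port 22\nPermitRootLogin yes\n")   # constructed starting state
    first = apply_ssh_hardening(cfg)
    second = apply_ssh_hardening(cfg)
    with open(cfg, encoding="utf-8") as f:
        final = f.read()
    return first, second, final


if __name__ == "__main__":
    first, second, final = demo()
    print("run 1 changed:", first)
    print("run 2 changed:", second)
    print(final)
```

The design choice worth noticing is that the resource replaces a conflicting 'PermitRootLogin yes' rather than appending a second line, and removes duplicate keys; naive append-only scripts are not idempotent and, for sshd, leave the first matching directive in force regardless of what was appended.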

26
MCQeasy

An organization wants to migrate its on-premises virtual machines to the cloud with minimal changes. Which deployment model is most appropriate?

A.Re-platform to PaaS
B.Refactor into SaaS
C.Lift-and-shift to IaaS
D.Re-architect as containerized applications
AnswerC

Lift-and-shift moves VMs without modifications, using infrastructure as a service.

Why this answer

The lift-and-shift (rehost) model migrates on-premises virtual machines to IaaS with minimal changes, preserving the OS, applications, and configurations. This approach avoids refactoring or re-architecting, making it the most appropriate for minimizing modifications during cloud migration.

Exam trap

CompTIA often tests the misconception that 'minimal changes' means using a fully managed service (PaaS or SaaS), but the correct answer is IaaS because it preserves the existing VM architecture without requiring code or configuration modifications.

How to eliminate wrong answers

Option A is wrong because re-platforming to PaaS requires modifying the application to use platform-managed services (e.g., replacing a database with a cloud-native DB), which introduces changes beyond minimal. Option B is wrong because refactoring into SaaS involves rewriting the application as a multi-tenant service, which is a fundamental architectural change and not minimal. Option D is wrong because re-architecting as containerized applications requires packaging the VM workloads into containers, altering the deployment model and often requiring orchestration (e.g., Kubernetes), which is not minimal.

27
Multi-Selectmedium

A cloud architect is designing a deployment pipeline for a multi-tier application. The team wants to automate testing and deployment while ensuring that only healthy code reaches production. Which TWO practices should they implement?

Select 2 answers
A.Infrastructure as Code
B.Immutable infrastructure
C.Blue/green deployment
D.Canary releases
E.Manual approval gates
AnswersC, D

Blue/green enables automated switchover after health checks.

Why this answer

Blue/green deployment (C) is correct because it routes traffic to a new 'green' environment once it passes health checks while keeping the old 'blue' environment running but idle, enabling instant rollback by switching traffic back if the new version fails. Canary releases (D) are correct because they incrementally shift a small percentage of traffic to a new version, allowing automated monitoring to detect issues before full rollout. Both practices ensure only healthy code reaches production by validating changes in a controlled, reversible manner.

Exam trap

CompTIA often tests the distinction between deployment strategies (blue/green, canary) and infrastructure management practices (IaC, immutable), so candidates mistakenly select IaC or immutable infrastructure because they associate 'automation' with provisioning rather than traffic management and health gating.

28
MCQhard

A DevOps engineer is deploying an application on Kubernetes. The exhibit shows the status of pods and a describe output. The frontend pod is stuck in Pending state. Which action should the engineer take to resolve the issue?

A.Reduce the resource requests in the frontend deployment manifest.
B.Add a node affinity rule to schedule on nodes with more memory.
C.Change the service type from ClusterIP to NodePort.
D.Modify the image pull policy to Always.
AnswerA

Decreasing requests may allow the pod to fit on a node.

Why this answer

The frontend pod is stuck in Pending state because the cluster nodes lack sufficient resources (CPU or memory) to satisfy the pod's resource requests. Reducing the resource requests in the deployment manifest lowers the scheduling threshold, allowing the pod to fit on an available node. This directly addresses the most common cause of Pending pods: insufficient allocatable resources on any node.

Exam trap

CompTIA often tests the misconception that changing service types or image pull policies can resolve scheduling failures, when the root cause is almost always resource insufficiency or taints/tolerations.

How to eliminate wrong answers

Option B is wrong because adding a node affinity rule does not free up resources; it only constrains scheduling to specific nodes, which would likely fail if those nodes already lack capacity. Option C is wrong because changing the service type from ClusterIP to NodePort affects external access, not pod scheduling or resource availability. Option D is wrong because modifying the image pull policy to Always only forces a fresh image pull on pod start; it does not resolve resource constraints that prevent the pod from being scheduled.

29
MCQeasy

A startup wants to develop a new web application with minimal upfront infrastructure management. They want to focus on writing code and not worry about operating system patches or scaling servers. Which cloud service model is MOST appropriate?

A.Functions as a Service (FaaS)
B.Infrastructure as a Service (IaaS)
C.Platform as a Service (PaaS)
D.Software as a Service (SaaS)
AnswerC

PaaS abstracts the underlying infrastructure, so the startup only writes and deploys code.

Why this answer

Platform as a Service (PaaS) provides a managed platform where the startup can deploy and run their web application code without managing the underlying infrastructure, including operating system patches and server scaling. This aligns with the requirement to focus on writing code while the cloud provider handles the operational overhead.

Exam trap

CompTIA often tests the distinction between PaaS and FaaS, where candidates mistakenly choose FaaS for any 'code-only' scenario, but FaaS is unsuitable for stateful web applications requiring persistent connections or long-running processes.

How to eliminate wrong answers

Option A (FaaS) is wrong because it is designed for event-driven, stateless functions that execute in response to triggers, not for hosting a full web application with persistent state and routing. Option B (IaaS) is wrong because it requires the startup to manage virtual machines, including OS patches and scaling, which contradicts the goal of minimal infrastructure management. Option D (SaaS) is wrong because it delivers ready-to-use software applications over the internet, not a platform for developing and deploying custom web applications.

30
MCQmedium

During a deployment using a script, an administrator receives a 'Permission Denied' error. What is the most likely cause?

A.The service account lacks necessary IAM roles
B.Network latency is causing timeouts
C.The deployment is targeting the wrong region
D.The instance has insufficient storage
AnswerA

Insufficient permissions are a common cause of permission denied errors.

Why this answer

Option A is correct because the service account or credential the script runs under may lack the IAM roles or policy permissions required for the API calls it makes, which the cloud provider reports as a permission-denied or access-denied error; the fix is to grant the specific permissions the failing call needs, not a broad administrative role. Option B is wrong because network latency causes timeouts, not permission errors. Option C is wrong because targeting the wrong region typically produces resource-not-found errors rather than a permission denial. Option D is wrong because insufficient storage produces disk-space or write errors, not a permission error.

31
Multi-Selectmedium

A cloud architect is evaluating deployment strategies for a microservices application that requires high availability and minimal downtime during updates. Which TWO deployment methods should the architect consider?

Select 2 answers
A.Immutable deployment
B.Rolling deployment
C.In-place deployment
D.Canary deployment
E.Blue/green deployment
AnswersB, E

Rolling updates a subset of instances at a time, maintaining availability.

Why this answer

Blue/green deployment allows instant switchover with minimal downtime. Rolling deployment updates instances gradually, maintaining availability.

32
MCQeasy

What is the primary benefit of using Infrastructure as Code (IaC)?

A.Improved network performance
B.Full manual control over resources
C.Consistent and repeatable deployments
D.Lower cloud service costs
AnswerC

IaC codifies infrastructure, ensuring the same environment every time.

Why this answer

Option C is correct because IaC ensures consistent and repeatable deployments by defining infrastructure in version-controlled code that can be applied the same way every time. Option A is wrong because improved network performance is not a benefit of IaC; it does not change how traffic flows. Option B is wrong because full manual control is the opposite of what IaC offers, which is automation driven by declarative definitions. Option D is wrong because, while IaC can reduce costs indirectly through automation and the elimination of drift, lower cost is a side effect rather than the primary benefit.

33
MCQhard

An organization is migrating a legacy monolithic application to the cloud using a re-platform approach (lift and shift with minimal changes). After migration, performance is worse than on-premises. Which of the following is the BEST next step to improve performance without significant application changes?

A.Refactor the application into microservices and use Kubernetes.
B.Increase the size of the virtual machines and allocate more vCPUs.
C.Move the application to a containerized environment using Docker.
D.Implement a content delivery network (CDN) to cache static assets.
AnswerB

Scaling up provides more CPU and memory, which can improve performance for resource-intensive applications without requiring architectural changes.

Why this answer

In a re-platform (lift and shift) migration, the application's architecture remains unchanged, so performance issues often stem from insufficient cloud resources. Increasing the VM size and allocating more vCPUs directly addresses resource contention without requiring code modifications, making it the best immediate step.

Exam trap

CompTIA often tests the misconception that cloud-native solutions like containers or microservices are always the answer, but the trap here is that the question explicitly limits changes, making vertical scaling the only viable option without re-architecting.

How to eliminate wrong answers

Option A is wrong because refactoring into microservices and using Kubernetes requires significant application changes, contradicting the 'minimal changes' constraint. Option C is wrong because containerization with Docker still requires application packaging and orchestration changes, and does not inherently improve performance without addressing resource allocation. Option D is wrong because a CDN caches only static assets, which does not resolve performance bottlenecks in a monolithic application's dynamic processing or database queries.

34
MCQeasy

Users are unable to load a web page on a newly deployed web server. The security group for the server allows inbound HTTP from 0.0.0.0/0. The web service is running and listening on port 80. Which of the following is the MOST likely cause?

A.The DNS record for the domain is not yet propagated.
B.The VM's firewall is blocking inbound requests on port 80.
C.The load balancer target group is unhealthy.
D.The web server is listening on the wrong IP address.
AnswerD

A common misconfiguration is binding the web server to 127.0.0.1 (loopback) or to the wrong interface instead of 0.0.0.0 or the instance's private address, so external requests fail. Note that on most cloud platforms the public IP is NATed to the instance's private address, so the server should bind to that private address or to all interfaces, not to the public IP itself.

Why this answer

Option D is correct because if the web server is listening only on an address that external traffic never arrives on (e.g., 127.0.0.1, or a private address that is not the one the public IP maps to), inbound HTTP requests reach the instance but are not accepted by any socket, even though the security group allows traffic on port 80. This is a common misconfiguration where the server binds to the loopback interface or to the wrong interface; a check such as 'ss -ltnp' on the instance shows which address each listener is bound to.

Exam trap

CompTIA often tests the distinction between network-level security groups and OS-level firewall or binding configurations, trapping candidates who assume that allowing inbound traffic in the security group is sufficient for connectivity.

How to eliminate wrong answers

Option A is wrong because DNS propagation affects name resolution, not the ability to load a page by IP address; if the server is reachable by IP, DNS is irrelevant. Option B is wrong for this question, although it is a real layer to check: the VM's OS-level firewall (e.g., iptables, nftables or Windows Firewall) is separate from the cloud security group and could block port 80 even though the security group allows it, but a freshly deployed image with the service confirmed listening makes a binding mistake the more likely cause. Option C is wrong because a load balancer target group being unhealthy would only affect traffic through the load balancer, not direct access to the web server; the question does not mention a load balancer.
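
The following is an added example, not part of the original question bank: it parses the listening-socket table that 'ss -ltnp' prints on a Linux instance and decides whether a port can accept the traffic the security group admits, distinguishing "nothing listening", "loopback only", "bound to the wrong interface" and "reachable". The ss output, addresses and process names below are constructed; the NIC address passed in stands for the instance's private address that the public IP is NATed to.

```python
import re

# Added example (not from the original page): parse the listening-socket table
# that `ss -ltnp` prints on the instance and decide whether a port can accept
# the traffic the security group lets in. The ss output below is constructed.

SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      511    127.0.0.1:80         0.0.0.0:*         users:(("nginx",pid=1234,fd=6))
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=800,fd=3))
LISTEN 0      128    [::]:22              [::]:*            users:(("sshd",pid=800,fd=4))
LISTEN 0      128    10.0.1.15:9100       0.0.0.0:*         users:(("node_exporter",pid=950,fd=3))
"""

LOOPBACK = {"127.0.0.1", "::1"}
ANY = {"0.0.0.0", "::", "*"}


def listeners(ss_output: str) -> list:
    """Return (address, port, process) for each LISTEN row."""
    rows = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)      # handles both 1.2.3.4:80 and [::]:80
        addr = addr.strip("[]")
        m = re.search(r'\(\("([^"]+)"', line)     # first process name in users:(("name",pid=..))
        rows.append((addr, int(port), m.group(1) if m else "?"))
    return rows


def diagnose(ss_output: str, port: int, nic_address: str) -> str:
    """Why external clients cannot reach `port`, given the instance's NIC address
    (the private address the public IP is NATed to).

    'not-listening'  : nothing bound on that port (service down / wrong port)
    'loopback-only'  : bound to 127.0.0.1 or ::1, unreachable from outside
    'wrong-interface': bound to a specific address that is not the NIC's
    'reachable'      : bound to the NIC address or to all interfaces
    """
    bound = [addr for addr, p, _ in listeners(ss_output) if p == port]
    if not bound:
        return "not-listening"
    if any(a in ANY or a == nic_address for a in bound):
        return "reachable"
    if all(a in LOOPBACK for a in bound):
        return "loopback-only"
    return "wrong-interface"


def exposed_beyond_loopback(ss_output: str, internal_ports: set) -> list:
    """The reverse finding: services meant to stay local that are reachable from the network."""
    return [(addr, p, proc) for addr, p, proc in listeners(ss_output)
            if p in internal_ports and addr not in LOOPBACK]


if __name__ == "__main__":
    print("port 80:", diagnose(SS_OUTPUT, 80, "10.0.1.15"))
    print("exposed internal services:", exposed_beyond_loopback(SS_OUTPUT, {9100}))
```

The second function is the check worth running alongside the first: widening a bind from 127.0.0.1 to 0.0.0.0 fixes the web server, but the same table also shows services (here a metrics exporter on 9100) that are reachable from the network only because nothing restricts them, at which point the security group is the only control left and should stay scoped to the ports that are meant to be public.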

35
MCQeasy

An organization is migrating its on-premises virtualization environment to a public cloud. The current environment uses VMware vSphere with VM templates. The cloud provider supports importing VMs in OVF format. Which step should the cloud administrator take to prepare the VMs for migration?

A.Take a snapshot of each VM and copy the snapshot files.
B.Export each VM as an OVF template.
C.Convert each VM to an ISO image.
D.Copy the VM's VMDK files and import them as VHDX.
AnswerB

OVF is a standard format for VM import/export.

Why this answer

The cloud provider supports importing VMs in OVF format, which is an open standard for packaging and distributing virtual appliances. Exporting each VM as an OVF template from VMware vSphere creates the necessary .ovf descriptor file and accompanying disk files (e.g., .vmdk) that the provider can directly import. This is the correct preparation step because it produces the exact format required by the target cloud platform.

Exam trap

The trap here is that candidates may confuse 'export as OVF' with other common VMware operations like taking snapshots or copying VMDK files, not realizing that OVF is the specific format required by the cloud provider for direct import.

How to eliminate wrong answers

Option A is wrong because a snapshot captures a point-in-time state of the VM but does not produce a portable, importable format like OVF; snapshot files are tied to the original VM and cannot be directly imported into a cloud provider. Option C is wrong because an ISO image is used for OS installation media or data discs, not for virtual machine disk images; converting a VM to ISO would lose the VM's configuration, snapshots, and file system structure. Option D is wrong because VMDK is VMware's native disk format and VHDX is Hyper-V's; copying the VMDK files and importing them as VHDX mislabels the format, and even a raw disk import without the OVF descriptor loses the VM's hardware definition (vCPU, memory, network adapters). The provider's import process expects the OVF package, which carries both the descriptor and the disks.

36
MCQhard

Which deployment strategy minimizes risk by gradually shifting a small percentage of traffic to a new version before full rollout?

A.Canary deployment
B.In-place deployment
C.Rolling deployment
D.Blue-green deployment
AnswerA

Canary releases send a small amount of traffic to the new version to test stability.

Why this answer

A canary deployment minimizes risk by routing a small percentage of traffic (e.g., 5-10%) to the new version while the majority continues to use the stable version. This allows real-world validation of the new version under production load before a full rollout, and if issues are detected, traffic can be instantly redirected back to the old version. The strategy is named after the 'canary in a coal mine' concept, where early detection of problems prevents widespread impact.

Exam trap

CompTIA often tests the distinction between canary and rolling deployments, where candidates mistakenly think rolling deployment also uses a small traffic percentage, but rolling updates instances sequentially without the deliberate traffic-splitting and validation phase that defines a canary.

How to eliminate wrong answers

Option B (In-place deployment) is wrong because it directly replaces the existing version on the same infrastructure without any traffic shifting or gradual rollout, meaning any failure affects all users immediately. Option C (Rolling deployment) is wrong because it gradually replaces instances one by one (or in batches) but does not intentionally isolate a small traffic percentage for validation; it updates all instances over time without a canary's targeted risk assessment. Option D (Blue-green deployment) is wrong because it maintains two identical environments (blue and green) and switches all traffic at once from the old to the new version, which does not involve a gradual traffic shift or small percentage testing.
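
The following is an added example, not part of the original question bank, illustrating the canary strategy described in this question and the health gating discussed in question 27: a router that sends a fixed share of traffic to the new version by consistent hashing of a request key (so a given user stays on one version for the whole release), and an automated gate that rolls the canary back when its error rate exceeds the stable baseline by more than an error budget. The traffic, request keys, failure pattern and thresholds are constructed.

```python
import hashlib

# Added example (not from the original page): a canary router that sends a fixed
# share of traffic to the new version by consistent hashing, and an automated
# gate that rolls the canary back when its error rate exceeds the budget.
# Thresholds, request keys and the failure pattern are constructed.


class CanaryRelease:
    def __init__(self, canary_percent: float, error_budget: float = 0.02, min_requests: int = 100):
        self.canary_percent = canary_percent
        self.error_budget = error_budget
        self.min_requests = min_requests
        self.rolled_back = False
        self.stats = {"stable": [0, 0], "canary": [0, 0]}   # [requests, errors]

    def route(self, request_key: str) -> str:
        """Same key -> same version for the whole release (sticky cohorts, so a
        user does not flip between versions from one request to the next)."""
        if self.rolled_back:
            return "stable"
        bucket = int(hashlib.sha256(request_key.encode()).hexdigest(), 16) % 10000
        return "canary" if bucket < self.canary_percent * 100 else "stable"

    def record(self, version: str, ok: bool) -> None:
        self.stats[version][0] += 1
        if not ok:
            self.stats[version][1] += 1

    def error_rate(self, version: str) -> float:
        n, errs = self.stats[version]
        return errs / n if n else 0.0

    def evaluate(self) -> str:
        """Gate decision: 'insufficient-data', 'rollback' or 'healthy'."""
        n, _ = self.stats["canary"]
        if n < self.min_requests:
            return "insufficient-data"
        # Compare against the stable baseline so a platform-wide incident is not
        # blamed on the canary; roll back only when the canary is clearly worse.
        if self.error_rate("canary") > self.error_rate("stable") + self.error_budget:
            self.rolled_back = True
            self.canary_percent = 0
            return "rollback"
        return "healthy"


def simulate(canary_failure_rate: float, requests: int = 10000) -> tuple:
    """Constructed traffic: keys user-0..user-N, stable never fails, the canary fails
    every k-th request so that its error rate is roughly canary_failure_rate."""
    rel = CanaryRelease(canary_percent=5)
    failures_every = int(1 / canary_failure_rate) if canary_failure_rate else 0
    canary_seen = 0
    for i in range(requests):
        version = rel.route(f"user-{i}")
        if version == "canary":
            canary_seen += 1
            ok = not (failures_every and canary_seen % failures_every == 0)
        else:
            ok = True
        rel.record(version, ok)
    return canary_seen, rel.evaluate(), rel.route("user-1")


if __name__ == "__main__":
    print("healthy canary:", simulate(0.0))
    print("broken canary :", simulate(0.2))
```

Two properties distinguish this from a rolling update: the canary share is a deliberate, fixed fraction of requests rather than a fraction of instances, and the gate is evaluated against a baseline before any further traffic is shifted. Once 'rollback' is returned, route() sends every key to stable, which is the instant redirect the explanation above relies on.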

37
Multi-Selecthard

A large enterprise is migrating multiple applications to the cloud. They need to ensure compliance with industry regulations and maintain security during the transition. Which THREE best practices should they follow?

Select 3 answers
A.Use a single cloud provider for simplicity
B.Disable logging to reduce data exposure
C.Encrypt data in transit and at rest
D.Conduct vulnerability assessments on migrated applications
E.Implement identity and access management (IAM)
AnswersC, D, E

Encryption protects data from unauthorized access.

Why this answer

Encrypting data in transit (using TLS 1.2/1.3) and at rest (using AES-256) is a fundamental security best practice for cloud migrations. It ensures that sensitive data remains protected from interception or unauthorized access during the transfer and while stored in cloud services like S3 or EBS, directly supporting compliance with regulations such as GDPR, HIPAA, or PCI DSS. Option D is correct because vulnerability assessments of the migrated applications catch exposures introduced by the new environment (changed network paths, provider default settings, newly public endpoints) before go-live rather than after. Option E is correct because IAM enforces least-privilege, auditable access to cloud resources, which these regulations require and which the migration itself depends on, since migration tooling typically runs with broad permissions that must be scoped and revoked afterwards.

Exam trap

CompTIA often tests the misconception that simplifying the migration by using a single provider or reducing logging is a valid security strategy, when in fact these actions undermine compliance and visibility.

38
MCQeasy

A company recently migrated its on-premises e-commerce application to a public cloud using lift-and-shift. After the migration, users report that the application is slower than before. The application consists of a web server, an application server, and a database server, all deployed on separate virtual machines. The cloud architecture uses the same instance sizes as the on-premises servers. The cloud administrator notices that the database server's disk I/O latency is higher than expected. What is the most likely cause of the performance degradation?

A.The database server is using standard HDD storage instead of SSD.
B.The cloud provider's network has high latency.
C.The application server is not load-balanced.
D.The web server has too many vCPUs allocated.
AnswerA

HDD has higher latency, impacting database performance.

Why this answer

The database server's disk I/O latency is higher than expected because the lift-and-shift migration likely retained the same storage type as on-premises, but the cloud environment's standard HDD (hard disk drive) storage has significantly lower IOPS and higher latency compared to SSD (solid-state drive) storage. In a public cloud, standard HDD is optimized for sequential workloads and infrequent access, not for the random I/O patterns typical of a database server, causing performance degradation. The administrator should have provisioned SSD-backed storage (e.g., AWS gp3 or Azure Premium SSD) for the database VM to match or exceed on-premises performance.

Exam trap

CompTIA often tests the misconception that 'cloud performance is always better' or that network latency is the default culprit, but the trap here is that disk storage tiering (HDD vs. SSD) is a common oversight in lift-and-shift migrations, and candidates may incorrectly blame network or compute resources instead of the storage layer.

How to eliminate wrong answers

Option B is wrong because high network latency would affect all tiers (web, app, database) and manifest as general slowness, not specifically as high disk I/O latency on the database server; the question isolates the database's disk I/O as the symptom. Option C is wrong because the absence of load balancing on the application server would cause uneven traffic distribution and potential overload, not directly increase disk I/O latency on the database server. Option D is wrong because allocating too many vCPUs to the web server would not cause higher disk I/O latency on a separate database server; it might waste resources or cause CPU contention, but disk I/O is a storage-layer issue independent of web server vCPU count.

39
MCQhard

A company is deploying a containerized microservices architecture on Azure Kubernetes Service (AKS). The security team requires that all container images are scanned for vulnerabilities before deployment. Which deployment approach should the DevOps team implement to ensure only approved images are used?

A.Store all images in a private registry without any scanning.
B.Use Docker Content Trust to sign images and verify signatures during deployment.
C.Enable Azure Container Registry tasks for automatic vulnerability scanning and enforce with Azure Policy.
D.Deploy an admission controller that checks image signatures only.
AnswerC

ACR tasks scan images and Azure Policy can deny non-compliant deployments.

Why this answer

Option C is correct because vulnerability scanning for images in Azure Container Registry (ACR), provided through Microsoft Defender for Cloud, scans images automatically as they are pushed, and Azure Policy for AKS can deny deployments that reference images from unapproved registries or that do not meet the required checks. Together these ensure that every container image is scanned before deployment and that only compliant images run, meeting the security team's requirement. In practice the manifests should reference images by digest rather than by mutable tag, so that the scan result applies to exactly the bytes that will run.

Exam trap

The trap here is that candidates often confuse image signing (e.g., Docker Content Trust or Notary) with vulnerability scanning, assuming that signing alone ensures security, but signing only verifies image origin and integrity, not the presence of vulnerabilities.

How to eliminate wrong answers

Option A is wrong because storing images in a private registry without scanning does not enforce vulnerability scanning or approval, leaving the system exposed to known vulnerabilities. Option B is wrong because Docker Content Trust only signs images and verifies signatures during deployment, but it does not perform vulnerability scanning; it ensures image integrity and provenance, not security compliance. Option D is wrong because an admission controller that checks image signatures only verifies cryptographic signatures, not vulnerability scan results, so it does not ensure images are free of vulnerabilities.
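
The following is an added example, not part of the original question bank and not Azure Policy itself: the per-image admission decision written out explicitly, so the difference between the signing check and the vulnerability check is visible in code. It approves an image only if it comes from an approved registry, is pinned by digest, carries a signature, and has a scan result within the severity limits; the signed-but-vulnerable case is exactly the exam trap above. Registry names, digests, scan results and signature records are constructed in-memory stand-ins for what a real controller would fetch from the registry, the scanner and the signature store.

```python
# Added example (not from the original page): the admission decision Azure
# Policy (or any admission controller) has to make per container image, written
# out explicitly. Registry names, digests, scan results and signature records
# below are constructed; a real controller would query the registry, the
# scanner and the signature store instead of in-memory dicts.

D_GOOD = "sha256:" + "a" * 64      # scanned clean, signed
D_VULN = "sha256:" + "b" * 64      # signed, but the scan found critical findings
D_UNSIGNED = "sha256:" + "c" * 64  # scanned clean, never signed

SCAN_RESULTS = {D_GOOD: {"critical": 0, "high": 0},
                D_VULN: {"critical": 2, "high": 7},
                D_UNSIGNED: {"critical": 0, "high": 0}}
SIGNED_DIGESTS = {D_GOOD, D_VULN}
APPROVED_REGISTRIES = {"shopacr.azurecr.io"}
MAX_FINDINGS = {"critical": 0, "high": 0}


def parse_image(ref: str) -> tuple:
    """Split an image reference into (registry, repository, tag, digest)."""
    registry, rest = "docker.io", ref
    if "/" in ref:
        first, tail = ref.split("/", 1)
        if "." in first or ":" in first or first == "localhost":
            registry, rest = first, tail
    digest = None
    if "@" in rest:
        rest, digest = rest.split("@", 1)
    tag = None
    if ":" in rest:
        rest, tag = rest.rsplit(":", 1)
    return registry, rest, tag, digest


def admit(ref: str, scans=SCAN_RESULTS, signed=SIGNED_DIGESTS,
          approved=APPROVED_REGISTRIES, limits=MAX_FINDINGS) -> tuple:
    """Return (allowed, reason). Checks run from the cheapest to the most specific."""
    registry, _, _, digest = parse_image(ref)
    if registry not in approved:
        return False, "registry not approved"
    # A tag can be re-pointed after it was scanned; only a digest names the exact bytes.
    if digest is None:
        return False, "not pinned by digest"
    if digest not in signed:
        return False, "image not signed"          # provenance / integrity check
    scan = scans.get(digest)
    if scan is None:
        return False, "no scan result for digest"
    for severity, limit in limits.items():         # vulnerability check, separate from signing
        if scan.get(severity, 0) > limit:
            return False, f"{scan[severity]} {severity} findings exceed limit {limit}"
    return True, "ok"


def review_pod(pod_spec: dict) -> list:
    """Admission review for every init container and container in a pod spec."""
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    return [(c["image"], *admit(c["image"])) for c in containers]


# Constructed pod from the AKS deployment under review.
POD = {"containers": [
    {"name": "web", "image": f"shopacr.azurecr.io/shop/web@{D_GOOD}"},
    {"name": "api", "image": f"shopacr.azurecr.io/shop/api@{D_VULN}"},
    {"name": "cache", "image": "shopacr.azurecr.io/shop/cache:1.2"},
    {"name": "sidecar", "image": "nginx:1.25"},
]}

if __name__ == "__main__":
    for image, allowed, reason in review_pod(POD):
        print("ALLOW" if allowed else "DENY ", reason, image)
```

The ordering matters for what the controller can promise: a passing scan is only meaningful for a digest, so the digest check sits before both the signature and the scan lookup, and the signature check passing does not short-circuit the scan, which is the point the option B and D eliminations make.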

40
MCQeasy

An organization is deploying a new application using Infrastructure as Code (IaC) with Terraform. The development team needs to ensure that the same configuration is applied consistently across development, staging, and production environments. What is the best practice for managing these Terraform configurations?

A.Hardcode environment-specific values within the main configuration file.
B.Manually update the configuration for each environment before deployment.
C.Use a single Terraform configuration with different variable files for each environment.
D.Maintain separate Terraform workspaces or directories for each environment.
AnswerD

Best practice for isolation and consistency.

Why this answer

Option D is correct because using separate Terraform workspaces or directories for each environment enforces isolation of state files and configuration, preventing accidental cross-environment changes. This approach aligns with Infrastructure as Code best practices by allowing environment-specific variables and resources while maintaining a single source of truth for the core configuration.

Exam trap

The trap here is that candidates confuse using variable files (Option C) with proper environment isolation, not realizing that Terraform workspaces or separate directories are required to manage distinct state files and prevent cross-environment interference.

How to eliminate wrong answers

Option A is wrong because hardcoding environment-specific values within the main configuration file makes the code non-reusable across environments and invites configuration drift as copies of the file diverge. Option B is wrong because manually updating the configuration for each environment before deployment introduces human error and defeats the purpose of IaC automation. Option C is wrong because using a single Terraform configuration with different variable files for each environment still shares the same state file, risking state corruption and making it impossible to manage environments independently.

41
MCQhard

A company is migrating its on-premises application to a public cloud. The application requires low-latency access to a legacy database that cannot be moved to the cloud. The cloud deployment must use a hybrid architecture. Which network connectivity solution should the cloud architect recommend to minimize latency and provide secure, reliable communication?

A.Use a dedicated private connection via a cloud provider's direct connect service.
B.Route traffic through the public internet with encryption.
C.Deploy a CloudFront distribution to cache database queries.
D.Establish a site-to-site VPN over the internet.
AnswerA

Dedicated connections offer consistent performance and security.

Why this answer

A dedicated private connection via a cloud provider's direct connect service (e.g., AWS Direct Connect, Azure ExpressRoute, or Google Cloud Interconnect) establishes a private, physical link between the on-premises data center and the cloud VPC. This bypasses the public internet entirely, providing consistent low-latency performance, higher bandwidth, and a more reliable connection for hybrid architectures where the legacy database remains on-premises.

Exam trap

CompTIA often tests the misconception that a site-to-site VPN is sufficient for low-latency hybrid connectivity, but the trap here is that VPNs over the internet cannot guarantee consistent latency or bandwidth, whereas a dedicated private connection provides a Service Level Agreement (SLA) for performance and reliability.

How to eliminate wrong answers

Option B is wrong because routing traffic through the public internet with encryption (e.g., HTTPS or IPsec) introduces variable latency, potential packet loss, and security risks from exposure to internet-based threats, making it unsuitable for low-latency requirements. Option C is wrong because CloudFront (or any CDN) is a content delivery service for caching static or dynamic web content at edge locations; it cannot cache database queries or provide a network path to an on-premises database, and it adds unnecessary complexity without addressing the hybrid connectivity need. Option D is wrong because a site-to-site VPN over the internet, while encrypted and secure, relies on the public internet's best-effort routing, which introduces jitter and higher latency compared to a dedicated private connection, failing the low-latency requirement.

42
Drag & Dropmedium

Arrange the steps to configure a VPN connection between an on-premises network and a cloud VPC.


Why this order

Start with cloud-side gateway, on-premises gateway representation, configure on-prem device, create connection, then routing.

43
MCQhard

An e-commerce company is deploying a disaster recovery solution across two cloud regions. The primary region runs the production workload. The recovery region should have a fully provisioned environment that can take over immediately in case of a failure. Which deployment strategy BEST meets this requirement while minimizing costs?

A.Backup and restore to the recovery region upon failure
B.Multi-site active-active with load balancers
C.Pilot light with minimal resources running in recovery
D.Warm standby in the recovery region
AnswerD

Warm standby has a fully provisioned but potentially smaller environment that can be scaled up quickly for failover.

Why this answer

Warm standby is the correct strategy because it maintains a fully provisioned, scaled-down copy of the production environment in the recovery region that can be activated immediately upon failover. This meets the requirement for immediate takeover while minimizing costs by running only the essential resources (e.g., a minimal number of compute instances, a standby database) instead of a full active-active deployment.

Exam trap

The trap here is confusing 'pilot light' with 'warm standby'. Pilot light keeps only the core (typically the data layer) running and provisions and scales the rest of the stack at failover time, whereas warm standby keeps the whole stack provisioned at reduced capacity so it can accept traffic immediately and scale up afterwards.

How to eliminate wrong answers

Option A is wrong because backup and restore requires time to provision and boot resources from backups, which cannot achieve immediate takeover. Option B is wrong because multi-site active-active runs full production capacity in both regions simultaneously, which maximizes costs and is not minimal. Option C is wrong because pilot light runs only core services (e.g., database replicas) and requires manual provisioning of the full application stack upon failover, delaying recovery.

44
MCQmedium

A financial services company is deploying a PCI-DSS compliant workload in a public cloud. The deployment must include a web application (port 443) and a database (port 3306). The security requirements mandate that the web application is internet-facing, but the database must be in a private subnet with no direct internet access. The cloud administrator creates two VPCs: one for the web tier and one for the database tier. The web tier is deployed in VPC-A with a public subnet and an internet gateway. The database tier is deployed in VPC-B with a private subnet and a NAT gateway for outbound updates. The administrator configures VPC peering between VPC-A and VPC-B, and updates route tables accordingly. The web application can connect to the database, but the database cannot initiate outbound connections to the internet for updates. What is the most likely issue?

A.The database security group does not allow outbound traffic to the internet
B.The route table in VPC-B does not have a default route to the NAT gateway
C.The VPC peering connection does not support DNS resolution between VPCs
D.The NAT gateway in VPC-B cannot be used for internet access through a VPC peering connection
AnswerD

VPC peering is not transitive; each VPC needs its own internet gateway and NAT gateway for outbound internet access.

Why this answer

As described, VPC-B has a private subnet and a NAT gateway but no internet gateway of its own. A NAT gateway only translates addresses; it must sit in a public subnet whose route table sends 0.0.0.0/0 to an internet gateway in the same VPC. The only internet gateway in this design is in VPC-A, and VPC peering is not transitive: a route table in VPC-B cannot point 0.0.0.0/0 at the peering connection to borrow VPC-A's internet gateway or NAT gateway, and VPC-A will not forward traffic that arrived over the peering link back out to the internet (AWS calls this edge-to-edge routing and does not support it). The database's outbound packets therefore have no valid path. The fix is to give VPC-B its own internet gateway and a public subnet for the NAT gateway, point the private subnet's default route at that NAT gateway, and let the peering route carry only VPC-A's CIDR.

Exam trap

The trap here is that candidates assume a NAT gateway in the same VPC as the database can provide internet access through a VPC peering connection, but they overlook the non-transitive nature of VPC peering, which prevents routing traffic from a peered VPC to an internet gateway or NAT gateway in the other VPC.

How to eliminate wrong answers

Option A is wrong because the database security group's outbound rules are not the issue: security groups allow all outbound traffic by default and are stateful, so if a packet could leave, the reply would be admitted; the problem is that the packet has no route to the internet at all. Option B is wrong because even with a 0.0.0.0/0 route to the NAT gateway in VPC-B's private route table (the scenario says route tables were updated), the NAT gateway itself has no internet gateway in VPC-B to forward to, and it cannot reach VPC-A's internet gateway through the peering connection. Option C is wrong because DNS resolution across the peering connection affects name lookups between the VPCs, not whether the database has an IP path to the internet; the failure here is routing, not DNS.
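The corrected VPC-B layout described above, written out as a CloudFormation template. This is an added example for the quiz, not something from the original page: the CIDR blocks, the availability zone and the peering connection ID parameter are assumptions, and the web-tier VPC-A is taken to be 10.0.0.0/16. The point to notice is that the NAT gateway lives in a public subnet of VPC-B with its own internet gateway, and the peering route is scoped to VPC-A's CIDR only.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example, not part of the quiz: VPC-B with its own internet gateway so
  that the NAT gateway inside VPC-B has an egress path. CIDRs, the availability
  zone and the peering connection ID are assumptions.
Parameters:
  PeeringAtoB:
    Type: String
    Description: Existing pcx- ID of the VPC-A/VPC-B peering connection (assumed)
Resources:
  VpcB:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.1.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
  InternetGatewayB:
    Type: AWS::EC2::InternetGateway
  AttachIgwB:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VpcB
      InternetGatewayId: !Ref InternetGatewayB
  # Public subnet: hosts only the NAT gateway, never the database.
  PublicSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcB
      CidrBlock: 10.1.0.0/24
      AvailabilityZone: us-east-1a
      MapPublicIpOnLaunch: false
  PublicRouteTableB:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcB
  PublicDefaultRouteB:
    Type: AWS::EC2::Route
    DependsOn: AttachIgwB
    Properties:
      RouteTableId: !Ref PublicRouteTableB
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGatewayB
  PublicSubnetRouteAssocB:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnetB
      RouteTableId: !Ref PublicRouteTableB
  NatEipB:
    Type: AWS::EC2::EIP
    DependsOn: AttachIgwB
    Properties:
      Domain: vpc
  # The NAT gateway sits in the public subnet of the SAME VPC as the database.
  NatGatewayB:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatEipB.AllocationId
      SubnetId: !Ref PublicSubnetB
  # Private subnet: the database lives here; no public IPs, no IGW route.
  PrivateSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcB
      CidrBlock: 10.1.10.0/24
      AvailabilityZone: us-east-1a
  PrivateRouteTableB:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcB
  # Default route for the database subnet goes to VPC-B's own NAT gateway.
  PrivateDefaultRouteB:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTableB
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGatewayB
  # Only VPC-A's CIDR is sent over the peering link; 0.0.0.0/0 never is.
  PrivateRouteToVpcA:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTableB
      DestinationCidrBlock: 10.0.0.0/16
      VpcPeeringConnectionId: !Ref PeeringAtoB
  PrivateSubnetRouteAssocB:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetB
      RouteTableId: !Ref PrivateRouteTableB
```

If you try to replace PrivateDefaultRouteB with a 0.0.0.0/0 route whose target is the peering connection, the stack creates but the database still times out: the peering connection accepts the route, and VPC-A silently drops the internet-bound packets, which is the behaviour the question describes.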

45
Multi-Selecthard

Which THREE of the following are best practices when deploying a cloud application using Infrastructure as Code (IaC)? (Choose three.)

Select 3 answers
A.Store IaC templates in a version control system.
B.Break down complex deployments into reusable modules.
C.Embed credentials directly in the IaC templates.
D.Manually modify resources after deployment to tune performance.
E.Use immutable infrastructure patterns where possible.
AnswersA, B, E

Version control enables collaboration and rollback.

Why this answer

Storing IaC templates in a version control system (e.g., Git) is a best practice because it enables change tracking, rollback, collaboration, and auditability. This aligns with GitOps principles, where the version control repository serves as the single source of truth for infrastructure state, ensuring all changes are reviewed and recorded. Breaking deployments into reusable modules (B) keeps every environment assembled from the same reviewed building blocks instead of copy-pasted variants, and immutable infrastructure (E) replaces instances from a new image or template rather than patching them in place, so what is running always matches what is in the repository.

Exam trap

CompTIA often tests the distinction between mutable and immutable infrastructure, and the trap here is that candidates may think manual tuning (Option D) is acceptable for performance optimization, but it violates the core IaC principle of idempotent, automated deployments.

46
MCQhard

An organization is adopting Infrastructure as Code (IaC) for their cloud deployments. They need to ensure that the configuration files are version-controlled and changes are audited. Which combination of tools should they use?

A.Puppet and Jenkins
B.Terraform and Ansible
C.Terraform and Git
D.CloudFormation and Chef
AnswerC

Terraform for IaC, Git for version control and audit.

Why this answer

Option C is correct because Git provides version control and an audit trail for Infrastructure as Code (IaC) configuration files, while Terraform is the IaC tool that manages cloud resources declaratively. Together they satisfy the requirement: every change is a commit with an author, timestamp and reviewable diff, and pull-request review adds an approval record. Keep the Terraform state file out of Git, though: state contains resource attributes and often secrets, so it belongs in a remote backend with locking and versioning (for example the S3 backend with DynamoDB locking), and the audit trail of what was actually applied comes from the pipeline that runs terraform plan and apply.

Exam trap

CompTIA often tests the distinction between Infrastructure as Code tools (like Terraform) and configuration management tools (like Ansible, Puppet, Chef), and the trap here is that candidates confuse configuration management with version control, assuming tools like Ansible or Puppet provide audit trails when they do not.

How to eliminate wrong answers

Option A is wrong because Puppet is a configuration management tool, not a version control system, and Jenkins is a CI/CD automation server; neither directly provides version control or audit trails for IaC configuration files. Option B is wrong because while Terraform is an IaC tool, Ansible is a configuration management tool that does not inherently provide version control; the combination lacks a dedicated version control system like Git. Option D is wrong because CloudFormation is an IaC tool for AWS, but Chef is a configuration management tool, not a version control system; this pair does not include a tool for version control or auditing.

47
MCQhard

A company is using AWS CloudFormation to deploy a multi-tier application. The stack includes an Auto Scaling group and an Application Load Balancer. The operations team reports that deployments are failing because the new instances are not passing health checks. Which CloudFormation template attribute should be modified to ensure that the stack update rolls back automatically if the health check fails?

A.Add an UpdatePolicy attribute to the Auto Scaling group.
B.Use a CreationPolicy attribute on the Auto Scaling group with a timeout and signal count.
C.Modify the DeletionPolicy attribute of the instances.
D.Set the DependsOn attribute to ensure the load balancer is created first.
AnswerB

CreationPolicy ensures instances are healthy before marking resource as created.

Why this answer

Option B is correct because the CreationPolicy attribute on an Auto Scaling group, with a ResourceSignal count and timeout, tells CloudFormation to wait for that many success signals (sent by cfn-signal from the instances, typically after a local health check passes) before it considers the resource complete. If the signals do not arrive within the timeout, or a failure signal is received, CloudFormation marks the resource as failed and rolls the stack back. One practical caveat: CreationPolicy governs the initial creation of the group. For a later stack update that replaces instances, the same signal mechanism is what an UpdatePolicy with AutoScalingRollingUpdate and WaitOnResourceSignals set to true waits on, so in practice the two attributes are configured together and the instances send the same cfn-signal either way.

Exam trap

CompTIA often tests the distinction between CreationPolicy (wait for success signals before marking the resource complete) and UpdatePolicy (control how a rolling update proceeds); the answer key expects CreationPolicy because it is the attribute that defines the signal count and timeout. Be aware that UpdatePolicy can wait on the same signals during updates via WaitOnResourceSignals, so the two are complementary rather than alternatives.

How to eliminate wrong answers

Option A is wrong because UpdatePolicy on its own controls rolling-update mechanics (batch size, minimum instances in service, pause time); it enforces a health-based rollback only when WaitOnResourceSignals is enabled and the instances actually send signals, which is the same signal mechanism the CreationPolicy introduces. Option C is wrong because the DeletionPolicy attribute determines what happens to resources when a stack is deleted (e.g., retain, snapshot), not how creation or update failures are handled. Option D is wrong because the DependsOn attribute only orders resource creation (e.g., load balancer before Auto Scaling group) and has no effect on rollback behaviour when health checks fail.
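The pattern the question is testing, written out as a CloudFormation fragment. This is an added example, not taken from the quiz or from AWS documentation verbatim: the Amazon Linux image (which ships cfn-signal under /opt/aws/bin), the subnets, the target group and the local health URL on port 8080 are assumptions. It shows both halves together: the instance decides whether it is healthy and reports that with cfn-signal, and the CreationPolicy and UpdatePolicy say how many signals CloudFormation must see, and how long it will wait, before it either proceeds or rolls back.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example, not part of the quiz: an Auto Scaling group whose new
  instances must send cfn-signal before CloudFormation treats the resource as
  created (CreationPolicy) or updated (UpdatePolicy). Image, subnets, target
  group and the local health URL are assumptions.
Parameters:
  ImageId:
    Type: AWS::EC2::Image::Id
    Description: Amazon Linux image (assumed; cfn-signal is in /opt/aws/bin)
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  TargetGroupArn:
    Type: String
Resources:
  AppLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: !Ref ImageId
        InstanceType: t3.micro
        UserData:
          Fn::Base64: !Sub |
            #!/bin/bash -xe
            # ... install and start the application here (assumed) ...
            # Poll the app's own health endpoint; rc stays 1 if it never comes up.
            rc=1
            for i in $(seq 1 30); do
              if curl -sf http://127.0.0.1:8080/healthz; then rc=0; break; fi
              sleep 10
            done
            # Exit code 0 is a success signal; anything else is a failure
            # signal. Either way it is reported against the ASG resource.
            /opt/aws/bin/cfn-signal -e $rc --stack ${AWS::StackName} \
              --resource AppAsg --region ${AWS::Region}
  AppAsg:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      VPCZoneIdentifier: !Ref SubnetIds
      LaunchTemplate:
        LaunchTemplateId: !Ref AppLaunchTemplate
        Version: !GetAtt AppLaunchTemplate.LatestVersionNumber
      MinSize: '2'
      MaxSize: '4'
      DesiredCapacity: '2'
      TargetGroupARNs:
        - !Ref TargetGroupArn
      HealthCheckType: ELB
      HealthCheckGracePeriod: 300
    # Initial creation: CloudFormation waits for two success signals within
    # ten minutes; a failure signal or a timeout rolls the stack back.
    CreationPolicy:
      ResourceSignal:
        Count: 2
        Timeout: PT10M
    # Stack updates that replace instances: each batch must signal within
    # PauseTime or the update rolls back to the previous launch template.
    UpdatePolicy:
      AutoScalingRollingUpdate:
        MinInstancesInService: 1
        MaxBatchSize: 1
        PauseTime: PT10M
        WaitOnResourceSignals: true
```

The health check in user data is the part teams forget: if the script signals success unconditionally, CloudFormation happily completes a deployment of instances that the load balancer will later mark unhealthy, which is the failure mode in the question.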

48
Multi-Selecthard

Which THREE of the following are valid considerations when selecting a cloud deployment model (public, private, hybrid)? (Choose three.)

Select 3 answers
A.Regulatory compliance requirements.
B.Budget and total cost of ownership.
C.Developers' preferred programming languages.
D.Latency sensitivity of the application.
E.Cloud provider's marketing claims.
AnswersA, B, D

Some data must remain on-premises.

Why this answer

Regulatory compliance requirements (A) are a primary consideration because certain industries (e.g., healthcare, finance) mandate data residency and privacy controls that may only be satisfied by a private or dedicated public cloud infrastructure. Budget and total cost of ownership (B) directly influence the choice between capital-intensive private cloud deployments and operational-expense-based public cloud services. Latency sensitivity (D) dictates whether an application requires on-premises private cloud resources to avoid network jitter and meet strict SLAs, or can tolerate the higher latency of a public cloud.

Exam trap

CompTIA often tests that candidates confuse operational preferences (like programming languages) with architectural constraints, leading them to select C as a valid consideration when it is irrelevant to the deployment model decision.

49
MCQhard

A financial services company is migrating a critical application to a hybrid cloud environment. The application must maintain sub-millisecond latency between the front-end and back-end components. The on-premises data center is located in New York, and the cloud region chosen is AWS us-east-1. The network team has established a dedicated AWS Direct Connect connection. After deploying the application, latency tests show 2 ms on average, which is acceptable. However, during peak hours, latency spikes to 10 ms. The cloud administrator suspects that the spike is due to increased traffic going over the VPN backup link instead of Direct Connect. What should the administrator do to resolve the issue?

A.Move the application to a different AWS region closer to the on-premises data center.
B.Configure the cloud resources to use only the Direct Connect connection and disable the VPN.
C.Increase the bandwidth of the VPN backup link.
D.Implement traffic shaping to prioritize application traffic over the Direct Connect link.
AnswerB

Ensures all traffic uses the low-latency Direct Connect.

Why this answer

Option B is correct because the latency spike during peak hours is caused by traffic shifting onto the VPN backup link, which rides the public internet and adds latency and jitter. Restricting the cloud resources to the Direct Connect path keeps all traffic on the dedicated link. Before disabling the backup in production, check why the VPN attracted traffic at all: the virtual private gateway prefers a Direct Connect path over a VPN path for the same prefix, so a more-specific prefix advertised only over the VPN (or an on-premises router preferring the VPN path) is the usual cause, and correcting the advertisements keeps the VPN as a genuine backup instead of removing redundancy.

Exam trap

The trap here is that candidates may assume increasing bandwidth or traffic shaping will fix the latency issue, but the real problem is that traffic is incorrectly routed over the VPN backup link, not that the Direct Connect link is saturated.

How to eliminate wrong answers

Option A is wrong because moving the application to a different AWS region would not resolve the issue of traffic using the VPN backup link; the latency spike is due to routing misconfiguration, not geographic distance. Option C is wrong because increasing the bandwidth of the VPN backup link does not address the root cause—traffic should not be using the VPN at all during peak hours; the VPN link itself introduces higher latency regardless of bandwidth. Option D is wrong because traffic shaping prioritizes traffic on the Direct Connect link but does not prevent traffic from failing over to the VPN; the issue is that traffic is being routed over the VPN, not that the Direct Connect link is congested.

50
MCQhard

A multinational corporation is deploying a new application across multiple cloud regions for disaster recovery. The application requires consistent low latency for users globally. The architect decides to use a content delivery network (CDN) for static assets and a global load balancer for API traffic. After deployment, some users in Asia report occasional timeouts when accessing the API. The API servers are deployed in the US East and Europe regions. The load balancer is configured with latency-based routing. What is the most likely cause of the timeouts?

A.The latency-based routing is directing traffic to the farthest region due to routing table issues.
B.The API servers in Europe have insufficient capacity.
C.The CDN is misconfigured for the API endpoints.
D.The DNS TTL is set too high, causing cached resolution to a failed server.
AnswerD

High TTL means clients cache DNS results; if a server fails, they still try that IP until cache expires, causing timeouts.

Why this answer

Option D is correct because a high DNS TTL causes clients to cache the IP address of a failed or unhealthy API server for an extended period. When that server becomes unavailable, clients continue to send requests to the cached IP instead of querying DNS for a healthy endpoint, resulting in timeouts. This is a common issue with latency-based routing, where DNS resolution is critical for directing traffic to the optimal region.

Exam trap

The trap here is that candidates often overlook DNS caching behavior and instead focus on load balancer configuration or server capacity, failing to recognize that high DNS TTL can cause stale routing decisions in latency-based architectures.

How to eliminate wrong answers

Option A is wrong because latency-based routing directs traffic to the region with the lowest measured latency, not the farthest; routing table issues would affect reachability, not cause timeouts due to distance. Option B is wrong because insufficient capacity would cause errors like 503 Service Unavailable or increased latency, not intermittent timeouts specific to Asia users when servers exist in both US East and Europe. Option C is wrong because a CDN is used for static assets, not API endpoints; misconfiguring the CDN for API traffic would not cause timeouts since the API traffic is handled by the global load balancer, not the CDN.

51
MCQmedium

A containerized application deployment fails with an 'ImagePullBackOff' error. What should the administrator verify?

A.The CPU utilization on the node
B.The cluster's DNS configuration
C.The firewall rules between nodes and registry
D.The container registry credentials and image tag
AnswerD

ImagePullBackOff commonly occurs when the image is not found or access is denied.

Why this answer

Option D is correct because ImagePullBackOff means the kubelet tried to pull the image, failed, and is now backing off before retrying; the two most common causes are an image reference (registry, repository or tag) that does not exist and a registry that rejected the pull for lack of credentials (no imagePullSecrets, or an expired token). Read the pod events first with kubectl describe pod: 'manifest unknown' or 'not found' points at the tag, 'unauthorized' at the credentials.

How to eliminate wrong answers

Option A is wrong because CPU pressure on the node delays scheduling or throttles running containers; it does not make an image pull fail. Option B is wrong because cluster DNS serves name resolution inside pods, whereas the kubelet and container runtime resolve the registry name with the node's own resolver; a broken node resolver would appear in the events as a lookup error rather than an image or authorization error. Option C is wrong as the first thing to check: a firewall blocking the node-to-registry path also ends in ImagePullBackOff, but the event message is then a connection or i/o timeout, so verify the image reference and credentials first and look at network rules only if the events show a timeout.
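The two things the answer says to verify, expressed as manifests. This is an added example, not from the quiz: the namespace, the registry host, the image name and the placeholders for the base64 docker config and the digest are assumptions to be replaced. Pinning by digest rather than tag is the practitioner's addition here: a tag can be moved or deleted, a digest cannot, so a pull either gets exactly the reviewed image or fails loudly.

```yaml
# Added example, not part of the quiz: a Deployment that presents registry
# credentials and pins its image by digest. Namespace, registry host, image
# name, the base64 docker config and the digest are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: registry-creds
  namespace: shop
type: kubernetes.io/dockerconfigjson
data:
  # base64 of a docker config.json; generate it from real credentials with
  # kubectl create secret docker-registry registry-creds
  #   --docker-server=registry.example.com --docker-username=... \
  #   --docker-password=... --dry-run=client -o yaml
  .dockerconfigjson: <base64-encoded-docker-config-json>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: shop
spec:
  replicas: 2
  selector:
    matchLabels: {app: api}
  template:
    metadata:
      labels: {app: api}
    spec:
      # The kubelet presents this secret when it pulls from the private registry;
      # without it a private image fails with "unauthorized" in the pod events.
      imagePullSecrets:
        - name: registry-creds
      containers:
        - name: api
          # Digest pinning: a moved or deleted tag cannot silently change what
          # runs, and a typo in the digest fails the pull instead of running
          # the wrong image.
          image: registry.example.com/shop/api@sha256:<64-hex-digest>
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
```

After applying, kubectl -n shop describe pod on a stuck pod shows the pull attempt in the Events section; the wording there (not found, unauthorized, or i/o timeout) tells you which of the three possible causes you are actually looking at.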

52
MCQeasy

A startup is deploying its web application in the cloud using an auto-scaling group. The application experiences variable traffic, with spikes during business hours. The team has configured the auto-scaling group to scale out when CPU utilization exceeds 70% and scale in when it drops below 30%. However, during a sudden spike, the new instances take over 5 minutes to become healthy, causing slow response times. What should the team do to improve responsiveness?

A.Use a larger instance type for the auto-scaling group.
B.Implement a predictive scaling policy based on historical patterns.
C.Reduce the threshold for scale-out to 50% CPU.
D.Increase the cooldown period for the scaling policy.
AnswerB

Predictive scaling provisions instances ahead of anticipated spikes.

Why this answer

Predictive scaling uses historical traffic patterns to launch instances before CPU utilization spikes, removing the lag of reactive scaling for the recurring business-hour surge. It needs a history of past load to forecast from, so it complements rather than replaces the reactive policy, which still handles unforecast spikes; shortening the five minutes an instance takes to become healthy (pre-baked images, warm pools) helps whichever policy launches it.

Exam trap

The trap here is that candidates often focus on tuning thresholds or instance sizes to fix a latency problem, missing that the core issue is the reactive scaling delay, which only a proactive approach like predictive scaling can resolve.

How to eliminate wrong answers

Option A is wrong because using a larger instance type does not reduce the time for new instances to become healthy; it only increases per-instance capacity, which may still suffer from the same 5-minute startup delay during spikes. Option C is wrong because reducing the scale-out threshold to 50% CPU would trigger scaling earlier but still relies on reactive scaling, meaning instances would still take over 5 minutes to become healthy after the threshold is breached, failing to prevent slow responses. Option D is wrong because increasing the cooldown period would delay further scaling actions, making the auto-scaling group less responsive during rapid traffic spikes, worsening the problem.

53
MCQeasy

A small business plans to migrate its on-premises infrastructure to the cloud to reduce capital expenditure. They have a limited IT team and want to minimize management overhead. Which cloud deployment model should they choose?

A.Private cloud
B.Community cloud
C.Hybrid cloud
D.Public cloud
AnswerD

Public cloud is cost-effective and requires minimal management overhead.

Why this answer

The public cloud deployment model is the correct choice because it lets the small business offload infrastructure ownership to the cloud provider, eliminating on-premises hardware and the capital expenditure that goes with it. With a limited IT team, the shared responsibility model minimizes management overhead: the provider handles physical security, hardware maintenance and hypervisor updates, while the business manages only its guest operating systems, applications and data (and less than that where it chooses managed services).

Exam trap

CompTIA often tests the misconception that 'public cloud means zero management overhead,' but the shared responsibility model still requires the customer to manage the guest OS, applications, and data, which is a key trap in this question.

How to eliminate wrong answers

Option A is wrong because a private cloud requires the business to own or lease dedicated hardware, which increases capital expenditure and management overhead, contradicting the goal of reducing both. Option B is wrong because a community cloud is shared among several organizations with common concerns, still requiring significant coordination and often dedicated infrastructure, which does not minimize management overhead for a small business. Option C is wrong because a hybrid cloud combines public and private clouds, introducing complexity in networking, orchestration, and data synchronization, which increases management overhead and does not fully eliminate capital expenditure.

54
MCQmedium

A cloud architect is designing a deployment strategy for a web application that must handle unpredictable traffic spikes. The application runs in containers on a Kubernetes cluster. The architect wants to minimize costs while ensuring that the cluster can scale out rapidly during spikes. Which deployment strategy best meets these requirements?

A.Pre-provision a fixed number of pods to handle peak load at all times.
B.Manually scale the deployment when monitoring alerts indicate high traffic.
C.Implement horizontal pod autoscaling based on CPU utilization.
D.Use vertical pod autoscaling to increase resource limits on existing pods.
AnswerC

HPA automatically adds/removes pods to match demand.

Why this answer

Horizontal Pod Autoscaling (HPA) automatically adjusts the number of pod replicas based on observed CPU utilization (or custom metrics), enabling rapid scale-out during traffic spikes without manual intervention. This minimizes costs by running only the necessary pods during low traffic while ensuring the cluster can react quickly to increased demand, which aligns with the requirement for unpredictable spikes.

Exam trap

CompTIA often tests the distinction between horizontal and vertical scaling in the context of cost and rapid elasticity; the trap here is that candidates may choose vertical autoscaling (Option D) thinking it is cheaper, but it cannot scale out quickly enough for unpredictable spikes and is limited by node resources.

How to eliminate wrong answers

Option A is wrong because pre-provisioning a fixed number of pods to handle peak load at all times results in over-provisioning and higher costs, as resources are wasted during low-traffic periods. Option B is wrong because manually scaling the deployment when monitoring alerts indicate high traffic introduces latency and cannot react quickly enough to unpredictable spikes, risking performance degradation. Option D is wrong because vertical pod autoscaling increases resource limits on existing pods, which does not provide rapid scale-out; it is limited by node capacity and cannot handle sudden traffic surges as effectively as adding more pod replicas.
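The HPA the answer describes, written out as manifests. This is an added example, not from the quiz: the namespace, the Deployment name and the image are assumptions. It goes slightly beyond the question in two ways a practitioner cares about: the Deployment declares a CPU request, because the HPA's utilisation target is a percentage of the request and an HPA cannot compute anything for pods without one, and the behavior section lets scale-out react immediately while scale-in waits, which is what keeps a spike from being followed by a premature shrink.

```yaml
# Added example, not part of the quiz: Deployment "web" in namespace "shop"
# (both assumed) with a CPU request, plus an HPA that scales on CPU utilisation.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: shop
spec:
  replicas: 2
  selector:
    matchLabels: {app: web}
  template:
    metadata:
      labels: {app: web}
    spec:
      containers:
        - name: web
          image: registry.example.com/shop/web:1.4.2   # assumed image
          resources:
            requests:
              cpu: 250m          # 70% utilisation means 175m average per pod
              memory: 256Mi
            limits:
              memory: 512Mi
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: web
  namespace: shop
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: web
  minReplicas: 2
  maxReplicas: 20
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
  behavior:
    scaleUp:
      stabilizationWindowSeconds: 0     # react to a spike immediately
      policies:
        - type: Percent
          value: 100                    # at most double the replica count ...
          periodSeconds: 30             # ... every 30 s
        - type: Pods
          value: 4                      # or add 4 pods, whichever is larger
          periodSeconds: 30
      selectPolicy: Max
    scaleDown:
      stabilizationWindowSeconds: 300   # hold capacity 5 min before shrinking
      policies:
        - type: Percent
          value: 25
          periodSeconds: 60
```

The HPA reads pod CPU from the metrics API, so metrics-server (or an equivalent) must be installed in the cluster; kubectl get hpa -n shop showing <unknown> for the target is the usual sign that it is missing or that the pods have no CPU request.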

55
MCQhard

A company has a hybrid cloud environment with on-premises servers and AWS. They deploy a new application using AWS Elastic Beanstalk with a load balancer and auto scaling group. The application is a Node.js API that connects to an RDS MySQL database. After deployment, users report that the API returns a '500 Internal Server Error' intermittently. The application logs show 'ETIMEDOUT' errors when connecting to the database. The database is deployed in a private subnet with a security group that allows inbound traffic from the Elastic Beanstalk environment's security group. The database connection string uses the RDS endpoint. The same application works perfectly when deployed on-premises. What is the most likely cause?

A.The database connection string uses the wrong port number
B.The Elastic Beanstalk environment is in a different VPC or subnet that cannot reach the RDS instance
C.The security group attached to the RDS instance does not allow traffic from the Elastic Beanstalk environment
D.The RDS instance is in a failed state and needs to be rebooted
AnswerB

Network connectivity between VPCs or subnets is likely misconfigured, causing timeouts.

Why this answer

The intermittent 'ETIMEDOUT' errors indicate a network connectivity issue between the Elastic Beanstalk environment and the RDS database. Since the application works on-premises, the problem is specific to the AWS networking configuration. The most likely cause is that the Elastic Beanstalk environment is deployed in a different VPC or subnet that lacks routing or a VPC peering connection to reach the RDS instance's private subnet, causing timeouts when the load balancer or auto scaling group instances attempt to connect.

Exam trap

The trap here is that candidates assume a security-group rule is the cause. ETIMEDOUT means the connection attempt was dropped silently somewhere on the path (no route, no return route, or a security group or network ACL that drops the packet) rather than refused by the host. Since the scenario states the database security group already admits the environment's security group, what remains is reachability between the environment's subnets and the database subnet, and the intermittent pattern fits an Auto Scaling group spread across subnets where only some have a working path.

How to eliminate wrong answers

Option A is wrong because the port is configured separately from the RDS endpoint hostname, and a wrong port on a host that is otherwise reachable typically produces ECONNREFUSED (or a silent drop if the security group only permits 3306); either way the failure would be constant, not intermittent. Option C is wrong because the scenario states the RDS security group already allows inbound traffic from the Elastic Beanstalk environment's security group; note that a missing security-group rule would also surface as ETIMEDOUT, since security groups drop silently rather than reject, so it is the stated configuration, not the error text, that rules it out. Option D is wrong because a failed or rebooting RDS instance produces a consistent outage and a 'Can't connect to MySQL server' style error, not intermittent timeouts, and a reboot would not repair a routing problem.

56
MCQeasy

A company is migrating its on-premises e-commerce application to a public cloud provider. The application consists of a web tier, an application tier, and a database tier. The cloud architect has designed a three-tier architecture using virtual machines (VMs) in a virtual private cloud (VPC). During the deployment, the web servers are placed in a public subnet, the application servers in a private subnet, and the database servers in a separate private subnet. All security groups and network ACLs have been configured to allow the required traffic. After deploying the application, the operations team reports that the web servers cannot communicate with the application servers. The web servers are able to reach the internet, and the application servers can be reached from the operations team's management bastion host. Which of the following is the MOST likely cause of the issue?

A.The route table associated with the web servers' subnet is missing a route to the application servers' subnet.
B.The web servers do not have a route to the internet gateway.
C.The network ACL on the application servers' subnet is blocking inbound traffic from the web servers.
D.The security group on the web servers is blocking outbound traffic to the application servers.
AnswerA

Correct: Without a route to the private subnet, traffic is dropped.

Why this answer

The web servers' public subnet has a route table whose default route (0.0.0.0/0) points at an internet gateway, which is why they reach the internet. Reaching the application servers needs a route that covers the application subnet's CIDR. On platforms where inter-subnet routes are explicit, or where the tiers live in separate VPCs joined by peering, a missing route means the packet has nowhere to go and is dropped before any security group or network ACL is consulted, which matches the symptoms. One caveat for AWS specifically: every VPC route table carries an automatic 'local' route for the whole VPC CIDR that cannot be removed, so two subnets in the same VPC always have a route to each other; the scenario applies as written only if the tiers are in different VPCs, or if a more-specific route has been added that sends the application subnet's CIDR somewhere else, such as a firewall appliance that is not forwarding.

Exam trap

CompTIA often tests the misconception that security groups or network ACLs are the primary cause of connectivity issues between subnets, when in reality the missing route in the subnet's route table is the root cause, especially when internet access works but inter-subnet communication fails.

How to eliminate wrong answers

Option B is wrong because the web servers already reach the internet, which proves the 0.0.0.0/0 route to the internet gateway is present. Option C is wrong because the scenario states the network ACLs were configured to allow the required traffic, and the bastion host in another subnet can already reach the application servers, so the application subnet's ACL is admitting inbound traffic from outside the subnet; network ACLs are stateless, so a block would have to be in the application subnet's inbound rules or in the return-traffic rules, and neither is indicated. Option D is wrong because security groups have both inbound and outbound rules and are stateful; the scenario says they allow the required traffic, and the web servers' outbound rules are evidently open enough to reach the internet, so outbound filtering is not what stops them reaching the application tier.

57
Multi-Select · medium

Which TWO factors should be considered when choosing a cloud deployment model (public, private, hybrid)? (Select TWO.)

Select 2 answers
A. Number of monitors connected to the server
B. Data sensitivity and classification
C. Compliance requirements (e.g., GDPR, HIPAA)
D. Brand of physical servers used
E. Color of server racks in the data center
Answers: B, C

Sensitive data may require private cloud for tighter control.

Why this answer

Data sensitivity and classification (B) are critical because public cloud providers operate a shared responsibility model where the customer retains control over data classification and access policies, while the provider manages the infrastructure. Highly sensitive data (e.g., PII, trade secrets) often mandates a private or hybrid model to maintain strict network isolation and encryption at rest/in transit. Compliance requirements (C) such as GDPR or HIPAA impose legal obligations on data residency, audit logging, and breach notification, which may restrict the use of certain public cloud regions or require dedicated hardware, directly influencing the deployment model choice.

Exam trap

CompTIA often tests the misconception that physical hardware attributes (brand, color, monitor count) influence cloud deployment decisions, when in fact the choice is driven by data governance, compliance, cost and operational requirements; the hardware underneath a public cloud is the provider's concern, not the customer's.

58
Matching · medium

Match each high-availability concept to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Distribute traffic across multiple servers

Isolated location within a region

One node active, one standby

All nodes serve traffic simultaneously

Why these pairings

Architectures and components for high availability: a load balancer distributes traffic across multiple servers; an availability zone is an isolated location within a region; active-passive keeps one node active with one on standby; active-active has all nodes serving traffic simultaneously.

59
MCQ · medium

A DevOps team sets up a CI/CD pipeline for a containerized application on Kubernetes. They want to test a new version with a small subset of users before full rollout. Which deployment method should they use?

A. Canary
B. Recreate
C. Rolling update
D. Blue/green
Answer: A

Canary sends a small percentage of traffic to the new version for testing.

Why this answer

A canary deployment releases the new version to a small subset of users (e.g., 5-10% of traffic) while the rest continue using the stable version. This lets the team watch error rates, latency and user feedback before widening the rollout, and roll back by simply scaling the canary to zero. Kubernetes has no built-in canary object; the usual techniques are two Deployments whose pods share a label that a single Service selects on (traffic then splits roughly in proportion to replica counts), or weighted routing in an ingress controller or service mesh such as Istio or Linkerd, which can also route by header or cookie so that a defined group of users, rather than a random share of requests, sees the canary.

Exam trap

CompTIA often tests the distinction between canary and rolling update by implying that rolling updates can also target a subset of users, but rolling updates replace pods gradually across the entire cluster without user-based traffic splitting.

How to eliminate wrong answers

Option B (Recreate) is wrong because it terminates all existing pods before creating new ones, causing full downtime and no ability to test with a subset of users. Option C (Rolling update) is wrong because it gradually replaces pods but does not allow fine-grained traffic splitting to a specific user subset; all users eventually receive the new version during the update. Option D (Blue/green) is wrong because it runs two full environments and switches all traffic at once, which does not provide a gradual, user-subset testing phase.
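The two-Deployment technique described above, written out as Kubernetes manifests. This is an added example, not code from the question bank or from any project: the service name, the `track` label, the image tags and the 9:1 replica ratio are assumptions chosen for illustration.

```yaml
# Added example: canary on plain Kubernetes, no mesh required.
# The Service selects on app=shop only, so it load-balances across every
# pod carrying that label. Each Deployment adds a "track" label the Service
# ignores, so traffic splits roughly by replica count:
# 9 stable + 1 canary pod = about 10% of requests reach the canary.
apiVersion: v1
kind: Service
metadata:
  name: shop
spec:
  selector:
    app: shop                 # deliberately no "track" key here
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: shop-stable
spec:
  replicas: 9
  selector:
    matchLabels:
      app: shop
      track: stable
  template:
    metadata:
      labels:
        app: shop
        track: stable
    spec:
      containers:
        - name: shop
          image: registry.example.com/shop:1.4.0   # current release (assumed tag)
          ports:
            - containerPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: shop-canary
spec:
  replicas: 1
  selector:
    matchLabels:
      app: shop
      track: canary
  template:
    metadata:
      labels:
        app: shop
        track: canary
    spec:
      containers:
        - name: shop
          image: registry.example.com/shop:1.5.0   # candidate release (assumed tag)
          ports:
            - containerPort: 8080
```

Widen the canary with `kubectl scale deployment shop-canary --replicas=3` and retreat with `--replicas=0`; the stable Deployment is never touched until the canary has earned a full rollout. Two caveats a practitioner should keep in mind: the split is per request, not per user, because the Service has no session affinity, so a user can alternate between versions; and the percentage is only as fine as the replica count allows. When the requirement is literally "a subset of users", an ingress controller or mesh with weighted or header-based routing is the right tool.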

60
Multi-Select · easy

Which TWO are advantages of using containers over virtual machines? (Select TWO.)

Select 2 answers
A. Better hardware isolation
B. Less overhead because they share the host OS kernel
C. Requires a hypervisor to run
D. Larger resource consumption
E. Faster startup time
Answers: B, E

Shared kernel reduces memory and CPU overhead.

Why this answer

Option B is correct because containers share the host operating system kernel, eliminating the need for a separate guest OS per instance. This reduces overhead significantly compared to virtual machines, which each require their own full OS, leading to more efficient use of system resources. Option E is correct because starting a container launches a process on the already-running host kernel, with no guest OS to boot, so start-up typically takes well under a second versus tens of seconds for a VM.

Exam trap

CompTIA often tests the misconception that containers provide stronger isolation than VMs, when in fact VMs offer the stronger security boundary because each guest runs its own kernel behind hardware-assisted virtualization. Containers are separated by kernel namespaces, cgroups and capability sets on a shared kernel, so a kernel vulnerability or an over-privileged container can reach the host and every neighbour on it.

61
MCQ · medium

A company is deploying a stateful application that requires persistent storage. They are using Kubernetes. Which resource should they create to ensure data persists across pod restarts?

A. Deployment
B. Secret
C. PersistentVolumeClaim
D. ConfigMap
Answer: C

PVC provides persistent storage that survives pod restarts.

Why this answer

A PersistentVolumeClaim (PVC) is the correct resource because it abstracts the underlying storage details and allows a pod to request persistent storage that survives pod restarts. When a pod is recreated, the PVC ensures the same volume is reattached, preserving application state. This is essential for stateful applications in Kubernetes, as pods are ephemeral by default.

Exam trap

The trap here is that candidates confuse a Deployment's ability to manage replicas with data persistence, overlooking that a Deployment alone does not guarantee storage survival across pod restarts without an explicit PVC.

How to eliminate wrong answers

Option A is wrong because a Deployment manages replicas of stateless pods and is not a storage resource; it can mount a PVC, but it does not itself provide persistence. Option B is wrong because a Secret holds small pieces of sensitive data such as passwords or tokens, not application data. Option D is wrong because a ConfigMap is designed for non-sensitive configuration (environment variables or config files); mounted into a pod it is read-only, so it cannot store data the application writes.
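The PVC mechanism in the form a practitioner usually deploys it: a StatefulSet with a `volumeClaimTemplates` section, so every replica gets its own claim that outlives the pod. This is an added example, not from the question bank; the PostgreSQL image, the `db-credentials` Secret, the `gp3` StorageClass name and the 20Gi size are assumptions for illustration.

```yaml
# Added example: each replica of the StatefulSet gets its own PVC
# (data-db-0, data-db-1, ...). Kubernetes re-attaches the same claim when
# the pod is rescheduled, and the claims survive deletion of the
# StatefulSet itself, so data is not lost by accident.
apiVersion: v1
kind: Service
metadata:
  name: db
spec:
  clusterIP: None             # headless: stable per-pod DNS names db-0.db, db-1.db
  selector:
    app: db
  ports:
    - port: 5432
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: db
spec:
  serviceName: db
  replicas: 2
  selector:
    matchLabels:
      app: db
  template:
    metadata:
      labels:
        app: db
    spec:
      containers:
        - name: postgres
          image: postgres:16
          env:
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:        # credentials come from a Secret (option B's job)
                  name: db-credentials   # assumed to exist already
                  key: password
          volumeMounts:
            - name: data
              mountPath: /var/lib/postgresql/data
  volumeClaimTemplates:            # data lives in a PVC (option C's job)
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: gp3          # assumed StorageClass name
        resources:
          requests:
            storage: 20Gi
```

The contrast with a Deployment is the point: a Deployment can reference one pre-created PVC, but then every replica mounts the same volume, which a ReadWriteOnce disk will not allow across nodes and a database will not tolerate. The StatefulSet's template hands each ordinal its own claim. Note the Secret and the PVC doing different jobs in the same manifest, which is exactly the distinction options B and C test.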

62
Multi-Select · medium

Which TWO of the following are valid considerations when deploying a virtual machine in a cloud environment? (Choose two.)

Select 2 answers
A. The log retention policy
B. The password complexity requirements
C. The instance size and family
D. The number of virtual CPUs assigned to the hypervisor
E. The type of storage (SSD or HDD)
Answers: C, E

Instance size determines vCPU, memory, and cost.

Why this answer

Option C is correct because the instance size and family directly determine the virtual machine's compute capacity, including vCPUs, memory, and network performance. Selecting the appropriate size and family ensures the workload has sufficient resources without over-provisioning, which is a fundamental deployment consideration in cloud environments like AWS EC2 or Azure VMs. Option E is correct because the storage type sets the volume's IOPS, throughput and price: SSD-backed volumes suit databases and other latency-sensitive workloads, while HDD-backed volumes are cheaper for sequential or cold data. Both decisions are made at provisioning time and are disruptive to change afterwards.

Exam trap

CompTIA often tests the distinction between VM-level deployment decisions (instance size, storage type) and post-deployment or hypervisor-level configurations (log retention, password policies, hypervisor vCPU assignment) to catch candidates who confuse operational settings with provisioning choices.

63
Multi-Select · hard

A DevOps team is implementing an automated deployment pipeline for a cloud application. Which THREE steps are essential components of a continuous delivery pipeline? (Select THREE.)

Select 3 answers
A. Deploying to a staging environment for integration tests
B. Deploying to production automatically without approval
C. Monitoring and rollback capability
D. Source code compilation
E. Running unit tests
Answers: A, D, E

Staging allows integration testing in an environment similar to production before final deployment.

Why this answer

Option A is correct because deploying to a staging environment for integration tests is a core step in a continuous delivery pipeline. It validates that the application works correctly in an environment that mirrors production before any release decision is made, ensuring that integration and end-to-end tests can run safely without impacting live users. Option D is correct because the pipeline must produce a versioned, deployable artifact from source, and every later stage should deploy that same artifact rather than rebuild it. Option E is correct because unit tests are the fast, hermetic gate that stops broken code from ever reaching staging. Monitoring and rollback (C) matter operationally, but they belong to running the release rather than to the build, test and stage chain the question asks about, which is why the key omits them.

Exam trap

CompTIA often tests the distinction between continuous delivery and continuous deployment, where candidates mistakenly select automatic production deployment as an essential step, but the question explicitly asks for continuous delivery, which requires a manual approval before production.
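The build, unit-test and staging chain with an approval gate before production, as one GitHub Actions workflow. This is an added example, not from the question bank or any project: the `make` targets, the `deploy.sh` script, the staging URL and the environment names are assumptions. The manual approval that makes this continuous delivery rather than continuous deployment is a "required reviewers" protection rule on the `production` environment in the repository settings; the workflow only references the environment by name.

```yaml
# Added example: continuous delivery pipeline. Compile, run unit tests,
# deploy the resulting artifact to staging and integration-test it, then
# wait for a human to approve the production environment before deploying
# the very same artifact there.
name: continuous-delivery
on:
  push:
    branches: [main]

jobs:
  build-and-unit-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make build               # source compilation into dist/ (assumed target)
      - run: make unit-test           # fast, hermetic tests; fail here, stop here
      - uses: actions/upload-artifact@v4
        with:
          name: release-artifact      # one artifact, reused by every later stage
          path: dist/

  staging:
    needs: build-and-unit-test
    runs-on: ubuntu-latest
    environment: staging
    steps:
      - uses: actions/checkout@v4     # for deploy.sh and the integration tests
      - uses: actions/download-artifact@v4
        with:
          name: release-artifact
          path: dist/
      - run: ./deploy.sh staging dist/                  # assumed deploy script
      - run: make integration-test STAGE_URL=https://staging.example.com

  production:
    needs: staging
    runs-on: ubuntu-latest
    environment: production           # required reviewers pause the job here
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: release-artifact
          path: dist/
      - run: ./deploy.sh production dist/
```

Remove the reviewer rule from the `production` environment and the same file becomes continuous deployment (option B). Deploying the downloaded artifact instead of rebuilding in each job is what makes staging a trustworthy rehearsal: what was tested is what ships, and the previous artifact stays available for a rollback.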

64
MCQ · hard

A cloud administrator is deploying a critical application that requires the lowest possible latency between compute instances. The instances will be running in a private subnet and must communicate with each other using their private IP addresses. Which of the following deployment configurations would best meet these requirements?

A. Deploy instances in different Availability Zones within the same region.
B. Deploy instances in the same subnet behind a NAT gateway.
C. Deploy instances in different regions and use inter-region peering.
D. Deploy instances in a placement group within the same Availability Zone.
Answer: D

Placement groups ensure low latency and high throughput.

Why this answer

Deploying instances in a cluster placement group within the same Availability Zone packs them onto closely connected hardware, often the same rack or network segment, which minimizes network hops and gives the lowest achievable latency. This configuration is ideal for latency-sensitive applications because it provides high-bandwidth, low-latency inter-instance communication without traversing additional network infrastructure. The trade-off to note is that a cluster placement group concentrates the instances on shared hardware, so it offers no protection against a rack or AZ failure; latency is being bought at the expense of fault tolerance.

Exam trap

The trap here is that candidates often assume distributing instances across Availability Zones improves performance due to high availability, but for latency-sensitive workloads, the physical proximity of a placement group within a single AZ is the correct choice, not fault tolerance.

How to eliminate wrong answers

Option A is wrong because deploying instances in different Availability Zones introduces additional network latency due to the physical separation and the need to traverse Availability Zone boundaries, even within the same region. Option B is wrong because placing instances behind a NAT gateway adds a network hop and processing overhead, which increases latency and is unnecessary for private subnet communication using private IPs. Option C is wrong because deploying instances in different regions and using inter-region peering incurs significant latency due to long-distance data transfer and is not suitable for low-latency requirements.

65
MCQ · medium

A cloud administrator is deploying a virtual machine (VM) in a public cloud and must ensure that the VM can be recovered quickly in case of failure. The administrator configures the VM to use a managed disk. What additional deployment step should be taken to meet the recovery objective with minimal cost?

A. Set the VM's boot diagnostics to store logs in a storage account.
B. Configure automated snapshots of the managed disk on a schedule.
C. Deploy a second VM in a different region as a pilot light.
D. Attach the VM to multiple managed disks in an availability set.
Answer: B

Snapshots are cheap and allow quick restoration.

Why this answer

Option B is correct because configuring automated snapshots of the managed disk provides a cost-effective, incremental backup mechanism that enables rapid recovery of the VM in case of failure. Snapshots capture point-in-time copies of the disk and can be used to create a new managed disk or restore the VM quickly, meeting the recovery objective without the expense of maintaining a separate, always-on replica.

Exam trap

The trap here is that candidates often confuse high availability (e.g., availability sets or pilot light deployments) with backup and recovery, assuming that redundancy alone satisfies the recovery objective, when in fact snapshots provide a lower-cost, backup-focused solution for quick recovery after failure.

How to eliminate wrong answers

Option A is wrong because boot diagnostics store logs for troubleshooting boot failures, not for recovering the VM itself; they do not provide a recoverable copy of the VM's disk. Option C is wrong because deploying a second VM in a different region as a pilot light incurs ongoing compute and storage costs for a standby instance, which is more expensive than using snapshots for recovery. Option D is wrong because attaching multiple managed disks in an availability set provides high availability within a single region but does not create recoverable backups; it protects against hardware failure but not against data corruption or accidental deletion, and it increases cost without meeting the recovery objective.

66
Multi-Select · easy

A company is planning to migrate a legacy application to the cloud. They want to leverage cloud-native features while minimizing code changes. Which TWO migration strategies should they consider?

Select 2 answers
A. Replatform
B. Rehost
C. Rebuild
D. Replace
E. Refactor
Answers: A, D

Replatform offers cloud-native benefits with minimal changes.

Why this answer

Replatform (A) is correct because it involves migrating the application to a cloud-managed platform (e.g., moving from a self-managed database to Amazon RDS or Azure SQL Database) with minimal code changes, allowing the company to leverage cloud-native features like automated backups and scaling. Replace (D) is correct because it means adopting a SaaS alternative (e.g., replacing a custom CRM with Salesforce) that provides cloud-native capabilities without modifying existing code, aligning with the goal of minimizing code changes.

Exam trap

CompTIA often tests the distinction between 'Replatform' and 'Refactor,' where candidates mistakenly choose Refactor thinking it allows minimal changes, but Refactor actually requires significant code rework to adopt cloud-native patterns like containerization or serverless.

67
MCQ · easy

After deploying a new cloud application, users report that they cannot connect to the application. The cloud administrator checks the security group rules and finds that the inbound rule for HTTP traffic is missing. What is the best practice to prevent this issue in future deployments?

A. Create a checklist for manual review before each deployment.
B. Use an Infrastructure as Code (IaC) template to define security group rules.
C. Clone a security group that already has the correct rules.
D. Configure the security group to allow all traffic by default.
Answer: B

IaC forces explicit, reviewable configuration.

Why this answer

Option B is correct because an Infrastructure as Code (IaC) template (CloudFormation, Terraform, Bicep) makes every security group rule an explicit, versioned line that is reviewed in a pull request, linted before deployment and applied identically to every environment; a missing HTTP rule is caught in review or by a policy check rather than by users.

How to eliminate wrong answers

Option A is wrong because a manual checklist is error-prone and depends on someone remembering to follow it every time. Option C is wrong because cloning an existing group copies whatever rules it happens to have, including stale or over-permissive ones, and does not address the root cause, which is undocumented manual configuration. Option D is wrong because allowing all traffic by default trades one outage for an exposed attack surface and violates least privilege.

68
Multi-Select · medium

A cloud administrator is deploying a web application that must be highly available across two availability zones. The deployment includes an application load balancer and multiple EC2 instances. Which TWO configurations are required to meet the high availability requirement?

Select 2 answers
A. Launch EC2 instances in at least two availability zones
B. Use a single EC2 instance with an auto-recovery policy
C. Set up health checks to automatically replace unhealthy instances
D. Configure the load balancer to route traffic to both availability zones
E. Enable cross-zone load balancing on the ALB
Answers: A, D

Distributes instances across zones to withstand zone failure.

Why this answer

Option A is correct because launching EC2 instances in at least two availability zones ensures that if one AZ fails, the application continues to serve traffic from the other; this spreads compute capacity across physically separate data centers. Option D is correct because the ALB itself has to be enabled in a subnet of each AZ and have healthy targets registered from both; an ALB that only knows one AZ's subnet cannot forward to instances in the other, so the multi-AZ placement in A achieves nothing on its own.

Exam trap

The trap here is that candidates often confuse cross-zone load balancing (which optimizes traffic distribution) with the fundamental requirement of deploying resources across multiple AZs, leading them to select Option E instead of recognizing that multi-AZ instance placement is the non-negotiable prerequisite for high availability. Cross-zone load balancing is also enabled by default on an ALB, so selecting it adds nothing the deployment does not already have.

69
MCQ · easy

A company wants to move its on-premises web application to the cloud with minimal code changes to reduce risk. Which deployment strategy is most appropriate?

A. Refactor
B. Rehost
C. Replatform
D. Rebuild
Answer: B

Rehost moves the application as-is, minimizing code changes.

Why this answer

The Rehost (lift-and-shift) strategy is most appropriate because it moves the on-premises web application to the cloud with minimal code changes, directly reducing risk. By migrating the existing virtual machines or physical servers to cloud instances (e.g., AWS EC2 or Azure VMs) without modifying the application architecture, the company preserves the current codebase and operational behavior. This approach avoids the complexity and potential errors associated with rewriting or refactoring code, making it the safest choice for a risk-averse migration.

Exam trap

The trap here is that candidates often confuse 'Replatform' with 'Rehost' because both involve moving to the cloud, but Replatform requires code changes to leverage managed services (e.g., replacing a self-managed database with Amazon RDS), which increases risk and violates the 'minimal code changes' constraint.

How to eliminate wrong answers

Option A (Refactor) is wrong because it involves modifying the application code to optimize it for cloud-native features (e.g., using serverless functions or microservices), which contradicts the requirement for minimal code changes and increases risk. Option C (Replatform) is wrong because it requires some code changes to adapt the application to a managed cloud service (e.g., moving from a self-hosted database to Amazon RDS), which still introduces risk beyond a pure lift-and-shift. Option D (Rebuild) is wrong because it entails completely rewriting the application from scratch using cloud-native architectures (e.g., containers or serverless), which maximizes code changes and risk, directly opposing the stated goal.

70
MCQ · medium

A company wants to migrate its existing on-premises web application to the cloud to reduce operational overhead. The application runs on a custom Linux distribution with specific kernel modules. Which cloud deployment model would best minimize the need to refactor the application while still reducing maintenance of the underlying infrastructure?

A. Container as a Service (CaaS)
B. Platform as a Service (PaaS)
C. Software as a Service (SaaS)
D. Infrastructure as a Service (IaaS)
Answer: D

IaaS offers virtual machines with full OS control, allowing the custom Linux distribution and kernel modules to run without modification.

Why this answer

IaaS (Infrastructure as a Service) provides virtualized compute resources where you retain full control over the operating system, including custom Linux distributions and kernel modules. This allows you to migrate the application as-is without refactoring, while the cloud provider handles the underlying physical infrastructure maintenance, such as hardware failures and network cabling.

Exam trap

The trap here is that candidates often choose PaaS or CaaS thinking they reduce operational overhead more, but they overlook the critical requirement for custom kernel modules, which only IaaS can support without refactoring.

How to eliminate wrong answers

Option A is wrong because CaaS (e.g., Kubernetes, Docker Swarm) runs containers on a shared host kernel that the provider manages; a container image cannot carry its own kernel modules, and a managed node pool does not let you load custom ones, so the application would have to be reworked to drop the kernel dependency. Option B is wrong because PaaS abstracts the OS layer entirely, preventing you from installing custom kernel modules or using a non-standard Linux distribution, forcing significant refactoring. Option C is wrong because SaaS delivers a fully managed application with no control over the underlying OS or runtime, making it impossible to migrate a custom web application without complete redevelopment.

71
MCQ · medium

A company is deploying a web application across multiple cloud regions for high availability. The application must maintain session state. Which deployment strategy should be used?

A. Active-passive failover
B. Geo-routing with DNS
C. Sticky sessions with a load balancer
D. Round-robin load balancing
Answer: C

Sticky sessions route a client to the same server, preserving session state.

Why this answer

Sticky sessions (also known as session persistence) make the load balancer send every request in a client's session to the same backend, usually by issuing a cookie, so session state kept in that server's memory is found on each request. That is the keyed answer: of the four options it is the only one that binds a client to a specific backend. A practitioner should note the limit of this approach: stickiness holds only within one load balancer, which is regional, so a multi-region design still relies on DNS to keep a client in a single region, and a regional failover loses in-memory sessions unless state is also replicated or externalized to a shared store that every region can read.

Exam trap

The trap here is that candidates often confuse high availability with stateless architectures, assuming that any load balancing strategy (like round-robin or geo-routing) will automatically preserve session state, when in fact only sticky sessions explicitly bind a client to a specific backend server.

How to eliminate wrong answers

Option A is wrong because active-passive failover provides redundancy but does not inherently maintain session state; if the active region fails, sessions are lost unless state is replicated externally. Option B is wrong because geo-routing with DNS directs users to the nearest region based on geographic location, but it does not ensure session persistence; subsequent requests from the same user could be routed to different servers, breaking session state. Option D is wrong because round-robin load balancing distributes requests evenly across servers without any session awareness, causing session state to be lost as each request may go to a different backend instance.

72
MCQ · hard

A company is deploying a multi-tier application in a cloud environment. The application must comply with PCI DSS, which requires encryption of data at rest and in transit. The database tier must be isolated from direct internet access, while the web tier must be accessible from the internet. Which of the following deployment architectures best meets these requirements?

A. Place all tiers in the same subnet and use security groups to restrict traffic.
B. Use a single instance for web and database, and place it behind a load balancer.
C. Use a VPN connection from the web tier to the database tier and disable encryption.
D. Deploy web tier in a public subnet, database tier in a private subnet, and use SSL/TLS for encryption.
Answer: D

Public subnet for web, private for database, and encryption satisfies PCI DSS.

Why this answer

Option D is correct because it separates the web tier into a public subnet for internet accessibility and the database tier into a private subnet for isolation, meeting PCI DSS requirements. SSL/TLS encryption ensures data in transit is protected, and encryption at rest can be applied to the database storage. This architecture aligns with cloud best practices for multi-tier applications requiring compliance.

Exam trap

CompTIA often tests the misconception that security groups alone provide sufficient isolation. PCI DSS requires the cardholder data environment to be segmented from untrusted networks, which separate subnets with distinct route tables deliver in a way a single shared subnet cannot, and encryption must be explicitly enabled for data both at rest and in transit.

How to eliminate wrong answers

Option A is wrong because a single shared subnet gives the database tier no network-level isolation: a misapplied rule or a public IP on a database instance exposes it directly to the internet, and the option says nothing about encryption at all. Option B is wrong because co-locating web and database on one instance removes the tier separation that PCI DSS segmentation expects, creates a single point of failure, and still leaves encryption unaddressed. Option C is wrong because it explicitly disables encryption, which PCI DSS forbids for cardholder data in transit, and a VPN between two tiers inside one cloud network adds complexity without providing the subnet isolation the question requires.
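The subnet, route-table and security-group layout that questions 56, 67 and 72 describe, as one CloudFormation template: a public web subnet with the only route to the internet gateway, a private database subnet with no such route, an optional explicit route to a peered application VPC, and security groups written out rule by rule so that a missing rule is visible in review. This is an added example, not code from the question bank or from any vendor: the CIDRs, the MySQL port, the parameter names and the peering option are assumptions for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Added example: two-tier VPC. Public web subnet, private database subnet,
# explicit security groups, optional route to a peered VPC. CIDRs, ports
# and parameter names are illustrative assumptions.
Parameters:
  PeerVpcCidr:
    Type: String
    Default: 10.1.0.0/16          # CIDR of the peered application VPC (assumed)
  PeeringConnectionId:
    Type: String
    Default: ""                   # pcx-... id; leave empty for no peering route
Conditions:
  HasPeering: !Not [!Equals [!Ref PeeringConnectionId, ""]]
Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref Vpc
      InternetGatewayId: !Ref InternetGateway
  PublicSubnet:                   # web tier, reachable from the internet
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: 10.0.1.0/24
      MapPublicIpOnLaunch: true
  PrivateSubnet:                  # database tier, no path to the IGW
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: 10.0.2.0/24
      MapPublicIpOnLaunch: false
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc
  # The local route for 10.0.0.0/16 is implicit and cannot be removed;
  # only the default route and the peering route need declaring.
  PublicDefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicPeeringRoute:             # without this, web -> peer VPC is dropped
    Type: AWS::EC2::Route
    Condition: HasPeering
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: !Ref PeerVpcCidr
      VpcPeeringConnectionId: !Ref PeeringConnectionId
  PublicSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable
  PrivateRouteTable:              # local route only: no 0.0.0.0/0 at all
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc
  PrivateSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet
      RouteTableId: !Ref PrivateRouteTable
  WebSecurityGroup:               # HTTPS from anywhere, nothing else
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier - HTTPS from the internet
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
  DbSecurityGroup:                # database port only from the web tier's SG
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Database tier - MySQL from web security group only
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref WebSecurityGroup
```

Three things to check in review, which is where this template earns its keep over a console click-through: the private route table has no `0.0.0.0/0` entry, so nothing in the database subnet can reach or be reached from the internet even if an instance is given a public address; the database ingress is keyed to the web tier's security group rather than a CIDR, so a new web instance is covered automatically and nothing else is; and the web group lists exactly one port, so the missing-HTTP-rule failure from question 67 would be a visible diff rather than a surprise. Encryption is configured on the resources this template does not include (for instance `StorageEncrypted: true` on an RDS instance and a TLS listener on the load balancer); `aws cloudformation validate-template` checks syntax only, so a policy linter or a second reviewer should read the rules themselves.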

73
MCQ · hard

A company is migrating a legacy database that relies on a specific hardware security module (HSM) that cannot be moved to the cloud. The application must continue to function with minimal redevelopment. Which migration strategy is most appropriate?

A. Refactor
B. Replace
C. Rehost
D. Rebuild
Answer: B

Replace uses a cloud-native database service, eliminating the HSM dependency.

Why this answer

The correct answer is B (Replace) because the legacy database depends on a specific hardware security module (HSM) that cannot be migrated to the cloud. Replacing the database with a cloud-native equivalent (e.g., Amazon RDS or Azure SQL Database) that supports a cloud-based HSM (such as AWS CloudHSM or Azure Key Vault Managed HSM) allows the application to continue functioning with minimal redevelopment, as the replacement typically maintains SQL compatibility and standard interfaces. Keys inside an on-premises HSM are normally non-exportable, so the plan must include either a supported key-migration path into the cloud HSM or generating new keys there and re-encrypting the data; that work should be scoped before the effort is declared minimal.

Exam trap

The trap here is that candidates often confuse 'Replace' with 'Rebuild' or 'Refactor,' assuming that any change to the database engine requires significant code changes, but the exam tests the understanding that a cloud-native database replacement can be a drop-in substitute with minimal application impact when the HSM dependency is offloaded to a cloud service.

How to eliminate wrong answers

Option A (Refactor) is wrong because refactoring involves modifying the application code to adapt to cloud-native services, which contradicts the requirement for minimal redevelopment and still requires addressing the HSM dependency. Option C (Rehost) is wrong because rehosting (lift-and-shift) would move the legacy database and its HSM dependency to the cloud as-is, but the HSM cannot be moved, making this strategy infeasible. Option D (Rebuild) is wrong because rebuilding the application from scratch involves significant redevelopment effort and cost, which violates the 'minimal redevelopment' constraint.

74
Multi-Select · hard

A cloud architect is designing a deployment for a multi-tier application that must meet compliance requirements for data residency. The application consists of a web tier, application tier, and database tier. Which TWO deployment strategies should the architect consider to ensure data remains in a specific geographic region while maintaining high availability?

Select 2 answers
A. Set up a VPN to a neighboring region
B. Deploy across multiple availability zones in the same region
C. Deploy in a single availability zone
D. Use regional load balancers
E. Deploy across multiple regions
Answers: B, D

Keeps data in region and provides HA.

Why this answer

Deploying across multiple Availability Zones (AZs) within the same region (B) ensures that application components remain within the geographic boundary required for data residency, while providing high availability through fault isolation. If one AZ fails, traffic is automatically routed to healthy instances in other AZs, maintaining uptime without leaving the region. Regional load balancers (D) distribute that traffic across the AZs and, being bound to the region, can never forward a request to a backend outside it, so both the compute and the traffic path stay inside the residency boundary.

Exam trap

CompTIA often tests the distinction between 'high availability' and 'disaster recovery' — candidates mistakenly choose multi-region deployment for high availability, but that violates data residency, while the correct answer uses multiple AZs within a single region to satisfy both constraints.

75
MCQ · medium

A cloud engineer is deploying a serverless application using AWS Lambda. The application processes files uploaded to an S3 bucket. To minimize cold start latency, which deployment configuration should the engineer use?

A. Set the function timeout to the minimum value.
B. Increase the memory allocation and enable provisioned concurrency.
C. Place the Lambda function in a VPC without any NAT gateway.
D. Configure the function to run in a specific Availability Zone.
Answer: B

More memory means faster initialization; provisioned concurrency eliminates cold starts.

Why this answer

Provisioned concurrency pre-warms a specified number of Lambda execution environments, eliminating cold starts for those instances. Increasing memory allocation also proportionally increases CPU and network throughput, which can reduce initialization time. Together, these configurations directly address cold start latency for a serverless application processing S3 uploads.

Exam trap

CompTIA often tests the misconception that reducing timeout or placing Lambda in a VPC improves performance, when in fact these actions either have no effect or increase latency due to network overhead.

How to eliminate wrong answers

Option A is wrong because setting the function timeout to the minimum value does not reduce cold start latency; it only caps execution time and would cause file processing to fail. Option C is wrong because attaching the function to a VPC determines where its network interfaces live and what it can reach; leaving out the NAT gateway merely removes internet egress. VPC attachment never makes a cold start faster: older VPC-attached functions paid a multi-second penalty for per-invocation ENI creation, and although the current shared-ENI design has made that penalty small, it remains a cost rather than a saving. Option D is wrong because Lambda places execution environments across the Availability Zones of the region (or of the configured VPC subnets) automatically; pinning a function to one AZ is not a supported configuration and would not affect cold start latency.
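The configuration the answer describes, as CloudFormation: the function published as an immutable version, an alias carrying provisioned concurrency, and the S3 bucket notification pointed at that alias. This is an added example, not from the question bank or from AWS; the function name, runtime, memory size, artifact bucket, upload bucket and execution role parameter are assumptions for illustration.

```yaml
# Added example: Lambda with provisioned concurrency on an alias.
# Provisioned concurrency applies to a published version or an alias,
# never to $LATEST, so S3 must invoke the alias for the warm
# environments to be used. Names and locations are assumed.
Parameters:
  ExecutionRoleArn:
    Type: String                  # existing IAM role for the function (assumed)
Resources:
  ProcessUpload:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: process-upload
      Runtime: python3.12
      Handler: handler.main
      MemorySize: 1024            # more memory also means more CPU during init
      Timeout: 60                 # long enough for the file; unrelated to cold start
      Role: !Ref ExecutionRoleArn
      Code:
        S3Bucket: deploy-artifacts-example     # assumed artifact bucket
        S3Key: process-upload.zip
  ProcessUploadVersion:
    Type: AWS::Lambda::Version
    Properties:
      FunctionName: !Ref ProcessUpload
  ProcessUploadLive:
    Type: AWS::Lambda::Alias
    Properties:
      FunctionName: !Ref ProcessUpload
      FunctionVersion: !GetAtt ProcessUploadVersion.Version
      Name: live
      ProvisionedConcurrencyConfig:
        ProvisionedConcurrentExecutions: 5     # five environments kept warm
  AllowS3Invoke:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref ProcessUploadLive     # Ref of an alias is its ARN
      Principal: s3.amazonaws.com
      SourceArn: arn:aws:s3:::uploads-example-bucket
  UploadBucket:
    Type: AWS::S3::Bucket
    DependsOn: AllowS3Invoke
    Properties:
      BucketName: uploads-example-bucket       # assumed upload bucket
      NotificationConfiguration:
        LambdaConfigurations:
          - Event: s3:ObjectCreated:*
            Function: !Ref ProcessUploadLive   # invoke the alias, not $LATEST
```

Two practical notes: an `AWS::Lambda::Version` resource is immutable, so publishing new code means giving the version resource a new logical ID (or using a deployment tool that does so) and pointing the alias at it; and provisioned environments are billed while they sit idle, so size the count from observed concurrency rather than guessing, and consider scheduled scaling if uploads arrive in bursts at predictable times.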

Page 1 of 2 · 81 questions total
