CCNA Operations and Support Questions

43 of 193 questions · Page 3/3 · Operations and Support · Answers revealed

151
MCQ · medium

A company has a hybrid cloud environment with an on-premises data center and Microsoft Azure. The on-premises infrastructure includes a VPN gateway connected to an Azure virtual network via site-to-site VPN. The network team reports that traffic from on-premises to Azure is experiencing high latency and packet loss. The VPN tunnel status shows as connected. The team has verified that the on-premises firewall is not dropping packets. The Azure administrator checks the virtual network gateway metrics and sees high inbound packet drops and a high number of VPN tunnel rekeys. What is the MOST likely cause of the issue?

A. The on-premises VPN device does not support the same encryption algorithms.
B. The Azure virtual network has overlapping address space with on-premises.
C. There is a misconfiguration in the local network gateway address space.
D. The VPN gateway SKU is too small for the traffic volume.
Answer: D

Under-provisioned gateways drop packets under load and trigger rekeys due to timeouts.

Why this answer

Option D is correct because a VPN gateway SKU that is too small for the traffic volume causes packet drops and frequent rekeys, leading to high latency and loss. Option C is wrong because a misconfigured local network gateway address space would cause connectivity failure, not just high latency. Option A is wrong because mismatched encryption algorithms would prevent the tunnel from establishing or cause constant renegotiation, not just increased rekeys.

Option B is wrong because overlapping address spaces would cause routing conflicts and connectivity issues, not specifically packet drops and rekeys.

152
Multi-Select · hard

A cloud administrator is troubleshooting a performance issue in a virtualized environment. Which TWO metrics should be monitored to identify CPU contention on the hypervisor?

Select 2 answers
A. Swap rate
B. CPU ready time
C. Memory ballooning
D. CPU utilization per core
E. CPU co-stopping time
Answers: B, E

CPU ready time is a direct indicator of CPU contention, as it measures the time a vCPU is waiting for physical CPU resources.

Why this answer

CPU ready time (B) measures the time a virtual machine is ready to execute but must wait for the hypervisor to schedule it on a physical core. High ready time directly indicates CPU contention, as the VM is being starved of CPU cycles. CPU co-stopping time (E) occurs when multiple vCPUs in a single VM must wait to be scheduled simultaneously, which also signals CPU overcommitment and contention on the hypervisor.

Exam trap

The trap here is that candidates confuse CPU utilization per core (which shows how busy the CPU is) with CPU ready time (which shows how long VMs are waiting), but high utilization alone does not prove contention—only ready and co-stop times directly measure scheduling delays.

153
Multi-Select · medium

A company is migrating its on-premises database to a cloud-based managed database service. The database is currently 500 GB and is expected to grow by 10% monthly. Which TWO factors should the company consider when selecting the storage type?

Select 2 answers
A. Backup frequency and retention.
B. Physical location of the data center.
C. Encryption at rest requirements.
D. Operating system compatibility with the storage.
E. IOPS requirements for the database workload.
Answers: C, E

Some storage types may not support encryption or may have additional cost.

Why this answer

Encryption at rest is a critical consideration when selecting storage for a cloud-based managed database service, as it ensures data is encrypted when stored on disk. Many cloud providers offer transparent data encryption (TDE) or server-side encryption with customer-managed keys (CMKs), and the storage type must support these features to meet compliance requirements.

Exam trap

CompTIA often tests the distinction between operational policies (like backup frequency) and infrastructure decisions (like storage type), leading candidates to mistakenly select backup-related options when the question explicitly asks about storage type selection.

154
MCQ · medium

A company uses an automated patching solution that reboots instances after applying patches. After a recent patching cycle, several web servers failed to rejoin the load balancer pool. The administrator checks the application logs and finds that the web service failed to start because a required dependency was removed during patching. Which of the following should the administrator implement to prevent this issue in the future?

A. Require manual approval before each patching operation.
B. Increase the patching frequency to reduce the number of patches per cycle.
C. Implement a rolling update strategy for the web servers.
D. Configure a pre-patch health check and verify critical dependencies.
Answer: D

Pre-patch checks can validate that required services and dependencies are present and functional.

Why this answer

Option D is correct because implementing a pre-patch health check that verifies critical dependencies ensures that the patching process does not remove or break required components. This proactive validation can detect missing dependencies before the reboot, allowing the administrator to remediate or halt the patching cycle, preventing the web service from failing to start.

Exam trap

The trap here is that candidates often confuse operational strategies like rolling updates (which maintain availability during updates) with dependency validation, failing to recognize that rolling updates do not prevent the underlying dependency removal issue that causes the service to fail after reboot.

How to eliminate wrong answers

Option A is wrong because requiring manual approval before each patching operation does not address the root cause of dependency removal; it only adds a manual gate without validating dependencies, which is inefficient and still allows the same issue to occur if the approval is granted. Option B is wrong because increasing patching frequency to reduce patches per cycle does not prevent dependency removal; it merely distributes patches over time, and a single patch could still remove a critical dependency, leading to the same failure. Option C is wrong because a rolling update strategy for the web servers manages the order of updates to maintain availability, but it does not validate dependencies before patching; if a dependency is removed during the update, the web service will still fail to start on the updated instances, causing them to drop out of the load balancer pool.

155
MCQ · hard

A cloud operations team uses a configuration management tool (e.g., Chef, Puppet) to manage a fleet of Linux servers in a public cloud. After a recent update, the team notices that some servers are failing to apply the new configuration. The logs on the failing servers show connection timeouts to the configuration management server. Other servers in the same subnet and security group apply configurations successfully. The configuration management server is reachable from the admin's workstation. Which of the following is the MOST likely cause of the issue?

A. The failing servers are missing the configuration management agent.
B. The configuration management server certificate has expired.
C. The failing servers have a firewall rule blocking outbound connections.
D. The failing servers have a misconfigured DNS resolver.
Answer: D

DNS misconfiguration prevents the server from resolving the configuration management server's hostname, causing timeouts.

Why this answer

Option D is correct because a misconfigured DNS resolver on the failing servers can cause hostname resolution failures, leading to connection timeouts to the configuration management server. Option C is wrong because all servers share the same security group, so firewall rules are identical. Option B is wrong because if the certificate had expired, all servers would be affected, not just a few.

Option A is wrong because if the agent were missing, the logs would show agent-related errors, not connection timeouts.

156
MCQ · medium

A cloud engineer is tasked with automating the deployment of a three-tier application. The engineer wants to ensure that the database tier is not directly accessible from the internet but can be reached by the application tier. Which of the following should be implemented?

A. Use the same subnet for all tiers and allow traffic via security groups
B. Place the database tier in a public subnet with a restrictive security group
C. Connect the database tier to a site-to-site VPN and disable public access
D. Place the database tier in a private subnet and configure a security group to allow traffic only from the application tier
Answer: D

Private subnet has no internet gateway, and security group restricts access.

Why this answer

Option D is correct: placing the database tier in a private subnet with a network security group allowing only the app tier. Option B is wrong: a public subnet would expose the database. Option A is wrong: a single subnet could still have NSGs but doesn't enforce isolation.

Option C is wrong: a VPN for database access is overkill and introduces latency.

157
MCQ · medium

A company runs a web application on three virtual machines behind a load balancer. During a traffic spike, one VM becomes unresponsive. The load balancer continues sending traffic to it, causing errors. Which configuration change would prevent this issue in the future?

A. Set a longer connection timeout on the load balancer.
B. Configure health checks on the load balancer.
C. Increase the number of VMs to five.
D. Change the load balancing algorithm to round-robin.
Answer: B

Health checks automatically remove unhealthy VMs from the pool.

Why this answer

Health checks allow the load balancer to periodically probe the status of each backend VM (e.g., via HTTP GET or TCP SYN). If a VM fails a configurable number of consecutive checks, the load balancer automatically marks it as unhealthy and stops routing traffic to it, preventing errors during a spike. This is the standard mechanism in AWS ELB, Azure Load Balancer, and HAProxy to detect and isolate failed instances.

Exam trap

CompTIA often tests the misconception that simply adding more servers or changing the algorithm solves availability issues, when in fact without health checks the load balancer has no mechanism to detect and avoid failed instances.

How to eliminate wrong answers

Option A is wrong because a longer connection timeout would only delay the detection of an unresponsive VM, not prevent traffic from being sent to it; the load balancer would still forward new requests and wait longer for a response, increasing user-facing errors. Option C is wrong because simply increasing the number of VMs does not address the root cause—the load balancer will still blindly send traffic to an unresponsive VM, so errors persist regardless of pool size. Option D is wrong because changing the algorithm to round-robin does not include any failure detection; it merely distributes requests evenly, so an unresponsive VM will still receive its share of traffic and cause errors.

158
MCQ · hard

A cloud administrator notices that a scheduled backup job for a virtual machine has been failing with the error "insufficient storage space". The VM has 100 GB OS disk. The backup solution creates snapshots. What is the most likely cause?

A. The VM's data disk is full.
B. The backup software requires temporary local storage that is full.
C. The backup service is using local disks for staging.
D. The snapshot is being stored on the same disk as the OS.
Answer: B

Backup software often uses a temp directory on the local disk; if that disk is full, the backup fails.

Why this answer

The error 'insufficient storage space' during a snapshot-based backup typically occurs because the backup software requires temporary local storage to stage the snapshot data before transferring it to the backup target. When this staging area (often a local cache or temporary directory) runs out of space, the backup fails. Option B correctly identifies that the backup software's temporary local storage is full, which is a common cause of this error.

Exam trap

The trap here is that candidates confuse the VM's internal disk space (OS or data disk) with the backup software's temporary storage requirements, leading them to incorrectly select option A or D, when the actual cause is the staging area being full.

How to eliminate wrong answers

Option A is wrong because the VM's data disk being full does not directly cause a snapshot backup failure; snapshots are stored on the same datastore as the VM's OS disk, not on the data disk, and the error is about storage space for the backup process, not the VM's internal disk. Option C is wrong because while the backup service may use local disks for staging, this is essentially the same as option B but less specific; the core issue is that the temporary local storage (staging area) is full, not that local disks are being used in general. Option D is wrong because snapshots are stored on the same datastore as the OS disk, not on the OS disk itself; the error 'insufficient storage space' refers to the backup software's staging area, not the snapshot storage location.

159
MCQ · easy

A systems administrator needs to apply a critical security patch to a set of application servers running in a cloud environment. The administrator wants to minimize downtime and ensure that if the patch causes issues, the servers can be rolled back quickly. Which of the following is the BEST approach?

A. Patch all servers at once during a maintenance window.
B. Take a snapshot of each server, apply the patch, and if issues occur, restore from snapshot.
C. Use an automated configuration management tool to apply the patch gradually.
D. Use a blue-green deployment, patch the green environment, then switch traffic.
Answer: D

Blue-green deployment provides zero-downtime updates and instant rollback by switching to the blue environment.

Why this answer

Option D is correct because blue-green deployment allows zero-downtime patching by switching traffic to the patched environment, and immediate rollback by switching back. Option A is wrong because patching all at once causes downtime and offers no quick rollback. Option B is wrong because snapshot restore takes time.

Option C is wrong because gradual patching with configuration management may not provide instant rollback.

160
Multi-Select · easy

A cloud administrator is deploying a new application in a cloud environment. The application requires high availability and fault tolerance. Which two design principles should the administrator implement? (Select TWO).

Select 2 answers
A. Place a load balancer in front of the application.
B. Use an auto-scaling group across multiple availability zones.
C. Deploy all instances in a single availability zone.
D. Use a single instance to reduce costs.
E. Store all data on a single volume without replication.
Answers: A, B

Correct. Load balancer distributes traffic and detects unhealthy instances, improving availability.

Why this answer

Option A is correct because placing a load balancer in front of the application distributes incoming traffic across multiple healthy instances, ensuring that if one instance fails, traffic is redirected to others, which provides high availability and fault tolerance. Option B is correct because deploying an auto-scaling group across multiple Availability Zones (AZs) ensures that if an entire AZ fails, the application continues running in another AZ, and the auto-scaling group automatically replaces failed instances to maintain capacity.

Exam trap

The trap here is that candidates often think cost-saving strategies (single instance, single volume) are acceptable for high availability, but the exam requires understanding that fault tolerance demands redundancy at every layer—compute, storage, and network—across multiple failure domains.

161
MCQ · easy

A storage administrator needs to ensure data durability for a critical database. Which approach provides the highest durability?

A. Store data on a single SSD volume.
B. Enable encryption at rest.
C. Use RAID 0 across multiple volumes.
D. Replicate data to a different geographic region.
Answer: D

Geo-replication provides the highest durability by storing copies in separate regions, protecting against region-wide disasters.

Why this answer

Replicating data to a different geographic region provides the highest durability by ensuring that even if an entire data center or region experiences a catastrophic failure (e.g., natural disaster, power outage), a complete copy of the database remains available in another region. This approach leverages asynchronous or synchronous replication to maintain data consistency across geographically separated sites, achieving a Recovery Point Objective (RPO) and Recovery Time Objective (RTO) that single-site solutions cannot match. In cloud environments, this is often implemented using services like AWS Cross-Region Replication or Azure Geo-Redundant Storage, which guarantee 99.9999999999% (12 nines) durability.

Exam trap

The trap here is that candidates confuse data protection mechanisms (like encryption or RAID) with durability, assuming that redundancy within a single site (RAID 0) or security features (encryption) can prevent data loss from a regional disaster, when only geographic replication addresses that risk.

How to eliminate wrong answers

Option A is wrong because storing data on a single SSD volume offers no redundancy; if the drive fails, all data is lost, resulting in zero durability against hardware failure. Option B is wrong because encryption at rest protects data confidentiality (e.g., against unauthorized access if the physical disk is stolen) but does not provide any durability or fault tolerance; it does not prevent data loss from drive failure or site outage. Option C is wrong because RAID 0 stripes data across multiple volumes to improve performance but provides no redundancy; if any one volume fails, the entire array is lost, making it the least durable option.

162
Drag & Drop · medium

Arrange the steps to deploy a new virtual machine in a public cloud environment (e.g., AWS, Azure, GCP) in the correct order.


Why this order

VM deployment typically starts with specs, then OS, network, launch, and finally public access configuration.

163
Multi-Select · hard

A company uses a hybrid cloud model with an on-premises data center connected to a public cloud via a VPN. Users report intermittent connectivity issues to cloud applications. Which THREE components should the administrator check to isolate the problem? (Choose three.)

Select 3 answers
A. Rebooting the cloud instances
B. VPN tunnel status and configuration
C. Security group rules in the cloud VPC
D. Route tables in the cloud VPC and on-premises
E. DNS resolution configuration
Answers: B, C, D

VPN tunnel issues are a common cause of connectivity problems.

Why this answer

Security group rules control traffic at the cloud side, route tables determine network paths, and the VPN tunnel status indicates connectivity health. These three are essential for troubleshooting hybrid cloud connectivity.

164
Multi-Select · medium

Which TWO of the following are key components of a disaster recovery plan in the cloud? (Select TWO.)

Select 2 answers
A. Network performance monitoring
B. Billing alerts
C. Recovery point objective (RPO)
D. Load balancing
E. Cross-region replication
Answers: C, E

RPO determines how much data loss is acceptable during a disaster.

Why this answer

Options C and E are correct. Option C is correct because recovery point objective (RPO) defines acceptable data loss. Option E is correct because replication to another region ensures geographic redundancy.

Option D is wrong because load balancing is for performance, not DR. Option A is wrong because monitoring is for performance, not DR. Option B is wrong because billing thresholds are financial controls.

165
MCQ · hard

A systems administrator is troubleshooting a network connectivity issue between two peered VPCs in different regions. The VPC peering connection is established and the route tables are configured. However, instances cannot communicate. What should be checked NEXT?

A. The route propagation of the peering connection
B. The network ACLs at the subnet level
C. The security group rules on the instances
D. The MTU settings on the instances
Answer: C

Security groups are stateful firewalls that can block inter-VPC traffic if not explicitly allowed.

Why this answer

Since the VPC peering connection is established and route tables are configured, the next likely cause is that security group rules on the instances are blocking traffic. Security groups act as virtual firewalls at the instance level, and by default they deny all inbound traffic; explicit rules must allow traffic from the peered VPC's CIDR or security group. This is a common oversight when peering VPCs across regions, as security groups do not automatically permit cross-peering traffic.

Exam trap

The trap here is that candidates often focus on network ACLs or route propagation first, forgetting that security groups are the most granular and commonly misconfigured firewall layer that can silently block traffic even when routes and ACLs are correct.

How to eliminate wrong answers

Option A is wrong because route propagation is not a feature of VPC peering connections; route propagation applies to VPN connections and Direct Connect virtual interfaces, not to VPC peering. Option B is wrong because network ACLs at the subnet level are stateless and must be checked, but the question states route tables are configured, and the more immediate next step is to verify instance-level security groups, which are stateful and often misconfigured. Option D is wrong because MTU settings on instances are unlikely to cause a complete lack of connectivity; MTU mismatches typically cause packet fragmentation issues or performance degradation, not a total failure to communicate.

166
MCQ · medium

An organization uses a cloud-based backup service to back up its critical database every night. The backup job has been failing for the past three days with an error message indicating 'insufficient storage space in the backup repository.' The administrator checks the backup repository and finds that it is 80% full. The database is 2 TB in size, and the backup policy retains 7 daily backups. The administrator estimates that each full backup is approximately 500 GB after deduplication. The company's RPO requirement is 24 hours. What should the administrator do to resolve the backup failure without violating the RPO?

A. Delete the oldest full backup that is more than 7 days old.
B. Increase the backup retention period to 14 days to keep more backups.
C. Enable incremental backups instead of full backups to reduce size.
D. Reduce the deduplication ratio to lower storage usage.
Answer: A

This frees space while still keeping the required 7 days of backups, satisfying the RPO.

Why this answer

The backup repository is running out of space. Deleting older backups (beyond the current retention window) frees up space immediately, allowing the next backup to succeed and meet the 24-hour RPO. The retention policy is 7 days, so deleting backups older than 7 days or adjusting retention is appropriate.

167
MCQ · medium

A cloud administrator is deploying a new application that requires low latency between two virtual machines. The VMs are in the same cloud region but in different availability zones. The administrator notices higher latency than expected. Which of the following is the most effective way to reduce latency?

A. Assign larger instance types to both VMs.
B. Move both VMs to the same availability zone.
C. Use a VPN connection between the VMs.
D. Place both VMs in the same placement group.
Answer: B

Same zone reduces physical distance and latency.

Why this answer

Moving both VMs to the same availability zone reduces the physical network distance and eliminates the latency introduced by inter-zone routing. In cloud providers, availability zones are distinct data centers with separate power and networking, so traffic between zones traverses additional switches and fiber, adding microseconds to milliseconds of latency. Placing VMs in the same zone keeps traffic within a single data center fabric, minimizing hop count and propagation delay.

Exam trap

CompTIA often tests the misconception that placement groups (like cluster placement groups) can reduce latency across availability zones, but in reality, placement groups only work within a single availability zone and do not override zone boundaries.

How to eliminate wrong answers

Option A is wrong because assigning larger instance types increases CPU, memory, or network bandwidth but does not reduce the physical distance or network hops between VMs in different availability zones; latency is a function of propagation delay, not compute capacity. Option C is wrong because a VPN connection adds encapsulation overhead (e.g., IPsec ESP headers) and often routes traffic through a VPN gateway or internet, increasing latency rather than reducing it. Option D is wrong because a placement group (e.g., cluster placement group) ensures VMs are in the same rack or cluster but does not override the zone boundary; if VMs are in different availability zones, a placement group cannot be applied across zones, and even if it could, it would not reduce inter-zone latency.

168
Multi-Select · easy

Which TWO of the following are best practices for managing cloud storage in a multi-account environment? (Choose two.)

Select 2 answers
A. Implement bucket policies to restrict cross-account access.
B. Use separate encryption keys for each account.
C. Enable logging and monitoring of all storage operations.
D. Use a single storage bucket/container for all accounts to simplify management.
E. Allow full public access to ensure availability.
Answers: A, C

Bucket policies allow fine-grained access control between accounts.

Why this answer

Options A and C are correct. Implementing bucket policies to restrict cross-account access ensures security, and enabling logging and monitoring of storage operations provides audit trails. Option D is wrong because using a single bucket for all accounts compromises isolation.

Option E is wrong because public access is insecure. Option B is wrong because separate encryption keys per account is a good practice but not a top requirement for storage management specifically; the focus is on access control and monitoring.

169
MCQ · hard

A cloud administrator is troubleshooting a connectivity issue between two virtual networks in different cloud regions. The networks are connected via a VPN gateway. The administrator can ping resources in one network but not the other. Which of the following should the administrator check FIRST?

A. Confirm the local network gateways have the correct NIC IP addresses
B. Verify the VPN tunnel status on both gateways
C. Check network security groups for blocking ICMP
D. Review the route tables on both sides for the remote network prefix
Answer: D

Missing routes cause traffic to be dropped, leading to unidirectional connectivity.

Why this answer

Option D is correct: route tables must have entries for the remote network. Option B is wrong because ping is already working in one direction, so the VPN tunnel is up. Option C is wrong: NSGs affect traffic but routes are more fundamental.

Option A is wrong: if both sides have local NICs configured, routing is the next step.

170
MCQ · hard

A cloud operations team is investigating a security breach where an unauthorized user accessed a storage bucket containing sensitive data. The logs show that the access occurred using valid access keys from an IP address outside the company's network. The administrator checks the IAM policies and finds that the keys belong to a service account that has read access to the bucket. Which of the following actions would be MOST effective in preventing a recurrence?

A. Remove the bucket and restore from backup to a new bucket.
B. Delete the service account and create a new one with the same permissions.
C. Change the bucket policy to deny access from outside the company's IP range.
D. Rotate the compromised keys and implement multi-factor authentication on the account.
Answer: D

Key rotation invalidates stolen keys, and MFA adds protection.

Why this answer

Option D is correct because rotating the compromised keys immediately invalidates the stolen credentials, while implementing multi-factor authentication (MFA) on the service account adds an additional layer of security. Even though service accounts typically don't support interactive MFA, using IAM conditions to require MFA for API calls or using workload identity federation can enforce MFA-like controls. This directly addresses the root cause—compromised static keys—and prevents reuse of the stolen access keys.

Exam trap

The trap here is that candidates often choose Option C (IP-based policy) because they think it blocks external access, but they overlook that service accounts are not bound to a specific IP and can be used from any location, making IP restrictions ineffective for key-based access.

How to eliminate wrong answers

Option A is wrong because removing the bucket and restoring from backup does not address the compromised keys; the attacker could still use the same keys to access the restored bucket. Option B is wrong because deleting the service account and creating a new one with the same permissions does not prevent recurrence—the new account would still have read access to the bucket, and the attacker could compromise the new keys in the same way. Option C is wrong because changing the bucket policy to deny access from outside the company's IP range is not effective for service accounts; service accounts are not tied to a specific IP address and can be used from anywhere, so this policy would not block the attacker if they use the same keys from a different external IP.

171
MCQ · hard

A financial services company has a disaster recovery (DR) plan for its cloud infrastructure that includes a secondary region 500 miles away. The plan uses synchronous replication for the primary database. During a scheduled DR test, the administrator triggers a failover to the secondary region. The application comes up, but the database is missing the last three minutes of transactions. The RPO requirement is 5 seconds. The administrator finds that the network latency between regions is 40 milliseconds. What is the most likely cause of the data loss, and what should the administrator do?

A. Switch to asynchronous replication and accept a longer RPO, or choose a DR region with lower network latency.
B. Reduce the RPO requirement to 30 seconds.
C. Enable compression on the replication link to reduce data transfer time.
D. Increase the instance size in the secondary region to handle more transactions.
Answer: A

Synchronous replication over long distances with high latency is prone to timeouts; asynchronous replication or a closer region is needed.

Why this answer

Synchronous replication with 40 ms latency exceeds the typical threshold for zero data loss because the transaction commit must wait for acknowledgment from the replica, leading to timeouts and potential data loss. The correct action is to switch to asynchronous replication with a realistic RPO or move to a region with lower latency. Option A directly addresses the root cause.

172
MCQ · hard

A cloud administrator is migrating a legacy application to a public cloud IaaS environment. The application requires a static IP address for licensing. Which of the following should the administrator configure to meet this requirement?

A.NAT gateway
B.Virtual IP address
C.Reserved public IP
D.Elastic IP
AnswerC

Reserved public IP provides a static, persistent address for licensing.

Why this answer

A reserved public IP (also known as a static public IP) ensures the legacy application always has the same public IP address for licensing purposes. In IaaS environments like Azure, this is called a 'reserved IP' or 'static public IP', which persists even after the VM is stopped or deallocated, meeting the licensing requirement.

Exam trap

The trap here is that candidates may confuse 'Elastic IP' (an AWS-specific term) with a generic static IP, or think a NAT gateway or virtual IP can provide a persistent public IP for inbound licensing, when in fact only a reserved/static public IP meets the requirement.

How to eliminate wrong answers

Option A is wrong because a NAT gateway translates private IPs to a public IP for outbound traffic but does not provide a static public IP for inbound licensing checks. Option B is wrong because a virtual IP address is typically used for load balancing or high availability within a private network, not for providing a static public IP for external licensing. Option D is wrong because 'Elastic IP' is an AWS-specific term for a static public IP; while it meets the requirement, it is not a generic term used across all public clouds, and the question does not specify AWS, making 'Reserved public IP' the more universally correct answer.

173
MCQmedium

A company uses a hybrid cloud model and experiences intermittent connectivity issues between the on-premises network and the public cloud VPC. The administrator has verified that the VPN connection is established. Which of the following should the administrator check next?

A.Firewall rules for outbound traffic.
B.Public IP address of the VPN gateway.
C.Routing tables on both sides.
D.DNS resolution of cloud endpoints.
AnswerC

Incorrect routes can lead to intermittent packet loss or misrouting.

Why this answer

Since the VPN connection is established (tunnel is up), the issue is likely with traffic routing rather than basic connectivity. Routing tables on both the on-premises router and the cloud VPC must have correct routes pointing to the VPN gateway and the remote subnets; a missing or misconfigured route (e.g., a missing static route or incorrect VPC route table entry) will cause intermittent connectivity even when the VPN tunnel itself is active.

Exam trap

The trap here is that candidates assume an established VPN tunnel guarantees end-to-end connectivity, but CompTIA often tests that routing misconfigurations (e.g., missing static routes or incorrect VPC route propagation) are the most common cause of intermittent connectivity when the tunnel is up.

How to eliminate wrong answers

Option A is wrong because firewall rules for outbound traffic are typically checked after routing; if the VPN tunnel is up, outbound firewall rules are not the primary cause of intermittent connectivity between two specific networks. Option B is wrong because the public IP address of the VPN gateway is already verified as part of the established VPN connection; changing it would break the tunnel, not cause intermittent issues. Option D is wrong because DNS resolution of cloud endpoints affects name resolution, not the underlying network path; if the VPN is up and routes are correct, DNS issues would manifest as name resolution failures, not intermittent connectivity.

174
MCQeasy

A cloud administrator is tasked with ensuring that a cloud database is backed up daily. The backup must be stored off-site for disaster recovery. Which of the following is the most cost-effective solution?

A.Schedule a backup to an object storage bucket in a different region.
B.Perform a full backup to tape and store off-site.
C.Perform incremental backups to a local network share.
D.Use snapshot replication to a different region.
AnswerA

Object storage is cheap, durable, and off-site.

Why this answer

Option A is correct because object storage in a different region is cost-effective and provides off-site storage. Option B is expensive and slow. Option C is on-site, not off-site. Option D is replication, not backup.

175
MCQmedium

A company uses a configuration management tool to enforce desired state on cloud servers. During an audit, it is discovered that some servers have deviated from the baseline configuration. The administrator runs a report and finds that the configuration management agent was not running on those servers. Which of the following is the BEST solution to ensure continuous compliance?

A.Reinstall the configuration management agent on all servers.
B.Remove the drifted servers from the environment and rebuild them.
C.Manually update the configuration on the deviated servers.
D.Implement a periodic compliance scan and auto-remediation job.
AnswerD

Automated scans and remediation enforce continuous compliance.

Why this answer

Option D is correct because a periodic compliance scan will detect and remediate drift. Option A is wrong because re-running agent installation doesn't ensure it stays running. Option B is wrong because removing drifted servers doesn't fix the root cause. Option C is wrong because manual updates are not automated or scalable.

176
MCQeasy

A company deployed a web application on an EC2 instance in a public subnet. The instance passes status checks and has a public IP address. The security group allows HTTP (80) from 0.0.0.0/0. Users report that the website is not accessible. What should the administrator check next?

A.The network ACL inbound rules.
B.The route table for the subnet.
C.The instance's operating system firewall.
D.The instance's user data script.
AnswerA

Network ACLs are stateless and can block inbound traffic even if the security group allows it.

Why this answer

Option A is correct because network ACLs are stateless and can block traffic even if the security group allows it. Options B, C, and D are less likely or secondary steps.

177
MCQeasy

A company is migrating its on-premises data center to the cloud. The current backup solution uses a tape library. The company wants to implement a cloud-based backup strategy that ensures data durability and rapid restoration. Which of the following is the BEST option?

A.Use cloud virtual tape library (VTL).
B.Use cloud storage with versioning and lifecycle policies.
C.Use block storage snapshots.
D.Use a third-party backup software that backs up to cloud storage.
AnswerB

Versioning protects against accidental deletion/corruption and allows immediate restore; lifecycle policies automate tiering for cost.

Why this answer

Option B is correct because cloud storage with versioning and lifecycle policies provides high durability (redundant storage) and allows quick restore of previous versions. Option A is wrong because virtual tape libraries (VTL) may have slower restore times. Option C is wrong because block storage snapshots are designed for cloud instances, not on-premises data migration. Option D is wrong because third-party backup software may add complexity and does not inherently ensure rapid restoration.

178
MCQmedium

A cloud administrator receives an alert that the CPU usage on a virtual machine has spiked to 100% for 10 minutes. The VM hosts a critical application. What is the best first step?

A.Check the VM's performance metrics for the last hour to identify the process causing the spike.
B.Immediately reboot the VM.
C.Move the VM to a different host.
D.Increase the VM's CPU limits.
AnswerA

Identifying the root cause through metrics is the best first step before any remediation.

Why this answer

Checking the VM's performance metrics for the last hour is the best first step because it allows the administrator to identify the specific process or application causing the CPU spike without disrupting service. This diagnostic approach aligns with the ITIL problem management framework, which emphasizes root cause analysis before taking corrective action. In a virtualized environment, tools like vCenter Performance Charts or Hyper-V Performance Monitor can pinpoint whether the spike is due to a runaway process, a memory leak, or a scheduled task, enabling a targeted resolution.

Exam trap

The trap here is that candidates often jump to immediate remediation actions like rebooting or migrating the VM, overlooking the fundamental troubleshooting principle of gathering diagnostic data first to avoid recurring issues and unnecessary downtime.

How to eliminate wrong answers

Option B is wrong because immediately rebooting the VM is a reactive measure that may temporarily clear the symptom but does not address the root cause, and it causes unnecessary downtime for a critical application. Option C is wrong because moving the VM to a different host (vMotion) only shifts the resource contention to another physical server without resolving the underlying process issue, and it may not help if the spike is application-specific. Option D is wrong because increasing the VM's CPU limits without first investigating the cause can mask the problem, potentially leading to resource starvation for other VMs and violating capacity planning best practices.

179
MCQeasy

A company experiences a cloud service outage that affects multiple customers. The cloud provider publishes a post-incident report identifying the root cause. As a cloud administrator, which of the following actions should be taken to prevent recurrence?

A.Request a service credit from the provider for the outage
B.Submit a formal complaint to the cloud provider's regulatory body
C.Design the application to be deployed across multiple availability zones or regions
D.Migrate all workloads to a different cloud provider immediately
AnswerC

Redundancy improves resilience to provider outages.

Why this answer

Option C is correct because designing the application for multi-AZ or multi-region deployment ensures high availability and fault tolerance, which directly mitigates the impact of a single cloud provider's infrastructure failure. This architectural pattern leverages redundancy to maintain service continuity even when one availability zone or region experiences an outage, preventing recurrence of customer-facing downtime.

Exam trap

The trap here is that candidates may confuse reactive measures (service credits, complaints) or drastic migrations with the proactive, architectural solution that actually prevents recurrence, which is the core focus of the question.

How to eliminate wrong answers

Option A is wrong because requesting a service credit addresses financial compensation for the outage, not the technical prevention of future occurrences. Option B is wrong because submitting a formal complaint to a regulatory body may address contractual or compliance issues but does not implement any technical changes to prevent recurrence. Option D is wrong because migrating all workloads to a different cloud provider immediately is an extreme, costly, and time-consuming reaction that does not guarantee prevention of similar outages with the new provider; it also ignores the root cause analysis and the possibility of architectural improvements within the current provider.

180
MCQmedium

A cloud administrator notices that a cloud-based web application is experiencing intermittent latency during peak hours. The application runs on an auto-scaling group of virtual machines behind a load balancer. Which of the following should the administrator investigate FIRST to resolve the issue?

A.Review the auto-scaling group's scaling policies and thresholds
B.Enable SSL offloading on the load balancer
C.Verify the load balancer's health check interval
D.Check DNS resolution times for the application domain
AnswerA

Incorrect scaling policies can lead to insufficient capacity during peak times, causing latency.

Why this answer

The intermittent latency during peak hours is most likely caused by the auto-scaling group's scaling policies not reacting quickly enough or being set with thresholds that are too high, leading to insufficient capacity under load. Investigating the scaling policies and thresholds first directly addresses the root cause—whether the group is adding instances too slowly or at too high a utilization trigger—rather than symptoms like health checks or DNS. This aligns with the operational best practice of verifying capacity management before tuning network or load-balancer settings.

Exam trap

The trap here is that candidates confuse load balancer tuning (SSL offloading, health checks) with capacity issues, overlooking that auto-scaling policies directly control the number of instances available to handle peak load.

How to eliminate wrong answers

Option B is wrong because enabling SSL offloading on the load balancer reduces CPU overhead on backend VMs but does not address insufficient capacity during peak hours; it is a performance optimization, not a scaling fix. Option C is wrong because verifying the load balancer's health check interval checks instance health status, not scaling responsiveness; a misconfigured health check might cause traffic misrouting but not intermittent latency from under-provisioning. Option D is wrong because checking DNS resolution times addresses client-side name resolution delays, which are unrelated to backend capacity or auto-scaling behavior; DNS caching typically masks such issues and does not cause intermittent peak-hour latency.

181
MCQmedium

A cloud administrator launches a new EC2 instance with a userdata script that installs a web server. The instance launches but the web server is not running. The administrator checks the cloud-init logs and sees the warning shown in the exhibit. What is the most likely cause?

A.The userdata script contains a syntax error.
B.The instance type does not have enough memory.
C.The instance does not have an IAM role assigned.
D.The security group does not allow HTTP traffic.
AnswerA

Syntax errors cause cloud-init modules to fail.

Why this answer

The warning in cloud-init logs indicates that the userdata script failed to execute, which most commonly occurs due to a syntax error in the script. Cloud-init processes userdata as a shell script by default, and any syntax error (e.g., missing quotes, incorrect commands) will cause the script to exit prematurely, preventing the web server from starting. The administrator confirmed the instance launched successfully, so the issue is isolated to the script execution, not infrastructure or permissions.

Exam trap

CompTIA often tests the misconception that security groups or IAM roles are the cause of application startup failures, but the trap here is that cloud-init warnings specifically point to script execution issues, not network or permission problems.

How to eliminate wrong answers

Option B is wrong because insufficient memory would cause the instance to fail to launch or the web server to crash after starting, not prevent the script from executing entirely; cloud-init logs would show OOM errors, not syntax warnings. Option C is wrong because an IAM role is not required to run userdata scripts or install software; it is only needed if the script calls AWS APIs (e.g., fetching files from S3), which is not indicated. Option D is wrong because security group rules control network access, not the execution of userdata scripts; the web server not running means it never started, so HTTP traffic rules are irrelevant.

182
MCQmedium

A cloud administrator notices that a virtual machine running a critical application is using 95% CPU consistently. The application is single-threaded and performance is degraded. Which action should the administrator take to resolve the issue?

A.Deploy additional VMs and load balance the application.
B.Increase the RAM allocation to the VM.
C.Migrate the VM to a host with a higher CPU clock speed.
D.Increase the number of vCPUs assigned to the VM.
AnswerC

Higher clock speed improves single-threaded performance.

Why this answer

The application is single-threaded, meaning it can only utilize one CPU core at a time. Increasing the CPU clock speed directly improves the processing speed of that single thread, which resolves the performance degradation. Option C is correct because migrating to a host with a higher CPU clock speed provides a faster core for the single-threaded workload.

Exam trap

CompTIA often tests the misconception that adding more vCPUs always improves performance, but for single-threaded workloads, higher clock speed is the correct solution, not vCPU count.

How to eliminate wrong answers

Option A is wrong because deploying additional VMs and load balancing would distribute requests across multiple instances, but a single-threaded application cannot parallelize its work across VMs; this adds complexity without addressing the core bottleneck. Option B is wrong because increasing RAM allocation does not affect CPU utilization or single-threaded performance; the issue is CPU-bound, not memory-bound. Option D is wrong because increasing the number of vCPUs does not help a single-threaded application; the application can only use one vCPU at a time, and additional vCPUs may even cause scheduling overhead or NUMA issues.

183
Multi-Selecthard

A cloud operations team needs to implement a monitoring solution for a microservices architecture. The solution must provide centralized logging, metrics, and alerting, and must be able to correlate data from multiple services. Which THREE of the following components should the team include?

Select 3 answers
A.A security information and event management (SIEM) system.
B.A centralized logging system (e.g., ELK stack).
C.A correlation engine and alerting system (e.g., event correlation).
D.A metrics collection agent and dashboard (e.g., Prometheus+Grafana).
E.An application performance monitoring (APM) tool.
AnswersB, C, D

Centralized logging aggregates logs from all services.

Why this answer

Option B is correct because a centralized logging system like the ELK stack (Elasticsearch, Logstash, Kibana) aggregates logs from all microservices into a single searchable repository. This enables the team to correlate events across services by timestamp and metadata, which is essential for debugging distributed transactions and identifying root causes of failures.

Exam trap

CompTIA often tests the distinction between specialized tools (SIEM, APM) and the core triad of centralized logging, metrics, and correlation/alerting, leading candidates to over-select security or tracing tools that do not fulfill the requirement for correlating data from multiple services at the log and metric level.

184
MCQmedium

An organization uses a cloud-based load balancer to distribute traffic to a web application across multiple availability zones. Users report that the application is intermittently unavailable. The cloud administrator finds that the load balancer health checks are failing on instances in one availability zone. What is the most likely cause?

A.The availability zone is experiencing a partial outage.
B.A single instance in the failing AZ has a misconfigured web server.
C.The DNS settings for the application domain are misconfigured.
D.The load balancer's listener configuration is incorrect.
AnswerA

AZ outage would cause all instances to fail health checks.

Why this answer

When health checks fail for all instances in a single availability zone (AZ) while other AZs remain healthy, the most likely cause is a partial outage or degradation within that AZ. Cloud providers like AWS, Azure, or GCP isolate AZs to prevent single points of failure, but an AZ can experience issues such as network connectivity loss, power disruption, or hardware failures that affect all instances in that zone. The load balancer's health checks are designed to detect such zone-level failures by probing each instance; if an entire AZ is impaired, all its instances will fail the health check simultaneously.

Exam trap

CompTIA often tests the distinction between instance-level failures and zone-level failures; the trap here is that candidates may assume a single misconfigured instance (Option B) is the cause, but the key clue is that all instances in one AZ are failing health checks, which points to an AZ-wide issue rather than a per-instance configuration problem.

How to eliminate wrong answers

Option B is wrong because a misconfigured web server on a single instance would cause only that instance to fail health checks, not all instances in the AZ; the scenario describes all instances in the AZ failing. Option C is wrong because DNS misconfiguration would affect client resolution to the load balancer's DNS name, not the load balancer's ability to perform health checks on backend instances; health checks operate at the network layer between the load balancer and instances, independent of DNS. Option D is wrong because an incorrect listener configuration (e.g., wrong port or protocol) would cause health checks to fail for all instances across all AZs, not just one AZ; the issue is isolated to a single AZ, pointing to a zone-level problem.

185
Multi-Selectmedium

Which THREE of the following are recommended practices for securing cloud API access? (Choose three.)

Select 3 answers
A.Use role-based access control to limit permissions for each API user
B.Embed API keys directly in application source code for convenience
C.Enable detailed logging of all API calls to a centralized service
D.Expose API endpoints publicly for easy access by all clients
E.Rotate API keys and tokens on a regular schedule
AnswersA, C, E

Least privilege reduces attack surface.

Why this answer

Options A, C, and E are correct. The principle of least privilege should be applied (A), access should be logged and monitored (C), and API keys should be rotated regularly (E). Option B is wrong: hardcoding keys is insecure. Option D is wrong: public exposure increases risk.

186
Multi-Selecthard

A cloud architect is designing a disaster recovery plan for a critical application. The application runs on virtual machines in a public cloud. The recovery time objective (RTO) is 1 hour, and the recovery point objective (RPO) is 15 minutes. Which three strategies should the architect implement? (Select THREE).

Select 3 answers
A.Implement active-passive failover with automated DNS.
B.Use synchronous replication to a secondary region.
C.Take daily snapshots of the VMs.
D.Use asynchronous replication with a 10-minute lag.
E.Maintain a warm standby in another region.
AnswersA, B, E

Correct. Automated DNS failover speeds up recovery, helping achieve the RTO.

Why this answer

Synchronous replication provides low RPO; warm standby ensures quick failover within RTO; active-passive with automated DNS reduces transition time.

187
MCQhard

A cloud administrator is troubleshooting a performance issue where an application running on a VM in a private cloud is experiencing high latency. The VM is connected to a virtual switch that uses SR-IOV. The administrator suspects network bottlenecks. Which of the following is the MOST likely cause of the latency?

A.The physical network interface card (NIC) is saturated.
B.The virtual switch is dropping packets due to buffer exhaustion.
C.The VM's virtual NIC is not using the correct driver.
D.The hypervisor's CPU is overloaded due to SR-IOV emulation.
AnswerA

Saturation of the physical NIC is a common cause of latency with SR-IOV.

Why this answer

SR-IOV allows a physical NIC to present multiple virtual functions (VFs) directly to VMs, bypassing the virtual switch for data plane traffic. When the physical NIC reaches its bandwidth capacity, all VFs sharing that NIC experience increased latency and packet drops, making NIC saturation the most likely cause of the high latency.

Exam trap

The trap here is that candidates assume SR-IOV eliminates all bottlenecks, but the physical NIC remains a shared resource that can become saturated, causing latency for all VMs using its VFs.

How to eliminate wrong answers

Option B is wrong because SR-IOV bypasses the virtual switch for data plane traffic, so buffer exhaustion on the virtual switch does not affect SR-IOV passthrough traffic. Option C is wrong because SR-IOV requires a specific driver (e.g., ixgbevf or mlx5_core) on the VM; an incorrect driver would prevent the VF from being recognized or cause connectivity failure, not just high latency. Option D is wrong because SR-IOV offloads network processing to the NIC hardware, so the hypervisor's CPU is not involved in emulating the NIC for SR-IOV VFs; CPU overload would affect other components but is not a direct consequence of SR-IOV.

188
MCQhard

A company uses a multi-cloud strategy with both AWS and Azure. The cloud operations team needs to centrally monitor all cloud resources and receive alerts when resource usage exceeds predefined thresholds. Which of the following solutions should the team implement?

A.Azure Monitor with Log Analytics
B.AWS CloudWatch with cross-account monitoring
C.A third-party monitoring tool that supports both AWS and Azure
D.Custom scripts that log to a central syslog server
AnswerC

Third-party tools like Datadog can aggregate metrics from multiple clouds into a single dashboard.

Why this answer

Option C is correct because a third-party monitoring tool like Datadog or Dynatrace can provide a unified view across clouds. Option A is wrong because Azure Monitor is limited to Azure only. Option B is wrong because AWS CloudWatch is limited to AWS only. Option D is wrong because custom scripts are less scalable and maintainable.

189
Matchingmedium

Match each security control to its purpose.

Concepts
Matches

Manage user identities and access

Require multiple authentication factors

Protect stored data from unauthorized access

Protect data during transmission

Firewall rules for cloud resources

Why these pairings

Essential security mechanisms in cloud environments.

190
MCQeasy

A cloud engineer is tasked with automating the deployment of a new web application. Which of the following tools is BEST suited for managing infrastructure as code in a hybrid cloud environment?

A.AWS CloudFormation
B.Ansible
C.Terraform
D.Docker
AnswerC

Terraform is a cloud-agnostic infrastructure as code tool that supports hybrid environments.

Why this answer

Option C is correct because Terraform is cloud-agnostic and supports multiple providers, including on-premises and public cloud. Option A is wrong because AWS CloudFormation is AWS-specific. Option B is wrong because Ansible is configuration management, not IaC. Option D is wrong because Docker is containerization, not IaC.

191
MCQmedium

A cloud administrator is configuring a new virtual private cloud (VPC) for a three-tier application. The web tier must be accessible from the internet, the application tier should only be accessible from the web tier, and the database tier should only be accessible from the application tier. Which network architecture should be used?

A.Use one subnet with network ACLs to restrict traffic between tiers.
B.Place all tiers in the same subnet and use host-based firewalls.
C.Place each tier in a separate subnet with appropriate security group rules controlling traffic.
D.Deploy each tier in a different VPC and peer them.
AnswerC

Correct. Separate subnets with security groups allow granular control and align with security best practices.

Why this answer

Option C is correct because placing each tier in a separate subnet and using security group rules provides stateful, instance-level traffic control. Security groups act as virtual firewalls at the hypervisor layer, allowing you to specify inbound rules that restrict the application tier to only accept traffic from the web tier's security group, and the database tier to only accept traffic from the application tier's security group. This aligns with the principle of least privilege and ensures that each tier is isolated within the VPC while maintaining necessary connectivity.

Exam trap

The trap here is that candidates often confuse network ACLs (stateless, subnet-level) with security groups (stateful, instance-level) and assume a single subnet with ACLs can achieve the same isolation, but ACLs cannot filter based on source security group IDs and require manual IP management, making them unsuitable for this multi-tier access control requirement.

How to eliminate wrong answers

Option A is wrong because using a single subnet with network ACLs (stateless) would require complex, bidirectional rule management for each tier, and network ACLs cannot filter traffic based on source security group IDs, making it impossible to restrict traffic to only the web tier or application tier without exposing other resources. Option B is wrong because placing all tiers in the same subnet with host-based firewalls violates the security best practice of network segmentation; host-based firewalls are not managed centrally and can be bypassed if the host is compromised, plus they do not provide the same level of isolation as separate subnets with security groups. Option D is wrong because deploying each tier in a different VPC and peering them introduces unnecessary complexity, latency, and cost; VPC peering does not support transitive routing, so you would need additional routing configurations or a transit gateway, and it violates the typical three-tier architecture pattern where all tiers reside within the same VPC for low-latency communication.

192
MCQeasy

A company wants to automate the deployment of cloud resources using code. Which tool is BEST suited for this purpose?

A.SSH
B.An IP address management tool
C.Infrastructure as Code (IaC) templates
D.A configuration management database
AnswerC

IaC tools like Terraform or CloudFormation automate resource deployment from code.

Why this answer

Infrastructure as Code (IaC) templates (Option C) are the best tool for automating cloud resource deployment because they allow you to define, version, and provision infrastructure through machine-readable definition files. Tools like Terraform, AWS CloudFormation, or Azure Resource Manager templates enable repeatable, consistent deployments without manual intervention, directly aligning with the goal of automating cloud resource deployment using code.

Exam trap

The trap here is that candidates may confuse SSH (a remote access tool) with automation scripts (like Ansible playbooks) or think that a CMDB can automate deployments, but the question specifically asks for a tool that uses code to deploy resources, which is the core definition of IaC.

How to eliminate wrong answers

Option A is wrong because SSH (Secure Shell) is a network protocol for secure remote access to systems, not a tool for automating the deployment of cloud resources; it lacks the declarative or imperative infrastructure definition capabilities needed for IaC. Option B is wrong because an IP address management (IPAM) tool is used for planning, tracking, and managing IP address spaces, not for provisioning or orchestrating cloud resources via code. Option D is wrong because a configuration management database (CMDB) is a repository that stores information about IT assets and their relationships; it does not automate deployment but rather serves as a reference for configuration items.

193
Multi-Selecteasy

A developer is using a cloud provider's CLI to manage resources. Which TWO commands are commonly used to troubleshoot instance connectivity?

Select 2 answers
A.reboot
B.ssh
C.create-tags
D.traceroute
E.ping
AnswersD, E

Traceroute identifies the path and can pinpoint where connectivity fails.

Why this answer

D is correct because the `traceroute` command is a standard network diagnostic tool that identifies the path packets take from the source to a destination, revealing each hop's latency and any points of failure. It uses ICMP (or UDP on Linux) with incrementing TTL values to map the route, making it essential for troubleshooting connectivity issues between cloud instances and external endpoints.

Exam trap

The trap here is that candidates confuse `ssh` (a connectivity-dependent tool) with a diagnostic command, or assume `reboot` can resolve network issues, when the exam specifically tests the ability to select commands that *diagnose* rather than *fix* connectivity problems.
