Practice Questions

Question 1

A company has two AWS Direct Connect links to its on-premises data center. One Direct Connect link terminates in the us-east-1 Region, and the other Direct Connect link terminates in the af-south-1 Region. The company is using BGP to exchange routes with AWS. The company's on-premises environment needs to be configured to use the us-east-1 link as the primary path to AWS and the af-south-1 link as the secondary (backup) path. A network engineer must configure BGP on the on-premises router to ensure that the us-east-1 link is preferred for all traffic to AWS, and the af-south-1 link is used only if the primary link fails. The solution must use standard BGP attributes and AWS BGP community tags. How should a network engineer configure BGP to ensure that af-south-1 is used as a secondary link to AWS?

Question Analysis

Core concept: This question tests how to build deterministic primary/backup routing over two AWS Direct Connect connections by combining customer-side BGP best-path selection with AWS Direct Connect BGP communities. The on-premises router should prefer the us-east-1 session for traffic destined to AWS by assigning it a higher local preference, while the af-south-1 session should be treated as backup with a lower local preference. On the AWS side, the customer should tag routes advertised over the backup DX with the AWS low-local-preference community so AWS prefers the primary DX for return traffic when both paths are available. Why correct: The correct design is to set a higher local preference on the us-east-1 BGP peer and a lower local preference on the af-south-1 BGP peer so the enterprise network always chooses us-east-1 first for outbound traffic to AWS. In addition, the af-south-1 link should be tagged with AWS community 7224:7300, which tells AWS to assign a lower local preference to routes learned on that connection. This makes af-south-1 the less-preferred path from AWS back to on premises, so it functions as the backup unless the primary path fails. Key features: - Local Preference is a standard BGP attribute used inside the customer AS; higher values are preferred. - AWS Direct Connect supports BGP communities such as 7224:7300 to influence AWS local preference for inbound traffic toward customer prefixes. - Using both controls together provides symmetric primary/backup intent: customer-side preference for outbound traffic and AWS-side preference for return traffic. Common misconceptions: - Many candidates confuse AWS DX communities with customer local preference. AWS communities influence AWS's handling of routes you advertise, not your router's best-path decision. - Another common mistake is assuming 7224:7100 means 'primary' and 7224:7300 means 'secondary' in a generic sense. In practice, 7224:7300 is the explicit low-preference community used to de-prefer a backup path. - It is also easy to reverse local preference values, which would make the backup link active instead of standby. Exam tips: - For customer-to-AWS path preference, look first at local preference on the customer router: higher on the primary, lower on the backup. - For AWS-to-customer return path preference, look for the AWS DX community that lowers AWS local preference on the backup path, typically 7224:7300. - If an option gets local preference right but applies the low-preference AWS community to the primary link, it is not the best answer.

Question 2

A company recently implemented a security policy that prohibits developers from launching VPC network infrastructure. The policy states that any time a NAT gateway is launched in a VPC, the company's network security team must immediately receive an alert to terminate the NAT gateway. The network security team needs to implement a solution that can be deployed across AWS accounts with the least possible administrative overhead. The solution also must provide the network security team with a simple way to view compliance history. The solution must be able to detect the creation of a NAT Gateway in any VPC, alert the security team, automatically terminate the resource, and provide a historical record of compliance. The solution must also be easily deployable across multiple AWS accounts with minimal manual effort. Which solution will meet these requirements?

Question 3

A company is migrating applications from an on-premises data center to AWS, requiring data exchange with an on-premises mainframe. The solution must achieve 4 Gbps transfer speeds for peak traffic and ensure high availability and resiliency against circuit or router failures. Design a highly available, resilient networking solution that supports 4 Gbps and withstands circuit or router failures. Which solution will meet these requirements?

Question 4

A fintech company has multiple development environments across different AWS accounts, all operating in the us-east-1 Region. These environments host backend services on Amazon EC2 instances within private subnets, which are accessed via a Network Load Balancer (NLB) in a public subnet. For compliance reasons, API access to these services is restricted to a small number of approved third-party vendors. The NLB's security group is configured to only allow inbound TCP traffic on port 443 from a specific set of vendor IP address ranges. The company has a strict policy that whenever a new vendor is onboarded, their IP address range must be added to the NLB's security group in every account. A network engineer must find the most operationally efficient way to centrally manage these vendor IP address ranges across all accounts. The network engineer needs to implement a solution that allows for a single, centralized update of a new vendor's IP address range. This change must then be automatically reflected in the security groups of all relevant accounts without manual intervention in each account. The solution must be highly efficient and scalable. Which solution will meet these requirements in the MOST operationally efficient manner?

Question 5

(Select 3)

A company uses AWS Client VPN to allow remote users to access resources in multiple peered VPCs and an on-premises data center. The Client VPN endpoint route table has a single 0.0.0.0/0 entry, and its security group has no inbound rules and an outbound rule allowing all traffic to 0.0.0.0/0. Remote users report incorrect geographic location information in web search results. Resolve incorrect geographic location issues for Client VPN users with minimal service interruption. Which combination of steps should a network engineer take to resolve this issue with the LEAST amount of service interruption? (Choose three.)

Want to practice all questions on the go?

Download Cloud Pass for free — includes practice tests, progress tracking & more.

Question 6

An application team for a startup company is deploying a new multi-tier application into the AWS Cloud. The application will be hosted on a fleet of Amazon EC2 instances that run in an Auto Scaling group behind a publicly accessible Network Load Balancer (NLB). The application requires the clients to work with UDP traffic and TCP traffic. In the near term, the application will serve only users within the same geographic location. The application team plans to extend the application to a global audience and will move the deployment to multiple AWS Regions around the world to bring the application closer to the end users. The application team wants to use the new Regions to deploy new versions of the application and wants to be able to control the amount of traffic that each Region receives during these rollouts. In addition, the application team must minimize first-byte latency and jitter (randomized delay) for the end users. The application team must design a network architecture that can handle both TCP and UDP traffic, support phased global rollouts by controlling traffic distribution to multiple AWS Regions, and reduce latency and jitter for end users. How should the application team design the network architecture for the application to meet these requirements?

Question 7

(Select 2)

An IoT company collects data from thousands of sensors that are deployed in the United States and South Asia. The sensors use a proprietary communication protocol that is built on UDP to send the data to a fleet of Amazon EC2 instances. The instances are in an Auto Scaling group and run behind a Network Load Balancer (NLB). The instances, Auto Scaling group, and NLB are deployed in the us-west-2 Region. The company's data shows that data from the sensors in South Asia occasionally gets lost in transit over the public internet and does not reach the EC2 instances. The company needs a solution to resolve the issue of data loss from the South Asian sensors. The solution must provide a reliable and low-latency path for the UDP traffic from the sensors to the application, leveraging AWS services to optimize the network performance over long distances. Which solutions will resolve this issue? (Choose two.)

Question 8

(Select 2)

A company runs a stateless web app (ASG) and a stateful admin/management app (separate ASG) behind the same Application Load Balancer (ALB) in private subnets. The company wants to access the management app at the same URL as the web app with the path prefix /management. Protocol, hostname, and port must be identical for both apps. Access to /management must be limited to on‑premises source IP ranges. The ALB uses an ACM certificate. Implement ALB listener rules to path‑route /management to the admin targets and restrict it to on‑premises CIDRs while keeping all traffic over the same HTTPS listener. Which combination of steps should the network engineer take? (Choose two.)

Question 9

A marketing company is using a hybrid infrastructure to connect its branch offices to AWS over AWS Direct Connect and a software-defined wide area network (SD-WAN) overlay. The company currently connects its multiple VPCs to a third-party SD-WAN appliance, which resides in a transit VPC within the same account, using AWS Site-to-Site VPNs. The company is planning to expand its AWS footprint by connecting more VPCs to the SD-WAN appliance transit VPC. However, the existing architecture is experiencing challenges with scalability, route table limitations, and higher costs due to the numerous VPN connections. A network engineer must design a new solution to address these issues and reduce the overall operational overhead. The network engineer needs to design a solution that provides scalable connectivity between all VPCs and the SD-WAN appliance while resolving the route table limitations and reducing costs. The solution must be implemented with the least amount of operational overhead. Which solution will meet these requirements with the LEAST amount of operational overhead?

Question 10

A logistics company has deployed a multi-VPC environment in the AWS Cloud, interconnected by a Transit Gateway. The company has experienced service disruptions after a network operator made changes to security groups, network ACLs, or route tables. To prevent future outages, the company wants to implement an automated system that proactively verifies network connectivity between critical application resources within a single VPC immediately after any network configuration change is made. The network engineer needs to design a solution that automatically detects network configuration changes within a VPC and then triggers a connectivity check between specific resources to ensure that no connectivity loss has occurred. The solution must be fully automated to reduce manual operational overhead. Which solution will meet these requirements?

Question Analysis

Core Concept: This question tests automated network validation after configuration changes inside a VPC. The key services are AWS CloudTrail (to record API-level network changes), Amazon EventBridge (to detect those changes and trigger automation), AWS Lambda (to orchestrate actions), and VPC Reachability Analyzer (to programmatically verify L3/L4 reachability between two endpoints considering route tables, security groups, NACLs, IGW/NAT/TGW attachments, etc.). Why the Answer is Correct: Option B is correct because CloudTrail is the authoritative source for detecting configuration changes to security groups, network ACLs, and route tables (e.g., AuthorizeSecurityGroupIngress/Egress, CreateNetworkAclEntry, ReplaceRoute, AssociateRouteTable). EventBridge can match CloudTrail events in near real time and invoke a Lambda function. Lambda can then call the Reachability Analyzer APIs (e.g., CreatePath/StartNetworkInsightsAnalysis or StartNetworkInsightsAccessScopeAnalysis depending on design) to run connectivity checks for predefined critical paths within the VPC immediately after a change. This provides proactive, automated verification and reduces manual operational overhead. Key AWS Features / Best Practices: - CloudTrail management events capture control-plane API calls for EC2/VPC networking resources. - EventBridge supports event patterns for CloudTrail events (source: aws.ec2, detail-type: AWS API Call via CloudTrail) and fine-grained filtering by eventName and resources. - Reachability Analyzer provides deterministic reachability analysis (not packet probing) and can be automated via SDK/CLI from Lambda. - Store the “critical paths” (source/destination ENIs, instances, subnets) as code/config (e.g., SSM Parameter Store/DynamoDB) to keep the solution maintainable. Common Misconceptions: A common trap is assuming CloudWatch is where configuration changes are “logged.” CloudWatch Logs can store CloudTrail logs, but the native event source for detecting API changes is CloudTrail, and EventBridge integrates directly with CloudTrail events. Another misconception is using Transit Gateway Network Manager Route Analyzer for intra-VPC reachability; Route Analyzer focuses on TGW route analysis across attachments, not full VPC dataplane evaluation including SG/NACL. Exam Tips: When the question says “after any network configuration change,” think CloudTrail + EventBridge. When it says “verify connectivity between resources in a VPC,” think VPC Reachability Analyzer (not TGW Route Analyzer). Also watch for wording like SG/NACL/route table changes—those are EC2/VPC API calls captured as CloudTrail management events.

Practice Test #1

Triple AI-Verified Answers & Explanations

Practice Questions

Success Stories(9)

Start Practicing Now