Security Groups act as a virtual firewall for your instance to control inbound and outbound traffic at the network interface level.
Incorrect! Try again.
4Which of the following statements regarding Network Access Control Lists (NACLs) is TRUE?
A.They support allow rules only.
B.They are stateful.
C.They operate at the instance level.
D.They represent a stateless firewall at the subnet level.
Correct Answer: They represent a stateless firewall at the subnet level.
Explanation:
NACLs are stateless, meaning return traffic must be explicitly allowed by rules, and they are applied at the subnet boundary.
Incorrect! Try again.
5You have a private subnet that needs to download software patches from the internet but should not accept incoming connection requests. Which component should you use?
A.Internet Gateway
B.Direct Connect
C.NAT Gateway
D.Egress-Only Internet Gateway
Correct Answer: NAT Gateway
Explanation:
A NAT Gateway allows instances in a private subnet to connect to the internet (e.g., for updates) but prevents the internet from initiating connections with those instances. (Egress-Only is specifically for IPv6).
Incorrect! Try again.
6What is the primary constraint regarding VPC Peering and transitive routing?
A.Transitive routing is supported by default.
B.Transitive routing works only if both VPCs are in the same region.
C.Transitive routing is not supported.
D.Transitive routing works only with IPv6.
Correct Answer: Transitive routing is not supported.
Explanation:
If VPC A peers with VPC B, and VPC B peers with VPC C, VPC A cannot route traffic to VPC C through VPC B.
Incorrect! Try again.
7Which AWS service allows you to connect multiple VPCs and on-premises networks through a central hub, simplifying network topology?
A.AWS Transit Gateway
B.AWS VPN CloudHub
C.AWS Direct Connect
D.VPC Peering
Correct Answer: AWS Transit Gateway
Explanation:
AWS Transit Gateway connects VPCs and on-premises networks through a central hub, acting as a cloud router and solving the complexity of mesh peering.
Incorrect! Try again.
8Which type of VPC Endpoint uses AWS PrivateLink to connect securely to services like Amazon EC2 API, Kinesis, or ELB?
A.VPN Endpoint
B.Gateway Endpoint
C.Routing Endpoint
D.Interface Endpoint
Correct Answer: Interface Endpoint
Explanation:
Interface Endpoints use AWS PrivateLink to allow you to privately access services by using private IP addresses within your VPC.
Incorrect! Try again.
9Gateway Endpoints currently support which two specific AWS services?
A.Amazon RDS and Amazon DynamoDB
B.Amazon EC2 and Amazon S3
C.Amazon S3 and Amazon DynamoDB
D.Amazon SNS and Amazon SQS
Correct Answer: Amazon S3 and Amazon DynamoDB
Explanation:
Gateway Endpoints are specifically designed for routing traffic to Amazon S3 and Amazon DynamoDB via a route table entry, without using PrivateLink.
Incorrect! Try again.
10What is the relationship between a Subnet and an Availability Zone (AZ)?
A.A subnet can span multiple AZs.
B.An AZ can only contain one subnet.
C.Subnets are region-wide resources.
D.A subnet must reside entirely within one AZ.
Correct Answer: A subnet must reside entirely within one AZ.
Explanation:
A subnet is mapped to a specific Availability Zone and cannot span multiple zones.
Incorrect! Try again.
11When configuring a Site-to-Site VPN, which component is deployed on the AWS side of the connection?
A.Customer Gateway
B.Virtual Private Gateway (VGW)
C.Internet Gateway
D.NAT Instance
Correct Answer: Virtual Private Gateway (VGW)
Explanation:
The Virtual Private Gateway is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection.
Incorrect! Try again.
12What is a primary benefit of using AWS Direct Connect over a Site-to-Site VPN?
A.Direct Connect does not require any physical infrastructure.
B.Direct Connect is always cheaper for low data volumes.
C.Direct Connect uses the public internet for transmission.
D.Direct Connect provides consistent network performance and low latency via a dedicated private connection.
Correct Answer: Direct Connect provides consistent network performance and low latency via a dedicated private connection.
Explanation:
Direct Connect bypasses the public internet, offering more predictable performance, lower latency, and higher bandwidth capabilities.
Incorrect! Try again.
13Which tool would you use to capture information about the IP traffic going to and from network interfaces in your VPC?
A.AWS CloudTrail
B.Amazon CloudWatch Metrics
C.VPC Flow Logs
D.AWS Config
Correct Answer: VPC Flow Logs
Explanation:
VPC Flow Logs is the feature specifically designed to capture information regarding IP traffic going to/from network interfaces.
Incorrect! Try again.
14You need to prevent a specific IP address from accessing your subnet. Which security layer should you use?
A.Route Table
B.Network Access Control List (NACL)
C.Security Group
D.Internet Gateway
Correct Answer: Network Access Control List (NACL)
Explanation:
NACLs support 'Deny' rules, allowing you to explicitly block specific IP addresses. Security Groups only support 'Allow' rules.
Incorrect! Try again.
15If a Security Group has no outbound rules defined, what is the default behavior?
A.All outbound traffic is allowed.
B.Only SSH outbound traffic is allowed.
C.All outbound traffic is denied.
D.Only HTTP outbound traffic is allowed.
Correct Answer: All outbound traffic is denied.
Explanation:
When you create a custom Security Group, it has no inbound rules (deny all) and, by default, an outbound rule allowing all traffic. However, if you remove or have no outbound rules, all outbound traffic is denied.
Incorrect! Try again.
16How does AWS ensure high availability for a NAT Gateway?
A.It must be manually configured in a cluster.
B.It automatically spans multiple AZs.
C.It uses a floating IP across regions.
D.It is created in a specific AZ; for high availability, you must create a NAT Gateway in each AZ.
Correct Answer: It is created in a specific AZ; for high availability, you must create a NAT Gateway in each AZ.
Explanation:
A NAT Gateway is zonal. To ensure HA, you should deploy a NAT Gateway in every Availability Zone that contains instances requiring internet access.
Incorrect! Try again.
17Which VPC feature allows you to copy network traffic from an elastic network interface to a target for deep packet inspection?
A.VPC Flow Logs
B.Traffic Mirroring
C.AWS Inspector
D.VPC Peering
Correct Answer: Traffic Mirroring
Explanation:
Traffic Mirroring copies actual network packets (payload and header) to a target (like a security appliance) for inspection, unlike Flow Logs which only capture metadata.
Incorrect! Try again.
18What happens if you attempt to peer two VPCs that have overlapping CIDR blocks?
A.One VPC effectively overwrites the other.
B.Only the non-overlapping subnets can communicate.
C.The peering connection creation fails.
D.The peering connection automatically resolves the overlap using NAT.
Correct Answer: The peering connection creation fails.
Explanation:
VPC Peering does not support overlapping CIDR blocks. The request will fail or cannot be initiated.
Incorrect! Try again.
19Which component represents the customer side of a Site-to-Site VPN connection in AWS configuration?
A.Transit Gateway
B.Internet Gateway
C.Customer Gateway
D.Virtual Private Gateway
Correct Answer: Customer Gateway
Explanation:
The Customer Gateway resource in AWS represents the physical device or software application on the customer's side of the VPN connection.
Incorrect! Try again.
20In a default NACL, what is the default rule behavior?
A.Allow all inbound and outbound traffic.
B.Allow inbound, deny outbound.
C.Deny inbound, allow outbound.
D.Deny all inbound and outbound traffic.
Correct Answer: Allow all inbound and outbound traffic.
Explanation:
The default NACL created with a VPC allows all inbound and outbound IPv4 traffic by default.
Incorrect! Try again.
21How are rules evaluated in a Network ACL?
A.All rules are evaluated simultaneously.
B.By rule number, from highest to lowest.
C.Alphabetically by rule description.
D.By rule number, from lowest to highest, stopping at the first match.
Correct Answer: By rule number, from lowest to highest, stopping at the first match.
Explanation:
NACLs process rules in numerical order. As soon as a rule matches traffic, it is applied, and no further rules are evaluated.
Incorrect! Try again.
22What is required to allow instances in a private subnet to access S3 without traffic traversing the public internet?
A.NAT Gateway
B.Internet Gateway
C.VPC Endpoint (Gateway or Interface)
D.VPN Connection
Correct Answer: VPC Endpoint (Gateway or Interface)
Explanation:
VPC Endpoints allow private connections to AWS services like S3 without requiring an Internet Gateway or NAT device, keeping traffic within the AWS network.
Incorrect! Try again.
23Which of the following is a valid destination in a Route Table?
A.S3 Bucket Name
B.Specific Security Group ID
C.Peering Connection ID (pcx-xxxxx)
D.IAM Role ARN
Correct Answer: Peering Connection ID (pcx-xxxxx)
Explanation:
Route tables direct traffic based on CIDR blocks to targets like Internet Gateways, NAT Gateways, or Peering Connections (pcx-id).
Incorrect! Try again.
24When using AWS Direct Connect, what logical component allows you to access VPCs in multiple regions from a single Direct Connect connection?
A.Direct Connect Gateway
B.Virtual Private Gateway
C.Public VIF
D.Private VIF
Correct Answer: Direct Connect Gateway
Explanation:
A Direct Connect Gateway is a global resource that allows you to connect a Direct Connect connection to one or more VPCs in different regions.
Incorrect! Try again.
25Which Well-Architected Framework pillar emphasizes the use of multiple Availability Zones to withstand failures?
A.Reliability
B.Security
C.Performance Efficiency
D.Cost Optimization
Correct Answer: Reliability
Explanation:
The Reliability pillar focuses on the ability of a workload to perform its intended function correctly and consistently, which includes recovering from infrastructure or service disruptions (e.g., via Multi-AZ).
Incorrect! Try again.
26How many IP addresses does AWS reserve in every subnet for internal networking purposes?
A.5
B.3
C.1
D.2
Correct Answer: 5
Explanation:
AWS reserves 5 IP addresses in each subnet: The network address, the router, the DNS server, a future use address, and the broadcast address.
Incorrect! Try again.
27You have a stateful firewall requirement for your EC2 instances. Which feature provides this?
A.Security Groups
B.Flow Logs
C.Network ACLs
D.Route Tables
Correct Answer: Security Groups
Explanation:
Security Groups are stateful; if an inbound request is allowed, the outbound response is automatically allowed regardless of outbound rules.
Incorrect! Try again.
28Can a single VPC Peering connection connect three VPCs (A, B, and C) simultaneously?
A.Yes, peering is a multi-party protocol.
B.Yes, if they are in the same region.
C.No, peering is a one-to-one connection between two specific VPCs.
D.Yes, if Transit Gateway is used.
Correct Answer: No, peering is a one-to-one connection between two specific VPCs.
Explanation:
VPC Peering is strictly a one-to-one relationship. Connecting three VPCs requires creating separate peering connections between the pairs (A-B, B-C, A-C).
Incorrect! Try again.
29Which networking feature enables IPv6 traffic from a private subnet to the internet but prevents internet initiation of connections?
A.Private Link
B.Internet Gateway
C.NAT Gateway
D.Egress-Only Internet Gateway
Correct Answer: Egress-Only Internet Gateway
Explanation:
Egress-Only Internet Gateways are specifically used for IPv6 traffic to allow outbound communication while blocking inbound connection initiation.
Incorrect! Try again.
30What is the primary function of a Route Table?
A.It assigns IP addresses to instances.
B.It contains a set of rules, called routes, that determine where network traffic is directed.
C.It acts as a firewall.
D.It encrypts traffic between subnets.
Correct Answer: It contains a set of rules, called routes, that determine where network traffic is directed.
Explanation:
Route Tables control the flow of traffic out of the subnets by matching destination CIDRs to specific targets.
Incorrect! Try again.
31If you need to connect 100 VPCs in a full mesh topology, which solution offers the easiest management?
A.VPN CloudHub
B.Public Internet Routing
C.VPC Peering
D.AWS Transit Gateway
Correct Answer: AWS Transit Gateway
Explanation:
Managing a mesh of peering connections for 100 VPCs is complex (N*(N-1)/2 connections). Transit Gateway acts as a central hub, significantly simplifying management.
Incorrect! Try again.
32What is the default limit for the number of Security Groups per VPC?
A.100
B.50
C.Unlimited
D.500
Correct Answer: 500
Explanation:
The default soft limit for Security Groups per VPC is 500, though this can be increased by request.
Incorrect! Try again.
33When configuring a security group rule, what can be specified as the source?
A.DNS Name
B.MAC Address
C.AMI ID
D.CIDR block or another Security Group ID
Correct Answer: CIDR block or another Security Group ID
Explanation:
Security Group rules accept CIDR blocks (IP ranges) or the ID of another Security Group (allowing traffic from instances associated with that group).
Incorrect! Try again.
34Which VPN option allows for a redundant connection using the BGP protocol for dynamic routing?
A.Dynamic Site-to-Site VPN
B.Static Site-to-Site VPN
C.AWS Client VPN
D.SSL VPN
Correct Answer: Dynamic Site-to-Site VPN
Explanation:
Dynamic routing in Site-to-Site VPN utilizes BGP (Border Gateway Protocol) to exchange routing information between AWS and the on-premises network.
Incorrect! Try again.
35To use a NAT Gateway, in which type of subnet must it be deployed?
A.Public Subnet
B.Private Subnet
C.Isolated Subnet
D.VPN Subnet
Correct Answer: Public Subnet
Explanation:
A NAT Gateway must be placed in a public subnet (one with a route to an IGW) so it can send traffic to the internet on behalf of private instances.
Incorrect! Try again.
36What happens to the Elastic IP (EIP) associated with a NAT Gateway if the gateway is deleted?
A.The EIP is blocked for 24 hours.
B.The EIP is deleted automatically.
C.The EIP remains allocated to your account but disassociated.
D.The EIP is transferred to the default VPC.
Correct Answer: The EIP remains allocated to your account but disassociated.
Explanation:
Deleting a NAT Gateway disassociates the Elastic IP, but the IP remains allocated to your account (and you are billed for it) until you release it.
Incorrect! Try again.
37Which Direct Connect component is a logical interface used to access public AWS services (like S3) without using the internet?
A.Private Virtual Interface (VIF)
B.Transit Virtual Interface (VIF)
C.Cross Connect
D.Public Virtual Interface (VIF)
Correct Answer: Public Virtual Interface (VIF)
Explanation:
A Public VIF allows a Direct Connect connection to access public AWS services (like S3 or DynamoDB) using public IP addresses over the dedicated link.
Incorrect! Try again.
38Which of the following creates a VPN connection between remote users (laptops/phones) and an AWS VPC?
A.AWS Direct Connect
B.AWS Client VPN
C.AWS Site-to-Site VPN
D.AWS Transit Gateway
Correct Answer: AWS Client VPN
Explanation:
AWS Client VPN is a managed client-based VPN service that enables remote users to securely access AWS resources using OpenVPN-based clients.
Incorrect! Try again.
39In a VPC, does a custom Route Table come with any routes by default?
A.Yes, a local route for communication within the VPC.
B.Yes, a route to the Internet Gateway.
C.Yes, a route to the NAT Gateway.
D.No, it is empty.
Correct Answer: Yes, a local route for communication within the VPC.
Explanation:
Every route table contains a local route for communication within the VPC CIDR by default. This route cannot be deleted.
Incorrect! Try again.
40Which tool in the AWS Network Manager helps you identify unintended network access to your resources?
A.VPC Reachability Analyzer
B.Traffic Mirroring
C.Route Analyzer
D.Network Access Analyzer
Correct Answer: Network Access Analyzer
Explanation:
Network Access Analyzer helps you identify unintended network access to your resources on AWS by analyzing network configurations.
Incorrect! Try again.
41If you need to increase bandwidth for Direct Connect, what feature allows you to bundle multiple connections?
A.Transit Gateway
B.Elastic Network Adapter (ENA)
C.VPC Peering
D.Link Aggregation Group (LAG)
Correct Answer: Link Aggregation Group (LAG)
Explanation:
A Link Aggregation Group (LAG) allows you to aggregate multiple Direct Connect connections at a single AWS Direct Connect endpoint to increase bandwidth.
Incorrect! Try again.
42What is the 'Implicit Deny' rule in Security Groups?
A.If there is no rule explicitly allowing traffic, it is denied.
B.It blocks traffic from the root account.
C.It blocks all internal VPC traffic.
D.It explicitly lists blocked IPs.
Correct Answer: If there is no rule explicitly allowing traffic, it is denied.
Explanation:
Security Groups operate on a whitelist basis. If traffic is not explicitly allowed by a rule, it is implicitly denied.
Incorrect! Try again.
43Which DNS setting must be enabled in the VPC for Interface Endpoints to work via private DNS names?
A.DHCP Options Set
B.ClassicLink DNS
C.Route Propagation
D.DNS Resolution and DNS Hostnames
Correct Answer: DNS Resolution and DNS Hostnames
Explanation:
To use the private DNS feature of Interface Endpoints (accessing the service via its default DNS name but resolving to a private IP), both DNS Resolution and DNS Hostnames must be enabled in the VPC.
Incorrect! Try again.
44Can a subnet function as both Public and Private simultaneously?
A.No, but it can be in two Availability Zones.
B.Yes, if it has two route tables.
C.Yes, if it uses IPv6.
D.No, routing is determined by the single route table associated with the subnet.
Correct Answer: No, routing is determined by the single route table associated with the subnet.
Explanation:
A subnet is associated with exactly one route table at a time. That route table determines if it routes to an IGW (Public) or not (Private).
Incorrect! Try again.
45Which architecture pattern involves a central VPC containing shared services (logging, security tools) that other VPCs peer with?
A.Full Mesh
B.Daisy Chain
C.Hub and Spoke
D.Isolated Model
Correct Answer: Hub and Spoke
Explanation:
In a Hub and Spoke model (often implemented via Transit Gateway or Peering), a central VPC (Hub) provides shared services to connected VPCs (Spokes).
Incorrect! Try again.
46When troubleshooting connectivity using VPC Flow Logs, what does a status of 'SKIPDATA' indicate?
A.Some flow log records were skipped during the capture window.
B.Traffic was allowed.
C.Traffic was denied.
D.The log format is invalid.
Correct Answer: Some flow log records were skipped during the capture window.
Explanation:
SKIPDATA indicates that some flow log records were skipped during the capture window, usually due to internal capacity constraints or errors.
Incorrect! Try again.
47What is the maximum transmission unit (MTU) supported by Jumbo Frames within a VPC?
A.4096 bytes
B.65535 bytes
C.9001 bytes
D.1500 bytes
Correct Answer: 9001 bytes
Explanation:
AWS VPCs support an MTU of 1500 by default, but support Jumbo Frames up to 9001 bytes for traffic within the VPC (and peering).
Incorrect! Try again.
48Which feature enables you to route traffic between your VPC and your on-premises network over a Direct Connect connection using private IP addresses?
A.Public VIF
B.Internet Gateway
C.Private VIF
D.NAT Gateway
Correct Answer: Private VIF
Explanation:
A Private Virtual Interface (VIF) is used to connect a Direct Connect link to a VPC using private IP addresses.
Incorrect! Try again.
49For a Well-Architected network, how should you handle administrative access to EC2 instances?
A.Use a Bastion Host or AWS Systems Manager Session Manager.
B.Open port 22/3389 to 0.0.0.0/0.
C.Use unencrypted Telnet.
D.Connect via the physical console.
Correct Answer: Use a Bastion Host or AWS Systems Manager Session Manager.
Explanation:
Directly exposing ports to the internet is insecure. Using a Bastion Host (Jump Box) or, preferably, Systems Manager Session Manager (which requires no open inbound ports) is best practice.
Incorrect! Try again.
50What allows a VPC to connect to services hosted by another AWS account (SaaS) securely within the AWS network?
A.VPN Peering
B.ClassicLink
C.Internet Gateway
D.AWS PrivateLink
Correct Answer: AWS PrivateLink
Explanation:
AWS PrivateLink allows you to expose a service in one VPC (Service Provider) to other VPCs (Consumers) securely without traversing the public internet.