question: 1
You need to interconnect 10 VPCs in different AWS accounts with minimal operational overhead. Which solution is the most scalable?
A. VPC Peering
B. AWS PrivateLink
C. AWS Transit Gateway
D. Direct Connect Gateway
correct answer: C
explanation: AWS Transit Gateway enables scalable, hub-and-spoke connectivity between thousands of VPCs and on-premises networks.

question: 2
Which protocol is used by AWS Direct Connect to exchange routing information?
A. OSPF
B. IS-IS
C. BGP
D. EIGRP
correct answer: C
explanation: AWS Direct Connect uses Border Gateway Protocol (BGP) for dynamic route exchange between networks.

question: 3
Which AWS service helps block traffic from known malicious IP addresses in real time?
A. AWS WAF
B. AWS Network Firewall
C. GuardDuty
D. AWS Shield
correct answer: B
explanation: AWS Network Firewall can ingest threat intelligence feeds and block IPs in real time.

question: 4
Which configuration enables IPv6 traffic in a VPC?
A. Associate a subnet with an IPv6 CIDR block
B. Enable DNS64
C. Configure NAT Gateway
D. Assign an Elastic IPv6 address
correct answer: A
explanation: To enable IPv6 in a VPC, you must associate subnets with an IPv6 CIDR block and configure routing accordingly.

question: 5
What is the main difference between VPC Peering and Transit Gateway?
A. VPC Peering is used for DNS routing
B. Transit Gateway supports transitive routing
C. Peering supports route propagation
D. Transit Gateway is only for hybrid connections
correct answer: B
explanation: Transit Gateway allows transitive routing, unlike VPC Peering which requires full mesh configuration.

question: 6
Which AWS service can terminate SSL connections at the edge for faster content delivery?
A. ALB
B. CloudFront
C. API Gateway
D. Route 53
correct answer: B
explanation: CloudFront can terminate SSL at the edge, reducing latency and offloading encryption from origin servers.

question: 7
A company wants to route traffic based on device type and geographic location. Which service should it use?
A. AWS Global Accelerator
B. Route 53 with geolocation routing
C. Network Load Balancer
D. VPC Flow Logs
correct answer: B
explanation: Route 53 supports geolocation-based routing policies, enabling responses based on user location.

question: 8
How does PrivateLink differ from VPC Peering?
A. PrivateLink allows transitive routing
B. PrivateLink enables access to services via endpoint interfaces
C. VPC Peering is more secure
D. PrivateLink requires Internet Gateway
correct answer: B
explanation: PrivateLink allows private access to services across VPCs via interface endpoints without routing.

question: 9
Which logs are essential for troubleshooting network security incidents?
A. CloudTrail logs
B. S3 access logs
C. VPC Flow Logs
D. CloudWatch metrics
correct answer: C
explanation: VPC Flow Logs capture IP traffic metadata, useful for diagnosing network access issues or intrusions.

question: 10
What feature must be enabled to allow outbound IPv6 traffic from a private subnet?
A. Internet Gateway
B. Egress-only Internet Gateway
C. NAT Gateway
D. IPv6 NAT Instance
correct answer: B
explanation: Egress-only Internet Gateway allows IPv6 outbound traffic while blocking unsolicited inbound requests.

question: 11
Which service provides static IP addresses and improves performance for global applications?
A. Route 53
B. CloudFront
C. AWS Global Accelerator
D. VPC Endpoints
correct answer: C
explanation: Global Accelerator uses Anycast IP addresses and routes traffic through optimal AWS edge locations.

question: 12
How do you ensure route propagation from VPN connections to attached VPCs?
A. Use static routes
B. Enable propagation on route tables
C. Create Transit Gateway peering
D. Use NAT Gateway
correct answer: B
explanation: Enabling propagation in the route table ensures dynamically learned routes (e.g., from VPN or DX) are used.

question: 13
What is a limitation of using VPC Peering?
A. Can’t span multiple regions
B. Doesn’t support transitive routing
C. No support for DNS
D. Doesn’t work with security groups
correct answer: B
explanation: VPC Peering does not support transitive routing, requiring a full mesh to connect multiple VPCs.

question: 14
Which AWS service simplifies security group management across many accounts?
A. AWS Firewall Manager
B. AWS Config
C. GuardDuty
D. Trusted Advisor
correct answer: A
explanation: AWS Firewall Manager helps manage security rules and compliance across multiple AWS accounts centrally.

question: 15
You need to allow users in VPC-A to access a service hosted in VPC-B without exposing VPC-B publicly. What should you use?
A. NAT Gateway
B. VPC Peering
C. PrivateLink
D. Internet Gateway
correct answer: C
explanation: AWS PrivateLink enables private access to services in another VPC without requiring public IPs.

question: 16
Which service allows you to analyze DNS queries made from your VPC?
A. Route 53 Logs
B. VPC Flow Logs
C. Route 53 Resolver Query Logging
D. CloudTrail
correct answer: C
explanation: Route 53 Resolver Query Logging captures DNS queries originating from VPC resources for analysis and troubleshooting.

question: 17
Which AWS component supports BGP route advertisements over AWS Direct Connect?
A. Route Table
B. Virtual Private Gateway
C. Customer Gateway
D. Direct Connect Gateway
correct answer: D
explanation: Direct Connect Gateway supports BGP route advertisements to allow scalable hybrid connectivity to multiple VPCs.

question: 18
Your company wants to use AWS as a failover site with minimal routing changes. What is the best strategy?
A. Static routing on-premises
B. Use of Direct Connect Gateway
C. Route 53 failover routing policy
D. Peering connections between regions
correct answer: C
explanation: Route 53 failover routing can direct traffic to a secondary AWS endpoint automatically during failure events.

question: 19
Which is NOT a feature of AWS Global Accelerator?
A. Health checks
B. Regional failover
C. SSL termination at edge
D. Static IP addresses
correct answer: C
explanation: AWS Global Accelerator does not perform SSL termination; that is a feature of CloudFront.

question: 20
To limit the scope of a DNS query to only a specific VPC, which solution is best?
A. Route 53 Resolver Rule
B. Private Hosted Zone with VPC association
C. Public Hosted Zone
D. Route 53 Failover Routing
correct answer: B
explanation: A private hosted zone can be associated with one or more VPCs to restrict DNS resolution.

question: 21
Which feature allows you to centrally inspect traffic between VPCs and AWS services?
A. AWS Traffic Mirroring
B. AWS WAF
C. Gateway Load Balancer
D. VPC Flow Logs
correct answer: C
explanation: Gateway Load Balancer enables transparent inspection and filtering of traffic using third-party virtual appliances.

question: 22
Which of the following supports stateful packet inspection?
A. Security Group
B. Network ACL
C. VPC Peering
D. NAT Gateway
correct answer: A
explanation: Security groups are stateful firewalls that allow return traffic automatically if it matches inbound rules.

question: 23
You need a solution to forward DNS queries from your VPC to your on-premises DNS servers. What do you configure?
A. Route 53 Resolver inbound endpoint
B. Route 53 Resolver outbound endpoint
C. Private hosted zone
D. Conditional forwarding rule
correct answer: B
explanation: An outbound endpoint allows DNS queries from VPC resources to be forwarded to external DNS servers.

question: 24
Which AWS service provides the easiest method for inspecting, logging, and filtering east-west VPC traffic?
A. CloudTrail
B. Gateway Load Balancer
C. AWS Network Firewall
D. NAT Gateway
correct answer: C
explanation: AWS Network Firewall offers deep packet inspection, logging, and rules for managing internal traffic flows.

question: 25
Which option enables highly available VPN connectivity with AWS?
A. Single VPN tunnel
B. AWS Direct Connect only
C. Two VPN tunnels via AWS Site-to-Site VPN
D. Internet Gateway
correct answer: C
explanation: AWS Site-to-Site VPN automatically creates two tunnels to improve availability and resilience.

question: 26
How can you ensure compliance by preventing users from launching instances without monitoring?
A. AWS Firewall Manager
B. VPC Endpoint Policies
C. IAM Policy Deny rules
D. Service Control Policies + AWS Config Rules
correct answer: D
explanation: Use Service Control Policies to enforce restrictions across accounts and AWS Config Rules for compliance checks.

question: 27
Which solution allows an organization to connect multiple on-premises networks to AWS with one private virtual interface?
A. VPC Peering
B. Transit Gateway
C. Direct Connect Gateway
D. VPN CloudHub
correct answer: C
explanation: Direct Connect Gateway allows multiple VPCs or accounts to share a single private virtual interface.

question: 28
What is the default behavior of a Network ACL?
A. Allows all inbound and outbound traffic
B. Denies all inbound and outbound traffic
C. Allows only HTTP/HTTPS traffic
D. Denies all inbound and allows all outbound traffic
correct answer: B
explanation: By default, a new NACL denies all traffic until rules are explicitly added.

question: 29
Which service supports using Suricata rules for deep packet inspection?
A. AWS WAF
B. AWS Network Firewall
C. AWS Inspector
D. Route 53 Resolver
correct answer: B
explanation: AWS Network Firewall supports Suricata-compatible rules for intrusion detection and packet inspection.

question: 30
You need to inspect traffic across hundreds of VPCs with minimal appliance deployment. What should you use?
A. NAT Gateway
B. Gateway Load Balancer
C. VPC Peering
D. Site-to-Site VPN
correct answer: B
explanation: Gateway Load Balancer allows centralized traffic inspection and scales automatically without manual appliance deployment.