Edge and Hybrid Networking

Edge and Hybrid Networking Quiz

Quiz

Question 1 of 36 (0 answered)

Question 1

In the DNS resolution flow, what role does Route 53 play?

Root DNS Server TLD DNS Server Authoritative DNS Server DNS Resolver

✓

Correct!

Route 53 acts as the Authoritative DNS Server that returns the final IP address for a domain. The DNS resolver (ISP), root servers, and TLD servers are all queried before reaching Route 53.

✗

Incorrect

Route 53 acts as the Authoritative DNS Server that returns the final IP address for a domain. The DNS resolver (ISP), root servers, and TLD servers are all queried before reaching Route 53.

Route 53 provides the final answer in the DNS query chain.

Question 2

Which Route 53 routing policies support health checks?

Simple Routing Failover Routing Weighted Routing Multivalue Answer Routing Latency-Based Routing

✓

Correct!

Failover, Multivalue Answer, and Weighted Routing (when configured) support health checks. Simple routing does not support health checks. Latency-based routing can use health checks but the question asks which inherently support them in their design.

✗

Incorrect

Think about which routing policies need to know if endpoints are healthy to make routing decisions.

Question 3

A Route 53 Alias record can be used at the zone apex (e.g., example.com) and there is no charge for Alias queries to AWS resources.

True False

✓

Correct!

This is true. Alias records are a Route 53-specific feature that can be used at the zone apex (unlike CNAME records) and queries to AWS resources via Alias records are free.

✗

Incorrect

This is true. Alias records are a Route 53-specific feature that can be used at the zone apex (unlike CNAME records) and queries to AWS resources via Alias records are free.

Alias records are specifically designed for AWS resource integration.

Question 4

Route 53 Private Hosted Zones contain records for routing traffic within ____ and responses are only visible within associated resources.

✓

Correct!

Private Hosted Zones route traffic within VPCs (Virtual Private Clouds). Unlike public hosted zones that are accessible from the internet, private hosted zones only work within specified VPCs.

✗

Incorrect

Private Hosted Zones route traffic within VPCs (Virtual Private Clouds). Unlike public hosted zones that are accessible from the internet, private hosted zones only work within specified VPCs.

Think about AWS’s private network isolation construct.

Question 5

A Route 53 weighted routing policy has two records: Record A (weight: 70) and Record B (weight: 30). If 1000 users make requests, approximately how many will be routed to Record B?

example.com → 203.0.113.5  (Weight: 70)
example.com → 203.0.113.10 (Weight: 30)

Total requests: 1000

What will this code output?

100 users 200 users 300 users 700 users

✓

Correct!

With a weight of 30 out of a total weight of 100 (70+30), Record B receives 30% of traffic, which equals 300 users out of 1000.

✗

Incorrect

With a weight of 30 out of a total weight of 100 (70+30), Record B receives 30% of traffic, which equals 300 users out of 1000.

Calculate the percentage: weight / total_weight × 100

Question 6

Arrange the DNS resolution steps in the correct order:

Drag to arrange from first to last step

⋮⋮ User types domain in browser

⋮⋮ Route 53

⋮⋮ DNS Resolver checks cache

⋮⋮ Query Root DNS Servers

⋮⋮ Query TLD DNS Servers

⋮⋮ User connects to IP address

✓

Correct!

The correct DNS resolution flow is: User request → Resolver cache check → Root servers → TLD servers → Authoritative DNS returns IP address (Route 53) → Connection to IP.

✗

Incorrect

The correct DNS resolution flow is: User request → Resolver cache check → Root servers → TLD servers → Authoritative DNS returns IP address (Route 53) → Connection to IP.

Question 7

What is the primary difference between CloudFront and Global Accelerator?

CloudFront caches content at edge locations; Global Accelerator does not cache CloudFront is for TCP/UDP traffic; Global Accelerator is for HTTP/HTTPS CloudFront provides static IPs; Global Accelerator does not CloudFront requires health checks; Global Accelerator does not

✓

Correct!

The key difference is that CloudFront is a CDN that caches content, while Global Accelerator provides network layer acceleration without caching. CloudFront is for HTTP/HTTPS, while Global Accelerator supports TCP/UDP and provides static anycast IPs.

✗

Incorrect

Think about whether content is stored at edge locations or just routed through them.

Question 8

Which are valid CloudFront origin types?

S3 Bucket Application Load Balancer Lambda Function EC2 Instance Custom HTTP Server

✓

Correct!

Valid CloudFront origins include S3 buckets, ALB/NLB, EC2 instances, and custom HTTP servers. While Lambda@Edge can run at CloudFront edge locations, Lambda functions themselves are not origins.

✗

Incorrect

Origins must be HTTP/HTTPS endpoints that serve content.

Question 9

Complete the AWS CLI command to invalidate all objects in a CloudFront distribution:

Fill in the missing parameter value

aws cloudfront create-invalidation \
  --distribution-id E1234567890 \
  --paths _____

Your answer:

✓

Correct!

To invalidate all objects, use --paths "/*". The wildcard /* matches all paths in the distribution. Note: The first 1,000 invalidations per month are free.

✗

Incorrect

To invalidate all objects, use --paths "/*". The wildcard /* matches all paths in the distribution. Note: The first 1,000 invalidations per month are free.

Question 10

What is Origin Access Control (OAC) in CloudFront?

Origin Access Control (OAC) is a CloudFront security feature that ensures only CloudFront can access S3 bucket origin.

Purpose: Prevents users from bypassing CloudFront and accessing S3 content directly.

Implementation: Configure OAC on CloudFront distribution and update S3 bucket policy to allow only CloudFront access.

Did you get it right?

✓

Correct!

✗

Incorrect

Question 11

CloudFront Regional Edge Caches are smaller than edge locations but improve cache hit ratio by serving as an intermediate layer.

True False

✓

Correct!

This is false. Regional Edge Caches are larger than edge locations, not smaller. They serve as an intermediate caching layer between edge locations and the origin, improving cache hit ratio for less frequently accessed content.

✗

Incorrect

Think about the caching hierarchy from smallest to largest.

Question 12

Which Global Accelerator feature makes it ideal for gaming applications compared to CloudFront?

Content caching at edge locations Static anycast IP addresses Support for signed URLs Geo-restriction capabilities

✓

Correct!

Static anycast IP addresses are key for gaming applications. These IPs don’t change and are automatically routed to the nearest healthy endpoint, providing consistent, low-latency connections without DNS changes. CloudFront uses dynamic IPs and is designed for content delivery, not real-time applications.

✗

Incorrect

Gaming clients need stable connection endpoints that don’t require DNS lookups.

Question 13

What are the key components of an AWS Site-to-Site VPN architecture?

Customer Gateway (on-premises device) Customer Gateway (AWS resource) Virtual Private Gateway or Transit Gateway Direct Connect Gateway IPsec VPN Tunnels

✓

Correct!

Site-to-Site VPN requires: Customer Gateway device (physical on-premises), Customer Gateway (AWS resource representation), VGW or TGW (AWS VPN endpoint), and IPsec tunnels. Direct Connect Gateway is for Direct Connect, not VPN.

✗

Incorrect

Think about what’s needed to establish an encrypted tunnel between on-premises and AWS.

Question 14

A Site-to-Site VPN connection has two tunnels. What is the maximum throughput achievable?

VPN Connection:
├─ Tunnel 1: 1.25 Gbps max
├─ Tunnel 2: 1.25 Gbps max
└─ Protocol: IPsec

What will this code output?

1.25 Gbps (single tunnel limit) 2.5 Gbps (both tunnels combined) 5 Gbps (with optimization) 10 Gbps (with ECMP)

✓

Correct!

Each VPN tunnel supports up to 1.25 Gbps. While two tunnels exist for redundancy, they don’t aggregate bandwidth in standard configuration. The throughput is limited to 1.25 Gbps per tunnel, making this the practical maximum.

✗

Incorrect

VPN tunnels are for redundancy, not load balancing in standard setup.

Question 15

In a Site-to-Site VPN with dynamic routing, ____ is used to automatically exchange routes between AWS and on-premises networks.

✓

Correct!

BGP (Border Gateway Protocol) enables dynamic routing, automatically exchanging routes between AWS and on-premises. This eliminates manual route configuration and enables automatic failover.

✗

Incorrect

BGP (Border Gateway Protocol) enables dynamic routing, automatically exchanging routes between AWS and on-premises. This eliminates manual route configuration and enables automatic failover.

It’s a standard routing protocol with a three-letter acronym.

Question 16

What is the difference between Virtual Private Gateway (VGW) and Transit Gateway (TGW) for VPN connectivity?

Virtual Private Gateway (VGW):

VPN concentrator on AWS side
One VGW per VPC
Use for single VPC connectivity

Transit Gateway (TGW):

Centralized VPN hub
Connect VPN to multiple VPCs
Recommended for complex architectures
Simplifies network topology

Did you get it right?

✓

Correct!

✗

Incorrect

Question 17

AWS Client VPN is primarily used for:

Connecting two VPCs in different regions Connecting on-premises data center to AWS Providing remote user access to AWS and on-premises resources Connecting multiple AWS accounts

✓

Correct!

AWS Client VPN is a managed client-based VPN service for remote users (laptops, mobile devices) to securely access AWS resources and on-premises networks. Site-to-Site VPN is for network-to-network connections.

✗

Incorrect

Think about individual users vs. entire networks.

Question 18

Which authentication methods does AWS Client VPN support?

Active Directory SAML-based identity provider Certificate-based authentication IAM users API keys

✓

Correct!

Client VPN supports: Active Directory, SAML-based IdP (like Okta), and certificate-based authentication. It does not use IAM users or API keys for user authentication.

✗

Incorrect

Client VPN supports: Active Directory, SAML-based IdP (like Okta), and certificate-based authentication. It does not use IAM users or API keys for user authentication.

Think about enterprise authentication systems and PKI.

Question 19

AWS Direct Connect provides encrypted connectivity by default.

True False

✓

Correct!

This is false. Direct Connect provides a private connection but does not encrypt traffic by default. For encryption, you must run a VPN connection over Direct Connect (VPN over DX).

✗

Incorrect

This is false. Direct Connect provides a private connection but does not encrypt traffic by default. For encryption, you must run a VPN connection over Direct Connect (VPN over DX).

Private doesn’t mean encrypted.

Question 20

Arrange the Direct Connect architecture components from on-premises to AWS:

Order from customer side to AWS side

⋮⋮ Corporate Network

⋮⋮ Direct Connect Router (AWS equipment)

⋮⋮ Customer Router at DX Location

⋮⋮ VPC Resources

⋮⋮ Virtual Interface (VIF)

✓

Correct!

The connection path is: Corporate Network → Customer Router (at DX location) → AWS Direct Connect Router → Virtual Interface → VPC Resources.

✗

Incorrect

The connection path is: Corporate Network → Customer Router (at DX location) → AWS Direct Connect Router → Virtual Interface → VPC Resources.

Question 21

What is a Virtual Interface (VIF) in Direct Connect?

A physical network card in the customer router A logical connection running over the physical Direct Connect link A virtual machine that routes traffic A software-defined network overlay

✓

Correct!

A Virtual Interface (VIF) is a logical connection that runs over a physical Direct Connect connection. VIFs enable access to different types of AWS resources (private VPC, public services, or Transit Gateway) using VLAN tagging and BGP.

✗

Incorrect

Think about how one physical connection supports multiple logical paths.

Question 22

Which statements about Direct Connect Virtual Interfaces are correct?

Private VIF accesses VPC using private IPs Public VIF accesses AWS public services like S3 Transit VIF connects to Transit Gateway Public VIF requires an Internet Gateway in your VPC Multiple VIFs can run over a single physical connection

✓

Correct!

Private VIF uses private IPs for VPC access, Public VIF accesses public AWS services (S3, DynamoDB) without internet, Transit VIF connects to TGW, and multiple VIFs can share one physical connection. Public VIF does NOT require an IGW—it accesses AWS public endpoints directly.

✗

Incorrect

VIFs are logical constructs that multiplex over the physical connection.

Question 23

Complete the Direct Connect high availability strategy:

Fill in the recommended backup connectivity method

On-Premises ─┬─ Direct Connect (Primary) ──┬─ AWS
             └──────── (Backup) ────────────┘

Your answer:

✓

Correct!

The most cost-effective redundancy strategy is combining Direct Connect (primary) with Site-to-Site VPN (backup). This provides automatic failover while managing costs better than dual Direct Connect.

✗

Incorrect

Question 24

Direct Connect dedicated connections support speeds of 1 Gbps, 10 Gbps, and ____ Gbps.

✓

Correct!

Direct Connect dedicated connections are available in 1 Gbps, 10 Gbps, and 100 Gbps configurations. Hosted connections (through partners) support 50 Mbps to 10 Gbps.

✗

Incorrect

Direct Connect dedicated connections are available in 1 Gbps, 10 Gbps, and 100 Gbps configurations. Hosted connections (through partners) support 50 Mbps to 10 Gbps.

It’s the highest speed tier available.

Question 25

What are the benefits and limitations of AWS Direct Connect?

Benefits:

Consistent network performance (low latency, low jitter)
Higher bandwidth (up to 100 Gbps)
Reduced data transfer costs
Private connectivity (not over internet)
Supports hybrid cloud architectures

Limitations:

No encryption by default (need VPN over DX)
Longer setup time (weeks to months)
Higher cost (port hours + data transfer)
Requires presence at Direct Connect location or partner

Did you get it right?

✓

Correct!

✗

Incorrect

Question 26

For maximum Direct Connect resilience, which architecture is recommended?

Single Direct Connect connection Two Direct Connect connections in the same location Two Direct Connect connections in different locations One Direct Connect with CloudFront

✓

Correct!

Maximum resilience requires two Direct Connect connections in different geographic locations. This protects against both connection failures and location-level failures (power, natural disasters, etc.).

✗

Incorrect

Consider what happens if an entire data center facility goes down.

Question 27

Which are valid use cases for CloudFront?

Static website acceleration Video streaming Real-time gaming connections Software distribution API acceleration

✓

Correct!

CloudFront is ideal for static websites, video streaming, software distribution, and API acceleration (caching GET requests). Real-time gaming needs Global Accelerator due to requirements for static IPs and non-cacheable TCP/UDP traffic.

✗

Incorrect

CloudFront excels at delivering cacheable content over HTTP/HTTPS.

Question 28

Route 53 Geolocation Routing and Geoproximity Routing are the same feature with different names.

True False

✓

Correct!

This is false. They work differently:

Geolocation — rule-based. You explicitly map locations to endpoints. User in Germany → Frankfurt endpoint.
Geoproximity — distance-based. Routes to the nearest resource automatically. Use bias values (+/-) to shift traffic boundaries between regions.

✗

Incorrect

This is false. They work differently:

Geolocation — rule-based. You explicitly map locations to endpoints. User in Germany → Frankfurt endpoint.
Geoproximity — distance-based. Routes to the nearest resource automatically. Use bias values (+/-) to shift traffic boundaries between regions.

One allows you to manually adjust traffic distribution.

Question 29

What is the purpose of AWS Cloud WAN?

A VPN service for remote workers A managed service for building global networks connecting cloud and on-premises A replacement for CloudFront A monitoring tool for network traffic

✓

Correct!

AWS Cloud WAN is a managed wide-area networking service that simplifies building, managing, and monitoring global networks connecting AWS and on-premises environments with centralized policy management.

✗

Incorrect

Think about managing complex multi-region, multi-site networks from one place.

Question 30

Which of the following security features does AWS Network Firewall provide?

Stateful packet inspection Intrusion prevention (IPS) Web filtering DDoS mitigation at network edge Domain filtering

✓

Correct!

AWS Network Firewall provides stateful inspection, IPS, web filtering, and domain filtering. While it helps with security, DDoS mitigation at scale is handled by AWS Shield, not Network Firewall.

✗

Incorrect

Network Firewall works at the VPC level, not at the global edge.

Question 31

Given this Route 53 health check configuration, how long until an endpoint is marked unhealthy?

Health Check Configuration:
- Check interval: 30 seconds
- Failure threshold: 3 consecutive failures
- Protocol: HTTPS

What will this code output?

30 seconds 60 seconds 90 seconds 120 seconds

✓

Correct!

With a 30-second interval and 3 consecutive failures required, the endpoint will be marked unhealthy after 90 seconds (30s × 3 = 90s).

✗

Incorrect

With a 30-second interval and 3 consecutive failures required, the endpoint will be marked unhealthy after 90 seconds (30s × 3 = 90s).

Multiply the interval by the number of failures needed.

Question 32

What is the difference between Dedicated and Hosted Direct Connect connections?

Dedicated Connection:

Physical Ethernet port dedicated to single customer
Speeds: 1 Gbps, 10 Gbps, 100 Gbps
Direct connection between customer router and AWS
Customer manages entire connection

Hosted Connection:

Provided through AWS Direct Connect Partner
Speeds: 50 Mbps to 10 Gbps
Partner manages physical connection
More flexible, easier to provision

Did you get it right?

✓

Correct!

✗

Incorrect

Question 33

Which Route 53 routing policy would be best for implementing a blue-green deployment with gradual traffic shift?

Simple Routing Failover Routing Weighted Routing Geolocation Routing

✓

Correct!

Weighted Routing is ideal for blue-green deployments and gradual traffic shifts. You can start with 90% blue/10% green, then gradually adjust weights to shift more traffic to green, enabling controlled rollouts and easy rollback.

✗

Incorrect

Think about which policy lets you control the percentage of traffic to each environment.

Question 34

CloudFront can only serve static content from S3 buckets.

True False

✓

Correct!

This is false. CloudFront can serve both static and dynamic content from multiple origin types including S3, ALB, EC2, and custom HTTP servers. It can cache dynamic content with low TTLs or pass through uncached requests.

✗

Incorrect

CloudFront is more versatile than just an S3 CDN.

Question 35

Which factors can be included in a CloudFront cache key?

URL path Query strings Request headers Client IP address Cookies

✓

Correct!

CloudFront cache keys can include: URL path, query strings, headers (selected), and cookies (selected). Client IP address is not part of the cache key but can be passed to origin via headers.

✗

Incorrect

Cache keys are based on request attributes that vary content.

Question 36

The first ____ CloudFront invalidations per month are free.

✓

Correct!

AWS provides the first 1,000 invalidation paths free per month per distribution. After that, you pay per invalidation path.

✗

Incorrect

AWS provides the first 1,000 invalidation paths free per month per distribution. After that, you pay per invalidation path.

It’s a four-digit number commonly used as a free tier limit.

Quiz Results

Score

0/0

Accuracy

Right

Wrong

Skipped

Last updated on March 15, 2026

Networking Fundamentals Compute Services