Edge and Hybrid Networking Quiz
Question 1
In the DNS resolution flow, what role does Route 53 play?
Route 53 acts as the Authoritative DNS Server that returns the final IP address for a domain. The DNS resolver (ISP), root servers, and TLD servers are all queried before reaching Route 53.
Route 53 provides the final answer in the DNS query chain.
Question 2
Which Route 53 routing policy does NOT support health checks?
Simple Routing does not support health checks — it returns a single configured value regardless of endpoint health. All other major policies support health checks: Failover Routing requires them (it needs to know when to switch to the backup), Latency-Based Routing uses them to avoid sending traffic to unhealthy endpoints, and Multivalue Answer Routing only returns healthy IPs.
One policy has no mechanism to react to endpoint failures at all.
Question 3
A Route 53 Alias record can be used at the zone apex (e.g., example.com) and there is no charge for Alias queries to AWS resources.
This is true. Alias records are a Route 53-specific feature that can be used at the zone apex (unlike CNAME records) and queries to AWS resources via Alias records are free.
Alias records are specifically designed for AWS resource integration.
Question 4
Route 53 Private Hosted Zones contain records for routing traffic within ____ and responses are only visible within associated resources.
Private Hosted Zones route traffic within VPCs (Virtual Private Clouds). Unlike public hosted zones that are accessible from the internet, private hosted zones only work within specified VPCs.
Think about AWS’s private network isolation construct.
Question 5
A Route 53 weighted routing policy has two records: Record A (203.0.113.5, weight 70) and Record B (203.0.113.10, weight 30). Out of 1000 total requests, approximately how many go to Record B?
Record B has weight 30 out of a total weight of 100 (70 + 30), so it receives 30% of traffic: 30% × 1000 = 300 requests. Record A receives the remaining 700. A common mistake is selecting 700 — that is what Record A gets.
Calculate the percentage: Record B weight / total weight × total requests.
Question 6
Arrange the DNS resolution steps in the correct order:
Arrange these steps (shown shuffled) from first to last:
- User types domain in browser
- Route 53
- DNS Resolver checks cache
- Query Root DNS Servers
- Query TLD DNS Servers
- User connects to IP address
The correct DNS resolution flow is: User request → Resolver cache check → Root servers → TLD servers → Authoritative DNS returns IP address (Route 53) → Connection to IP.
Question 7
What is the primary difference between CloudFront and Global Accelerator?
The key difference is that CloudFront is a CDN that caches content, while Global Accelerator provides network layer acceleration without caching. CloudFront is for HTTP/HTTPS, while Global Accelerator supports TCP/UDP and provides static anycast IPs.
Think about whether content is stored at edge locations or just routed through them.
Question 8
Which are valid CloudFront origin types?
Valid CloudFront origins include S3 buckets, ALB/NLB, EC2 instances, and custom HTTP servers. Lambda functions are not origins — Lambda@Edge runs code at CloudFront edge locations but is not an origin server. RDS databases cannot be origins; they require an application layer (EC2, Lambda) in front of them to serve HTTP responses.
Origins must be HTTP/HTTPS endpoints that serve content.
Question 9
Complete the AWS CLI command to invalidate all objects in a CloudFront distribution:
Fill in the missing parameter value
aws cloudfront create-invalidation \
  --distribution-id E1234567890 \
  --paths _____
To invalidate all objects, use --paths "/*". The wildcard /* matches all paths in the distribution. Note: The first 1,000 invalidations per month are free.
Question 10
What is Origin Access Control (OAC) in CloudFront?
Origin Access Control (OAC) is a CloudFront security feature that ensures only CloudFront can access an S3 bucket by using SigV4 signed requests, preventing users from bypassing CloudFront and accessing S3 directly.
It replaces the older OAI model (CloudFront-specific identity) and uses IAM-based policies for more secure and flexible access control.
User → CloudFront → (signed request) → S3
❌ direct user blocked
Question 11
CloudFront Regional Edge Caches are smaller than edge locations but improve cache hit ratio by serving as an intermediate layer.
This is false. Regional Edge Caches are larger than edge locations, not smaller. They serve as an intermediate caching layer between edge locations and the origin, improving cache hit ratio for less frequently accessed content.
Think about the caching hierarchy from smallest to largest.
Question 12
Which Global Accelerator feature makes it ideal for gaming applications compared to CloudFront?
Static anycast IP addresses are key for gaming applications. These IPs don’t change and are automatically routed to the nearest healthy endpoint, providing consistent, low-latency connections without DNS changes. CloudFront uses dynamic IPs and is designed for content delivery, not real-time applications.
Gaming clients need stable connection endpoints that don’t require DNS lookups.
Question 13
What are the key components of an AWS Site-to-Site VPN architecture?
Site-to-Site VPN requires: Customer Gateway device (physical on-premises router/firewall), Customer Gateway (AWS resource representing that device), VGW or TGW (AWS VPN endpoint), and IPsec tunnels (encrypted connections). Direct Connect Gateway is used with Direct Connect, not VPN. A dedicated fiber connection is how Direct Connect works — VPN runs over the regular internet using IPsec encryption.
Think about what’s needed to establish an encrypted tunnel between on-premises and AWS over the internet.
Question 14
A Site-to-Site VPN connection has two tunnels. What is the maximum throughput achievable?
VPN Connection:
├─ Tunnel 1: 1.25 Gbps max
├─ Tunnel 2: 1.25 Gbps max
└─ Protocol: IPsec
Each VPN tunnel supports up to 1.25 Gbps. While two tunnels exist for redundancy, they don’t aggregate bandwidth in standard configuration. The throughput is limited to 1.25 Gbps per tunnel, making this the practical maximum.
VPN tunnels are for redundancy, not load balancing in standard setup.
Question 15
In a Site-to-Site VPN with dynamic routing, ____ is used to automatically exchange routes between AWS and on-premises networks.
BGP (Border Gateway Protocol) enables dynamic routing, automatically exchanging routes between AWS and on-premises. This eliminates manual route configuration and enables automatic failover.
It’s a standard routing protocol with a three-letter acronym.
Question 16
What is the difference between Virtual Private Gateway (VGW) and Transit Gateway (TGW) for VPN connectivity?
Virtual Private Gateway (VGW):
- VPN concentrator on AWS side
- One VGW per VPC
- Use for single VPC connectivity
Transit Gateway (TGW):
- Centralized VPN hub
- Connect VPN to multiple VPCs
- Recommended for complex architectures
- Simplifies network topology
Question 17
A developer works remotely and needs secure access to EC2 instances in a private VPC subnet from their home laptop. Which AWS service should they use?
AWS Client VPN is a managed client-based VPN for individual remote users (laptops, mobile devices) to securely access AWS and on-premises resources. Site-to-Site VPN connects entire networks (e.g., an office to AWS), not individual users. Direct Connect requires dedicated physical infrastructure provisioned weeks in advance. VPC Peering connects VPCs to each other — home networks are not VPCs.
Think about individual users vs. entire networks connecting.
Question 18
Which authentication methods does AWS Client VPN support?
Client VPN supports: Active Directory, SAML-based IdP (like Okta), and certificate-based authentication. It does not use IAM users for VPN authentication. Basic username/password authentication is not a supported method — Client VPN requires one of the three enterprise-grade mechanisms above.
Think about enterprise authentication systems and PKI.
Question 19
AWS Direct Connect provides encrypted connectivity by default.
This is false. Direct Connect provides a private connection but does not encrypt traffic by default. For encryption, you must run a VPN connection over Direct Connect (VPN over DX).
Private doesn’t mean encrypted.
Question 20
Arrange the Direct Connect architecture components from on-premises to AWS:
Arrange these components (shown shuffled) from the customer side to the AWS side:
- Corporate Network
- Direct Connect Router (AWS equipment)
- Customer Router at DX Location
- VPC Resources
- Virtual Interface (VIF)
The connection path is: Corporate Network → Customer Router (at DX location) → AWS Direct Connect Router → Virtual Interface → VPC Resources.
Question 21
A company has one Direct Connect physical connection. They need to access both private EC2 instances in a VPC and public AWS services like S3 over the same link. What enables this?
Virtual Interfaces (VIFs) are logical connections running over a single physical Direct Connect link, using VLAN tagging to separate traffic. A Private VIF accesses VPC resources via private IPs; a Public VIF accesses AWS public services (S3, DynamoDB) without going through the internet. Multiple VIFs can share one physical connection. A second physical connection is not required. Transit Gateway routes between VPCs, not between VPC and public AWS services. VPC Gateway Endpoints work at the VPC network level independently of Direct Connect.
One physical connection can carry logically separate traffic streams.
Question 22
Which statements about Direct Connect Virtual Interfaces are correct?
Private VIF uses private IPs for VPC access, Public VIF accesses public AWS services (S3, DynamoDB) without internet, Transit VIF connects to TGW, and multiple VIFs can share one physical connection. Public VIF does NOT require an IGW — it accesses AWS public endpoints directly over the Direct Connect link. Private VIF cannot access public AWS services directly — that requires a Public VIF.
VIFs are logical constructs that multiplex over the physical connection, each with a specific purpose.
Question 23
Complete the Direct Connect high availability strategy:
Fill in the recommended backup connectivity method
On-Premises ─┬─ Direct Connect (Primary) ──┬─ AWS
             └──────── (Backup) ────────────┘
The most cost-effective redundancy strategy is combining Direct Connect (primary) with Site-to-Site VPN (backup). This provides automatic failover while managing costs better than dual Direct Connect.
Question 24
Direct Connect dedicated connections support speeds of 1 Gbps, 10 Gbps, and ____ Gbps.
Direct Connect dedicated connections are available in 1 Gbps, 10 Gbps, and 100 Gbps configurations. Hosted connections (through partners) support 50 Mbps to 10 Gbps.
It’s the highest speed tier available.
Question 25
What are the benefits and limitations of AWS Direct Connect?
Benefits:
- Consistent network performance (low latency, low jitter)
- Higher bandwidth (up to 100 Gbps)
- Reduced data transfer costs
- Private connectivity (not over internet)
- Supports hybrid cloud architectures
Limitations:
- No encryption by default (need VPN over DX)
- Longer setup time (weeks to months)
- Higher cost (port hours + data transfer)
- Requires presence at Direct Connect location or partner
Question 26
For maximum Direct Connect resilience, which architecture is recommended?
Maximum resilience requires two Direct Connect connections in different geographic locations. Using the same location — even with different providers — still exposes you to a single point of failure: a power outage, fire, or physical access issue at that facility affects both connections. CloudFront is a CDN, not a Direct Connect failover mechanism.
Consider what happens if an entire data center facility goes down, regardless of how many providers are in it.
Question 27
Which are valid use cases for CloudFront?
CloudFront is ideal for static websites, video streaming, software distribution, and API acceleration (caching GET requests). Real-time gaming needs Global Accelerator due to requirements for static IPs and non-cacheable TCP/UDP traffic. VoIP and real-time audio/video also require Global Accelerator — CloudFront’s HTTP/HTTPS caching layer adds latency and doesn’t support the UDP protocols these applications depend on.
CloudFront excels at delivering cacheable content over HTTP/HTTPS.
Question 28
Route 53 Geolocation Routing and Geoproximity Routing are the same feature with different names.
This is false. They work differently:
- Geolocation — rule-based. You explicitly map locations to endpoints. User in Germany → Frankfurt endpoint.
- Geoproximity — distance-based. Routes to the nearest resource automatically. Use bias values (+/-) to shift traffic boundaries between regions.
One allows you to manually adjust traffic distribution.
Question 29
A multinational company operates VPCs in 6 AWS regions, 4 on-premises data centers, and 3 partner SD-WAN networks. They want centralized, policy-based management of all connectivity from a single dashboard. Which service is designed for this?
AWS Cloud WAN is a managed wide-area networking service for building, managing, and monitoring global networks with centralized policy across multiple AWS regions, on-premises, and SD-WAN. Per-region Transit Gateways require manual peering and lack a unified policy framework. Direct Connect and Site-to-Site VPN are point-to-point connectivity options — they don’t provide global topology management.
Think about managing complex multi-region, multi-site networks from one place.
Question 30
Which of the following security features does AWS Network Firewall provide?
AWS Network Firewall provides stateful inspection, IPS, web filtering, and domain filtering. DDoS mitigation at scale is handled by AWS Shield, not Network Firewall — Network Firewall operates at the VPC level and is not designed for volumetric DDoS absorption. TLS/SSL certificate management is handled by AWS Certificate Manager (ACM), not Network Firewall.
Network Firewall works at the VPC level on traffic content and patterns — not at the global edge or certificate layer.
Question 31
A Route 53 health check is configured with a 30-second check interval and a failure threshold of 3 consecutive failures. An endpoint goes down. How long until Route 53 marks it unhealthy and begins routing traffic away?
With a 30-second interval and 3 consecutive failures required, the endpoint is marked unhealthy after 90 seconds (30s × 3 = 90s). This lag matters for SLA planning — DNS-based failover is not instantaneous. Reducing to a 10-second fast health check with 3 failures cuts this to 30 seconds, but at higher cost.
Multiply the check interval by the number of consecutive failures needed.
Question 32
What is the difference between Dedicated and Hosted Direct Connect connections?
Dedicated Connection:
- Physical Ethernet port dedicated to single customer
- Speeds: 1 Gbps, 10 Gbps, 100 Gbps
- Direct connection between customer router and AWS
- Customer manages entire connection
Hosted Connection:
- Provided through AWS Direct Connect Partner
- Speeds: 50 Mbps to 10 Gbps
- Partner manages physical connection
- More flexible, easier to provision
Question 33
Which Route 53 routing policy would be best for implementing a blue-green deployment with gradual traffic shift?
Weighted Routing is ideal for blue-green deployments. Start with 90% blue / 10% green, then gradually adjust the weights to shift more traffic as confidence grows, enabling controlled rollouts and easy rollback. Latency-Based Routing optimizes for the fastest endpoint but cannot control traffic percentages — it doesn’t let you say “send exactly 10% to green.” Failover Routing switches all traffic when the primary fails — not a gradual shift. Geolocation Routing locks users to endpoints by geography.
Think about which policy lets you precisely control the percentage of traffic to each environment.
Question 34
CloudFront can only serve static content from S3 buckets.
This is false. CloudFront can serve both static and dynamic content from multiple origin types including S3, ALB, EC2, and custom HTTP servers. It can cache dynamic content with low TTLs or pass through uncached requests.
CloudFront is more versatile than just an S3 CDN.
Question 35
Which factors can be included in a CloudFront cache key?
CloudFront cache keys can include: URL path, query strings, headers (selected), and cookies (selected). Client IP address is not part of the cache key — it can be forwarded to the origin via headers, but using it as a cache key would prevent sharing cached responses between users. Request body (POST) is not cacheable in CloudFront — POST requests bypass the cache entirely.
Cache keys are based on request attributes that determine what a unique cacheable object looks like.
Question 36
The first ____ CloudFront invalidations per month are free.
AWS provides the first 1,000 invalidation paths free per month per distribution. After that, you pay per invalidation path.
It’s a four-digit number commonly used as a free tier limit.
Question 37
A startup must connect their on-premises office to a VPC within 48 hours. They need encrypted connectivity and can tolerate up to 1 Gbps throughput. Which hybrid connectivity solution fits best?
AWS Site-to-Site VPN provisions in hours, encrypts traffic with IPsec by default, and supports up to 1.25 Gbps per tunnel — all requirements met. Direct Connect takes weeks to months to provision a dedicated physical circuit; impossible in 48 hours. Client VPN connects individual remote users, not entire office networks. Transit Gateway is a network routing hub — it works with VPN or Direct Connect but does not itself establish connectivity between on-premises and AWS.
Think about which option can be provisioned in hours vs. weeks.
Question 38
A CNAME record can be created at the zone apex (e.g., example.com) to point to another domain name.
This is false. The DNS specification prohibits CNAME records at the zone apex because the apex must also have SOA and NS records, and a CNAME cannot coexist with any other record type on the same name. A common mistake is trying to create example.com → CNAME → my-alb.elb.amazonaws.com. The fix is to use a Route 53 Alias record, which behaves like a CNAME, works at the zone apex, and is free for queries to AWS resources. CNAMEs work fine on subdomains like www.example.com.
CNAME has a DNS spec restriction at the apex — Route 53 offers a proprietary alternative.
Question 39
A company monitors three separate Route 53 health checks — one each for their web tier, app tier, and database tier. They want Route 53 to mark the application as healthy only when ALL three checks pass. Which Route 53 health check type enables this?
Calculated health checks combine multiple existing Route 53 health checks using AND, OR, or NOT logic. AND logic requires all child checks to pass before the parent is healthy. Endpoint health checks each monitor a single endpoint — they have no mechanism to aggregate other checks. CloudWatch Alarm health checks monitor the state of a CloudWatch alarm metric, not a collection of Route 53 checks. Failover health check is not a Route 53 health check type — Failover Routing Policy uses health checks to switch endpoints but does not combine multiple checks into one.
Route 53 has a health check type specifically designed to aggregate other checks with boolean logic.
Question 40
A video streaming platform wants to restrict its entire content library (thousands of videos) to paid subscribers only. Once a subscriber authenticates, they should be able to stream any video without per-file restrictions. Which CloudFront access control mechanism is correct?
✓
Correct!
Signed Cookies are designed for exactly this scenario: the user authenticates once and receives a cookie that grants access to multiple files for the session — no per-video URL generation needed. Signed URLs are ideal for single-file access (e.g., sharing a download link to one document), but generating thousands of them per subscriber session is impractical. OAC controls whether S3 allows CloudFront to fetch content at all — it does not differentiate between authenticated and unauthenticated users at the CloudFront layer. Geo-restriction controls access by country, not by subscription status.
One mechanism works per-file; the other works for the entire session.
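As an added example (not code from the quiz page or from AWS), the block below mints CloudFront signed cookies for a whole path, mints a signed URL for one file with the same policy format, and performs the check the edge does on a request: verify the RSA signature over the policy, then enforce the policy's expiry and Resource pattern. The distribution domain, key-pair ID and RSA key are constructed for the demo; in production the private key is the one whose public key is registered in the distribution's trusted key group. It needs the `cryptography` package.

```python
"""Added example (not code from the quiz page or from AWS): CloudFront signed
cookies for a whole path versus a signed URL for one file, plus the check the
edge performs. Domain, key-pair ID and key are constructed for the demo."""
from __future__ import annotations

import base64
import json
from fnmatch import fnmatchcase

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def demo_key():
    """Throwaway RSA key for the demo; never generate signing keys per request in real code."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def cf_b64(data: bytes) -> str:
    """CloudFront's base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode().replace("+", "-").replace("=", "_").replace("/", "~")


def cf_unb64(text: str) -> bytes:
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))


def custom_policy(resource: str, expires_epoch: int) -> str:
    """Custom policy: Resource may contain '*' wildcards, which is what lets one
    cookie cover thousands of files. Serialized without whitespace."""
    statement = {"Resource": resource,
                 "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}}}
    return json.dumps({"Statement": [statement]}, separators=(",", ":"))


def sign_policy(policy: str, private_key) -> str:
    # CloudFront verifies an RSA PKCS#1 v1.5 signature over SHA-1 of the policy text.
    return cf_b64(private_key.sign(policy.encode(), padding.PKCS1v15(), hashes.SHA1()))


def signed_cookies(resource_pattern: str, expires_epoch: int, key_pair_id: str, private_key) -> dict:
    """The three cookies the application sets once per session after the subscriber logs in."""
    policy = custom_policy(resource_pattern, expires_epoch)
    return {"CloudFront-Policy": cf_b64(policy.encode()),
            "CloudFront-Signature": sign_policy(policy, private_key),
            "CloudFront-Key-Pair-Id": key_pair_id}


def signed_url(url: str, expires_epoch: int, key_pair_id: str, private_key) -> str:
    """Per-file alternative: the same policy and signature carried as query parameters."""
    policy = custom_policy(url, expires_epoch)
    sep = "&" if "?" in url else "?"
    return (f"{url}{sep}Policy={cf_b64(policy.encode())}"
            f"&Signature={sign_policy(policy, private_key)}&Key-Pair-Id={key_pair_id}")


def edge_check(cookies: dict, requested_url: str, public_key, now_epoch: int) -> bool:
    """What the edge does (simplified): verify the signature first, then enforce the
    policy's expiry and Resource pattern against the requested URL."""
    policy_raw = cf_unb64(cookies["CloudFront-Policy"])
    try:
        public_key.verify(cf_unb64(cookies["CloudFront-Signature"]), policy_raw,
                          padding.PKCS1v15(), hashes.SHA1())
    except InvalidSignature:
        return False
    statement = json.loads(policy_raw)["Statement"][0]
    if now_epoch >= statement["Condition"]["DateLessThan"]["AWS:EpochTime"]:
        return False
    return fnmatchcase(requested_url, statement["Resource"])


if __name__ == "__main__":
    key = demo_key()
    now = 1_700_000_000
    cdn = "https://d111111abcdef8.cloudfront.net"   # placeholder distribution domain
    cookies = signed_cookies(f"{cdn}/videos/*", now + 3600, "KEXAMPLEKEYID", key)
    print(edge_check(cookies, f"{cdn}/videos/s01e01/1080p.m3u8", key.public_key(), now))
    print(edge_check(cookies, f"{cdn}/admin/revenue.csv", key.public_key(), now))
    print(signed_url(f"{cdn}/docs/contract.pdf", now + 600, "KEXAMPLEKEYID", key))
```

Two things worth noticing from the check: a viewer who rewrites the CloudFront-Policy cookie to widen the Resource pattern breaks the signature and is rejected, and the wildcard is matched against the full URL, so the pattern should be as narrow as the content set allows (a bare `https://d111111abcdef8.cloudfront.net/*` would also cover anything else the distribution serves).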
Question 41
A team needs Route 53 to return multiple IP addresses in a single DNS response and automatically exclude unhealthy endpoints from those responses. Which routing policy meets both requirements?
✓
Correct!
Multivalue Answer Routing returns up to 8 records per response and supports health checks — unhealthy endpoints are automatically excluded. The client receives multiple healthy IPs and can load balance or retry among them. Simple Routing can store multiple values but does not support health checks — it returns all configured IPs regardless of endpoint health, including ones that are down. Weighted Routing assigns traffic percentages to separate records and returns one IP per query, not multiple. Latency-Based Routing selects the single lowest-latency endpoint per query; it does not return a set of IPs.
The key distinction from Simple Routing is built-in health check support.
Question 42
AWS Client VPN is built on the ____ open-source VPN protocol, for which users must install a compatible client.
✓
Correct!
Client VPN is a managed OpenVPN-based service. Users connect with an OpenVPN-compatible client (the AWS-provided client, OpenVPN Connect, Tunnelblick on macOS, and others) using the .ovpn configuration file downloaded from the endpoint. Certificate-based mutual authentication works with any standards-compliant OpenVPN client, and Active Directory authentication works through the client's username and password prompt; federated (SAML) authentication is also supported, but it requires the AWS-provided client because the login has to go through the IdP's page in a browser.
It’s a popular open-source VPN protocol, also the name of the company behind it.
Question 43
An application uses Route 53 Failover Routing with a 60-second TTL. The team claims switching to AWS Global Accelerator would enable sub-second failover. Are they correct, and why?
✓
Correct!
The team is right that Global Accelerator removes the DNS-propagation component of failover. With Route 53 Failover routing and a 60-second TTL, a switch becomes visible only after Route 53's health check has declared the primary unhealthy (check interval times failure threshold) and then each resolver's cached record expires, which can take the full 60 seconds and longer where resolvers or clients ignore the TTL. Global Accelerator fronts the application with two static anycast IPs, so no DNS record ever changes; its own health checks trigger rerouting inside the AWS network, and client connections shift to a healthy endpoint within seconds of detection without waiting for any cache to expire. Health checks are still required: GA does not eliminate detection time, it removes the cache-expiry delay that follows it. That makes GA the better fit for applications whose availability SLA cannot absorb DNS-based failover delays.
The key difference is whether failover waits for DNS caches to expire.
Question 44
Which CloudFront features specifically control who can access your content or restrict content access by identity or location?
✓
Correct!
Signed URLs grant time-limited access to individual files. OAC ensures only CloudFront can fetch from the S3 origin: the bucket policy allows s3:GetObject for the cloudfront.amazonaws.com service principal only when the AWS:SourceArn condition matches your distribution, so requests that bypass CloudFront are denied. Signed cookies grant session-based access to multiple files for authenticated users. Geo-restriction blocks or allows delivery based on the viewer's country. Regional edge caches are an intermediate caching layer for performance and play no access control role. Minimum TLS version sets the protocol floor for viewer connections; it secures the connection but does not decide who may fetch content.
Focus on features that gate access based on identity or geography, not on encryption or performance.
Question 45
A company configures Route 53 Geolocation Routing with explicit records for North America and Europe only. A user from Southeast Asia queries the domain. What does Route 53 return?
✓
Correct!
Geolocation routing is an explicit mapping, not proximity-based. Route 53 looks for the most specific record matching the location of the query (the resolver's IP, or the client subnet when the resolver sends EDNS Client Subnet): a US state, then a country, then a continent, then the default record. If none matches and there is no default record, Route 53 returns a "no answer" response and the domain is effectively unreachable for that user. Routing to the nearest configured location is how Geoproximity routing works, not Geolocation, and there is no automatic fallback to Simple routing. The best practice is to always configure a default (*) record in Geolocation routing to catch locations without an explicit rule, which prevents unexpected outages for unmatched regions.
Geolocation requires an explicit match — there is no automatic nearest-neighbor fallback.
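The block below is an added example (not Route 53 code) that models the two answer-selection rules from Question 41 and Question 45: Multivalue Answer returning up to eight healthy records at random, and Geolocation picking the most specific matching record, with the no-default failure mode surfacing as an empty answer. Record values, locations and health states are constructed; the addresses come from the 203.0.113.0/24 documentation range.

```python
"""Added example (not Route 53 code): a small model of how Route 53 selects
answers for Multivalue Answer records (Question 41) and Geolocation records
(Question 45). Record values and locations are constructed."""
from __future__ import annotations

import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class Record:
    value: str
    healthy: bool = True            # status of the attached health check (no check: healthy)
    location: Optional[str] = None  # geolocation key: "*" default, continent, country or US state


def multivalue_answer(records: list[Record], seed: Optional[int] = None) -> list[Record]:
    """Multivalue Answer: up to eight healthy records per response, picked at random.
    When every record is unhealthy, Route 53 answers as if all were healthy rather
    than returning nothing, so the client still gets something to try."""
    pool = [r for r in records if r.healthy] or list(records)
    return random.Random(seed).sample(pool, min(8, len(pool)))


def geolocation_answer(records: list[Record], continent: str, country: str,
                       state: Optional[str] = None) -> Optional[list[Record]]:
    """Geolocation: the most specific match wins (US state, then country, then continent,
    then the '*' default). A level whose records are all unhealthy is skipped for the
    next larger one; if every matching level is unhealthy the most specific one is
    returned anyway. No match and no default is Route 53's 'no answer' response,
    modelled here as None. Route 53 locates the query by the resolver's IP unless the
    resolver sends EDNS Client Subnet (try dig +subnet=... against the zone's name servers)."""
    first_matched: Optional[list[Record]] = None
    for level in (state, country, continent, "*"):
        if level is None:
            continue
        candidates = [r for r in records if r.location == level]
        healthy = [r for r in candidates if r.healthy]
        if healthy:
            return healthy
        if candidates and first_matched is None:
            first_matched = candidates
    return first_matched


if __name__ == "__main__":
    # 12 constructed records, every fourth one failing its health check
    ips = [Record(f"203.0.113.{i}", healthy=(i % 4 != 0)) for i in range(1, 13)]
    print([r.value for r in multivalue_answer(ips, seed=42)])
    geo = [Record("na.example.com", location="NA"), Record("eu.example.com", location="EU")]
    print(geolocation_answer(geo, continent="AS", country="SG"))   # None: no default record
    geo.append(Record("anycast.example.com", location="*"))
    print(geolocation_answer(geo, continent="AS", country="SG")[0].value)
```

The Southeast Asia case from the question is the `None` result: the fix is the `*` record, not a nearby continent record, and the same model shows why a healthy continent record is still needed behind country records that carry health checks.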