Week2 Networking — SAA-C03 Mock Test

Mock Test — Week 2 Networking & Edge (15 questions)

  • Date: 2026-06-01
  • Topics: VPC, NAT, SG/NACL, VPC Endpoints, Peering, TGW, PrivateLink, VPN, Direct Connect, Route 53, CloudFront, Global Accelerator
  • Difficulty: exam-realistic
  • Suggested time: ~25 min

Q1.

EC2 instances in a private subnet must download OS patches from the internet. What is the simplest managed way to allow this without exposing them to inbound internet traffic?

  • A) Move them to a public subnet with an Elastic IP
  • B) Put a NAT Gateway in a public subnet and route 0.0.0.0/0 there
  • C) Attach an Internet Gateway directly to the private subnet
  • D) Create a VPN to an on-prem proxy

Q2.

A company has 20 VPCs across 4 accounts. They want full any-to-any connectivity with simple central management. Which is best?

  • A) VPC Peering mesh
  • B) Transit Gateway with attachments
  • C) Multiple VPN tunnels between VPCs
  • D) PrivateLink between every pair

Q3.

You must block a specific malicious IP 203.0.113.7 from reaching any instance in a subnet. Which AWS feature works?

  • A) Security Group inbound rule with Deny
  • B) NACL inbound Deny rule
  • C) Route table blackhole
  • D) IAM policy condition

Q4.

An application in a private subnet reads thousands of objects from S3. The company wants to avoid NAT data-processing charges while keeping S3 traffic off the public internet. What should you add?

  • A) Interface VPC endpoint for S3
  • B) Gateway VPC endpoint for S3
  • C) Site-to-Site VPN to S3
  • D) NAT Gateway redirect

Q5.

A SaaS provider wants to expose a service to many customer VPCs without IP overlap concerns or peering management. Which AWS feature is purpose-built for this?

  • A) VPC peering for each customer
  • B) Transit Gateway shared via RAM
  • C) AWS PrivateLink (VPC Endpoint Service)
  • D) Direct Connect

Q6.

A company needs a 10 Gbps, predictable latency, dedicated link from its data center to AWS. Setup time is acceptable. Which option fits?

  • A) Site-to-Site VPN with two tunnels
  • B) AWS Direct Connect
  • C) Software VPN over the public internet
  • D) Multiple VPN connections aggregated

Q7.

Direct Connect is being established but takes weeks. Until then, you need an immediate encrypted hybrid connection. Which is best?

  • A) Wait for DX; nothing else works
  • B) Stand up a Site-to-Site VPN as interim, replace with DX later
  • C) Use Snowball to ship data
  • D) PrivateLink to on-prem

Q8.

Compliance requires you to send EU users to the EU-region backend and US users to the US backend regardless of latency. Which Route 53 policy?

  • A) Latency-based routing
  • B) Weighted routing
  • C) Geolocation routing
  • D) Multi-value answer routing

Q9.

The apex record example.com must point to an Application Load Balancer. Which DNS record type should you use?

  • A) CNAME
  • B) Route 53 Alias A record
  • C) MX
  • D) TXT

Q10.

A real-time multiplayer mobile game uses UDP, must minimize latency for players on 4 continents, and partners need to whitelist 2 static IPs. Which solution fits?

  • A) CloudFront with custom origins
  • B) Route 53 latency-based routing to regional NLBs
  • C) AWS Global Accelerator with ALB/NLB endpoints in each region
  • D) API Gateway WebSocket

Q11.

You want to serve a static website from S3 to global users with HTTPS, low latency, and only the CloudFront distribution able to access the bucket. Which combo is correct?

  • A) S3 static website + Route 53 + Geo restriction
  • B) S3 + CloudFront + Origin Access Control (OAC) + ACM cert in us-east-1
  • C) S3 + CloudFront + bucket public-read ACL
  • D) S3 + Global Accelerator + ACM cert in any region

Q12.

Which statement about Security Groups vs Network ACLs is correct?

  • A) SGs are stateless; NACLs are stateful
  • B) SGs are evaluated by rule number; NACLs evaluate all rules
  • C) SGs allow only (no Deny); NACLs support Deny rules
  • D) SGs operate at the subnet level; NACLs operate at the ENI level

Q13.

A company wants a private connection from on-prem to S3 without going over the public internet. They already have a Direct Connect Private VIF. What is the simplest add-on?

  • A) S3 Gateway endpoint via DX Private VIF
  • B) Direct Connect Public VIF to reach S3 public endpoints over private link
  • C) S3 Transfer Acceleration
  • D) PrivateLink for S3 over the Private VIF

Q14.

For a TCP API that must fail over from us-east-1 to us-west-2 within a few seconds if the region becomes unhealthy, which is most appropriate?

  • A) Route 53 failover policy with a 60-second TTL
  • B) CloudFront with multi-origin failover
  • C) AWS Global Accelerator with endpoint groups in both regions
  • D) ALB with multi-region targets

Q15.

Which VPC endpoint type is free and used for S3 and DynamoDB?

  • A) Interface endpoint (PrivateLink)
  • B) Gateway endpoint
  • C) Gateway Load Balancer endpoint
  • D) NAT endpoint

Your answers

1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.

Answer Key & Explanations — don't peek!

Q1 — Correct: B

NAT Gateway in a public subnet is the managed, HA outbound-only solution. Putting instances in a public subnet (A) breaks the "no inbound exposure" requirement.

Q2 — Correct: B

Transit Gateway is the hub-and-spoke standard for many VPCs/accounts; RAM can share it. A full peering mesh of 20 VPCs is N×(N-1)/2 connections — unmanageable.

Q3 — Correct: B

Only NACLs support explicit Deny. SGs are allow-only.

Q4 — Correct: B

Gateway endpoint for S3 is free, keeps traffic on AWS backbone, and avoids NAT charges.

Q5 — Correct: C

PrivateLink with a VPC Endpoint Service backed by an NLB is the canonical SaaS-exposure pattern. Customers create Interface endpoints; no peering or IP overlap.

Q6 — Correct: B

Direct Connect provides dedicated, predictable latency at multi-Gbps. VPN is internet-based and limited to ~1.25 Gbps per tunnel.

Q7 — Correct: B

VPN is fast to set up and encrypted; standard hybrid pattern is "VPN now, DX later," or VPN as DX backup.

Q8 — Correct: C

Geolocation routes by user geography for compliance/residency. Latency optimizes performance but might not match the country requirement.

Q9 — Correct: B

CNAME is forbidden at the zone apex. Route 53 Alias records work at apex and target AWS resources for free.

Q10 — Correct: C

Global Accelerator supports UDP, gives 2 static anycast IPs (for whitelisting), routes over the AWS backbone, and fails over quickly. CloudFront doesn't do UDP.

Q11 — Correct: B

OAC locks the S3 bucket so only CloudFront can read; the ACM cert for CF must be in us-east-1. Public ACLs (C) violate security; GA (D) is not for static caching.

Q12 — Correct: C

SGs are allow-only; NACLs support both Allow and Deny. SGs are stateful and NACLs are stateless (so A is reversed). SGs apply at the ENI level and NACLs at the subnet level (so D is reversed).

Q13 — Correct: B

A Direct Connect Public VIF lets you reach AWS public services (S3, DynamoDB, etc.) over the private DX circuit. Gateway endpoints are for traffic from inside a VPC, not on-prem.

Q14 — Correct: C

Global Accelerator does health-check-driven failover within seconds; Route 53 is bounded by DNS TTL and resolver caching.

Q15 — Correct: B

Gateway endpoints are free and only available for S3 and DynamoDB. Interface endpoints cost hourly and per GB.