Networking and Content Delivery
Drill 20 practice questions focused entirely on Networking and Content Delivery for the AWS SOA-C02 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A SysOps administrator manages a CloudFront distribution in front of an Application Load Balancer serving a product catalog application. The application returns different content based on a 'category' query string parameter, but users report they consistently see the same product list regardless of the category they select. CloudWatch shows a high cache hit ratio at CloudFront. What is the MOST likely cause and the correct remediation?
A media company serves static images through a CloudFront distribution backed by an S3 origin. Monitoring shows a low cache hit ratio and higher-than-expected origin request volume, driving up S3 GET costs. Investigating the origin responses, the SysOps administrator finds that S3 returns objects with a Cache-Control: max-age=60 header, and the distribution's cache behavior is configured to use origin cache headers with a Minimum TTL of 0, Maximum TTL of 60, and Default TTL of 0. The images rarely change. What is the MOST effective change to increase the cache hit ratio?
A company serves a single-page web application through a CloudFront distribution backed by an Application Load Balancer origin. During brief backend deployments, the origin returns HTTP 502 and 503 errors, and end users see raw CloudFront error XML. The team wants CloudFront to instead return a friendly maintenance HTML page for these errors and to stop hammering the origin with repeated requests during the outage window. Which configuration should the SysOps administrator implement?
A company runs a single CloudFront distribution for its website. Static assets (images, CSS, JS) are served from an Amazon S3 bucket, while dynamic API requests under the path '/api/*' must be forwarded to an Application Load Balancer. Currently all requests, including '/api/*', are being routed to the S3 origin, causing API calls to fail. Which configuration change correctly routes traffic to the appropriate origins?
A SysOps administrator configures a CloudFront distribution with a custom origin pointing to an Application Load Balancer that fronts a set of virtual-hosted websites on shared EC2 instances. The web servers use the incoming Host header to decide which site content to serve. After deployment, all requests through CloudFront return a generic default site instead of the intended site content, but requests made directly to the ALB DNS name return the correct pages. What is the MOST likely cause and fix?
A media company streams licensed video content through a CloudFront distribution backed by an S3 origin. Due to licensing agreements, the content must not be accessible to viewers located in a specific list of countries. The SysOps administrator must enforce this restriction with minimal operational overhead and without modifying the application. Which approach satisfies this requirement?
A media company serves static content through a CloudFront distribution. They need to add a lightweight, high-scale function that inspects and modifies HTTP request headers (adding a custom header for A/B testing) on every viewer request. The logic is simple string manipulation, requires sub-millisecond startup, and must run at the lowest possible cost with the highest request throughput. Which solution best meets these requirements?
A SysOps administrator serves static website assets from an Amazon S3 bucket through an Amazon CloudFront distribution. The security team requires that users can only reach the objects via the CloudFront distribution URL and must not be able to download objects directly using the S3 bucket URL. The bucket currently has Block Public Access enabled at the bucket level. What should the administrator configure to meet this requirement?
A SysOps administrator manages a CloudFront distribution that serves dynamic and static content from an Application Load Balancer origin located in us-east-1. The distribution has edge locations serving global traffic. During traffic spikes, the origin ALB experiences a high volume of requests for the same objects because many regional edge caches independently forward cache misses to the origin. The team wants to reduce the number of duplicate requests reaching the origin without changing the application. Which CloudFront feature should the administrator enable?
A media company streams paid video-on-demand content through a CloudFront distribution backed by an S3 origin. Subscribers watch multiple videos per session across many files with a common URL path prefix. The company needs to restrict access so only authenticated, paying subscribers can view the content, without generating a separate URL for every individual file the user requests. Which approach meets these requirements?
A company runs a hybrid architecture with a 1 Gbps AWS Direct Connect connection between their on-premises data center and a VPC. The Direct Connect link recently experienced a brief outage, and during that time all connectivity to AWS was lost, disrupting critical applications. The SysOps administrator must add a cost-effective backup path that automatically carries traffic if the Direct Connect connection fails, without requiring manual intervention. Which solution meets these requirements?
A SysOps administrator deploys web servers in a public subnet fronted by an internet-facing load balancer. Inbound HTTPS on port 443 works, but users report that responses time out intermittently. The subnet's network ACL has an inbound rule allowing TCP 443 from 0.0.0.0/0 and an outbound rule allowing only TCP 443 to 0.0.0.0/0. Security groups on the instances allow all necessary traffic. VPC Flow Logs show ACCEPT for inbound requests but REJECT for outbound packets. What is the most likely cause?
A SysOps administrator deploys EC2 instances in a private subnet that must download OS patches from the internet but must not accept any inbound connections initiated from the internet. The private subnet's route table currently only contains the local VPC route. The VPC already has an internet gateway attached, and there is a public subnet with a route to the internet gateway. Instances in the private subnet cannot reach the internet. What is the correct way to enable outbound-only internet access for these private instances?
A company hosts a public website on an Application Load Balancer (ALB). They own the domain example.com in a Route 53 public hosted zone and need requests to the zone apex (example.com, with no subdomain) to resolve directly to the ALB. When the SysOps administrator attempts to create a standard CNAME record for example.com pointing to the ALB's DNS name, Route 53 rejects the configuration. What should the administrator do to correctly route apex traffic to the ALB?
A media company must serve users in Germany from an EU-based origin to comply with data residency regulations, regardless of which endpoint offers the lowest network latency. Users everywhere else should be directed to the nearest of three regional endpoints for the best performance. Which Route 53 configuration meets both requirements?
A SysOps administrator manages a Route 53 public hosted zone for an internal API that runs on eight EC2 instances behind no load balancer (clients connect directly by DNS name). The team wants DNS to return multiple healthy instance IP addresses per query and to automatically stop returning the IP of any instance that fails a health check. The solution must not require provisioning a load balancer. Which Route 53 configuration meets these requirements?
A company runs an internal application in a VPC. Developers created a private hosted zone in Route 53 for the domain 'internal.example.com' and added an A record for 'api.internal.example.com' pointing to an internal ALB. EC2 instances in the VPC cannot resolve 'api.internal.example.com' and receive NXDOMAIN, even though the record exists. The VPC has DNS resolution and DNS hostnames enabled. What is the MOST likely cause?
A company connects its on-premises data center to an AWS VPC using a Site-to-Site VPN. On-premises servers need to resolve the private DNS names of resources hosted in a Route 53 private hosted zone associated with the VPC. Currently, on-premises DNS queries for these private names fail, while EC2 instances inside the VPC resolve the names correctly. What should the SysOps administrator implement to enable on-premises resolution of the private hosted zone records?
A SysOps administrator deploys an EC2 web server in a public subnet. The security group allows inbound TCP 443 from 0.0.0.0/0 but has NO outbound rules configured (all outbound rules were removed). The associated network ACL uses the default allow-all rules. Users report they cannot receive responses when connecting to the web server over HTTPS. What is the MOST likely cause and the correct fix?
A company runs 12 VPCs across a single AWS Region, all attached to a Transit Gateway. To reduce cost and management overhead, the networking team deployed a single 'egress' VPC containing a NAT gateway and an internet gateway, and they want all private subnets in the 12 spoke VPCs to reach the internet through this shared egress VPC. Instances in the spoke VPCs currently cannot reach the internet. The Transit Gateway attachments and association/propagation appear correct. Which additional configuration is required to make centralized internet egress work?
More SOA-C02 practice
Keep going with the other AWS Certified SysOps Administrator - Associate domains, or take a full timed mock exam.
← Back to SOA-C02 overview