Networking and Content Delivery
Drill 20 practice questions focused entirely on Networking and Content Delivery for the AWS SOA-C03 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A CloudOps engineer manages a single Application Load Balancer that fronts three microservices running on separate Amazon ECS services. Requests to /api/orders must reach the orders service, /api/inventory must reach the inventory service, and all other requests must reach a default web frontend service. All three services are already registered in separate target groups. What is the correct way to configure the ALB to achieve this routing?
A company runs a stateful web application behind an Application Load Balancer (ALB) with a target group of six EC2 instances across three Availability Zones. To keep user sessions on the same backend, the team enabled duration-based cookie stickiness on the target group. After a marketing campaign, users report slow response times, and CloudWatch shows two instances consistently at high CPU while the other four remain nearly idle. What is the MOST likely cause of the uneven load and the BEST corrective action?
A company serves a website through Amazon CloudFront with an Application Load Balancer origin. Static assets under /static/* are cached correctly, but API responses under /api/* are being served stale and are also ignoring session-specific results because CloudFront caches responses regardless of the Authorization header and query strings. The default cache behavior uses a caching policy with a long TTL. A CloudOps engineer must ensure that /api/* requests always reach the origin with the Authorization header and all query strings forwarded, while keeping /static/* cached. What is the MOST appropriate solution?
A media company serves images through Amazon CloudFront with an Amazon S3 origin. The CloudOps team notices a low cache hit ratio and higher-than-expected S3 request costs. Investigation shows the application appends a unique tracking query string parameter (for example, ?userId=xxxx) to every image URL, though the parameter does not affect which image is returned. What is the MOST effective change to improve the cache hit ratio?
A CloudOps engineer manages a static website hosted in an S3 bucket and served through Amazon CloudFront with a default TTL of 86400 seconds. The web team just deployed updated HTML and CSS files to the S3 origin, but users continue to see the old versions of the pages when browsing the site. The team needs the updated files to be served to all users as quickly as possible without waiting for the TTL to expire. Which action should the engineer take?
A company serves a single-page web application from an Amazon S3 bucket through Amazon CloudFront. During brief origin outages and deployment windows, users see raw XML error responses returned directly from S3, which harms the user experience. The CloudOps team wants CloudFront to return a branded, friendly HTML error page whenever the origin responds with HTTP 500, 502, 503, or 504 errors, without changing the application code. Which action meets this requirement?
A media company distributes licensed video content through an Amazon CloudFront distribution backed by an S3 origin. Due to licensing agreements, the content must not be accessible from viewers located in three specific countries. The CloudOps engineer must enforce this restriction at the edge with minimal operational overhead and without modifying the origin. Which approach meets these requirements?
A company serves a static website from an Amazon S3 bucket through an Amazon CloudFront distribution. The bucket has Block Public Access enabled. After migrating from a legacy Origin Access Identity (OAI) to Origin Access Control (OAC), users report that all requests to the site return HTTP 403 Access Denied. The CloudFront origin is correctly configured to use OAC. What is the MOST likely cause that a CloudOps engineer should investigate first?
A media company serves web assets through Amazon CloudFront with a single Amazon S3 bucket as the origin. During a recent regional S3 disruption, users received 5xx errors because CloudFront could not reach the origin. The company has already replicated all assets to a second S3 bucket in another Region. A CloudOps engineer must configure CloudFront so that requests automatically fail over to the secondary bucket when the primary origin returns specific error responses, without changing the viewer-facing domain name. What should the engineer do?
A media company hosts premium video files in an Amazon S3 bucket served through Amazon CloudFront. The business requires that only authenticated, paying subscribers can access individual video files, and each access link must automatically expire 15 minutes after it is issued. The company wants to enforce this without exposing the S3 bucket publicly. Which approach meets these requirements?
A company has a Direct Connect connection between their on-premises data center and AWS. Applications on-premises need to access Amazon S3 buckets over the Direct Connect link without traversing the public internet, while also being able to reach EC2 instances in a private subnet of their VPC. Currently only a private VIF is configured, allowing access to the VPC. Which action should the CloudOps engineer take to enable on-premises access to S3 over Direct Connect while keeping traffic off the public internet?
A company connects its on-premises data center to a VPC using a single 1 Gbps Direct Connect dedicated connection through a private virtual interface (VIF) to a virtual private gateway. During a recent Direct Connect maintenance event, all connectivity between the data center and the VPC was lost, causing an application outage. The CloudOps team must add a resilient backup path that automatically carries traffic if the Direct Connect connection fails, while keeping ongoing costs as low as possible. Which solution meets these requirements?
A company is migrating an on-premises TCP-based payment processing application to AWS. Their downstream partners require whitelisting a small set of fixed IP addresses for inbound connections, and the backend fraud-detection service needs to see the original client source IP address for each request. The CloudOps engineer must expose the application through a load balancer that satisfies both requirements. Which solution meets these needs?
A company runs an internal application on EC2 instances across two VPCs (VPC-A and VPC-B) in the same AWS account. Developers need to reach the application in VPC-A using the custom domain name app.internal.example.com. A CloudOps engineer created a Route 53 private hosted zone for internal.example.com and associated it only with VPC-A. Instances in VPC-A resolve the name correctly, but instances in VPC-B receive an NXDOMAIN response when querying app.internal.example.com. What is the correct action to enable resolution from VPC-B?
A company runs an on-premises data center connected to an AWS VPC over AWS Direct Connect. Applications running on servers in the data center need to resolve the private DNS names of resources hosted in a Route 53 private hosted zone associated with the VPC. Currently, on-premises DNS queries for these private names fail because the on-premises DNS servers cannot forward queries to AWS. Which solution enables the on-premises servers to resolve the private hosted zone records?
A company runs applications in a VPC that must resolve DNS records hosted on their on-premises Active Directory DNS servers (domain corp.internal), which are reachable over an existing AWS Direct Connect connection. Currently, EC2 instances in the VPC can resolve public domains and internal AWS resources but fail to resolve any corp.internal hostnames. A CloudOps engineer must enable resolution of corp.internal names from the VPC with the least operational overhead. What should the engineer configure?
A company has 12 VPCs across two AWS Regions connected using a full mesh of VPC peering connections. As the number of VPCs grows, the networking team struggles to manage the increasing number of peering connections and route table entries. They need a solution that provides centralized, scalable connectivity between all VPCs (including transitive routing) and supports future growth with minimal operational overhead. Which solution should the team implement?
A CloudOps engineer has enabled IPv6 on a VPC. EC2 instances in a private subnet have IPv6 addresses and must initiate outbound connections to external APIs over IPv6 to download updates. For security, these external hosts must NOT be able to initiate inbound connections to the instances. The instances do not need IPv4 internet access. What should the engineer configure to meet these requirements?
A CloudOps engineer created a Gateway VPC endpoint for Amazon S3 so that EC2 instances in private subnets can reach S3 without traversing a NAT gateway. Route tables and security groups are correctly configured, and instances can list and download from any S3 bucket. However, the security team requires that traffic through this endpoint be allowed to reach ONLY two specific corporate buckets and be denied access to all other buckets, including buckets in other AWS accounts. What is the MOST appropriate way to enforce this restriction?
A CloudOps engineer is troubleshooting intermittent connection failures between an application server in a private subnet and an Amazon RDS database in another private subnet within the same VPC. The security groups appear correctly configured to allow the database port. The engineer needs to determine whether traffic is actually reaching the database subnet and identify exactly where packets are being dropped, including which rule set is rejecting them. Which action provides the most direct visibility into the accepted and rejected traffic at the network interface level?
More SOA-C03 practice
Keep going with the other AWS Certified CloudOps Engineer - Associate domains, or take a full timed mock exam.
← Back to SOA-C03 overview