Back to AWS Certified SysOps Administrator - Associate (SOA-C02)

Networking and Content Delivery

Implement and manage networking features, connectivity, and content delivery (~18% of exam).

Covers implementing networking features including VPC components (subnets, route tables, internet gateways, NAT gateways), VPC peering, VPC endpoints (interface and gateway), AWS Transit Gateway, and AWS Direct Connect. Also covers DNS and content delivery using Amazon Route 53 (hosted zones, record types, routing policies, health checks), Amazon CloudFront (distributions, behaviors, caching, origin configurations), and AWS Global Accelerator. Covers hybrid connectivity including Site-to-Site VPN, Client VPN, and network troubleshooting using VPC Flow Logs, Reachability Analyzer, and Network Access Analyzer.
5 minutes 5 Questions

Networking and Content Delivery is a critical domain in the AWS Certified SysOps Administrator - Associate exam, focusing on how to configure, manage, and troubleshoot AWS networking services. **Amazon VPC (Virtual Private Cloud)** is the foundation of AWS networking. SysOps administrators must un…

Concepts covered: AWS PrivateLink, AWS Transit Gateway, Transit Gateway route tables, VPC route tables, AWS Client VPN, NAT instances, Amazon VPC fundamentals, VPC peering, VPC endpoints, VPC subnets, Public and private subnets, Internet gateways, NAT gateways, Gateway VPC endpoints, Interface VPC endpoints, AWS Direct Connect, Site-to-Site VPN, VPN CloudHub, Amazon Route 53 overview, Route 53 hosted zones, Route 53 record types, Route 53 routing policies, Simple routing policy, Weighted routing policy, Latency-based routing, Geolocation routing, Geoproximity routing, Route 53 alias records, Amazon CloudFront, CloudFront distributions, CloudFront origins, CloudFront cache behaviors, CloudFront invalidation, CloudFront signed URLs, CloudFront origin access control, AWS Global Accelerator, VPC Flow Logs analysis, VPC Reachability Analyzer, Network Access Analyzer, Network troubleshooting tools, DNS troubleshooting

Test mode:
Start practice test
SOA-C02 - Networking and Content Delivery Example Questions

Test your knowledge of Networking and Content Delivery

Question 1

A software company is expanding their AWS infrastructure and plans to connect their existing Production VPC (10.0.0.0/16) in us-east-1 to a newly created Analytics VPC (10.0.0.0/16) in the same Region. The Analytics team requires real-time data feeds from production databases. The network administrator initiates a VPC peering request from the Production VPC to the Analytics VPC. When attempting to complete the peering setup, the administrator notices that the peering connection cannot be established. IAM permissions have been verified, and both VPCs are in the same AWS account. What is preventing the VPC peering connection from being established?

Correct Answer: The VPCs have overlapping CIDR blocks, which is not allowed for VPC peering connections

The VPCs have overlapping CIDR blocks, which is not allowed for VPC peering connections.

In this scenario, both the Production VPC and the Analytics VPC are using the same CIDR block (10.0.0.0/16). This is a fundamental limitation of VPC peering - you cannot create a VPC peering connection between VPCs that have matching or overlapping IPv4 CIDR blocks.

When VPCs are peered, traffic is routed between them based on IP addresses. If both VPCs use the same CIDR range, the routing would be ambiguous and impossible to resolve, as the same IP address could exist in both VPCs. AWS prevents this configuration entirely by not allowing the peering connection to be established.

To resolve this issue, the company would need to either:
- Create a new Analytics VPC with a non-overlapping CIDR block (e.g., 10.1.0.0/16)
- Use a different connectivity solution that can handle overlapping CIDRs through NAT, such as AWS PrivateLink

The other options are incorrect:

  • DNS resolution settings are optional configuration settings that can be enabled after a peering connection is established. They do not prevent the initial establishment of the peering connection.

  • Transit Gateway is a separate networking service and is not required for VPC peering. VPC peering works independently and does not need any transit gateway attachment.

  • Availability Zone configurations have no bearing on VPC peering. VPCs can be peered regardless of which Availability Zones their subnets are configured to use.

Question 2

A SysOps Administrator at a software company is setting up an AWS Transit Gateway to connect four VPCs: Frontend (10.1.0.0/16), Backend (10.2.0.0/16), Database (10.3.0.0/16), and DevOps (10.4.0.0/16). The administrator creates the Transit Gateway and attaches all four VPCs. When testing connectivity, instances in the Frontend VPC cannot reach instances in the Backend VPC, even though both attachments show as Available. The administrator checks the Transit Gateway configuration and notices that only the default Transit Gateway route table exists with no route propagation enabled and no static routes configured. What should the administrator do first to establish connectivity between the VPCs through the Transit Gateway?

Correct Answer: Enable route propagation for all VPC attachments on the default Transit Gateway route table to populate the necessary routes

The correct answer is to enable route propagation for all VPC attachments on the default Transit Gateway route table.

When a Transit Gateway is created and VPCs are attached, the attachments being in 'Available' state only means the connection between the VPC and Transit Gateway is established. However, for traffic to flow between VPCs, the Transit Gateway route table must know how to route traffic to each VPC's CIDR block.

With route propagation disabled and no static routes configured, the Transit Gateway route table is essentially empty - it has no knowledge of where to send traffic destined for any of the VPC CIDR ranges (10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16, 10.4.0.0/16).

Enabling route propagation is the simplest and most efficient first step because:
1. It automatically populates the route table with routes to all attached VPC CIDRs
2. It requires minimal manual configuration
3. Routes are dynamically maintained as attachments change
4. It's the recommended approach for basic connectivity scenarios

Creating individual static routes would also work technically, but it's more manual effort and error-prone when route propagation can accomplish the same result automatically.

Creating separate route tables for each attachment and configuring peering between them is unnecessarily complex for this straightforward connectivity requirement. Transit Gateway route tables don't peer with each other in that manner.

Modifying Transit Gateway settings to enable automatic route table creation is not a valid configuration option that would solve the immediate routing issue. The automatic association settings apply during attachment creation, not retroactively.

Note: The administrator should also verify that the VPC subnet route tables have routes pointing to the Transit Gateway for the other VPC CIDRs.

Question 3

Which statement accurately describes the relationship between Transit Gateway route table associations and propagations?

Correct Answer: An attachment can be associated with only one route table but can propagate its routes to multiple route tables

An attachment can be associated with only one route table but can propagate its routes to multiple route tables. This is the correct statement about AWS Transit Gateway route table associations and propagations.

In AWS Transit Gateway:

Association: Each attachment (VPC, VPN, Direct Connect Gateway, or peering connection) can only be associated with ONE route table at a time. The association determines which route table is used to route traffic FROM that attachment.

Propagation: An attachment can propagate its routes to MULTIPLE route tables. Route propagation automatically adds routes to the route table(s) based on the attachment's CIDR blocks or learned routes.

This design allows for flexible routing scenarios. For example, a VPC attachment might be associated with one route table (determining how traffic from that VPC is routed) while propagating its routes to several other route tables (allowing other attachments to learn about and route traffic to that VPC).

The other answers are incorrect because:

  • Attachments cannot be associated with multiple route tables simultaneously - each attachment has exactly one association.

  • There is no requirement that an attachment must be associated with the same route table to which it propagates routes - these are independent configurations that serve different purposes.

  • The statement about propagating to only one route table while being associated with several is backwards - it's the opposite of how Transit Gateway actually works.

More Networking and Content Delivery questions
817 questions (total)
Start 100 question test