🌐 Amazon Virtual Private Cloud (VPC) - SOA-C03 Practice Questions

Practice VPC operations, subnet routing, NAT gateways, security groups, NACLs, VPC endpoints, flow logs, peering, and troubleshooting connectivity.

67 Questions Available
3 Exam Domains


SOA-C03 VPC Question Bank (67 Questions)

Browse all 67 practice questions covering Amazon Virtual Private Cloud (VPC) for the SOA-C03 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 (Networking & Content Delivery)

    A SysOps Administrator suspects that an EC2 instance cannot reach an RDS database in another subnet. The administrator wants to verify whether the VPC configuration (route tables, security groups, NACLs) permits the connection without sending actual traffic. Which AWS tool performs this analysis?

    A. VPC Flow Logs analyzed with CloudWatch Logs Insights.
    B. VPC Reachability Analyzer, which analyzes the network path between a source and destination and identifies configuration issues without sending packets.
    C. AWS Network Access Analyzer, which identifies unintended network access.
    D. Traceroute from the EC2 instance to the RDS endpoint.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SOA-C03 Quiz
  2. Question 2 (Deployment, Provisioning & Automation)

    A SysOps administrator manages a large CloudFormation template that has grown to 400 resources. The team wants to break common patterns (VPC subnets, security groups, NAT gateways) into reusable building blocks that can be shared across templates without nesting stacks. Which CloudFormation feature achieves this?

    A. CloudFormation StackSets
    B. CloudFormation modules
    C. CloudFormation macros
    D. CloudFormation nested stacks with cross-stack references

  3. Question 3 (Deployment, Provisioning & Automation)

    A SysOps administrator needs to deploy identical infrastructure (VPC, subnets, security groups, and NAT gateways) to 12 AWS accounts across 3 Regions using CloudFormation. The deployment must be automated and controlled from a central account. Which approach should the administrator use?

    A. Write a script that assumes a role in each account and runs `create-stack` for each Region
    B. Use CloudFormation StackSets with service-managed permissions deployed from the Organizations management account
    C. Share the CloudFormation template via S3 and have each account deploy it manually
    D. Use AWS CodePipeline with a deploy action for each account and Region combination

  4. Question 4 (Networking & Content Delivery)

    A SysOps Administrator needs to provide private connectivity from a VPC to Amazon SQS without using a NAT Gateway or internet gateway. The administrator is concerned about the cost implications. Which statement about using AWS PrivateLink (Interface VPC Endpoints) for SQS is correct?

    A. Interface VPC endpoints are priced per hour per AZ in which the endpoint is provisioned and per GB of data processed. This is typically more expensive than using a NAT Gateway for low-throughput workloads but provides better security.
    B. Interface VPC endpoints for SQS are free, like S3 Gateway endpoints.
    C. Interface VPC endpoints charge only per request, not per hour.
    D. Using an interface endpoint eliminates all data transfer charges between the VPC and SQS.

  5. Question 5 (Networking & Content Delivery)

    A SysOps Administrator needs to allow EC2 instances in a private subnet to access Amazon S3 without traversing the internet or a NAT gateway. The instances should also access DynamoDB privately. Which type of VPC endpoint should be created for S3 and DynamoDB?

    A. Create VPC interface endpoints (powered by AWS PrivateLink) for both S3 and DynamoDB.
    B. Create VPC gateway endpoints for both S3 and DynamoDB. Gateway endpoints are free and add a route to the VPC route table.
    C. Create a VPC gateway endpoint for S3 and an interface endpoint for DynamoDB.
    D. No endpoint is needed; private-subnet instances automatically use AWS's internal network for S3 and DynamoDB.

  6. Question 6 (Networking & Content Delivery)

    A company runs an application that accesses Amazon S3 frequently from instances in a private subnet. The operations team wants to reduce data transfer costs and avoid routing S3 traffic through a NAT gateway. The traffic does not require private IP-based access to S3. Which VPC endpoint type should the administrator create?

    A. An interface VPC endpoint for S3
    B. A gateway VPC endpoint for S3
    C. A gateway load balancer endpoint for S3
    D. An AWS PrivateLink connection to S3

  7. Question 7 (Networking & Content Delivery)

    A SysOps administrator needs to analyze VPC Flow Logs to identify the top source IP addresses generating rejected traffic to a database subnet over the past week. The flow logs are stored in S3. Which approach is MOST cost-effective?

    A. Load flow logs into Amazon OpenSearch Service and use Kibana dashboards
    B. Query the flow logs in S3 directly using Amazon Athena with a SQL query filtering for `REJECT` actions
    C. Stream flow logs to CloudWatch Logs and use Logs Insights queries
    D. Import flow logs into Amazon Redshift for analysis

  8. Question 8 (Security & Compliance)

    A SysOps Administrator needs to restrict inbound traffic to a private subnet containing an RDS instance. The subnet uses both a network ACL (NACL) and security groups. A developer reports that after allowing inbound traffic on port 3306 in the security group, the RDS instance is still unreachable from an application in another subnet. What is the MOST likely cause?

    A. The NACL on the RDS subnet is denying inbound traffic on port 3306 or denying outbound traffic on the ephemeral port range, because NACLs are stateless and require explicit rules for both directions.
    B. The security group is misconfigured and does not have the correct source CIDR.
    C. RDS does not support security groups; only NACLs can be used.
    D. The RDS instance is in a public subnet and needs an internet gateway.

  9. Question 9 (Deployment, Provisioning & Automation)

    A company manages 15 AWS accounts under AWS Organizations. The operations team needs to deploy a standardized VPC with specific CIDR ranges, subnets, and route tables to all accounts in the "Production" OU. Which approach requires the LEAST operational overhead?

    A. Create a CloudFormation StackSet targeting the Production OU with automatic deployment enabled, using a service-managed permission model
    B. Write a script that assumes a role in each account and runs `aws cloudformation create-stack` in a loop
    C. Use AWS Service Catalog to create a VPC product and share the portfolio with the Production OU accounts
    D. Deploy the VPC in the management account and use AWS Resource Access Manager (RAM) to share subnets with member accounts

  10. Question 10 (Security & Compliance)

    A company wants to share a private subnet in a networking account's VPC with three application accounts using AWS Resource Access Manager (RAM). The application accounts should be able to launch resources in the shared subnet but should NOT be able to modify the subnet's route table or network ACL. Which statement about RAM VPC subnet sharing is correct?

    A. Participant accounts can launch resources into the shared subnet and can modify the subnet's route table and NACL since they have full EC2 networking permissions
    B. Participant accounts can launch resources into the shared subnet but cannot modify the subnet, its route table, or NACL; those remain under the owner account's control
    C. RAM cannot share individual subnets; the entire VPC must be shared with participant accounts
    D. Participant accounts must create a VPC peering connection to the shared VPC before they can launch resources in the shared subnet

  11. Question 11 (Networking & Content Delivery)

    A SysOps administrator needs to analyze VPC Flow Logs to identify the top source IP addresses generating rejected traffic to a specific subnet over the past 7 days. The flow logs are stored in CloudWatch Logs. Which approach is the MOST efficient?

    A. Export the flow logs to S3, then run an Athena query to aggregate rejected traffic by source IP
    B. Use CloudWatch Logs Insights to query the flow log group with a filter for `action = "REJECT"` and the destination subnet CIDR, then aggregate by source address
    C. Create a CloudWatch metric filter that counts rejected packets per source IP and review the custom metrics
    D. Download the raw flow log files from CloudWatch Logs and analyze them using a spreadsheet

  12. Question 12 (Deployment, Provisioning & Automation)

    A SysOps administrator manages infrastructure across 15 AWS accounts in an AWS Organization. A standardized VPC with specific CIDR blocks, subnets, and route tables must be deployed to all accounts in the production OU. The templates must stay in sync when updates are made. Which approach should the administrator use?

    A. Deploy a CloudFormation nested stack with the VPC template in each account manually
    B. Use CloudFormation StackSets with service-managed permissions targeting the production OU
    C. Share the VPC using AWS Resource Access Manager (RAM) from a central networking account
    D. Use AWS Service Catalog to distribute the VPC template as a product

  13. Question 13 (Networking & Content Delivery)

    A company has enabled IPv6 on their VPC and configured dual-stack subnets. Instances in a private subnet need to initiate outbound connections to IPv6 internet services but must NOT be reachable from the internet. Which component should the SysOps administrator add to the subnet's route table?

    A. A NAT gateway with an IPv6 route (::/0 → NAT gateway)
    B. An internet gateway with an IPv6 route (::/0 → IGW)
    C. An egress-only internet gateway with an IPv6 route (::/0 → eigw-xxx)
    D. A virtual private gateway with an IPv6 route

  14. Question 14 (Networking & Content Delivery)

    A company has deployed an interface VPC endpoint for Amazon SQS in a private subnet. Instances in the subnet can resolve the SQS endpoint DNS name, but connections to SQS are timing out. What should the SysOps administrator check?

    A. Whether the gateway VPC endpoint for SQS has a route in the subnet route table
    B. Whether the security group associated with the VPC endpoint allows inbound HTTPS (port 443) traffic from the instances
    C. Whether the SQS queue policy allows access from the VPC endpoint
    D. Whether the instances have a public IP address for SQS API calls

  15. Question 15 (Networking & Content Delivery)

    A development team needs to access Amazon DynamoDB and Amazon S3 from instances in a private subnet. The SysOps administrator wants to minimize data transfer costs. DynamoDB requires private IP-based connectivity, and S3 access patterns are standard API calls at high volume. What combination of VPC endpoints should the administrator deploy?

    A. Interface VPC endpoints for both DynamoDB and S3
    B. Gateway VPC endpoints for both DynamoDB and S3
    C. An interface VPC endpoint for DynamoDB and a gateway VPC endpoint for S3
    D. A gateway VPC endpoint for DynamoDB and an interface VPC endpoint for S3

  16. Question 16 (Cost & Performance Optimization)

    A company has multiple VPCs with instances that access S3 extensively. Currently, all S3 traffic routes through NAT gateways, incurring significant data processing charges. The SysOps administrator deploys S3 gateway VPC endpoints in each VPC. After the deployment, the team observes that NAT gateway costs for S3 traffic have decreased but not been eliminated. What is the most likely reason?

    A. The S3 gateway VPC endpoint only supports requests to S3 buckets in the same Region
    B. Some route tables in the VPCs have not been updated to include the S3 gateway VPC endpoint as a target
    C. Gateway VPC endpoints do not support all S3 API operations
    D. The NAT gateway processes DNS resolution traffic for S3 endpoints

  17. Question 17 (Networking & Content Delivery)

    A SysOps administrator wants to restrict traffic between two subnets in the same VPC. Security groups are already applied at the instance level. Which additional layer can restrict subnet-to-subnet traffic?

    A. VPC Peering
    B. Network Access Control Lists (NACLs) applied to each subnet
    C. Route table modifications
    D. VPC Endpoints

  18. Question 18 (Networking & Content Delivery)

    A company needs to implement stateful packet inspection, intrusion detection, and domain-based filtering for traffic entering and leaving their VPC. Standard security groups and NACLs are insufficient. Which AWS service should the administrator deploy?

    A. AWS WAF attached to an ALB
    B. AWS Network Firewall with stateful rule groups for IDS and domain filtering
    C. A third-party firewall appliance from AWS Marketplace on an EC2 instance
    D. AWS Shield Advanced with DDoS mitigation

  19. Question 19 (Networking & Content Delivery)

    A SysOps administrator needs to allow EC2 instances in a private subnet to access Amazon S3 without sending traffic over the internet. The solution should also ensure that traffic stays within the AWS network and does not incur NAT Gateway data processing charges for S3 traffic. What should the administrator configure?

    A. Create an S3 Gateway VPC endpoint and add a route to the private subnet's route table pointing to the endpoint.
    B. Create an S3 Interface VPC endpoint (powered by PrivateLink) in the private subnet.
    C. Configure the NAT Gateway to route S3 traffic over the AWS backbone using an optimized path.
    D. Set up VPC peering with the S3 service VPC in the same Region.

  20. Question 20 (Networking & Content Delivery)

    A SysOps administrator is troubleshooting connectivity issues between an EC2 instance in a public subnet and the internet. The instance has a public IP address assigned, but outbound internet connections are timing out. The security group allows all outbound traffic. What should the administrator check?

    A. Verify that the subnet's route table has a route to `0.0.0.0/0` pointing to an internet gateway, and check that the network ACL allows outbound traffic and the corresponding inbound ephemeral port range.
    B. Verify that the internet gateway is attached to the VPC and that the instance has an Elastic IP instead of an auto-assigned public IP.
    C. Check that the VPC has DNS resolution and DNS hostnames enabled.
    D. Verify that the instance's IAM role has permissions to make outbound network connections.
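Questions 8 and 20 both turn on the same property: a network ACL is stateless, so a TCP connection only works if the request packet and the reply packet are each matched by an allow rule in their own direction. The following Python model is an added example (not part of the question bank) that evaluates both halves of a connection against a subnet's NACL using the semantics AWS documents: rules are checked in ascending rule-number order, the first match wins, and the implicit `*` rule denies whatever nothing else matched. The NACLs, subnets and addresses are constructed for the two scenarios.

```python
"""Stateless NACL evaluation of both halves of a TCP connection.

Added example for Questions 8 and 20; not code from the question bank. The rule
model, subnets and addresses are constructed. Semantics follow the AWS docs:
ascending rule-number order, first match wins, implicit '*' denies the rest.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int       # lower numbers are evaluated first
    protocol: str     # "tcp", "udp", "icmp", or "-1" for all traffic
    port_from: int    # ignored when protocol is "-1"
    port_to: int
    cidr: str         # source CIDR on inbound rules, destination CIDR on outbound rules
    action: str       # "allow" or "deny"

    def matches(self, protocol, port, addr):
        if self.protocol not in ("-1", protocol):
            return False
        if self.protocol != "-1" and not self.port_from <= port <= self.port_to:
            return False
        return ip_address(addr) in ip_network(self.cidr)


def evaluate(rules, protocol, port, addr):
    """Verdict for one packet against one direction's rule list."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, addr):
            return rule.action
    return "deny"  # the implicit '*' rule


def connection_allowed(nacl, remote_ip, remote_port, local_port, remote_initiates):
    """Check a TCP connection through the NACL of the local subnet.

    remote_initiates=True  (Question 8, seen from the RDS subnet): the request
        arrives inbound on local_port; the reply leaves outbound to remote_port,
        which is the client's ephemeral port.
    remote_initiates=False (Question 20, seen from the instance's subnet): the
        request leaves outbound to remote_port; the reply arrives inbound on
        local_port, the instance's ephemeral port.
    Returns (allowed, {"request": (direction, port, verdict), "reply": (...)}).
    """
    if remote_initiates:
        legs = {"request": ("inbound", local_port), "reply": ("outbound", remote_port)}
    else:
        legs = {"request": ("outbound", remote_port), "reply": ("inbound", local_port)}
    detail = {name: (direction, port, evaluate(nacl[direction], "tcp", port, remote_ip))
              for name, (direction, port) in legs.items()}
    return all(v == "allow" for _, _, v in detail.values()), detail


# Question 8: 3306 is allowed in from the app subnet 10.0.10.0/24, but outbound
# only allows HTTPS, so MySQL replies to the app server's ephemeral port hit the
# implicit deny even though the security group is correct.
RDS_NACL_BROKEN = {
    "inbound": [Rule(100, "tcp", 3306, 3306, "10.0.10.0/24", "allow")],
    "outbound": [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")],
}
# Fix: allow the reply traffic. 1024-65535 covers the ephemeral ranges used by
# Linux, Windows and NAT gateways, which is why AWS recommends that range.
RDS_NACL_FIXED = {
    "inbound": RDS_NACL_BROKEN["inbound"],
    "outbound": RDS_NACL_BROKEN["outbound"]
    + [Rule(110, "tcp", 1024, 65535, "10.0.10.0/24", "allow")],
}

# Question 20: everything is allowed out but only HTTPS is allowed in, so the
# return half of an outbound HTTPS connection is dropped and the client times out.
PUBLIC_NACL_BROKEN = {
    "inbound": [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")],
    "outbound": [Rule(100, "-1", 0, 0, "0.0.0.0/0", "allow")],
}
PUBLIC_NACL_FIXED = {
    "inbound": PUBLIC_NACL_BROKEN["inbound"]
    + [Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")],
    "outbound": PUBLIC_NACL_BROKEN["outbound"],
}

if __name__ == "__main__":
    print(connection_allowed(RDS_NACL_BROKEN, "10.0.10.25", 49152, 3306, remote_initiates=True))
    print(connection_allowed(PUBLIC_NACL_BROKEN, "198.51.100.10", 443, 50000, remote_initiates=False))
```

The returned detail names the leg that failed, which is the information a practitioner actually needs when the security group looks right and the connection still times out: in both broken NACLs the request leg is allowed and the reply leg is denied by the implicit rule.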

  21. Question 21 (Cost & Performance Optimization)

    A company's EC2 instances in a private subnet use a NAT Gateway to access the internet. The majority of outbound traffic goes to Amazon S3, and the NAT Gateway data processing charges represent a significant portion of the monthly bill. Which architecture change reduces these costs the MOST?

    A. Replace the NAT Gateway with a NAT instance on a smaller EC2 instance type.
    B. Create an S3 gateway VPC endpoint, which routes S3 traffic through the AWS network at no additional data processing charge, bypassing the NAT Gateway.
    C. Enable S3 Transfer Acceleration to reduce the time data spends traversing the NAT Gateway.
    D. Move the EC2 instances to a public subnet with an Internet Gateway to avoid NAT Gateway charges entirely.

  22. Question 22 (Select All That Apply; Networking & Content Delivery)

    A company uses a NAT gateway for outbound internet access from private subnets. A team member suggests switching to a NAT instance to reduce costs. Which statement accurately compares NAT gateways and NAT instances? (Select TWO.)

    A. NAT gateways are AWS-managed, highly available within an AZ, and scale automatically; NAT instances are self-managed EC2 instances that require manual HA and scaling.
    B. NAT instances can be used as bastion hosts and support port forwarding; NAT gateways do not support these features.
    C. NAT gateways are less expensive than NAT instances for all traffic volumes.
    D. NAT instances support security groups on the instance; NAT gateways use only NACLs for traffic filtering.
    E. NAT gateways support traffic over IPv6; NAT instances do not.

  23. Question 23 (Networking & Content Delivery)

    A SysOps administrator manages a multi-tier application with web servers in a public subnet and application servers in a private subnet. The application servers need to connect to an external third-party API over HTTPS. The company does not want the application servers to have public IP addresses or use a NAT gateway due to cost. Which solution allows the application servers to reach the external API?

    A. Deploy an AWS PrivateLink endpoint for the third-party API in the VPC
    B. The application servers cannot reach external endpoints without a NAT gateway or public IP; a NAT gateway is required
    C. Configure a VPC peering connection to the third-party's VPC
    D. Deploy a proxy server (e.g., Squid) on an EC2 instance in the public subnet with a public IP, and route the application servers' HTTPS traffic through the proxy

  24. Question 24 (Security & Compliance)

    A SysOps administrator needs to ensure that all VPC security groups in an account do not allow unrestricted SSH (port 22) access from `0.0.0.0/0`. If a security group is modified to allow this, it must be automatically remediated within minutes. What is the most effective solution?

    A. Use AWS Config's `restricted-ssh` managed rule with auto-remediation linked to an SSM Automation document that removes the offending inbound rule.
    B. Create an EventBridge rule that detects `AuthorizeSecurityGroupIngress` API calls for port 22 from 0.0.0.0/0 and triggers a Lambda function to revoke the rule.
    C. Use Security Hub's automated response feature to automatically close SSH access findings.
    D. Apply a Network ACL at the subnet level that blocks all inbound SSH traffic.
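Option B of Question 24 describes an event-driven remediation; what it leaves implicit is the matching logic, and that is where such functions usually go wrong: an `AuthorizeSecurityGroupIngress` call can admit SSH through a port range such as 20-25 or through protocol `-1` (all traffic), and through `::/0` as well as `0.0.0.0/0`. The handler below is an added example (not code from the question bank) shaped for an EventBridge rule that forwards the CloudTrail event to Lambda. The event is constructed, with field names following CloudTrail's `requestParameters` for that API, and the EC2 client is injected so the logic runs offline; the one boto3 call used, `revoke_security_group_ingress`, is the real API.

```python
"""Auto-revoke security-group rules that open SSH (TCP/22) to the world.

Added example for Question 24; not code from the question bank. Handler shape:
EventBridge rule -> CloudTrail AuthorizeSecurityGroupIngress event -> Lambda.
The event is constructed (CloudTrail requestParameters field names); the EC2
client is injected so this runs offline without credentials.
"""
import ipaddress

SSH_PORT = 22
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


def _covers_ssh(perm):
    """True if the permission admits TCP/22: a tcp range containing 22, or
    protocol -1 (all traffic), which carries no port fields at all."""
    proto = perm.get("ipProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("fromPort", 0) <= SSH_PORT <= perm.get("toPort", 65535)


def offending_permissions(request_parameters):
    """Revoke-ready IpPermissions (boto3 casing) for every world-open range that
    admits SSH. Narrower ranges in the same entry (e.g. 10.0.0.0/8) and unrelated
    ports are left alone."""
    found = []
    for perm in request_parameters.get("ipPermissions", {}).get("items", []):
        if not _covers_ssh(perm):
            continue
        v4 = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])
              if ipaddress.ip_network(r["cidrIp"], strict=False) == ANY_V4]
        v6 = [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])
              if ipaddress.ip_network(r["cidrIpv6"], strict=False) == ANY_V6]
        if not (v4 or v6):
            continue
        revoke = {"IpProtocol": perm["ipProtocol"]}
        if perm["ipProtocol"] != "-1":
            # Revoke must name the exact range that was authorized (20-25, not 22-22).
            revoke["FromPort"] = perm["fromPort"]
            revoke["ToPort"] = perm["toPort"]
        if v4:
            revoke["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            revoke["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        found.append(revoke)
    return found


def handler(event, context=None, ec2=None):
    """Lambda entry point. Pass ec2 to inject a client; otherwise boto3 is imported
    lazily so the module also loads where boto3 is not installed."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress" or "errorCode" in detail:
        return {"groupId": None, "revoked": []}  # not a successful authorize call
    params = detail["requestParameters"]
    group_id = params["groupId"]
    to_revoke = offending_permissions(params)
    if to_revoke:
        if ec2 is None:
            import boto3
            ec2 = boto3.client("ec2")
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=to_revoke)
    return {"groupId": group_id, "revoked": to_revoke}


class RecordingEc2Client:
    """Offline stand-in for boto3's EC2 client; records revoke calls."""
    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(kwargs)
        return {"Return": True}


# Constructed event: 22 opened to 0.0.0.0/0 and 10.0.0.0/8, 443 opened to the
# world (not SSH, left alone), and all traffic opened to ::/0 (admits SSH over v6).
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}, {"cidrIp": "10.0.0.0/8"}]}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
                {"ipProtocol": "-1", "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}},
            ]},
        },
    },
}
```

Run it as `handler(SAMPLE_EVENT, ec2=RecordingEc2Client())`: the 22/tcp world rule and the all-traffic `::/0` rule are revoked, the 10.0.0.0/8 and 443 rules survive. The function's execution role needs `ec2:RevokeSecurityGroupIngress`; failed authorize attempts (those carrying an `errorCode`) are skipped because there is nothing to undo.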

  25. Question 25 (Networking & Content Delivery)

    A company has applications running in three VPCs that need to communicate with each other. The company also plans to add additional VPCs in the future. The SysOps administrator wants to avoid the complexity of managing multiple VPC peering connections. Which solution should the administrator implement?

    A. Deploy an AWS Transit Gateway and attach all three VPCs to it, configuring route tables for full-mesh connectivity.
    B. Create VPC peering connections between all three VPCs and add routes to each VPC's route table.
    C. Deploy a shared services VPC with VPN connections to each of the three VPCs.
    D. Use AWS PrivateLink to create endpoint services in each VPC for cross-VPC communication.

  26. Question 26 (Monitoring, Logging & Remediation)

    A security team needs to count the number of REJECT actions per source IP address per hour in their VPC Flow Logs, and trigger an alarm when any single IP exceeds 1,000 rejected connections in an hour. The flow logs are sent to a CloudWatch Logs log group. Which approach is MOST operationally efficient?

    A. Create a CloudWatch Logs metric filter that matches `REJECT` in the flow log pattern, extracting the source IP as a dimension, then set a CloudWatch alarm on the resulting metric.
    B. Export VPC Flow Logs to S3 hourly and query with Amazon Athena to count rejects per source IP.
    C. Stream VPC Flow Logs to a Kinesis Data Stream and process with a Lambda function that publishes custom metrics per source IP.
    D. Enable VPC Traffic Mirroring and analyze the mirrored packets using a third-party IDS.
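Questions 7, 11 and 26 all ask for the same computation over VPC Flow Logs, reached through different services: filter to `REJECT`, restrict to flows whose destination lies in a given subnet, and count per source address (overall for the top-N report, per hour for the threshold alarm). The Python below is an added example (not code from the question bank) that performs that aggregation on records in the default flow log format, version 2; the sample records are constructed, and the Logs Insights query is included as a reference string only. Knowing what the aggregation looks like in plain code makes it easier to validate whatever the Athena or Logs Insights query returns.

```python
"""Count REJECTed flows per source address and hour in VPC Flow Log records.

Added example for Questions 7, 11 and 26; not code from the question bank. It
assumes the default flow log record format (version 2) and uses constructed
sample records. The Logs Insights query is for reference only.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Default flow log record format, version 2, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Equivalent CloudWatch Logs Insights query (Question 11); field names are the
# ones Logs Insights discovers for the default format. Not executed here.
LOGS_INSIGHTS_QUERY = """
filter action = "REJECT" and isIpv4InSubnet(dstAddr, "10.0.20.0/24")
| stats count(*) as rejects by srcAddr
| sort rejects desc
| limit 10
"""

# Constructed records: 203.0.113.5 probing the database subnet 10.0.20.0/24 on
# TCP/3306, accepted app traffic, a reject aimed at another subnet, a reject in
# the following hour, and a NODATA record whose address fields are '-'.
SAMPLE_RECORDS = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.20.14 51234 3306 6 3 180 1699999500 1699999560 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.20.14 51235 3306 6 3 180 1699999600 1699999660 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.20.15 51236 3306 6 3 180 1699999800 1699999860 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.20.14 40000 3306 6 3 180 1699999700 1699999760 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.10.8 10.0.20.14 44000 3306 6 20 4000 1699999700 1699999760 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.30.9 51237 22 6 1 60 1699999700 1699999760 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.20.14 51238 3306 6 3 180 1700003000 1700003060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1699999700 1699999760 - NODATA",
]


def parse_record(line):
    """Split one default-format record into a dict; drop malformed lines and
    NODATA/SKIPDATA records, which carry no addresses to aggregate on."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    record = dict(zip(FIELDS, parts))
    if record["log_status"] != "OK":
        return None
    return record


def rejects_per_source_hour(lines, target_subnet, threshold):
    """Return ({hour_epoch: Counter(srcaddr)}, [(hour_epoch, srcaddr, count), ...])
    for REJECTed flows whose destination is inside target_subnet. The list holds
    the source/hour pairs above threshold, i.e. what the Question 26 alarm fires on."""
    subnet = ip_network(target_subnet)
    per_hour = defaultdict(Counter)
    for line in lines:
        record = parse_record(line)
        if record is None or record["action"] != "REJECT":
            continue
        if ip_address(record["dstaddr"]) not in subnet:
            continue
        hour = int(record["start"]) // 3600 * 3600  # bucket on the flow start time
        per_hour[hour][record["srcaddr"]] += 1
    alarms = [(hour, src, n)
              for hour in sorted(per_hour)
              for src, n in per_hour[hour].most_common()
              if n > threshold]
    return per_hour, alarms


def top_sources(per_hour, n=10):
    """Top-N rejected sources across all hours (the Question 7 / 11 report)."""
    total = Counter()
    for counts in per_hour.values():
        total.update(counts)
    return total.most_common(n)


if __name__ == "__main__":
    hourly, over = rejects_per_source_hour(SAMPLE_RECORDS, "10.0.20.0/24", threshold=2)
    print("top sources:", top_sources(hourly))
    print("over threshold:", over)
```

With the constructed data and a threshold of 2 (standing in for the 1,000 in the question), only 203.0.113.5 in the first hour trips the alarm; the reject against 10.0.30.9 is excluded because it targets a different subnet, and the NODATA record is skipped rather than crashing the address parse. Bucketing on the flow's `start` field means a long-lived flow is counted in the hour it began.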

  27. Question 27 (Select All That Apply; Deployment, Provisioning & Automation)

    A company has two CloudFormation stacks: a "Network" stack that creates a VPC and subnets, and an "Application" stack that needs to reference the VPC ID and subnet IDs from the Network stack. Which CloudFormation feature allows the Application stack to consume values exported by the Network stack? (Select TWO.)

    A. In the Network stack, define `Outputs` with `Export` names for the VPC ID and subnet IDs.
    B. In the Application stack, use `Fn::ImportValue` to reference the exported values by their export names.
    C. In the Application stack, use `Fn::GetAtt` to directly read resources from the Network stack.
    D. Store the Network stack outputs in SSM Parameter Store and read them with `{{resolve:ssm:...}}` dynamic references.
    E. Use CloudFormation nested stacks, where the Application stack is a child of the Network stack.

  28. Question 28 (Security & Compliance)

    A company wants to ensure that IAM principals can only make API calls to AWS services from within the corporate network (a specific IP range) or from within AWS services using VPC endpoints. Which IAM policy condition key combination achieves this?

    A. Use `aws:SourceIp` to restrict to the corporate IP range, combined with `aws:ViaAWSService` to allow calls made through AWS service-to-service communication.
    B. Use `aws:SourceVpc` to restrict to a specific VPC ID, which automatically covers both corporate VPN and VPC endpoints.
    C. Use `aws:PrincipalOrgID` to restrict access to only principals within the AWS Organization.
    D. Use `aws:RequestedRegion` to limit API calls to specific regions where the corporate network has connectivity.

  29. Question 29 (Security & Compliance)

    A company's policy requires that all API calls to AWS services be made through VPC endpoints only, ensuring no traffic to AWS services traverses the public internet. A SysOps Administrator creates a VPC endpoint for S3 and wants to ensure that only specific S3 buckets can be accessed through the endpoint. Which policy should be configured?

    A. A bucket policy on each S3 bucket that allows access only from the VPC endpoint ID using `aws:sourceVpce`.
    B. A VPC endpoint policy attached to the S3 VPC endpoint that restricts access to the specified S3 bucket ARNs.
    C. A NACL on the VPC endpoint's subnet that allows traffic only to the S3 service IP ranges.
    D. An IAM policy on all users that restricts `s3:*` actions to only the specified buckets.

  30. Question 30 (Select All That Apply; Networking & Content Delivery)

    A company runs a SaaS application behind a Network Load Balancer in their VPC. They want to securely expose this service to 50 customer VPCs across different AWS accounts, without requiring VPC peering, Transit Gateway, or public internet exposure. Which architecture should be used? (Select TWO.)

    A. Create a VPC Endpoint Service (AWS PrivateLink) backed by the NLB in the provider's VPC.
    B. Each customer creates an interface VPC endpoint in their VPC pointing to the provider's endpoint service, and the provider approves the connection.
    C. Share the NLB using AWS Resource Access Manager (RAM) with the customer accounts.
    D. Create a public-facing ALB and restrict access using security groups referencing the customer VPC CIDR ranges.
    E. Configure VPC peering between the provider VPC and each of the 50 customer VPCs.

  31. Question 31 (Networking & Content Delivery)

    A SysOps Administrator is planning a VPC with the CIDR 10.0.0.0/24 (256 IPs). They want to create four subnets with equal sizing. What is the maximum number of usable IP addresses per subnet, considering AWS reserves 5 IP addresses per subnet?

    A. 64 addresses per subnet (256 / 4), all usable.
    B. 59 addresses per subnet (64 per /26 subnet minus 5 reserved).
    C. 62 addresses per subnet.
    D. 54 addresses per subnet.

  32. Question 32 (Networking & Content Delivery)

    A company has 15 VPCs across three Regions that all need connectivity to a shared services VPC hosting Active Directory and monitoring tools. The company currently manages many VPC peering connections. Which networking service simplifies this hub-and-spoke topology?

    A. Use AWS PrivateLink to expose shared services to all VPCs.
    B. Use AWS Transit Gateway in each Region as a hub, attach all VPCs, and use Transit Gateway inter-Region peering for cross-Region connectivity.
    C. Create a full mesh of VPC peering connections between all 15 VPCs.
    D. Use a single large VPC with multiple CIDR blocks instead of separate VPCs.

  33. Question 33 (Networking & Content Delivery)

    A SysOps Administrator is configuring a VPC that must support both IPv4 and IPv6 traffic. EC2 instances in public subnets need both IPv4 and IPv6 internet access, while instances in private subnets need outbound-only IPv6 internet access without being reachable from the internet. Which configuration meets these requirements?

    A. Assign an IPv6 CIDR block to the VPC and subnets. For private subnets, create an egress-only internet gateway and add a route for `::/0` pointing to it. For public subnets, use the standard internet gateway for both IPv4 and IPv6.
    B. Create a separate VPC for IPv6 traffic and peer it with the IPv4 VPC.
    C. Use a NAT Gateway for IPv6 outbound traffic from private subnets.
    D. Assign IPv6 addresses only to public subnets; private subnets cannot use IPv6.

  34. Question 34 (Networking & Content Delivery)

    A company has multiple VPCs across different AWS accounts within an AWS Organization. The networking team wants to share a set of subnets from a central VPC (owned by the networking account) with application accounts so that instances launched by the application accounts reside in the shared subnets. Which service enables this?

    A. AWS Resource Access Manager (RAM), which allows sharing VPC subnets with other accounts in the Organization, enabling participant accounts to launch resources into the shared subnets.
    B. VPC Peering between each application account VPC and the central VPC.
    C. AWS Transit Gateway with route propagation.
    D. AWS PrivateLink endpoints in each application account.

  35. Question 35 (Monitoring, Logging & Remediation)

    A company uses multiple AWS accounts and wants to centralize all VPC Flow Logs and application logs from CloudWatch Logs into a single S3 bucket in the logging account for long-term analysis. The solution must support near-real-time delivery and handle high throughput. Which architecture meets these requirements?

    A. Create CloudWatch Logs subscription filters in each account that send logs to a cross-account Kinesis Data Firehose delivery stream in the logging account, which delivers to S3.
    B. Configure CloudWatch Logs export tasks in each account on a 5-minute schedule to export logs directly to the central S3 bucket.
    C. Enable VPC Flow Log delivery directly to the central S3 bucket from each account and use CloudWatch Logs metric filters for application logs.
    D. Deploy a Kinesis Data Stream in each account, replicate data to a central Kinesis stream using cross-account access, then deliver to S3 via Firehose.

  36. Question 36 (Security & Compliance)

    A company has multiple AWS accounts and wants to share a common set of VPC subnets with development teams in other accounts using AWS Resource Access Manager (RAM). Which resource type can be shared via RAM to enable this?

    A. VPC subnets can be shared via RAM. The owning account shares subnets, and participant accounts can launch resources (EC2, RDS, etc.) into the shared subnets.
    B. Entire VPCs can be shared via RAM, giving participant accounts full control over the VPC configuration.
    C. Only transit gateway attachments can be shared via RAM, not subnets.
    D. RAM cannot share networking resources; VPC peering must be used instead.

    Answer hidden for practice.

  37. Question 37 (Security & Compliance)

    A SysOps Administrator needs to ensure that an S3 bucket can only be accessed from a specific VPC endpoint. Any request not originating from the VPC endpoint should be denied. Which S3 bucket policy condition achieves this?

    A. A bucket policy with a `Deny` statement where the condition is `StringNotEquals` on `aws:sourceVpce` matching the VPC endpoint ID.
    B. A bucket policy with an `Allow` statement restricted to the VPC CIDR range using `aws:SourceIp`.
    C. A VPC endpoint policy that allows access only to the specific bucket ARN.
    D. An S3 Access Point policy restricted to the VPC.

    Answer hidden for practice.

  38. Question 38 (Networking & Content Delivery)

    Two VPCs are peered: VPC-A (10.0.0.0/16) and VPC-B (10.1.0.0/16). An application in VPC-A needs to connect to an EC2 instance in VPC-B. The security group on the VPC-B instance references the security group ID of the VPC-A instance in its inbound rule. The connection fails. What is the MOST LIKELY cause?

    A. Security group cross-referencing works only within the same VPC. For peered VPCs, the inbound rule must use the CIDR block of VPC-A instead of a security group ID.
    B. The VPC peering connection's route table entries are missing.
    C. Security group cross-referencing across peered VPCs is supported only in the same Region. The VPCs are in different Regions.
    D. The VPC peering connection does not allow DNS resolution across VPCs.

    Answer hidden for practice.

  39. Question 39 (Networking & Content Delivery)

    A SysOps administrator is configuring a VPC with public and private subnets. EC2 instances in the private subnet need to download software updates from the internet but must not be directly accessible from the internet. Which architecture component is required?

    A. An Internet Gateway attached to the VPC with a route from the private subnet
    B. A NAT Gateway deployed in a public subnet with a route from the private subnet to the NAT Gateway
    C. A VPC peering connection to a VPC with internet access
    D. An Elastic IP address attached to each private instance

    Answer hidden for practice.

  40. Question 40 (Networking & Content Delivery)

    A SysOps administrator is troubleshooting connectivity between two VPCs that are peered. Instances in VPC A (`10.0.0.0/16`) cannot communicate with instances in VPC B (`172.16.0.0/16`). The peering connection is active. What should the administrator check FIRST?

    A. Verify that route tables in both VPCs have routes pointing to the peering connection for the other VPC's CIDR
    B. Verify that both VPCs are in the same region
    C. Verify that the VPC peering connection supports transitive routing
    D. Verify that DNS resolution is enabled on the peering connection

    Answer hidden for practice.

  41. Question 41 (Networking & Content Delivery)

    A SysOps administrator is configuring VPC Flow Logs for a VPC to troubleshoot connectivity issues. The administrator needs to capture only rejected traffic to minimize log volume. Which configuration should be used?

    A. Create a VPC Flow Log with the filter set to `REJECT`
    B. Create a VPC Flow Log with the filter set to `ALL` and use CloudWatch Logs Insights to filter rejected traffic
    C. Create a VPC Flow Log with the default filter and configure an S3 lifecycle policy to delete accepted traffic logs
    D. Enable VPC Flow Logs at the subnet level only for subnets with connectivity issues

    Answer hidden for practice.

  42. Question 42 (Monitoring, Logging & Remediation)

    A SysOps administrator is analyzing VPC Flow Logs stored in CloudWatch Logs. The administrator needs to identify the top 5 source IP addresses generating rejected traffic on port 443 in the last 6 hours. Which CloudWatch Logs Insights query is correct?

    A. `filter action = "REJECT" and dstPort = 443 | stats count(*) as rejectCount by srcAddr | sort rejectCount desc | limit 5`
    B. `fields srcAddr | filter action like "REJECT" | filter dstPort > 440 and dstPort < 444 | group by srcAddr | limit 5`
    C. `parse @message "* * * * * * * * REJECT * * * *" as f1,f2,srcAddr,f4,f5,f6,dstPort,f8,f9,f10,f11,f12 | filter dstPort = "443" | stats count() by srcAddr | sort count() desc | limit 5`
    D. `filter @message like /REJECT/ and @message like /443/ | stats count(*) by @message | sort count(*) desc | limit 5`

    Answer hidden for practice.

  43. Question 43 (Networking & Content Delivery)

    A company has a VPC endpoint (gateway type) for S3. The administrator needs to restrict the endpoint so that EC2 instances in the VPC can only access a specific S3 bucket through the endpoint. How should this be configured?

    A. Attach a VPC endpoint policy to the S3 gateway endpoint that allows `s3:*` actions only on the specific bucket ARN
    B. Modify the S3 bucket policy to include a condition limiting access to the VPC endpoint ID using `aws:sourceVpce`
    C. Configure the route table associated with the endpoint to only route traffic for the specific bucket's IP range
    D. Use security groups on the VPC endpoint to restrict access to the specific bucket

    Answer hidden for practice.

  44. Question 44 (Select All That Apply; Networking & Content Delivery)

    A company deploys AWS Network Firewall in a VPC to inspect all traffic flowing between subnets and to the internet. The administrator needs to block traffic to specific known malicious domains while allowing all other HTTPS traffic. (Select TWO.)

    A. Create a Network Firewall rule group with stateful rules using the domain list rule type to deny traffic to the malicious domains
    B. Configure the firewall policy with a default action of `aws:forward_to_sfe` for stateful inspection and `aws:pass` for non-matching traffic
    C. Use Network ACLs to block the IP addresses associated with the malicious domains
    D. Configure the Network Firewall with stateless rules matching destination IP addresses of the malicious domains
    E. Enable TLS inspection on the Network Firewall to decrypt HTTPS traffic for all domain-based rules

    Answer hidden for practice.

  45. Question 45 (Networking & Content Delivery)

    A SysOps administrator needs to restrict an interface VPC endpoint for AWS Secrets Manager so that only specific IAM roles can use the endpoint to retrieve secrets. How is this accomplished?

    A. Attach a VPC endpoint policy that includes a condition restricting `aws:PrincipalArn` to the allowed IAM role ARNs
    B. Configure security groups on the VPC endpoint to restrict access by source IP of the allowed instances
    C. Modify the Secrets Manager resource policy to deny all requests not originating from the VPC endpoint
    D. Use NACLs on the subnets where the endpoint ENIs are created to restrict traffic to specific instance IPs

    Answer hidden for practice.

  46. Question 46 (Monitoring, Logging & Remediation)

    A SysOps administrator wants to send VPC Flow Logs to Amazon S3 in Apache Parquet format for cost-efficient querying with Athena. The logs should be partitioned by hour. Which configuration is correct?

    A. Create a VPC flow log with a destination of S3, select Parquet as the file format, and set the partition period to every 1 hour using Hive-compatible prefixes
    B. Create a VPC flow log to CloudWatch Logs, then use a Kinesis Data Firehose subscription filter to convert to Parquet and write to S3
    C. Create a VPC flow log to S3 in plain text, then run a scheduled Glue ETL job hourly to convert to Parquet
    D. Create a VPC flow log to S3 and use an S3 Lifecycle policy to convert log files to Parquet format

    Answer hidden for practice.

  47. Question 47 (Networking & Content Delivery)

    A company has three VPCs in the same Region that need full mesh connectivity. The network team wants to avoid managing multiple peering connections and prefers a hub-and-spoke model with centralized routing. Which solution should the SysOps administrator implement?

    A. Create VPC peering connections between all three VPCs and update route tables in each VPC
    B. Deploy an AWS Transit Gateway, attach all three VPCs, and configure the Transit Gateway route table for full connectivity
    C. Use AWS PrivateLink to connect the three VPCs through VPC endpoint services
    D. Deploy a VPN gateway in a shared VPC and create VPN connections from the other two VPCs

    Answer hidden for practice.

  48. Question 48 (Networking & Content Delivery)

    A company has a centralized networking account and multiple application accounts in AWS Organizations. The networking team wants to share specific subnets of a VPC with application accounts so that EC2 instances launched by application teams reside in the shared VPC. Which service should the networking team use?

    A. VPC peering between the networking account and each application account
    B. AWS Resource Access Manager (RAM) to share VPC subnets
    C. AWS Transit Gateway with VPC attachments from each account
    D. AWS PrivateLink to create interface endpoints in each application account

    Answer hidden for practice.

  49. Question 49 (Networking & Content Delivery)

    A SysOps administrator needs to share a VPC subnet with another account using AWS RAM. The administrator shares the subnet, but the participant account cannot see the shared subnet when launching an EC2 instance. What should the administrator verify?

    A. The participant account has accepted the RAM resource share invitation
    B. The VPC has been peered with the participant account's VPC
    C. The participant account has created an identical subnet with the same CIDR
    D. The shared subnet has a tag granting access to the participant account

    Answer hidden for practice.

  50. Question 50 (Networking & Content Delivery)

    A company connects to AWS using a Site-to-Site VPN with BGP. The on-premises router advertises a default route (0.0.0.0/0) and several specific prefixes. The VPC route table shows more routes than expected. The administrator wants to limit the routes accepted from BGP. What can the administrator configure on the AWS side?

    A. Configure a BGP route filter on the virtual private gateway to reject the default route
    B. AWS does not provide BGP route filtering; configure the route filters on the on-premises router
    C. Use a route table policy to deny specific propagated routes
    D. Disable route propagation on the VPC route table and manually add the desired routes

    Answer hidden for practice.

  51. Question 51 (Networking and Content Delivery)

    A SysOps administrator uses VPC Flow Logs. A security team asks why certain connections are being rejected. How can Flow Logs be queried efficiently?

    A. Download the Flow Log files from S3 and grep locally
    B. Use CloudWatch Logs Insights or Amazon Athena to query Flow Logs with SQL-like syntax
    C. Use the AWS Console to filter Flow Logs interactively
    D. Enable CloudTrail to trace network rejections

    Answer hidden for practice.

  52. Question 52 (Networking and Content Delivery)

    A SysOps administrator sets up a VPC with public and private subnets. Instances in the private subnet cannot reach the internet. What is the most likely cause?

    A. The security group blocks outbound traffic
    B. No NAT Gateway (or NAT Instance) in the public subnet, or the private subnet route table lacks a route to the NAT Gateway
    C. The Internet Gateway is not attached to the VPC
    D. The VPC CIDR is incorrectly configured

    Answer hidden for practice.

  53. Question 53 (Networking and Content Delivery)

    A SysOps administrator enables VPC Flow Logs. Which traffic does Flow Logs NOT capture?

    A. Traffic to and from EC2 instances
    B. Traffic to the Amazon DNS server (Route 53 Resolver) from within the VPC
    C. Traffic rejected by NACLs
    D. Traffic to the Internet Gateway

    Answer hidden for practice.

  54. Question 54 (Networking and Content Delivery)

    A SysOps administrator uses AWS Transit Gateway. What is its primary advantage over VPC Peering for a large number of VPCs?

    A. Transit Gateway is cheaper per GB than VPC Peering
    B. Transit Gateway allows many VPCs to connect through a central hub, avoiding N*(N-1)/2 peering connections
    C. Transit Gateway supports cross-region connections; VPC Peering does not
    D. Transit Gateway provides lower latency than VPC Peering

    Answer hidden for practice.

  55. Question 55 (Security and Compliance)

    A SysOps administrator uses VPC Flow Logs and identifies a large amount of REJECT traffic from an EC2 instance to port 443. What does this indicate?

    A. The instance is being attacked
    B. A security group or NACL is blocking outbound HTTPS traffic from the instance
    C. The instance is attempting a DDoS attack
    D. The VPC has no Internet Gateway

    Answer hidden for practice.

  56. Question 56 (Networking and Content Delivery)

    A SysOps administrator configures a Network ACL. Unlike security groups, NACLs are stateless. What does stateless mean in this context?

    A. NACLs do not remember previous connections
    B. Return traffic must be explicitly allowed by a separate outbound (or inbound) rule
    C. NACLs apply to individual instances, not subnets
    D. NACLs evaluate all rules and allow the most permissive one

    Answer hidden for practice.

  57. Question 57 (Deployment, Provisioning, and Automation)

    A SysOps administrator needs to provision a new AWS account with a VPC, subnets, and baseline security controls automatically when it's added to an OU. What combination achieves this?

    A. AWS Control Tower Account Factory + StackSets
    B. AWS Organizations + manual CloudFormation deployment
    C. CloudFormation StackSets with SERVICE_MANAGED + automatic deployment on OU
    D. Both A and C

    Answer hidden for practice.

  58. Question 58 (Networking and Content Delivery)

    A SysOps administrator uses Amazon VPC. What is the maximum number of subnets per VPC?

    A. 16
    B. 200 (default, can be increased)
    C. 5
    D. Unlimited

    Answer hidden for practice.

  59. Question 59 (Networking and Content Delivery)

    A SysOps administrator configures a VPC with private subnets. Applications in these subnets need to access an on-premises database. Which connection option provides private connectivity?

    A. Internet Gateway + NAT Gateway
    B. AWS Site-to-Site VPN or Direct Connect with a route from the private subnet to the on-premises CIDR
    C. VPC Peering
    D. AWS Transit Gateway with a peered VPC

    Answer hidden for practice.

  60. Question 60 (Networking and Content Delivery)

    A SysOps administrator wants to monitor VPC-to-VPC traffic through a Transit Gateway. Where are these flow logs captured?

    A. VPC Flow Logs on each VPC's ENIs
    B. Transit Gateway Flow Logs
    C. CloudTrail API events for Transit Gateway
    D. Both A and B

    Answer hidden for practice.

  61. Question 61 (Networking and Content Delivery)

    A SysOps administrator needs to expose a private RDS database to a partner's VPC without VPC peering (to avoid overlapping CIDR issues). Which service enables this?

    A. AWS PrivateLink — create a VPC endpoint service backed by an NLB in front of RDS
    B. VPN connection between the two VPCs
    C. Transit Gateway between the VPCs
    D. Direct Connect between the VPCs

    Answer hidden for practice.

  62. Question 62 (Reliability and Business Continuity)

    A SysOps administrator uses a gateway VPC endpoint for S3. Traffic from private EC2 instances fails to reach S3. What is likely misconfigured?

    A. The S3 bucket policy doesn't allow VPC endpoint access
    B. The route table for the private subnet does not have a route to the S3 Gateway endpoint
    C. The security group on the EC2 instance blocks S3 traffic
    D. Both A and B are possible causes

    Answer hidden for practice.

  63. Question 63 (Security and Compliance)

    A SysOps administrator wants to prevent data exfiltration from EC2 instances by restricting which S3 buckets they can access. Which VPC endpoint policy achieves this?

    A. Security group rule blocking S3 traffic
    B. VPC endpoint policy for S3 that restricts access to specific company-owned bucket ARNs
    C. S3 bucket policy requiring VPC endpoint access
    D. NACL rule blocking non-company S3 buckets

    Answer hidden for practice.

  64. Question 64 (Networking and Content Delivery)

    A SysOps administrator uses Amazon VPC. Two VPCs (10.0.0.0/16 and 10.0.0.0/16) need to communicate. VPC peering is not possible due to overlapping CIDRs. What alternative enables connectivity?

    A. Transit Gateway with CIDR overlap support
    B. AWS PrivateLink — expose services via endpoint services without route-based connectivity (no CIDR conflict)
    C. Direct Connect between the VPCs
    D. VPN between the VPCs

    Answer hidden for practice.

  65. Question 65 (Networking and Content Delivery)

    A SysOps administrator uses Amazon VPC and wants to control which IP addresses can access the public subnet. Which two network security features work at the subnet level and instance level respectively?

    A. NACL (subnet level) and Security Group (instance/ENI level)
    B. Security Group (subnet level) and NACL (instance level)
    C. Route tables and Security Groups
    D. NACL and Route tables

    Answer hidden for practice.

  66. Question 66 (Networking and Content Delivery)

    A SysOps administrator sets up a VPC with public and private subnets. EC2 instances in the private subnet need to communicate with the internet for OS updates. Which component enables outbound-only internet access?

    A. Internet Gateway — bidirectional internet access
    B. NAT Gateway in the public subnet — allows outbound-initiated connections, blocks inbound unsolicited traffic
    C. VPC Endpoint — private access to AWS services only
    D. Transit Gateway — for inter-VPC routing only

    Answer hidden for practice.

  67. Question 67 (Networking and Content Delivery)

    A SysOps administrator wants to restrict access to an S3 bucket to only requests that arrive via a specific VPC endpoint. Which policy achieves this?

    A. S3 bucket policy with Condition: StringEquals aws:SourceVpce to the specific VPC endpoint ID
    B. Security group on the S3 bucket
    C. VPC NACL blocking non-endpoint traffic
    D. IAM policy restricting S3 access by IP

    Answer hidden for practice.


Key VPC Concepts for SOA-C03

vpc, subnet, route table, nat gateway, internet gateway, security group, nacl, vpc endpoint, flow logs, peering

SOA-C03 VPC Exam Tips

Amazon Virtual Private Cloud (VPC) questions in SOA-C03 are typically scenario-based. Focus on operations, observability, incident response, and automated remediation. Priority concepts: vpc, subnet, route table, nat gateway, internet gateway, security group.

What SOA-C03 Expects

  • Anchor your answer in operational visibility and repeatable, runbook-ready automation.
  • VPC scenarios for SOA-C03 are frequently mapped to Domain 1 (22%), Domain 4 (16%), Domain 5 (18%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where VPC interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value VPC Concepts

  • Know the core VPC building blocks cold: vpc, subnet, route table, nat gateway.
  • Review the edge-case features and limits for internet gateway, security group; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how VPC pairs with Route 53, Load Balancing, Direct Connect, CloudFront in real deployment patterns.
  • For SOA-C03, explain why the chosen VPC design meets reliability, security, and cost expectations better than the alternatives.

Common SOA-C03 Traps

  • Watch for answers that deploy quickly but are hard to monitor or recover.
  • Questions in Monitoring, Logging, Analysis, Remediation, and Performance Optimization often include distractors that look correct for VPC but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two VPC implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Monitoring, Logging, Analysis, Remediation, and Performance Optimization (22%) outcomes for SOA-C03?
  • Can you explain security and access boundaries for VPC without relying on default-open assumptions?
  • Can you describe how VPC integrates with Route 53 and Load Balancing during failure, scaling, and monitoring events?
