Combined Dumps

Q01: Which networking entity in the cloud infrastructure allows operators to run
commands to see BGP state, route tables, diagnostics, logs, etc.?
A) AWS VPC Implicit Router
B) Azure VNET Router
C) Google Cloud Router
D) Aviatrix Gateway

A01: D
Ref:

Q02: Which Aviatrix feature customer might leverage to help prevent connected
partners from affecting cloud routing when peered with dynamic routing protocols?
A) TGW Orchestrator
B) TGW Audit
C) BGP Route Approval
D) VPN Route Audit
A02: C
Ref:
- https://community.aviatrix.com/t/q6hxpyt/multi-cloud-transit-routing-and-networking
- Watch video "Feature Overview Part 1" - time stamp 24:35 - BGP Route Approval

Q03: AWS Global Accelerator is a service which allows direct connectivity between
AWS DirectConnect and Azure Express Route
A) False
B) True
A03: A
Ref:
- https://community.aviatrix.com/t/h7hxphg/aws-networking-and-security-101
- Global Accelerator: allows users to connect their remote branches to the closest
point in the AWS system.

Q04: AWS Security Group, Azure Network Security Group and GCP Firewall service by
default support FQDN-based firewall rules (e.g. www.yahoo.com) as a destination in
their configuration, to allow/block traffic to the specified domain.
A) AWS Security Group does, others not
B) GCP Firewall Service, others not
C) True
D) False
A04: False
Ref:
- Watch video "Feature Overview Part 1" - time stamp 30:45 -FQDN Egress Filter
- The answers are confusing. If either A or B is true then C cannot be, and that also
means the statement in the question is false, since not all CSPs provide the support.
- From the links below, we can see that Azure NSG does support FQDN.
- https://docs.aviatrix.com/HowTos/fqdn_faq.html
- https://docs.microsoft.com/en-us/azure/firewall/firewall-faq
- AWS SG does not resolve DNS
- https://stackoverflow.com/questions/33339057/can-i-add-dns-name-in-aws-security-group

Q05: In order for a customer to leverage Aviatrix FireNet to orchestrate the
deployment and insertion of NGFWs, customers must leverage Aviatrix gateways in the
spoke VPCs/VNets in order to program the necessary routing to insert the firewall
into the traffic flow?
A) True
B) False
A05: A*, B
Ref:
- https://community.aviatrix.com/t/y4hxdvy/firewall-network-firenet-faqs
- Watch video "Feature Overview Part 2" - time stamp 11:40
- Watch video "Feature Overview Part 2" - time stamp 24:00 onwards - Aviatrix
gateways are installed on all spokes.
- Dump says it's B (False)
- From the video, the understanding is that each spoke must have Aviatrix gateways to
communicate with FireNet if we need to leverage 70 Gbps and other benefits
- But the AWS TGW FireNet intro diagram shows that we can use the native constructs
(watch video "Feature Overview Part 2" - time stamp 14:20 onwards), though that is for
on-prem direct links

Q06: The feature in Aviatrix Controller that allows customers to see path between
two instances/AMI/EC2/VM (including, but not limited to Security Groups, ACLs,
Routes, etc.) is called:
A) FlightPath
B) Netflow
C) FlightControl
D) Network Connectivity Test
A06: A
Ref:
- https://community.aviatrix.com/t/q6hxbm1/operations-visibility-and-trouble-
shooting-in-the-public-cloud
- Watch video "Day 2 Operations" - time stamp 4:25 - FlightPath
- https://docs.aviatrix.com/HowTos/flightpath.html

Q07: Which elements are traversed on the path of a packet from the VM to the
Internet in AWS (Select the right order)
A) Route Table
B) Network Interface ENI
C) Network ACL
D) Security Group
E) Internet GW
A07: B,D,C,A,E
Ref:
- Watch video "AWS Networking 101" - time stamp 10:55
- Network Interface > Security Group > Network ACL > Route Table > Internet Gateway

Q08: In an Azure setup where all VNETs are directly peered (full-mesh) using VNET
peering
A) there are no real limitations for bandwidth
B) peering needs to be broken for VNET CIDR change
C) it is easy to insert a centralized FW
D) ExpressRoute Edge Router does the actual routing
A08: A, B
Ref:
- Watch video "Azure Networking 101" - time stamp 16:15
- As per the video there is no limitation on bandwidth, and peering needs to be broken
for a CIDR change

Q09: Azure supports Availability Zones in all its regions
A) True
B) False
A09: B
Ref:
- Watch video "Azure Networking 101" - time stamp 5:10
- Availability Zones don't exist in all regions

Q10: As per the cloud architecture best practices guidelines in Multi-Cloud Network
Architecture (MCNA), which component provides a consistent transit available in all
regions across all public cloud providers?
A) Cloud Operations Layer
B) Cloud Applications Layer
C) Cloud Transit Layer
D) Cloud Security Layer
A10: C
Ref:
- https://community.aviatrix.com/t/h7h3sta

Q11: As a Cloud Networking Consultant, you are reviewing a Microsoft Azure Virtual
WAN network design that will be used to connect several VNets branches, users and a
Data Center (using ExpressRoute). What are some known challenges with this design
pattern?
A) No support for multi-cloud
B) Lack of encryption within the cloud
C) Inability to selectively advertise routes
D) No support for BGP
E) No support for VPN Users
F) Inability to have default any to any connectivity
A11: A,B*,C
Ref:
- https://community.aviatrix.com/t/h7hxdf6/an-introduction-to-microsoft-azure
- Watch video "Azure Networking 101" - time stamp 17:50
- The video only describes two of the drawbacks among the options above, but another
video says that there is a lack of encryption within the cloud

Q12: Which Aviatrix solution lets customers connect and manage their branch Cisco
ISR routers to AWS or Azure without requiring any manual effort on branch routers
or replacement of equipment?
A) FlightPath
B) High Performance Encryption (Insane Mode)
C) Direct Connect
D) CloudWAN
A12: D
Ref:
- https://docs.aviatrix.com/HowTos/cloud_wan_faq.html?highlight=cloudWAN

Q13: The Aviatrix platform has several operational features and capabilities built in
to help network engineers perform day-to-day operational tasks.
Below, match the Aviatrix platform feature with the operational problem it
addresses.

1) Export to Terraform
2) Packet Capture
3) Ping and Traceroute
4) VPC Tracker

A) A feature that allows users to export their current Controller configurations
(resources) into Terraform files (.tf) and import them into their Terraform
environment, facilitating an easy transition to using Terraform to manage their
infrastructure.
B) Ability to take live packet capture at any spoke VPC/VNet/VNC and also display
it in Wireshark.
C) Ability to run basic troubleshooting tools from a simplified UI.
D) A tool that collects and helps you manage your network CIDR ranges at central
place, eliminating the need to keep an Excel sheet.

A13: 1-A, 2-B, 3-C, 4-D
Ref:
- https://docs.aviatrix.com/HowTos/vpc_tracker.html?highlight=VPC%20Tracker
- https://docs.aviatrix.com/HowTos/tf_export.html?highlight=Export%20to%20terraform
- https://docs.aviatrix.com/HowTos/Troubleshoot_Diagnostics.html?highlight=Packet%20Capture#packet-capture
- https://docs.aviatrix.com/HowTos/troubleshooting.html?highlight=Ping%20and%20Traceroute#network-traceroute

Q14: AWS Guard Duty automatically enforces its findings through the ingress routing
feature, blocking the traffic by default
A) False
B) True
A14: B
Ref:
- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html
- https://community.aviatrix.com/t/x2hxp2c/fqdnurl-based-egress-filtering-ingress-security
- Watch video "Feature Overview Part1" - time stamp 35:00 onwards - GuardDuty is
detection only; it cannot enforce rules.

Q15: Match the Azure transit option below to the description which best describes
it:

1) VNET Peering
2) Hairpinning through MSEE (Microsoft Enterprise Edge) routers
3) Using an NVA

A) While undocumented and not preferred by MSFT Product Groups, this is the most
common transit routing mechanism deployed by customers.
B) While the preferred option by the Microsoft Product Group, this option fails to
scale as customers grow due to the 1-to-1 mapping this method depends upon.
C) This method can provide more granular control, but UDR management at scale can
become problematic.

A15: 1-B, 2-A, 3-C
Ref:
- Watch video "Azure Networking 101" - time stamp 12:30 onwards

Q16: ACE Inc. has been using a 10 Gbps ExpressRoute connection into Microsoft Azure.
The security and compliance team has recently flagged this as a policy violation
because company data is going unencrypted over untrusted transport. What are the
encryption options available to ACE Inc. for connecting to Azure?
(Choose 2)
A) Data over ExpressRoute is encrypted by default
B) You can open a support ticket with Microsoft Azure to encrypt at 10 Gbps
C) Use Aviatrix High Performance Encryption over ExpressRoute to encrypt at 10 Gbps
line rate
D) Manually build IPSec tunnel from on-prem router to cloud over ExpressRoute to
achieve a reduced throughput of 1.2 Gbps
A16: C, D
Ref:
- https://docs.aviatrix.com/HowTos/insane_mode.html?highlight=High%20Performance%20Encryption

Q17: Aviatrix Controller allows customers to export Netflow data from all or select
Aviatrix Gateways to any Netflow collector on a custom port.
A) False
B) True
A17: B, A*
Ref:
- https://docs.aviatrix.com/HowTos/netflow.html?highlight=export%20netflow
- Dump says it's False (A)

Q18: A stateful firewall rule:
A) allows the return traffic implicitly
B) is another name for Azure Active Directory Firewall
C) requires explicit rule for the return traffic
D) alone can easily satisfy the enterprise security needs
A18: A
Ref:
- Watch video "AWS Networking 101" - time stamp 09:05 onwards, Security Groups are
stateful and don't require bidirectional rules
- https://network-insight.net/2014/12/stateful-firewall-traffic-flow-and-default-inspection/#:~:text=Stateful%20Firewalls%20keep%20state%20connections,flow%20if%20not%20its%20dropped.

Q19: As a Cloud Networking Consultant, you are reviewing a Microsoft Azure network
design that will be using Microsoft Azure ExpressRoute Edge routers as transit for
inter-VNet communication. What are some known challenges with the design pattern?
A) Multiple customers using same edge router may create noisy neighbor issues
B) Lack of visibility into traffic at the edge routers
C) No granular control to be able to route VNets selectively
D) All of the above
A19: D
Ref:
- Watch video "Azure Networking 101" - time stamp 14:15 onwards. Noisy neighbor

Q20: What native methods are available to configure public cloud networks using
Aviatrix?
(Choose 3)
A) PowerShell
B) UI (User Interface)
C) Terraform
D) REST API
E) Bash
A20: B,C,D
Ref:
- https://community.aviatrix.com/t/y4hh4ml/ace-associate-self-paced-learning-guidelines (Automation)

Q21: Which Aviatrix feature would help to not only provide this segmentation but
also decrease the complexity of this topology and routing configuration by
orchestrating life-cycle management of AWS Transit Gateways?
(Choose 2)
A) Aviatrix AWS TGW Encrypted Peering
B) Aviatrix TGW Orchestrator
C) Aviatrix Security Domain
D) Aviatrix Site-to-Cloud (S2C)
A21: B, C
Ref:
- https://docs.aviatrix.com/HowTos/tgw_faq.html?highlight=TGW
- The dump seems to be wrong in stating Encrypted Peering.
- Site2Cloud builds an encrypted connection between two sites over the Internet

Q22: Customers do not need to sign a separate licensing agreement with Aviatrix to
get started because the controller can be launched from any cloud provider's
marketplace (Pay-As-You-Go metering).
A) True
B) False
A22: A
Ref:
- https://docs.aviatrix.com/StartUpGuides/aviatrix_overview.html?highlight=marketplace#how-to-launch-aviatrix
- Online webinar slides clearly showed that only one controller is needed and that
there is no need to sign a separate license

Q23: Which AWS feature does Aviatrix integrate with to provide Public Subnet
Filtering for Ingress Internet Traffic to a VPC?
A) AWS GuardDuty
B) AWS Inspector
C) AWS WAF
D) AWS Shield
A23: A
Ref:
-

Q24: ACE Inc. had been using a standard marketplace router as an NVA (Network Virtual
Appliance) in the hub Virtual Network (VNet) for spoke-to-spoke communication. The
NVA has just been replaced by Azure Firewall.
Now the security operations team is reporting that the traffic between Virtual
Machines in the same VNet is working, however any inter-VNet traffic is being
dropped by the NSGs (Network Security Groups) at the destination. What could be the
possible reason?
A) Azure Firewall is blocking all the traffic
B) There is no route at the Azure Firewall
C) Azure Firewall is doing SNAT for inter-VNet traffic
D) BGP routes in UDR need to be updated
A24: C or D*
Ref:
- Watch video "Azure Networking 101" - time stamp 16:05 onwards - talks about SNAT
- Watch video "Azure Networking 101" - time stamp 17:05 onwards - talks about the NVA
option with UDRs

Q25: High-speed private connectivity from customer locations (data centers,
headquarters) to public cloud, such as AWS Direct Connect, Azure ExpressRoute,
Google Interconnect and OCI FastConnect, is encrypted by default?
A) True
B) False
A25: False
Ref:
-

Q26: An example of a Network Virtual Appliance (NVA) in Azure would include which
of the following?
A) UDR
B) Virtual Network Gateway (VNG)
C) Azure Load Balancer
D) Palo Alto Firewall
A26: D
Ref:
- Watch video "Azure Networking 101" - time stamp 8:36 onwards - a common NVA is
Palo Alto

Q27: When AWS Direct Connect, Azure ExpressRoute, Google Interconnect and OCI
FastConnect are encrypted without using Aviatrix High Performance Encryption, the
effective throughput is reduced to ____.
A) 1.25 Gbps
B) 10.25 Gbps
C) 5.25 Gbps
D) 525 Mbps
A27: A
Ref:
- Watch video "Feature Overview Part1" - time stamp 9:00 onwards - High Performance
Encryption 1.25 Gbps
- Watch video "Feature Overview Part1" - time stamp 27:30 onwards - IPSec tunnel
1.25 Gbps

Q28: What is/are the protocols supported by Aviatrix Site2Cloud Gateway?
A) UDP only
B) Both TCP and UDP
C) GRE
D) TCP Only
A28: B
Ref:
- Watch video "Feature Overview Part1" - time stamp 29:40 onwards - Supports both
UDP/TCP tunnel

Q29: Choose the two best statements that describe challenges of deploying a NextGen
Firewall (NGFW)
(Choose 2)
A) Reduced visibility due to NAT
B) Reduced effective throughput of the NGFW
C) Firewalls can only be deployed in Active/Active
D) Firewalls can only be deployed in Active/Standby
E) Reduced firewall feature availability
A29: A, D - (A, B*)
Ref:
- Watch video "Feature Overview Part 2" - time stamp 4:39 onwards, the last line of the
slide shows lack of visibility and reduced throughput
- And an IPSec-based firewall can still be deployed Active/Active, as mentioned in
the same video for the AWS solution

Q30: The IPSec tunnels terminating at AWS TGW/VGW, Azure VPN GW, and other native
VPN support interconnecting networks with overlapping IP ranges.
A) True
B) False
A30: B, A*
Ref:
- https://www.juniper.net/documentation/en_US/release-independent/nce/topics/concept/lan2lan-vpn-jseries-srx-series-overview.html
- https://docs.aviatrix.com/HowTos/overlapping_network_solutions.html?highlight=overlapping#scenario-2-multi-sites-overlap-in-tgw-deployment

Q31: One difference between Microsoft ExpressRoute circuits as compared to other
cloud providers' direct connect options is that ExpressRoute is always provisioned
as a redundant pair with two physical connections to the Microsoft Enterprise Edge
Routers (MSEE)?
A) False
B) True
A31: B
Ref:
- Watch video "Azure Networking 101" - time stamp 10:36 onwards - Always
provisioned with Dual Paths

Q32: You can peer AWS TGWs within a Region
A) True
B) False
A32: B
Ref:
- Watch video "Feature Overview Part1" - time stamp 17:45 onwards - can't peer AWS
Transit Gateways within a region

Q34: A few key differences between Aviatrix-based transit and other non-Aviatrix 3rd
party transit (such as Cisco CSR) are:
(Choose 2)
A) Aviatrix transit architecture lets you choose any instance size. Throughput will
depend on the instance size.
B) Cisco CSR based transit lets you choose any instance size. Throughput will
depend on the instance size characteristics.
C) Aviatrix based transit can do 1.25 Gbps encrypted throughput whereas Cisco CSR
can do up to 70 Gbps.
D) With default settings, Cisco CSR based transit can do 1.25 Gbps encrypted
throughput whereas Aviatrix can do up to 70 Gbps
A34: A, D
Ref:
- Watch video "Feature Overview Part1" - time stamp 28:45 onwards - can go up to 70
Gbps

Q35: An operator needs to create a new VPC, VCN or VNet using Aviatrix Controller.
Can the operator use Aviatrix VPC Tracker feature to validate potential
CIDR/Prefix/Address space duplication across multiple clouds?
A) True
B) False
A35: A
Ref:
- Watch video "Day 2 Operations" - time stamp 13:00 - VPC Tracker detects
overlapping CIDRs before creating a new one and keeps records across multiple clouds

Q36: AWS Public VIF for DirectConnect announces the CIDR ranges of the publicly
available AWS services. It advertises
A) all publicly-available services from the selected AWS region
B) the selected publicly-available services from the selected AWS region
C) the selected publicly-available services from all AWS regions
D) all publicly-available services from all AWS regions
A36: A
Ref:
- https://aws.amazon.com/premiumsupport/knowledge-center/public-private-interface-dx/
- Access publicly routable Amazon services in any AWS Region (except the AWS
China Region).

Q37: ACE Inc. has a VNet-A hosting Database services which is peered with several
app VNets. There is a new requirement to add another CIDR to VNet-A. How can you
prevent a database connectivity outage for all the peered VNets while performing
this task?
A) Use Powershell to update the VNet-A CIDR
B) You cannot add a CIDR to a VNet after it has been created
C) It's not possible to perform this action without an outage as you need to delete
all existing peering before new CIDR can be added
D) First modify peering routes for all the VNets to add the new CIDR and then add
the new CIDR to VNet-A
A37: D
Ref:
-

Q38: Choose two examples where you would leverage the Aviatrix Controller's S2C
(Site-2-Cloud) workflow?
(Choose 2)
A) Connect several telecommuting employees to cloud resources based on their
geographic location
B) Connect a partner directly to a VPC/VNET hosting your application
C) Connect your branch office to the cloud resources
D) Connect two branch offices directly to each other
A38: B, C
Ref:
-

Q39: ACE Inc. currently uses AWS as their primary cloud provider with a strong
desire to expand to Azure and GCP. IT team has strict security and control
requirements from different business units that require isolation and control from
each other. The different business units want
- to own their own transit architecture
- the ability to control firewall rules for their own application
- to not share same transit with other business units but have ability to connect
to other business units if needed.

The architecture board has mandated that there needs to be a single design pattern
that accommodates above requirements irrespective of the public cloud vendor being
used.

Choose the best design option to meet above needs. Each option presents a complete
solution.
A) Use AWS Transit Gateway (TGW). Deploy several TGWs in each region and peer them
together as needed. Use TGW VPN to build IPSec tunnels to Azure Virtual WAN and
Google Cloud VPN.
B)
C)
D)
A39: A
Ref:
- It's an incomplete question.

Q40: Aviatrix Controller provides a VPC Creator tool that allows customers to
create VPC, VNETs across multiple clouds like AWS, GCP, Azure and OCI from single
pane of glass.
A) True
B) False
A40: A
Ref:
- https://docs.aviatrix.com/HowTos/create_vpc.html#create-a-vpc
- https://docs.aviatrix.com/HowTos/config_FortiGate.html?highlight=VPC%20Creator#deploy-fortigate-instance-from-aws-marketplace

Q41: Operations team has noticed that during the peak working hours, Aviatrix
Gateway's throughput utilization stays around 80% of the current instance size. A
decision has been made to scale up the instance size to provide more throughput.
Which statement below accurately describes instance sizing of Aviatrix Gateways?
A) Aviatrix Gateways can scale down but not scale up
B) Aviatrix Gateways instance size has to be chosen at deployment and can't change
later
C) Aviatrix Gateways can scale up but not scale down
D) Aviatrix Gateways can scale up and down both
A41: D
Ref:
-

Q42: Choose two statements that best describe Aviatrix UserVPN/OpenVPN service.
A) Requires AWS NAT Gateway
B) Is limited to one Gateway per VPC/VNET
C) Can integrate with DUO for MFA
D) Can integrate with Active Directory
A42: C, D
Ref:
- https://docs.aviatrix.com/Support/support_center_openvpn_gateway.html?highlight=OpenVPN
- https://docs.aviatrix.com/HowTos/openvpn_faq.html?highlight=DUO#is-duo-multi-factor-authentication-supported (DUO)
- https://docs.aviatrix.com/HowTos/openvpn_faq.html?highlight=DUO#how-do-i-configure-ldap-authentication (LDAP/AD)

Q43: Using AWS Terraform provider, a customer created an AWS Transit Gateway with
50 VPCs attached to it. After attaching the VPCs and spinning up some EC2 instances
in them, none of the instances can communicate with each other. What should be done
to resolve the issue?
A) There must be security group rules blocking traffic as AWS auto configures VPC
routing tables
B) Configure BGP communities in VPC such that all VPCs that need to communicate with
each other have the same community defined
C) Create routing tables in each VPC, add CIDR for all the other VPCs in the
routing table pointing to AWS Transit Gateway
D) There must be security group rules blocking traffic as BGP in VPC auto
configures VPC routing tables
A43: A*, C
Ref:
- Watch video "AWS Networking 101" - time stamp 16:45 onwards, VPC routing needs to
be done manually.
- Dump says A, but the video seems to say C
- https://docs.aviatrix.com/TroubleshootingPlaybook/troubleshooting_playbook_aviatrix_gateway.html
(The troubleshooting guide just says to check the security group, nothing about
default routing)
- Check the Security Group which is attached to the Aviatrix Gateway.
Expect to have the rules below in the inbound rules by default:
Type: All traffic, Protocol: All, Port Range: 0-65535, Source: Custom: 'VPC CIDR'
Type: HTTPS, Protocol: TCP, Port Range: 443, Source: Custom: 'CONTROLLER'S PUBLIC IP'

Q44: Which Aviatrix Controller feature automates the configuration of AWS Transit
Gateway, VPC Route Tables, DirectConnect learned routes and Security Domain?
A) Aviatrix Site to Cloud (S2C)
B) Aviatrix High Performance Encryption (HPE)
C) Aviatrix Firewall Networks (FireNet)
D) Aviatrix AWS TGW Orchestrator
A44: D
Ref:
-

Q45: Match the issues of deploying firewalls in public cloud to the appropriate
problem statement

1) When using 3rd party NextGen FWs deployed in an Azure Hub VNet
2) When using native features of Google Cloud Platform and a 3rd party NextGen
Firewall is needed
3) When using AWS native Transit Gateway and a 3rd party NextGen Firewall is
deployed as Active/Active
4) When using AWS native Transit Gateway and a 3rd party NextGen Firewall is
deployed as Active/Standby

A) the general recommendation is to deploy a firewall in each VPC
B) scaling out of firewalls is not possible
C) throughput of each NextGen FW is limited to 500 Mbps
D) static routes are needed to manually redirect interesting traffic to load
balancers

A45: 1-B, 2-A, 3-C, 4-D
Ref:
- Watch video "Feature Overview Part 2" - time stamp 7:10 onwards, difficult
management - manual work for scale out required for Azure 3rd party
- Watch video "Feature Overview Part 2" - time stamp 9:10 onwards, difficult
management - Active/Standby requires manual route tables
- Watch video "Feature Overview Part 2" - time stamp 10:45 onwards, difficult
management - Active/Active 500 Mbps limitations

Q46: What is Aviatrix CoPilot?
A) A tool inside Aviatrix Controller to run FlightPath and other troubleshooting
aspects
B) A tool that is used to upgrade Aviatrix Controller and perform other maintenance
tasks
C) A component of the Aviatrix platform that provides end-to-end visibility showing
deployment overview, cloud topology and provides views based on Netflow data
D) A product that runs analytics and machine learning against the architecture
A46: C
Ref:
- https://docs.aviatrix.com/HowTos/copilot_overview.html?highlight=copilot

Q47: Aviatrix Gateways support NAT capability in which public cloud?
A) AWS
B) All the public Cloud listed here in the options
C) Google Cloud
D) Microsoft Azure
A47: B
Ref:
- https://docs.aviatrix.com/HowTos/gateway.html

Q48: The Aviatrix platform provides rich capabilities around networking, security and
operations in public cloud networks. In addition to Aviatrix Transit, it also helps
customers overcome limitations of native cloud constructs. Below, match the Aviatrix
platform capability for AWS Transit Gateway (TGW) with the appropriate problem
description.
1) AWS TGW Route Approval
2) AWS TGW View
3) AWS TGW Route Audit
4) AWS TGW List
5) AWS TGW and VPC route table orchestration

A) Customers are responsible for managing route tables at TGW and all the VPCs
which is huge administrative and technical overhead for customers.
B) Inability to have consolidated list of VPCs across AWS TGWs accounts, regions
with CIDRs, IDs etc.
C) If someone makes a mistake and inserts bad routes, manually or via automation
such as terraform, there is no ability to catch this common issue.
D) With multiple Transit Gateways and VPCs attached to them, there is a need for
visualization to map how VPCs and TGWs are connected.
E) When a route is advertised over BGP, this route is automatically propagated to
all VPCs. There needs to be an ability for the network engineers to approve the
route before it is propagated

A48: 1-E, 2-D, 3-C, 4-B, 5-A
Ref:
- The answers kind of make sense without any reference.

Q49: ACE Inc. needs to deploy a single consistent network infrastructure across AWS,
Azure, GCP and OCI using Aviatrix.
How many Aviatrix controllers will be needed?
A) 3
B) 2
C) 4
D) 1
A49: 1
Ref:
- Watch video "Case Study Multiple Region" - time stamp 5:40 onwards - The
architecture shows only one Aviatrix Controller for the multiple region
- Watch video "Feature Overview Part 1" - time stamp 2:50 onwards - You only need
one controller
- Watch video "Feature Overview Part 2" - time stamp 24:00 onwards - You only need
one controller

Q50: A customer has 100 VPCs in GCP that they want to be able to route between.
What are some of the solutions customers can use? Each option represents a complete
solution.
(Choose 2)
A) Google already provides global routing for inter-VPC traffic
B) Use Aviatrix Transit solution to connect the VPCs with a Transit VPC running
Aviatrix Gateways
C) Manually configure routing tables in each VPC
D) Use Google Routers
E) Build full mesh connectivity using VPC peering
A50: A, B*, (B, E)
Ref:
- Watch video "GCP Networking 101" - time stamp 5:30 onwards - implicit routing is
possible for VPCs in the same region
- BUT in the same video, 6:30 onwards, it is clarified that if VPCs are in different
regions then manual VPC Peering is required
- Webinar slides showed that for inter-VPC traffic Google doesn't offer routing and VPC
peering is required

Q51: ACE Inc. has a Direct Connect for their on-premise location to connect to AWS.
Security team has recently been notified of issues where employees and contractors
working from the on-premise location are using non-corporate (personal or public)
S3 buckets using ACE Inc.'s Direct Connect. This is overwhelming the Direct Connect
and also showing the source of traffic to these S3 buckets as ACE Inc. which has
potential compliance and security risks.

As a cloud architect, you are tasked with securing the Direct Connect for specific
ACE Inc. corporate S3 bucket access only.

Which Aviatrix feature can help ACE Inc. overcome this problem?

A) Aviatrix FlightPath
B) Aviatrix CoPilot
C) Aviatrix Private S3
D) Aviatrix Multi-Account Onboarding

A51: C
Ref:
- Watch video "Feature Overview Part 1" - time stamp 27:40 onwards - Aviatrix
Private S3

Q52: Customer has an Aviatrix Controller deployed in AWS and wants to back up the
Aviatrix Controller configuration. Where would the backup file be saved?
A) An S3 bucket
B) SFTP Server
C) On one of the Aviatrix Gateways
D) FTP Server
A52: A
Ref:
- Watch video "Day 2 Operations" - time stamp 11:50 onwards - We leverage S3 for
backup.

Q53: What is one of the limitations of Microsoft Azure ExpressRoute that becomes
more problematic in a Virtual WAN deployment with 'any-to-any' default connectivity
behavior?
A) BGP is not allowed over ExpressRoute when used with Virtual WAN
B) From Azure cloud, only 200 routes can be advertised to on-prem over a single
ExpressRoute Gateway
C) You have to use Microsoft Edge Routers as transit between VNets
D) Use of Azure Firewall is required
A53: C*, B*
Ref:
- Watch video "Azure Networking 101" - time stamp 14:00 onwards - ExpressRoute with
Edge Router
- https://docs.microsoft.com/en-us/azure/expressroute/expressroute-faqs#:~:text=There%20is%20a%20maximum%20of,be%20advertised%20to%20on%2Dpremises.
- The limitation is for VNet to on-prem private peering.

Q54: What are some limitations of using Public Cloud Provider's (AWS, Azure, GCP,
OCI) native VPN Gateways that network engineers must account for in their
deployments?
(Choose 2)
A) No support for NAT which becomes problematic in case of overlapping IPs and
connecting to (customer and partner) sites where IP allocation is out of your
administrative control
B) No support for Active/Active deployment
C) Inability to use common troubleshooting tools like ping, traceroute
D) Only support UDP
A54: A, C
Ref:
- Watch video "Feature Overview Part 2" - time stamp 27:40 onwards - Aviatrix
Private S3

Q55: An example of when you would use Aviatrix FlightPath is:
A) To insert Firewall into traffic path between 2 VPCs
B) To connect your branch office to the cloud resources
C) To view controller logs
D) To troubleshoot connectivity between EC2 instances in 2 AWS VPCs
A55: D
Ref:
-

Q56: Choose the best definition for Firewall Network (FireNet)?
A) Aviatrix turnkey solution to scalably deploy firewall instances in the cloud
B) Azure functionality to deploy 3rd party firewalls in a VPC
C) AWS functionality to deploy 3rd party firewalls in a VPC
D) GCP functionality to deploy 3rd party firewalls in a VPC
A56: A
Ref:
-

Q57: What is a challenge of using ExpressRoute Edge Routers as transit to
interconnect VNets in Azure?
A) Not recommended by Microsoft Product Group / not officially documented
B) BW limited by ExpressRoute Gateway SKU
C) Limited control of routing propagation
D) All of the above
A57: D
Ref:
- Watch video "Azure Network 101" - time stamp 12:35 onwards - Limitation of Azure
ExpressRoute
- SKU at 14:45 onwards

Q58: ACE Inc. is currently using AWS Transit Gateway (TGW) with 100 VPCs attached to
it from different security domains.

These 100 VPCs are used as follows:
- 20 VPCs belong to Production,
- 40 VPCs belong to Development,
- 20 are part of UAT and
- 20 VPCs are for shared services and miscellaneous common needs.

ACE Inc. requirements are to:
- provide network and traffic segmentation between Prod, Development, UAT VPCs such
that there is no traffic between VPCs belonging to different domains
- allow all VPCs in each domain to communicate with each other
- allow every VPC access to shared services VPCs

Which Aviatrix feature would help to not only provide this segmentation but also
decrease the complexity of this topology and routing configuration by orchestrating
life-cycle management of AWS Transit Gateways?
(Choose 2)
A) Aviatrix AWS-TGW Encrypted Peering
B) Aviatrix TGW Orchestrator
C) Aviatrix Security Domain
D) Aviatrix Site-to-Cloud (S2C)
A58: B,C (A*)
Ref:
-

Q59: Match the terminology to the appropriate Public Cloud provider

1) GuardDuty
2) VPC Global Routing
3) Virtual Network (VNet)

A) Google Cloud
B) AWS
C) Microsoft Azure
A59: 1-B, 2-A, 3-C
Ref:
-

Q60: Can the Aviatrix platform help you interconnect VPCs/VNets/VCNs with
overlapping IP address ranges?
A) Yes, using standard encrypted peering
B) Yes, using S2C (Site-to-Cloud)
C) Yes, using FlightPath
D) No
A60: B
Ref:
-

Q61: What are the connectivity options for customers to access Azure?
A) Internet only
B) VPN and Express Route
C) Internet VPN, and DirectConnect
D) Internet, VPN, ExpressRoute
A61: D
Ref:
-

Q62: Choose the correct behavior around software upgrade and security patching of the
Aviatrix Platform
A) Aviatrix platform offers hitless upgrades
B) Aviatrix platform software upgrade requires long downtime
C) Security patching of the Aviatrix platform always requires a version upgrade for
the entire deployment
D) Security patching of the Aviatrix platform can be done without requiring a version
upgrade of the entire platform
A62: A, D
Ref:
- Watch video "Day 2 Operations" - time stamp 18:30 onwards - hitless upgrade,
patch

Q63: ACE Inc. has 50 VPCs in AWS with applications that need access to SaaS
services on the internet using pre-defined FQDNs. The current deployment has AWS NAT
instances deployed that allow full internet access.
ACE Inc.'s security team has mandated that these applications should only be
allowed access to pre-approved FQDNs.
You have been tasked to solve this problem considering the following three goals:
1. Solution must be easy to implement
2. The same URL definitions can be used for multiple applications
3. Keep the cost down

A) Deploy a WAF solution
B) Deploy a NGFW firewall in each VPC
C) Deploy Aviatrix Gateways to perform FQDN filtering
D) Configure NAT policies on the AWS NAT instance
A63: C
Ref:
-

Q64: Private, Public, Transit VIFs (Virtual Interfaces) are terms related to
which...
A) Azure ExpressRoute
B) AWS Virtual Private Gateway (VGW)
C) AWS DirectConnect
D) AWS Transit Gateway
A64: C
Ref:
-

Q65: Azure Firewall (native service):
A) Performs Load Balancing and SNAT Automatically
B) Handles UDR updates and route propagation for all the peered spoke VNets
C) Is encrypting the traffic in transit
D) By default provides Malware Protection, IDS (Intrusion Detection) and IPS
(Intrusion Prevention)
A65: A
Ref:
- Watch video "Azure Network 101" - time stamp 6:25 onwards - one good thing is that
SNAT is enabled by default on Azure Firewall only
- Dump says D, but the slide in the video clearly shows that there is no IDS/IPS in
native Azure Firewall

Q66: What is an Availability Zone?
A) A technology developed for Multi Cloud for automatic moving of resources between
DC and Cloud regions
B) A zone provided by Cloud Service Providers (CSP) that is available to multiple
regions across the globe to deploy
C) Grouping of many on-prem data centers within a geographic area to provide
regional service availability
D) Distinct location within the cloud provider's network that is engineered to be
isolated from failures of other such
A66: D
Ref:
- Watch video "Networking Principles In the Cloud" - time stamp 6:44 onwards - AZ -
distinct location
