Free CompTIA CloudNetX CNX-001 Actual Exam Questions

D and B make sense since logging tracks issues and disabling unused services cuts risks.

Disabling unused services definitely lowers risk by shutting down possible exploits. Pairing that with enabling logging makes sense to catch any weird activity early on. Firmware updates could be tricky depending on policies.

I’d check the routing table too—maybe traffic to App A’s IP is getting misrouted or dropped before hitting the VM subnet. NSGs aren’t the only place where connectivity can break.

If workstations can reach Server B but not App A, NSG rules on the VM subnet might be blocking those

I agree with the general breakdown but want to add that the core layer usually doesn’t deal directly with VLANs or security policies—it’s more about fast, reliable transport. So if one device is mostly routing and applying security controls, it’s probably distribution. Also, access layers are typically where you see end devices connected, with port security or 802.1X features enabled. If any of the devices show those commands or role-based access control configs, that helps confirm access layer. So double-check those details in the output to make sure the labeling matches these roles.

A seems like access, since it probably connects end-user devices directly.

B imo, BLE is designed for indoor positioning and can easily meet the 5ft accuracy requirement. SSID and IoT are too broad or indirect, and NFC’s range is way too short for this use case.

B/C? BLE definitely fits the precision and range needed here, plus it supports continuous tracking without requiring direct user interaction. NFC’s range is too limited for anything beyond point-of-contact interactions, so it seems unlikely to cover all these use cases. IoT is more of an umbrella term for connected devices, not a specific tracking tech. SSID doesn’t provide location info. So between B and C, BLE makes more sense given the proximity accuracy and practical implementation in stadiums.

B imo, since TACACS+ is mainly for device admin access, not user Wi-Fi auth. For network access and tying into Active Directory on Wi-Fi, RADIUS is the typical go-to.

RADIUS is the standard for Wi-Fi authentication with Active Directory integration.

D, since it's designed to store all types of data for analytics at scale.

It’s D because relational databases (A) can’t efficiently handle the massive, varied data from global apps like a data lake can. The other options don’t fit the logging and monitoring use case either.

It’s B because if the database server’s firewall wasn’t updated for the new subnet, it might block connections even if IPs look right. That’s an easy miss after changing subnets.

Maybe D. The web server’s IP is outside the 10.10.10.64/27 subnet range, so it probably can’t route traffic correctly to the database server at 10.10.10.93.

A imo, knowledge base articles often have the most current and detailed info on specific application setups, especially right after a migration when things might not yet be fully reflected in official databases. CMDBs are ideal for structured dependency mapping but can lag behind real-time changes. Since they’re asking about dependencies between app and database tiers, the internal knowledge base might capture those nuances better than the CMDB if it’s not fully updated for the cloud environment yet. Plus, things like SOW or physical diagrams don’t really cover those relationships directly.

I think B is still the best call because a CMDB is designed specifically to map out relationships between components, including apps and databases, unlike the other options that don’t track dependencies clearly.

B imo, because having the author’s code reviewed directly tackles mistakes before they hit production, especially if CI/CD isn’t fully set up yet. It’s a simple step that can catch errors early.

D, automation in CI/CD ensures consistent checks before deployment.

D is not needed because blocking outbound traffic to everywhere isn’t required here. A for allowing specific server access inside the cloud and C for denying external inbound traffic makes the most sense.

A/C? A is necessary for access between the servers. C denies all inbound traffic from outside, which fits the requirement to block external inbound traffic without messing with internal flows.

It’s C because throttling controls usage per customer, keeping access balanced without extra infrastructure.

It’s C for me. Throttling ensures no single customer can overload the system, so everyone gets fair access without needing to throw more money at extra VMs. Increasing VMs (B) can get pricey and might not solve fairness if some users still abuse the system. Also, changing MTU (D) won’t help with fairness or slowdowns caused by too many requests. An allow list (A) could block some users but isn’t really “fair” access. So throttling is the most cost-effective way to keep things balanced during peak times.

A/B? Since they’re using the same channel now, switching to different ones with minimal overlap should help. A’s channels (1, 2, 3) are too close and will overlap a lot, causing interference. B’s channels (2, 4, 9) are spaced out better than A but still not ideal because 2 and 4 overlap. C’s channels (1, 6, 11) are well-known non-overlapping choices, but since that’s already mentioned a lot, B could be considered if C is somehow not allowed. D’s channels overlap too much. So, if C isn’t an option for some reason, B might be a secondary choice.

C, only those three channels avoid overlap in 2.4 GHz Wi-Fi.

D. Since the goal is to limit access based on geographic location, geo-restriction is the most direct and effective method. WAF rules mainly handle threats and traffic patterns, not location-based blocking. NAT gateway or CDN won’t restrict where users connect from either, so they’re irrelevant here. Geo-restriction is designed for precisely this use case.

A/D? WAF rules might need tuning if geo blocks aren’t working as expected.

It’s C because relying on two different suppliers for Direct Connect avoids vendor lock-in and single points of failure, which is crucial for meeting strict reliability and availability requirements.

B/C? If the VPN backup is reliable enough, B’s simpler setup might be enough for high availability. But if the regulations are strict about avoiding any single vendor risk, C seems safer with two different suppliers.

A and C, since roles limit access and a small subnet hints at segmenting the network.

A imo, role-based access is all about least privilege. For the subnet part, C fits since restricting to a small subnet is a basic form of microsegmentation, even if not super detailed here.