Question 1

Which of the following technologies should be used by a person who is visually impaired to access data from the cloud?

Accepted Answer

B

Explanation: Text-to-voice, also known as text-to-speech (TTS), is an assistive technology that converts digital text into synthesized speech. For a person who is visually impaired, this is a fundamental technology for accessing digital information, including data stored in the cloud. Applications and operating systems use TTS engines, often as part of a screen reader, to read aloud on-screen text, menus, and documents, thereby enabling non-visual interaction with the user interface and content. Cloud services often provide TTS APIs to build accessible applications.

Question 2

Which of the following migration types is best to use when migrating a highly available application, which is normally hosted on a local VM cluster, for usage with an external user population?

Accepted Answer

C

Explanation: The scenario describes an application currently hosted on a "local VM cluster," which is an on-premises environment. The goal is to migrate it to better serve an "external user population." Migrating from an on-premises data center to a public or hybrid cloud environment is the standard approach to achieve greater scalability, high availability, and global accessibility for external users. This process is defined as an on-premises-to-cloud migration, often referred to as Physical-to-Cloud (P2C) or Virtual-to-Cloud (V2C). The cloud's inherent internet-facing infrastructure and distributed nature make it the ideal target for this requirement.

Question 3

Which of the following describes the main difference between public and private container repositories?

Accepted Answer

A

Explanation: The fundamental difference between public and private container repositories is access control. Public repositories, such as those on Docker Hub, are accessible to anyone on the internet for pulling images without requiring authentication. Private repositories are restricted; a user must first authenticate (prove their identity) and then be authorized (have the correct permissions) to access the images within it. This mechanism is essential for organizations to securely store and manage proprietary or sensitive application images, ensuring they are not exposed to the public.

Question 4

A cloud engineer needs to migrate an application from on premises to a public cloud. Due to timing
constraints, the application cannot be changed prior to migration. Which of the
following migration strategies is best approach for this use case?

Accepted Answer

D

Explanation: Rehosting, commonly known as "lift and shift," is the migration strategy of moving an application from its on-premises environment to a cloud IaaS platform with minimal or no modification. This approach is the fastest way to migrate because it does not require changes to the application's architecture or code. Given the strict constraints that the application cannot be changed and the migration must happen quickly, rehosting is the only suitable strategy. It allows the organization to meet its deadline by essentially replicating the existing environment in the cloud.

Question 5

A company wants to create a few additional VDIs so support vendors and contractors have a secure
method to access the company's cloud environment. When a cloud
administrator attempts to create the additional instances in the new locations, the operation is
successful in some locations but fails in others. Which of the following is the
most likely reason for this failure?

Accepted Answer

C

Explanation: Cloud providers impose service quotas or limits on the number of resources an account can provision within a specific region. When a cloud administrator attempts to create new resources, such as VDI instances, the request will fail if the account has already reached its predefined limit for that resource type (e.g., vCPUs, virtual machines) in that particular region. Since quotas are typically managed on a per-region basis, this explains why the creation is successful in some locations (where the quota has not been met) but fails in others (where the quota has been exceeded). This is a common operational constraint in cloud environments.

Question 6

Which of the following cloud-native architecture designs is the most easily maintained, decentralized, and decoupled?

Accepted Answer

D

Explanation: Microservices is an architectural style that structures an application as a collection of small, autonomous, and loosely coupled services. Each service is self-contained, runs its own process, and communicates with others through well-defined APIs. This inherent modularity allows individual services to be developed, deployed, and maintained independently without impacting the entire system. This design directly promotes decentralization (no single point of control), decoupling (minimal dependencies), and easier maintenance, as changes are isolated to specific services. This contrasts sharply with monolithic architectures, which are centralized and tightly coupled.

Question 7

An organization's internal security team mandated that public cloud resources must be accessible
only by a corporate VPN and not by direct public internet access. Which of the
following would achieve this objective?

Accepted Answer

C

Explanation: A Virtual Private Cloud (VPC) provides a logically isolated section of a public cloud, allowing an organization to define and control its own virtual network. To meet the requirement, an administrator can configure the VPC without a direct connection to the public internet (e.g., by not attaching an Internet Gateway). Instead, a VPN Gateway can be configured on the VPC to establish a secure, private connection to the corporate network. This architecture ensures that all traffic to and from the cloud resources must traverse the corporate VPN, effectively blocking direct public internet access and fulfilling the security mandate.

Question 8

A bank informs an administrator that changes must be made to backups for long-term reporting
purposes. Which of the following is the most important change the administrator
should make to satisfy these requirements?

Accepted Answer

C

Explanation: The key phrase in the scenario is "long-term reporting purposes," which is a direct reference to data retention requirements. In highly regulated industries like banking, there are legal and compliance mandates (e.g., SOX, FINRA, Basel II/III) that specify the minimum duration for which financial records and related data must be stored. Therefore, adjusting the backup retention policy to ensure data is kept for the required number of years is the most critical change to meet these long-term obligations for auditing and reporting.

Question 9

A company's content management system (CMS) service runs on an laaS cluster on a public cloud.
The CMS service is frequently targeted by a malicious threat actor using DDoS.
Which of the following should a cloud engineer monitor to identify attacks?

Accepted Answer

A

Explanation: A Distributed Denial of Service (DDoS) attack is fundamentally a network-based attack designed to overwhelm a target with a massive volume of traffic from multiple sources. Network flow logs capture metadata about all IP traffic traversing a network interface, including source/destination IP addresses, ports, protocols, and the volume of packets/bytes. By monitoring and analyzing these logs, a cloud engineer can identify the characteristic signatures of a DDoS attack, such as an abnormally high volume of traffic from a large number of disparate IP addresses targeting the CMS service. This provides the necessary network-level visibility to detect the attack in its early stages.

Question 10

A cloud engineer needs to integrate a new payment processor with an existing e-commerce website. Which of the following technologies is the best fit for this integration?

Accepted Answer

C

Explanation: A REST (Representational State Transfer) API (Application Programming Interface) is the industry-standard architectural style for integrating web services. For an e-commerce site to communicate with a payment processor, it needs a secure, scalable, and stateless method. REST APIs use standard HTTP methods (like POST for submitting payment data) and are designed for this type of client-server interaction. Encapsulating the communication within HTTPS (HTTP Secure) ensures that sensitive payment information is encrypted in transit, which is a critical security requirement for handling financial data. This combination provides a robust, secure, and widely supported solution for this integration task.

Question 11

You are a cloud engineer working for a cloud service provider that is responsible for an IaaS offering. Your customer, who creates VMs and manages virtual storage, has noticed I/O bandwidth issues and low IOPS (under 9000). Your manager wants you to verify the proper storage configuration as dictated by your service level agreement (SLA). The SLA specifies: . Each SFP on the hypervisor host must be set to the maximum link speed allowed by the SAN array. . All SAN array disk groups must be configured in a RAID 5. . The SAN array must be fully configured for redundant fabric paths. . IOPS should not fall below 14000 INSTRUCTIONS Click on each service processor to review the displayed information. Then click on the drop-down menus to change the settings of each device as necessary to conform to the SLA requirements. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Cloud+_CV0-004/page_132_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Cloud+_CV0-004/page_133_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Cloud+_CV0-004/page_134_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Cloud+_CV0-004/page_134_img_2.jpg

Accepted Answer

SET SLOT A FIBER CHANNEL CARD, PORT 1 LINK SPEED TO 8 GBPS.

SET SLOT A FIBER CHANNEL CARD, PORT 2 LINK SPEED TO 8 GBPS.

SET SLOT B FIBER CHANNEL CARD, PORT 1 LINK SPEED TO 8 GBPS.

SET SLOT B FIBER CHANNEL CARD, PORT 2 LINK SPEED TO 8 GBPS.

Explanation: The Service Level Agreement (SLA) mandates that each hypervisor SFP must match the maximum link speed of the SAN array . By inspecting the service processors, we see the SAN array's ports are operating at 8 Gbps . The hypervisor's ports were initially misconfigured to 16 Gbps, creating a link speed mismatch. This mismatch prevented successful link negotiation, which is why Service Processor A had "no initiators currently logged in." This failure breaks the required path redundancy, halves the available I/O bandwidth, and causes the observed low IOPS. Adjusting all four hypervisor ports to 8 Gbps resolves the configuration conflict, restores redundant paths to both service processors, and meets the performance and SLA requirements.

Question 12

HOTSPOT A highly regulated business is required to work remotely, and the risk tolerance is very low. You are tasked with providing an identity solution to the company cloud that includes the following: secure connectivity that minimizes user login tracks user activity and monitors for anomalous activity requires secondary authentication INSTRUCTIONS Select controls and servers for the proper control points. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Cloud+_CV0-004/page_73_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Cloud+_CV0-004/page_73_img_2.jpg

Accepted Answer

FIRST CONTROL: SSO

SECOND CONTROL: MFA

SERVER: SIEM

Explanation: This configuration correctly implements the required security layers for a low-risk tolerance identity solution. SSO (Single Sign-On): This control addresses the requirement to minimize user logins . It allows authenticated users to access multiple applications and resources within the cloud environment without needing to log in repeatedly. MFA (Multi-Factor Authentication): This control fulfills the need for secondary authentication . It enhances security by requiring users to provide two or more verification factors, making it significantly harder for unauthorized users to gain access. SIEM (Security Information and Event Management): This server is essential to track user activity and monitor for anomalies . A SIEM system collects, aggregates, and analyzes log data from across the network, including authentication events from SSO and MFA, to detect and alert on suspicious behavior.

Question 13

HOTSPOT An e-commerce company is migrating from an on-premises private cloud environment to a public cloud IaaS environment. You are tasked with right-sizing the environment to save costs after the migration. The company's requirements are to provide a 20% overhead above the average resource consumption, rounded up. INSTRUCTIONS Review the specifications and graphs showing resource usage for the web and database servers. Determine the average resource usage and select the correct specifications from the available drop- down options. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Cloud+_CV0-004/page_58_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Cloud+_CV0-004/page_59_img_1.jpg

Accepted Answer

WEB SERVER

CPU: 1 VCPU

RAM: 4GB

DISK SPEED: 10MBPS

DATABASE SERVER

CPU: 4 VCPU

RAM: 16GB

DISK SPEED: 110MBPS

Explanation: The process involves calculating the average usage for each resource, adding a 20% overhead, and selecting the smallest available specification that meets the new requirement. CPU: The average CPU usage is 16.57% of 4 vCPUs, which is 0.66 vCPUs. With a 20% overhead, the requirement is $0.66 imes 1.20 = 0.79$ vCPUs. The smallest option is 1 vCPU . RAM: Average RAM usage is 15% of 16GB, which is 2.4GB. With a 20% overhead, the requirement is $2.4 ext{GB} imes 1.20 = 2.88 ext{GB}$. The smallest option is 4GB . Disk: Average disk throughput is 4.43 MBps. With a 20% overhead, the requirement is $4.43 imes 1.20 \approx 5.32$ MBps. The smallest option is 10MBps . Following the same right-sizing methodology as the web server: CPU: The average CPU usage is 65.57% of 4 vCPUs, which is 2.62 vCPUs. With a 20% overhead, the requirement is $2.62 imes 1.20 \approx 3.15$ vCPUs. The best-fit option is 4 vCPU . RAM: Average RAM usage is 80% of 16GB, which is 12.8GB. With a 20% overhead, the requirement is $12.8 ext{GB} imes 1.20 = 15.36 ext{GB}$. The smallest available option that meets this is 16GB . Disk: Average disk throughput is 86.71 MBps. With a 20% overhead, the requirement is $86.71 imes 1.20 \approx 104.05$ MBps. The next available tier is 110MBps .

Question 14

A company has decided to scale its e-commerce application from its corporate datacenter to a commercial cloud provider to meet an anticipated increase in demand during an upcoming holiday. The majority of the application load takes place on the application server under normal conditions. For this reason, the company decides to deploy additional application servers into a commercial cloud provider using the on-premises orchestration engine that installs and configures common software and network configurations. The remote computing environment is connected to the on-premises datacenter via a site-to-site IPSec tunnel. The external DNS provider has been configured to use weighted round-robin routing to load balance connections from the Internet.

During testing, the company discovers that only 20% of connections completed successfully.

INSTRUCTIONS

Review the network architecture and supporting documents and fulfill these requirements:

Part 1:

Analyze the configuration of the following components: DNS, Firewall 1, Firewall 2, Router 1, Router

2, VPN and Orchestrator Server.

Identify the problematic device(s).

Part 2:

Identify the correct options to provide adequate configuration for hybrid cloud architecture.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All

button.

Part 1:

Cloud Hybrid Network Diagram

Part 2:

Only select a maximum of TWO options from the multiple choice question

Accepted Answer

PART 1:

PROBLEMATIC DEVICE IDENTIFICATION

PART 2: SOLUTION

UPDATE THE PSK (PRE-SHARED KEY) IN ROUTER 2.

DEPLOY A REPLICA OF THE DATABASE SERVER IN THE CLOUD PROVIDER.

Explanation: Part 1: The problematic devices are Router 1 and Router 2 , which are failing to establish a stable Site-to-Site IPsec VPN tunnel. This failure is due to two specific misconfigurations: Mismatched Pre-Shared Keys (PSK): Router 1 is configured with the PSK Cloud001 , while Router 2 is configured with Cloud002 . For a successful IKE Phase 1 negotiation, the PSKs on both VPN gateways must be identical. Incorrect Remote Network on Router 1: The VPN configuration for Router 1 incorrectly defines the remote "Address Space" as 10.1.1.0/24 , which is its own local network. It should be configured to route for the remote cloud network, 10.1.2.0/24 . The consequence of this failed VPN connection is that the application servers in the cloud ( 10.1.2.0/24 network) cannot communicate with the database server in the on-premises datacenter ( 10.1.1.0/24 network), causing the 80% of user sessions routed to the cloud to fail. Part 2: The selected options resolve the issue through two different strategies. Fixing the VPN Connectivity: Updating the PSK on Router 2 to match Router 1 ( Cloud001 ) is a required step to correct the IPsec tunnel configuration. A mismatched PSK is a fundamental error that prevents the VPN tunnel from being established. Architectural Improvement: Deploying a database replica in the cloud is a strategic solution that resolves the application failure by removing the real-time dependency on the cross-site VPN connection for database queries. This is a common best practice in hybrid cloud architectures to improve application performance, increase resilience, and reduce data transfer latency. By placing a database replica close to the cloud application servers, the application can function even if the VPN tunnel is unstable or has high latency. These two actions combined ensure both the immediate connectivity issue is addressed and the long-term architectural stability of the hybrid application is improved.

Question 15

A company hosts various containerized applications for business uses. A client reports that one of its routine business applications fails to load the web-based login prompt hosted in the company cloud. Click on each device and resource. Review the configurations, logs, and characteristics of each node in the architecture to diagnose the issue. Then, make the necessary changes to the WAF configuration to remediate the issue. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Cloud+_CV0-004/page_60_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Cloud+_CV0-004/page_61_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Cloud+_CV0-004/page_61_img_2.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Cloud+_CV0-004/page_61_img_3.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Cloud+_CV0-004/page_61_img_4.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Cloud+_CV0-004/page_62_img_1.jpg

Accepted Answer

CHANGE THE ACTION FOR RULE ID 1006 FROM BLOCK TO ALLOW.

Explanation: The user's inability to access the web-based login prompt points to a misconfiguration in the Web Application Firewall (WAF). The finance application ( FIN ) is hosted on webapp1 as per its service details. Upon reviewing the WAF configuration, Rule ID 1006 is specifically configured to Block traffic destined for the URL ^https://webapp[1].jcompita[.]org/login[.]html$ . This rule is the direct cause of the login page failing to load. Changing the action for this specific rule from Block to Allow will permit traffic to the login page and resolve the client's access issue.

Free COMPTIA Cloud+ CV0-004 Actual Exam Questions