AWS Certified Solutions Architect Professional - SAP-C02

By Webmaster Certland · English · 380 questions

Practice exam for the AWS Certified Solutions Architect - Professional (SAP-C02) certification. Covers organizational complexity design, new solution design, continuous improvement, and workload migration/modernization. 380 advanced scenario-based questions with detailed explanations.

Updated Mar 2026

Sample Questions — AWS Certified Solutions Architect Professional - SAP-C02

5 free sample questions from this practice exam. Correct answers are highlighted.

1. A large enterprise has 40 AWS accounts organized across 5 business units. Each business unit has its own VPCs in multiple AWS Regions. The network team requires full any-to-any connectivity between all VPCs within the same Region, centralized routing policy enforcement, and the ability to isolate traffic between business units. Which architecture best meets these requirements?

A Deploy one AWS Transit Gateway per Region, attach all VPCs, and create a separate Transit Gateway route table per business unit with appropriate association and propagation rules. ✓ Correct
B Establish VPC peering connections between every pair of VPCs across all 40 accounts, and use VPC route tables to enforce routing policy for each business unit.
C Use AWS PrivateLink endpoint services in each business unit's VPCs to allow inter-VPC communication, and enforce isolation through security group rules.
D Deploy one AWS Transit Gateway per Region with a single shared route table and use Network ACLs on each VPC subnet to enforce business unit isolation.

2. A company is connecting its on-premises data center to AWS using AWS Direct Connect. The connection must provide 10 Gbps of dedicated throughput. The network team wants to increase aggregate bandwidth to 20 Gbps and achieve link redundancy without managing multiple separate logical connections in BGP. Which Direct Connect feature should the solutions architect recommend?

A Provision two hosted connections of 10 Gbps each from an APN partner and configure them with a shared virtual interface.
B Create a Link Aggregation Group (LAG) that bundles two 10 Gbps dedicated connections at the same Direct Connect location into a single logical managed connection. ✓ Correct
C Provision two separate 10 Gbps dedicated connections with independent private virtual interfaces and configure BGP with equal-cost multipath routing (ECMP).
D Configure a Site-to-Site VPN over each Direct Connect connection and enable ECMP on the virtual private gateway to aggregate bandwidth.

3. An enterprise uses AWS Direct Connect to connect its on-premises data center to three AWS Regions. The company wants to use a single Direct Connect connection to access VPCs in all three Regions without establishing separate private virtual interfaces for each Region. Which AWS service enables this architecture?

A Attach a Transit Gateway in each Region to a shared Transit Gateway in the primary Region to extend the Direct Connect connection.
B Create VPC peering connections between VPCs in the three Regions so that on-premises traffic can reach all Regions through a single Direct Connect private virtual interface.
C Provision a Direct Connect Gateway and associate it with Virtual Private Gateways in each of the three Regions via a single private virtual interface on the Direct Connect connection. ✓ Correct
D Use AWS Global Accelerator to route on-premises traffic from the Direct Connect connection to VPCs in multiple Regions.

4. A company has an AWS Site-to-Site VPN connection using BGP dynamic routing between its on-premises router and an AWS Virtual Private Gateway. The network team reports that the VPN is routing all on-premises traffic to AWS, including internet-bound traffic, which is causing performance issues. The team wants only traffic destined for the VPC CIDR to traverse the VPN tunnel. Which configuration change resolves this issue?

A Configure an inbound BGP route policy on the customer gateway device to accept only the VPC CIDR prefix advertised by AWS and reject all other routes, including any default route. ✓ Correct
B Replace the BGP dynamic routing configuration with static routing on the Site-to-Site VPN and add only the VPC CIDR as a static route on the Virtual Private Gateway.
C Disable route propagation on the Virtual Private Gateway route tables to prevent AWS from advertising routes to the on-premises network.
D Add a second VPN tunnel to the Virtual Private Gateway and configure it as the primary path only for internet-bound traffic from on-premises.

5. A company needs to provide remote employees with access to internal AWS-hosted applications. The solution must support certificate-based mutual TLS authentication, allow employees to access only specific VPC resources based on their Active Directory group membership, and must not route employee internet traffic through the AWS environment. Which service and configuration meets all requirements?

A Configure AWS Site-to-Site VPN with certificate-based authentication and BGP route filters to restrict access based on Active Directory group membership.
B Deploy AWS Client VPN with Active Directory authentication and authorization rules per AD group, with full tunneling enabled to route all client traffic through the VPC.
C Use AWS Systems Manager Session Manager with IAM policies tied to Active Directory groups to provide per-resource access without routing internet traffic through AWS.
D Deploy AWS Client VPN with mutual certificate authentication using AWS Certificate Manager, configure authorization rules based on Active Directory groups, and enable split tunneling on the endpoint. ✓ Correct

Information

Questions 380
Time 3h
Difficulty Hard
Minimum Score 75.00%

