
AWS Certified Solutions Architect - Professional (SAP-C02) - 340 Questions

By Webmaster Certland

Prepare for the AWS Certified Solutions Architect – Professional (SAP-C02) exam with 340 advanced practice questions covering all 4 official domains. This question bank validates expert-level skills in designing complex, large-scale distributed systems on AWS. Topics include organizational complexity management, new solutions design, continuous improvement of existing solutions, and accelerating workload migration and modernization using services such as AWS Organizations, Transit Gateway, Control Tower, CloudFormation, and multi-region architectures. SAP-C02 is the most prestigious architect-level AWS certification, designed for experienced cloud architects leading enterprise cloud transformation initiatives. On CertLand, each question reflects the depth and scenario complexity of the official SAP-C02 exam.


👁️ Free Preview (5 of 340 questions)

1. A large enterprise has 40 AWS accounts organized across 5 business units. Each business unit has its own VPCs in multiple AWS Regions. The network team requires full any-to-any connectivity between all VPCs within the same Region, centralized routing policy enforcement, and the ability to isolate traffic between business units. Which architecture best meets these requirements?

A Deploy one AWS Transit Gateway per Region, attach all VPCs, and create a separate Transit Gateway route table per business unit with appropriate association and propagation rules.
B Establish VPC peering connections between every pair of VPCs across all 40 accounts, and use VPC route tables to enforce routing policy for each business unit.
C Use AWS PrivateLink endpoint services in each business unit's VPCs to allow inter-VPC communication, and enforce isolation through security group rules.
D Deploy one AWS Transit Gateway per Region with a single shared route table and use Network ACLs on each VPC subnet to enforce business unit isolation.

2. A company is connecting its on-premises data center to AWS using AWS Direct Connect. The connection must provide 10 Gbps of dedicated throughput. The network team wants to increase aggregate bandwidth to 20 Gbps and achieve link redundancy without managing multiple separate logical connections in BGP. Which Direct Connect feature should the solutions architect recommend?

A Provision two hosted connections of 10 Gbps each from an APN partner and configure them with a shared virtual interface.
B Create a Link Aggregation Group (LAG) that bundles two 10 Gbps dedicated connections at the same Direct Connect location into a single logical managed connection.
C Provision two separate 10 Gbps dedicated connections with independent private virtual interfaces and configure BGP with equal-cost multipath routing (ECMP).
D Configure a Site-to-Site VPN over each Direct Connect connection and enable ECMP on the virtual private gateway to aggregate bandwidth.

3. An enterprise uses AWS Direct Connect to connect its on-premises data center to three AWS Regions. The company wants to use a single Direct Connect connection to access VPCs in all three Regions without establishing separate private virtual interfaces for each Region. Which AWS service enables this architecture?

A Attach a Transit Gateway in each Region to a shared Transit Gateway in the primary Region to extend the Direct Connect connection.
B Create VPC peering connections between VPCs in the three Regions so that on-premises traffic can reach all Regions through a single Direct Connect private virtual interface.
C Provision a Direct Connect Gateway and associate it with Virtual Private Gateways in each of the three Regions via a single private virtual interface on the Direct Connect connection.
D Use AWS Global Accelerator to route on-premises traffic from the Direct Connect connection to VPCs in multiple Regions.

4. A company has an AWS Site-to-Site VPN connection using BGP dynamic routing between its on-premises router and an AWS Virtual Private Gateway. The network team reports that the VPN is routing all on-premises traffic to AWS, including internet-bound traffic, which is causing performance issues. The team wants only traffic destined for the VPC CIDR to traverse the VPN tunnel. Which configuration change resolves this issue?

A Configure an inbound BGP route policy on the customer gateway device to accept only the VPC CIDR prefix advertised by AWS and reject all other routes, including any default route.
B Replace the BGP dynamic routing configuration with static routing on the Site-to-Site VPN and add only the VPC CIDR as a static route on the Virtual Private Gateway.
C Disable route propagation on the Virtual Private Gateway route tables to prevent AWS from advertising routes to the on-premises network.
D Add a second VPN tunnel to the Virtual Private Gateway and configure it as the primary path only for internet-bound traffic from on-premises.

5. A company needs to provide remote employees with access to internal AWS-hosted applications. The solution must support certificate-based mutual TLS authentication, allow employees to access only specific VPC resources based on their Active Directory group membership, and must not route employee internet traffic through the AWS environment. Which service and configuration meets all requirements?

A Configure AWS Site-to-Site VPN with certificate-based authentication and BGP route filters to restrict access based on Active Directory group membership.
B Deploy AWS Client VPN with Active Directory authentication and authorization rules per AD group, with full tunneling enabled to route all client traffic through the VPC.
C Use AWS Systems Manager Session Manager with IAM policies tied to Active Directory groups to provide per-resource access without routing internet traffic through AWS.
D Deploy AWS Client VPN with mutual certificate authentication using AWS Certificate Manager, configure authorization rules based on Active Directory groups, and enable split tunneling on the endpoint.
