The Replace Guide To CV0-003 Exam


NEW QUESTION 1

A cloud architect is designing the VPCs for a new hybrid cloud deployment. The business requires the following:
✑ High availability
✑ Horizontal auto-scaling
✑ 60 nodes peak capacity per region
✑ Five reserved network IP addresses per subnet
✑ /24 range
Which of the following would BEST meet the above requirements?

  • A. Create two /25 subnets in different regions
  • B. Create three /25 subnets in different regions
  • C. Create two /26 subnets in different regions
  • D. Create three /26 subnets in different regions
  • E. Create two /27 subnets in different regions
  • F. Create three /27 subnets in different regions

Answer: C

Explanation:
A /26 subnet is a subnet that has a network prefix of 26 bits and a host prefix of 6 bits. A /26 subnet can support up to 64 hosts (62 usable hosts) and has a subnet mask of 255.255.255.192. Creating two /26 subnets in different regions can best meet the business requirements for deploying a high availability, horizontally auto-scaling solution that has a peak capacity of 60 nodes per region and five reserved network IP addresses per subnet. Creating two /26 subnets can provide enough host addresses for the peak capacity and the reserved addresses, as well as allow for some growth or redundancy. Creating the subnets in different regions can provide high availability and horizontal auto-scaling, as it can distribute the workload across multiple locations and scale out or in based on demand. References: CompTIA Cloud+ Certification Exam Objectives, page 15, section 2.8

NEW QUESTION 2

A company recently experienced a power outage that lasted 30 minutes. During this time, a whole rack of servers was inaccessible, even though the servers did not lose power.
Which of the following should be investigated FIRST?

  • A. Server power
  • B. Rack power
  • C. Switch power
  • D. SAN power

Answer: C

Explanation:
If a whole rack of servers was inaccessible during a power outage, even though the servers did not lose power, it is likely that the switch that connects them to the network lost power. Without network connectivity, the servers would not be able to communicate with other devices or services. The administrator should investigate the switch power source and ensure it has a backup power supply or UPS.

NEW QUESTION 3

A cloud architect is reviewing the design for a new cloud-based ERP solution. The solution consists of eight servers with a single network interface. The allocated IP range is 172.16.0.0/28. One of the requirements of the solution is that it must be able to handle the potential addition of 16 new servers to the environment. Because of the complexity of the firewall and related ACL requirements, these new servers will need to be in the same network range. Which of the following changes would allow for the potential server addition?

  • A. Change the IP address range to use a 10.0.0.0 address.
  • B. Change the server template to add network interfaces.
  • C. Change the subnet mask to use a 255.255.255.128 range.
  • D. Change the server scaling configuration to increase the maximum limit.

Answer: C

Explanation:
Changing the subnet mask to use a 255.255.255.128 range would allow for the potential server addition. The current subnet mask of 255.255.255.240 (/28) only allows for 14 usable host addresses in the 172.16.0.0 network, which is not enough to accommodate the existing eight servers and the possible 16 new servers. Changing the subnet mask to 255.255.255.128 (/25) would increase the number of usable host addresses to 126 in the same network, which is sufficient to handle the server expansion. Changing the IP address range to use a 10.0.0.0 address, changing the server template to add network interfaces, or changing the server scaling configuration to increase the maximum limit would not solve the issue of the limited host addresses in the same network range. References: CompTIA Cloud+ CV0-003 Certification Study Guide, Chapter 3, Objective 3.1: Given a scenario, implement cloud networking solutions.

NEW QUESTION 4

A company is using a hybrid cloud environment. The private cloud is hosting the business applications, and the cloud services are being used to replicate for availability purposes.
The cloud services are also being used to accommodate the additional resource requirements to provide continued services. Which of the following scalability models is the company utilizing?

  • A. Vertical scaling
  • B. Autoscaling
  • C. Cloud bursting
  • D. Horizontal scaling

Answer: C

Explanation:
Cloud bursting is a scalability model that allows a company to use a hybrid cloud environment to handle peak or unpredictable workloads. Cloud bursting involves using the private cloud to host the core or critical applications, and using the public cloud to provide additional or temporary resources when the demand exceeds the capacity of the private cloud.
Cloud bursting can help a company to:
✑ Improve the availability and reliability of the applications by replicating them across multiple cloud platforms and locations.
✑ Optimize the performance and efficiency of the applications by dynamically allocating and releasing resources based on the workload and traffic.
✑ Reduce the cost and complexity of the IT infrastructure by leveraging the pay-as-you-go and on-demand models of the public cloud.

NEW QUESTION 5

A systems administrator is deploying a solution that includes multiple network I/O-intensive VMs. The solution design requires that vNICs of the VMs provide low-latency, near-native performance of a physical NIC and data protection between the VMs. Which of the following would BEST satisfy these requirements?

  • A. SR-IOV
  • B. GENEVE
  • C. SDN
  • D. VLAN

Answer: A

Explanation:
SR-IOV (Single Root Input/Output Virtualization) is what would best satisfy the requirements of low-latency, near-native performance of a physical NIC and data protection between VMs for multiple network I/O-intensive VMs. SR-IOV is a technology that allows a physical NIC to be partitioned into multiple virtual NICs that can be assigned to different VMs. SR-IOV can provide the following benefits:
✑ Low-latency: SR-IOV can reduce latency by bypassing the hypervisor and allowing direct communication between the VMs and the physical NIC, without any overhead or interference.
✑ Near-native performance: SR-IOV can provide near-native performance by allowing the VMs to use the full capacity and functionality of the physical NIC, without any emulation or translation.
✑ Data protection: SR-IOV can provide data protection by isolating and securing the network traffic between the VMs and the physical NIC, without any exposure or leakage.

NEW QUESTION 6

An organization is hosting a cloud-based web server infrastructure that provides web-hosting solutions. Sudden continuous bursts of traffic have caused the web servers to saturate CPU and network utilizations.
Which of the following should be implemented to prevent such disruptive traffic from reaching the web servers?

  • A. Solutions to perform NAC and DLP
  • B. DDoS protection
  • C. QoS on the network
  • D. A solution to achieve microsegmentation

Answer: B

Explanation:
Distributed denial-of-service (DDoS) protection is a type of security solution that detects and mitigates DDoS attacks that aim to overwhelm or disrupt a system or service by sending large volumes of traffic from multiple sources. DDoS protection can prevent such disruptive traffic from reaching the web servers by filtering out malicious or unwanted traffic and allowing only legitimate traffic to pass through. DDoS protection can also help maintain the availability and functionality of web services and applications during a DDoS attack. References: CompTIA Cloud+ Certification Exam Objectives, page 14, section 2.7
Reference: https://blog.paessler.com/the-top-5-causes-of-sudden-network-spikes

NEW QUESTION 7

A company has developed a cloud-ready application. Before deployment, an administrator needs to select a deployment technology that provides a high level of portability and is lightweight in terms of footprint and resource requirements.
Which of the following solutions will be BEST to help the administrator achieve the requirements?

  • A. Containers
  • B. Infrastructure as code
  • C. Desktop virtualization
  • D. Virtual machines

Answer: A

Explanation:
Containers are a type of deployment technology that packages an application and its dependencies into a lightweight and portable unit that can run on any platform or environment. Containers can provide a high level of portability and are lightweight in terms of footprint and resource requirements, as they do not need a full operating system or hypervisor to run. Containers can also enable faster and easier deployment, scaling, and management of cloud-based applications. Containers are the best solution to help the administrator achieve the requirements for deploying a cloud-ready application. References: CompTIA Cloud+ Certification Exam Objectives, page 11, section 1.6
Reference: https://blog.netapp.com/blogs/containers-vs-vms/

NEW QUESTION 8

A security team is conducting an audit of the security group configurations for the Linux servers that are hosted in a public IaaS. The team identifies the following rule as a potential
[Exhibit: security group rule; image not available]
A cloud administrator, who is working remotely, logs in to the cloud management console and modifies the rule to set the source to "My IP." Shortly after deploying the rule, an internal developer receives the following error message when attempting to log in to the server using SSH: Network error: connection timed out. However, the administrator is able to connect successfully to the same server using SSH. Which of the following is the BEST option for both the developer and the administrator to access the server from their locations?

  • A. Modify the outbound rule to allow the company's external IP address as a source.
  • B. Add an inbound rule to use the IP address for the company's main office as a source.
  • C. Modify the inbound rule to allow the company's external IP address as a source.
  • D. Delete the inbound rule to allow the company's external IP address as a source.

Answer: C

Explanation:
The inbound rule that the security team identified as a potential vulnerability is the one that allows SSH access (port 22) from any source (0.0.0.0/0). This means that anyone on the internet can try to connect to the Linux servers using SSH, which poses a risk of unauthorized access or brute-force attacks. The cloud administrator, who is working remotely, logs in to the cloud management console and modifies the rule to set the source to “My IP”. This means that only the administrator’s IP address can connect to the Linux servers using SSH, which improves the security of the servers. However, this also prevents other authorized users, such as the internal developer, from accessing the servers using SSH, as they have different IP addresses than the administrator. Therefore, the administrator needs to modify the rule again to allow more sources for SSH access.
The best option for both the developer and the administrator to access the server from their locations is to modify the inbound rule to allow the company’s external IP address as a source. This means that only the IP addresses that belong to the company’s network can connect to the Linux servers using SSH, which reduces the attack surface and ensures that only authorized users can access the servers. The company’s external IP address can be obtained by using a web service such as [What Is My IP Address?] or [IP Location]. The administrator can then enter this IP address or its CIDR notation in the source field of the inbound rule.

NEW QUESTION 9

Which of the following will provide a systems administrator with the MOST information about potential attacks on a cloud IaaS instance?

  • A. Network flows
  • B. FIM
  • C. Software firewall
  • D. HIDS

Answer: D

Explanation:
HIDS (Host-based Intrusion Detection System) is the tool that will provide the administrator with the most information about potential attacks on a cloud IaaS instance. HIDS is a software or agent that monitors and analyzes the activities and events on a host system or device, such as a cloud instance. HIDS can detect and alert on any malicious or anomalous behavior, such as unauthorized access, malware infection, configuration changes, etc., that may indicate an attack or compromise.

NEW QUESTION 10

A company is deploying a public cloud solution for an existing application using lift and shift. The requirements for the applications are scalability and external access. Which of the following should the company implement? (Select TWO).

  • A. A load balancer
  • B. SDN
  • C. A firewall
  • D. SR-IOV
  • E. Storage replication
  • F. A VPN

Answer: AF

Explanation:
The best options to implement for a public cloud solution for an existing application using lift and shift that requires scalability and external access are a load balancer and a VPN (virtual private network). A load balancer is a device or service that distributes incoming traffic across multiple servers or instances based on various criteria, such as availability, capacity, or performance. A load balancer can improve scalability by balancing the workload and optimizing resource utilization. A VPN is a technology that creates a secure and encrypted connection over a public network, such as the internet. A VPN can provide external access by allowing remote users or sites to connect to the cloud resources as if they were on the same private network. Reference: CompTIA Cloud+ Certification Exam Objectives, Domain 1.0 Configuration and Deployment, Objective 1.4 Given a scenario, execute a provided deployment plan.

NEW QUESTION 11

A cloud administrator needs to verify domain ownership with a third party. The third party has provided a secret that must be added to the DNS server. Which of the following DNS records does the administrator need to update to include the secret?

  • A. NS
  • B. TXT
  • C. AAAA
  • D. SOA

Answer: B

Explanation:
TXT is a type of DNS record that can store arbitrary text data, such as a secret, a verification code, or a configuration parameter. TXT records are often used to verify domain ownership with a third party, such as a certificate authority, an email service provider, or a cloud service provider. The third party can check the TXT record of the domain and compare it with the secret they provided to confirm the identity and authority of the domain owner.

NEW QUESTION 12

A cloud administrator is configuring several security appliances hosted in the private IaaS environment to forward the logs to a central log aggregation solution using syslog. Which of the following firewall rules should the administrator add to allow the web servers to connect to the central log collector?

  • A. Allow UDP 161 outbound from the web servers to the log collector.
  • B. Allow TCP 514 outbound from the web servers to the log collector.
  • C. Allow UDP 161 inbound from the log collector to the web servers.
  • D. Allow TCP 514 inbound from the log collector to the web servers.

Answer: B

Explanation:
As mentioned in the question, the security appliances are using syslog to forward the logs to a central log aggregation solution. Syslog is a protocol that runs over UDP port 514 by default, or TCP port 6514 for secure and reliable transport. However, some implementations of syslog can also use TCP port 514 for non-secure transport. Therefore, to allow the web servers to connect to the central log collector using syslog over TCP, the firewall rule should allow TCP 514 outbound from the web servers to the log collector.

NEW QUESTION 13

A systems administrator wants the VMs on the hypervisor to share CPU resources on the same core when feasible.
Which of the following will BEST achieve this goal?

  • A. Configure CPU passthrough
  • B. Oversubscribe CPU resources
  • C. Switch from a Type 1 to a Type 2 hypervisor
  • D. Increase instructions per cycle
  • E. Enable simultaneous multithreading

Answer: E

Explanation:
Simultaneous multithreading (SMT) is a type of CPU technology that allows multiple threads to run concurrently on a single CPU core. Enabling SMT can help achieve the goal of having the VMs on the hypervisor share CPU resources on the same core when feasible, as it can increase the CPU utilization and efficiency by executing more instructions per cycle and reducing idle time or wasted cycles. Enabling SMT can also improve performance and throughput, as it can speed up processing and handle increased workload or demand. References: CompTIA Cloud+ Certification Exam Objectives, page 9, section 1.4

NEW QUESTION 14

A systems administrator is informed that a database server containing PHI and PII is unencrypted. The environment does not support VM encryption, nor does it have a key management system. The server needs to be able to be rebooted for patching without manual intervention.
Which of the following will BEST resolve this issue?

  • A. Ensure all database queries are encrypted
  • B. Create an IPSec tunnel between the database server and its clients
  • C. Enable protocol encryption between the storage and the hypervisor
  • D. Enable volume encryption on the storage
  • E. Enable OS encryption

Answer: D

Explanation:
Volume encryption is a type of encryption that protects data at the storage level by encrypting an entire disk or partition. Volume encryption can provide strong security for data at rest, as it prevents unauthorized access to the data even if the storage device is lost, stolen, or compromised. Volume encryption can also support automatic booting without manual intervention, as it can use a pre-boot authentication mechanism that does not require user input. Enabling volume encryption on the storage is the best way to resolve the issue of having an unencrypted database server containing PHI and PII, as it can protect the sensitive data without relying on VM encryption or a key management system. References: CompTIA Cloud+ Certification Exam Objectives, page 14, section 2.7

NEW QUESTION 15

A cloud administrator is troubleshooting a highly available web application running within three containers behind a Layer 7 load balancer with a WAF inspecting all traffic. The application frequently asks the users to log in again even when the session timeout has not been reached. Which of the following should the cloud administrator configure to solve this issue?

  • A. Firewall outbound rules
  • B. Firewall inbound rules
  • C. Load balancer certificates
  • D. Load balancer stickiness
  • E. WAF transaction throttling

Answer: D

Explanation:
Reference: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#sticky-sessions
Load balancer stickiness is what the cloud administrator should configure to solve the issue of the application frequently asking the users to log in again even when the session timeout has not been reached for a highly available web application running within three containers behind a Layer 7 load balancer with a WAF inspecting all traffic. Load balancer stickiness is a feature that allows customers to maintain user sessions or connections with the same server or node that provides a service or function, such as a web application, database, etc., even when there are multiple servers or nodes behind a load balancer. Load balancer stickiness can solve the issue by providing benefits such as:
✑ Consistency: Load balancer stickiness can provide consistency by ensuring that users receive the same service or function from the same server or node throughout their session or connection, without any changes or variations.
✑ Performance: Load balancer stickiness can provide performance by reducing the latency or overhead of switching between different servers or nodes during a session or connection, which may cause delays or errors.
✑ Security: Load balancer stickiness can provide security by preserving and protecting user authentication or authorization information on the same server or node during a session or connection, without exposing or transferring it to other servers or nodes.

NEW QUESTION 16

A cloud engineer recently used a deployment script template to implement changes on a cloud-hosted web application. The web application communicates with a managed database on the back end. The engineer later notices the web application is no longer receiving data from the managed database. Which of the following is the MOST likely cause of the issue?

  • A. Misconfiguration in the user permissions
  • B. Misconfiguration in the routing traffic
  • C. Misconfiguration in the network ACL
  • D. Misconfiguration in the firewall

Answer: C

Explanation:
The most likely cause of the issue is C. Misconfiguration in the network ACL. A network ACL (access control list) is a set of rules that controls the inbound and outbound traffic for a subnet or a virtual network in a cloud environment. A misconfiguration in the network ACL can block the communication between the web application and the managed database, resulting in data loss or unavailability. For example, according to the Azure SQL Database documentation, if you use a virtual network service endpoint to secure your database, you need to configure the network ACL to allow traffic from the web application subnet to the database subnet. Otherwise, the web application will not be able to connect to the database. Similarly, according to the DigitalOcean tutorial, if you use a managed database cluster, you need to add the web application’s IP address or Droplet to the cluster’s trusted sources list. Otherwise, the web application will not be able to access the database.
A misconfiguration in the user permissions, the routing traffic, or the firewall can also cause connectivity issues between the web application and the managed database, but they are less likely than a misconfiguration in the network ACL. A misconfiguration in the user permissions can prevent the web application from authenticating or authorizing with the database, but it will not affect the data transmission. A misconfiguration in the routing traffic can cause packets to be lost or delayed, but it will not block the communication entirely. A misconfiguration in the firewall can filter out unwanted traffic, but it will not affect the traffic that is allowed by the network ACL. Therefore, these are not the most likely causes of the issue. For more information on how to troubleshoot connectivity issues between a cloud-hosted web application and a managed database, you can refer to the AWS documentation or the Google Cloud documentation.

NEW QUESTION 17

An engineer is responsible for configuring a new firewall solution that will be deployed in a new public cloud environment. All traffic must pass through the firewall. The SLA for the firewall is 99.999%. Which of the following should be deployed?

  • A. Two load balancers behind a single firewall
  • B. Firewalls in a blue-green configuration
  • C. Two firewalls in a HA configuration
  • D. A web application firewall

Answer: C

Explanation:
Deploying two firewalls in a HA (High Availability) configuration is the best option to ensure all traffic passes through the firewall and meets the SLA (Service Level Agreement) of 99.999%. HA is a design principle that aims to minimize downtime and ensure continuous operation of a system or service. HA can be achieved by using redundancy, failover, load balancing, clustering, etc. Two firewalls in a HA configuration can provide redundancy and failover in case one firewall fails or becomes overloaded.

NEW QUESTION 18

A cloud engineer is troubleshooting RSA key-based authentication from a local computer to a cloud-based server, which is running SSH service on a default port. The following file permissions are set on the authorized keys file:
-rw-rw-rw- 1 ubuntu ubuntu 391 Mar 5 01:36 authorized_keys
Which of the following security practices are the required actions the engineer should take to gain access to the server? (Select TWO).

  • A. Fix the file permissions with execute permissions to the owner of the file.
  • B. Open port 21 access for the computer's public IP address.
  • C. Fix the file permissions with read-only access to the owner of the file.
  • D. Open port 22 access for the computer's public IP address.
  • E. Open port 21 access for 0.0.0.0/0 CIDR.
  • F. Open port 22 access for 0.0.0.0/0 CIDR.

Answer: CD

Explanation:
The correct answer is C and D.
* C. Fix the file permissions with read-only access to the owner of the file.
* D. Open port 22 access for the computer’s public IP address.
The authorized_keys file on the server should have read-only access for the owner of the file, and no access for anyone else. This ensures that only the owner can read the public keys that are authorized to log in, and no one can modify or delete them. The file permissions can be fixed with the command chmod 400 ~/.ssh/authorized_keys on the server. This is a recommended security practice for SSH key-based authentication.
The computer that wants to log in to the server using SSH key-based authentication needs to have access to port 22 on the server, which is the default port for SSH service. This can be done by opening port 22 access for the computer’s public IP address on the server’s firewall or security group settings. This allows the computer to initiate an SSH connection to the server and authenticate with its private key. Opening port 21, which is used for FTP service, is not relevant or secure for SSH key-based authentication.

NEW QUESTION 19

A company has entered into a business relationship with another organization and needs to provide access to internal resources through directory services. Which of the following should a systems administrator implement?

  • A. SSO
  • B. VPN
  • C. SSH
  • D. SAML

Answer: B

Explanation:
The answer is B. A VPN tunnel. A VPN tunnel is a secure and encrypted connection between two networks over a public network, such as the Internet. A VPN tunnel can help protect data in transit by encrypting it before it leaves the company’s network and decrypting it when it reaches the public cloud service provider. A VPN tunnel can also authenticate the endpoints and verify the integrity of the data.
Some possible sources of information about VPN tunnels are:
✑ What is a VPN Tunnel? | Fortinet: This page explains what a VPN tunnel is, how it works, and what benefits it provides.
✑ VPN Gateway: Create a Site-to-Site connection using a VPN gateway | Microsoft Docs: This page shows how to create a site-to-site connection using a VPN gateway in Azure.
✑ [Cloud VPN overview | Google Cloud]: This page provides an overview of Cloud VPN, a service that creates secure and reliable VPN tunnels to Google Cloud.
