50 VMware Cloud on AWS Master Specialist Practice Questions: Question Bank 2025

An administrator is explaining the core components delivered with a VMware Cloud on AWS SDDC. Which component provides the compute virtualization layer for customer workloads?

A customer wants to migrate on-premises VMs to VMware Cloud on AWS with minimal downtime and wants to preserve IP addresses without re-IP. Which capability best addresses this requirement?

A security team requires micro-segmentation between application tiers in the SDDC without relying on VLAN sprawl. Which VMware Cloud on AWS feature is designed for this purpose?

An operator wants to quickly confirm whether the SDDC has adequate physical host capacity for expected growth. Where is the most appropriate place to view capacity utilization and projections for the SDDC?

A company is designing connectivity between an on-premises data center and a VMware Cloud on AWS SDDC. The requirement is consistent latency and predictable bandwidth for migrations and hybrid operations. Which connectivity option is the best fit?

An administrator needs to allow a partner network to reach only a specific application segment in VMware Cloud on AWS while preventing access to all other segments. Which approach is most appropriate?

A migration team plans to move 500 VMs with a mix of Windows and Linux to VMware Cloud on AWS. They need to (1) assess compatibility, (2) map networks, and (3) orchestrate large-scale migrations with minimal downtime. Which toolset best meets these needs?

After deploying new NSX Distributed Firewall rules, several application VMs cannot reach an internal database. The firewall policy looks correct at a high level, but the issue persists intermittently. What is the most effective next step to validate what the firewall is doing in the data path?

A customer must ensure that only approved routes from their on-premises network are learned by the SDDC to prevent accidental propagation of large internal routing tables. They are using a BGP-based connectivity option. Which design best addresses this requirement?

A regulated workload will be migrated to VMware Cloud on AWS. The customer requires continuous enforcement that only sanctioned firewall rules exist, with auditability and the ability to detect configuration drift over time. Which approach best meets the requirement?

An administrator needs to provide management access to vCenter in VMware Cloud on AWS, but wants to avoid placing vCenter on a publicly reachable IP. Which connectivity option best meets this requirement?

A team migrates workloads to VMware Cloud on AWS and wants to keep on-premises IP addresses to avoid reconfiguring applications. Which migration approach best satisfies this requirement?

An administrator needs to quickly confirm that vSAN storage health in the VMware Cloud on AWS cluster is normal after a planned maintenance event. Where should they check first?

A company has a requirement that only a specific group of workloads can reach an on-premises database over TCP 1433 via the SDDC-to-on-premises VPN. The workloads reside on multiple segments. Which configuration best satisfies this with least privilege?

A customer plans to migrate 400 VMs from on-premises to VMware Cloud on AWS. They want to minimize downtime and also ensure the migration can be repeated for multiple waves with consistent network and security policy. Which approach is most appropriate?

After configuring a policy-based VPN from the SDDC to an on-premises firewall, workloads in a segment cannot reach on-premises subnets even though the VPN shows "UP". On-premises can ping the SDDC segment gateway. Which is the most likely missing configuration on the SDDC side?

A security team requires micro-segmentation between application tiers (web, app, db) within the SDDC and wants rules based on VM attributes and dynamic membership rather than IP addresses. Which solution best meets this requirement?

A customer uses VMware Cloud on AWS with Hybrid Linked Mode enabled. They can see the cloud vCenter from on-premises, but cross-site VM migrations fail due to authentication/permission errors. Which condition is most likely required to resolve this?

A company wants to centralize outbound internet access for all SDDCs through a shared security stack in a dedicated "egress" SDDC, while still allowing east-west connectivity between SDDCs. Which design best fits this requirement in VMware Cloud on AWS?

During a migration planning workshop, an architect is asked to design for high availability of north-south connectivity to on-premises with minimal operational complexity. Which approach is most appropriate?

An administrator needs to provide internet access for workloads in a VMware Cloud on AWS SDDC segment while also allowing incoming connections from specific public IPs to a published application. Which component is used to perform these NAT functions in the SDDC?

A company is preparing to migrate several vSphere VMs to VMware Cloud on AWS. They need the simplest method to preserve VM IP addresses during the cutover with minimal network reconfiguration at the destination. Which HCX capability addresses this requirement?

An operations team wants to quickly verify overall health of the VMware Cloud on AWS SDDC components (compute, storage, network) from the cloud console without logging into vCenter. Where should they look first?

A company wants to restrict east-west traffic between two application tiers inside the same VMware Cloud on AWS SDDC segment. The security policy must be based on VM attributes (such as tags) rather than IP addresses. What is the recommended approach?

An administrator needs to provide connectivity from an on-premises data center to multiple VMware Cloud on AWS SDDCs in different regions. They want a hub-and-spoke model with consistent routing control and the ability to attach additional VPCs later. Which design best meets this requirement?

A migration team is using HCX and wants to minimize downtime for a set of large VMs while also taking advantage of bulk scheduling and parallel migrations. Which HCX migration type best aligns with these goals?

Users report intermittent connectivity to an application hosted in VMware Cloud on AWS after new micro-segmentation rules were implemented. The application uses multiple ports between tiers, and the team suspects rule ordering or an implicit deny. What is the most effective first step to validate which NSX distributed firewall rule is dropping the traffic?

A company has strict requirements that management-plane access (vCenter/NSX) must never traverse the public internet. They also want to keep access limited to specific corporate subnets. Which approach best satisfies this requirement in VMware Cloud on AWS?

A network architect must design IP addressing for a new VMware Cloud on AWS deployment that will connect to on-premises using dynamic routing. They want to avoid route conflicts and simplify future expansion to additional SDDCs. Which practice is most appropriate?

After migrating workloads to VMware Cloud on AWS, an administrator notices that application latency is acceptable, but throughput is inconsistent during large data transfers between on-premises and the SDDC. The underlay connectivity is stable. Which VMware Cloud on AWS capability or configuration is most likely to improve throughput for replicated/migrated traffic without changing the application?

An administrator is asked to design connectivity between an on-premises data center and VMware Cloud on AWS for workload migration. The requirement is to keep management traffic separate from compute workload traffic within the SDDC. Which VMware Cloud on AWS construct primarily provides this separation?

A security team needs to limit east-west traffic between two application tiers that reside on the same logical segment in VMware Cloud on AWS. They want policy to follow workloads even if they vMotion to a different host. Which NSX feature best meets this requirement?

An administrator wants to migrate 200 VMs from on-premises to VMware Cloud on AWS with minimal downtime. The organization can tolerate a brief cutover window but does not want extended outages. Which migration approach is most appropriate?

An operations engineer needs a quick way to validate overall SDDC health and identify any active alarms impacting clusters, networking, or management components in VMware Cloud on AWS. Where should they start?

A company wants to provide access from on-premises users to a specific set of VMs in VMware Cloud on AWS without advertising the entire on-premises network into the SDDC. They also want to avoid asymmetric routing. Which approach is most appropriate?

An administrator is planning a migration using HCX and wants to maintain the same IP addresses for a set of VMs after moving them to VMware Cloud on AWS, without renumbering. The applications are sensitive to IP changes. Which HCX capability best addresses this requirement?

A team is troubleshooting intermittent connectivity from on-premises to a workload segment in VMware Cloud on AWS over a Direct Connect-backed private connectivity design. The on-premises router shows BGP flaps. What is the most likely layer to validate first in VMware Cloud on AWS to isolate whether the issue is routing-related?

A customer must integrate VMware Cloud on AWS workloads with multiple AWS VPCs across several accounts while keeping routing centralized and avoiding complex full-mesh peering. Which AWS service is typically leveraged for this type of hub-and-spoke connectivity?

A financial services company requires that all north-south traffic to a specific application be inspected by a third-party firewall appliance they manage. The application runs on a workload segment in VMware Cloud on AWS. Which design best satisfies this requirement while maintaining clear traffic steering?

After migrating a multi-tier app to VMware Cloud on AWS, users report that the web tier can reach the app tier, but the app tier cannot reach a shared services VM on another segment. Routing tables appear correct. The administrator suspects a stateful security policy issue. Where is the MOST precise place to validate whether traffic is being blocked inside the SDDC for east-west flows?

An administrator needs to provide private connectivity from an on-premises data center to VMware Cloud on AWS using an AWS partner network. Which connectivity option best meets this requirement?

A team is troubleshooting why a new workload in the SDDC cannot resolve internal DNS names hosted on-premises. All routing is verified as correct. What is the MOST likely configuration missing in the SDDC?

A customer wants to restrict administrative access so that only a small group can create or delete SDDCs, while a larger operations team can manage vSphere workloads inside the SDDC. Which approach best aligns with least privilege?

A customer must provide east-west micro-segmentation for an application spanning multiple SDDC segments, with rules based on VM tags and dynamic group membership. Which feature best addresses this requirement?

A migration team wants to move workloads to VMware Cloud on AWS while preserving on-premises IP addressing for a subset of VMs during the transition. Which solution is MOST appropriate?

A company wants to deploy a third-party virtual firewall appliance in VMware Cloud on AWS to inspect north-south traffic before it reaches workload segments. Which VMware Cloud on AWS component should the administrator use to steer traffic through the appliance?

An SDDC is connected to an AWS VPC. Application owners report intermittent connectivity to an AWS-managed database in the VPC. The database is reachable sometimes, but connections drop during peak hours. What is the BEST next step to validate whether the issue is due to bandwidth constraints on the SDDC-VPC link?

A customer is planning an SDDC deployment for a regulated workload that requires separation of duties between network administrators and virtualization administrators. Which design approach best supports this requirement in VMware Cloud on AWS?

A customer uses HCX to migrate a large number of VMs. After cutover, several VMs show increased latency and reduced throughput compared to on-premises, even though CPU and memory usage are normal. Which action is MOST likely to identify whether the issue is related to storage policy or datastore placement in the SDDC?

An organization operates multiple SDDCs and must ensure consistent security policies across them. They want a centralized approach to define NSX Distributed Firewall policies once and apply them across SDDCs while maintaining local exceptions. Which solution best fits this requirement?