IBM A1000-106 Advanced Practice Exam: Hard Questions 2025

A global SaaS provider runs a multi-region IBM Cloud architecture with an internet-facing workload fronted by a global load-balancing layer and several regional VPCs. During a DDoS event, they notice that malicious traffic is saturating a regional ingress before it can be dropped, causing intermittent timeouts for legitimate users. They want to reduce attack blast radius, enforce consistent L7 rules, and centralize policy management without redesigning all regional apps. What is the best architectural change?

A financial services company must design a highly available data tier on IBM Cloud. Requirements: (1) tolerate a single zone failure with minimal RPO, (2) avoid cross-zone split-brain, (3) ensure application can continue read/write operations, and (4) provide deterministic failover behavior. Which design best meets these constraints?

A team is migrating a legacy monolith to IBM Cloud using a strangler pattern. They want to incrementally route specific URL paths to new microservices without changing the existing monolith code. They also need to enforce mutual TLS between services and implement canary releases per route. What is the most appropriate approach?

A regulated healthcare provider uses IBM Cloud Object Storage to store PHI. They must ensure that: (1) encryption keys are controlled and rotated by the customer, (2) access is limited to workloads inside specific VPC subnets, and (3) audit trails can demonstrate who accessed which objects. Which combination best satisfies these requirements?

An enterprise wants to implement least privilege across hundreds of IBM Cloud resources owned by multiple teams. They need (1) separation of duties between security admins and application operators, (2) just-in-time elevation for break-glass operations, and (3) strong auditability of privilege grants. What is the best strategy?

A company is onboarding workloads subject to strict data residency rules. They must prove that sensitive workloads cannot inadvertently use services outside an approved geography. They also need a control that prevents new deployments from violating the residency policy. Which approach best addresses this end-to-end?

A team uses a CI/CD pipeline to deploy containerized services to a managed Kubernetes platform on IBM Cloud. A new release intermittently fails in production with image pull errors, but only in one zone. The registry is private, and the cluster spans multiple zones. Which root cause is most likely and what is the best fix?

A retailer runs blue/green deployments for a critical API. After switching traffic to green, they discover that some background jobs still publish events to the old message topic, causing downstream inconsistencies. They need a deployment approach that coordinates compute rollout with dependent integration endpoints while minimizing downtime. What is the best solution?

A microservices platform experiences periodic latency spikes. Metrics show normal CPU and memory, but p99 latency increases across many services simultaneously. Distributed traces show long waits on outbound HTTP calls. The team suspects connection exhaustion or misconfigured timeouts. What is the most effective next step to confirm the hypothesis and mitigate the issue?

A production incident occurs after a network change: services in one VPC can no longer reach a managed database in another VPC over private IP. Security group rules appear correct, and DNS resolves to the expected private address. Packet captures show SYNs leaving the source subnet but no SYN-ACK returns. What is the most likely missing component in the architecture?