CNX-001 Questions and Answers

Comprehensive and Detailed Explanation From Exact Extract:

A mesh topology provides multiple redundant paths between nodes. It offers the highest availability and fault tolerance by allowing communication to continue even if one or more links or nodes fail. This is especially important in rural healthcare systems where reliability and access to critical services are paramount.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Network Topologies and Redundancy Models”:

“Mesh topologies provide optimal fault tolerance and support consistent data transmission through redundant links, ideal for mission-critical systems.”

Other options:

A. Collapsed core is cost-efficient but not fully redundant.

B. Hub-and-spoke introduces a single point of failure at the hub.

D. Star also relies on a central node and is not fault tolerant.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

An Allow List (also known as Whitelisting) is the most restrictive firewall rule approach. It blocks all traffic by default and only permits explicitly defined trusted IPs, URLs, or applications. This minimizes the attack surface and ensures that only known, safe traffic is allowed into the network.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Firewall and Security Rule Configuration”:

“Whitelisting or Allow Listing enforces a default-deny security posture by permitting only specified trusted sources. This approach offers the highest level of control and reduces exposure to unknown threats.”

Other options:

A. URL filtering restricts content access but is not as strict as allow lists.

B. File blocking targets malicious payloads but doesn’t limit traffic sources.

C. Network Security Groups (NSGs) are effective but broader in scope; they use allow/deny rules but may not be as tightly controlled as explicit allow lists.

Comprehensive and Detailed Explanation From Exact Extract:

SD-WAN (Software-Defined Wide Area Network) enables private, encrypted connections over public internet links and supports policy-based routing for application-aware traffic steering. It offers centralized management, redundancy, and automatic path selection — all aligned with the stated requirements.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Software-Defined Networking and WAN Optimization”:

“SD-WAN uses secure tunnels over the public internet, supports dynamic path selection, and provides application-aware routing, making it ideal for multi-site enterprise connectivity without dedicated links.”

Other options:

A. MPLS requires dedicated circuits and is costly.

C. Site-to-site VPN provides security but lacks intelligent traffic steering.

D. ExpressRoute is a private connection to Azure, not suited for general internet-based multi-site connectivity.

Comprehensive and Detailed Explanation From Exact Extract:

When an application is moved from local deployment to a centralized cloud deployment, remote users must connect over the WAN. If the application is sensitive to delays, latency becomes a significant issue, especially across geographically distributed regions. This is a common performance concern for centralized applications serving remote offices.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Cloud Performance and WAN Connectivity”:

“Cloud-hosted applications accessed by remote users may suffer from latency-related performance issues. Optimization strategies may include CDN, caching, or edge deployment.”

Other options:

A. Throttling usually refers to bandwidth or rate-limiting, not general slowness.

B. Overutilization is possible, but infrastructure was said to be centralized and new.

C. Packet loss would likely cause disconnects or failures, not just slowness.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Geofencing allows enforcement of access policies based on the geographic location of the user's IP address. To comply with GDPR and control access based on user region, geofencing should be implemented to restrict or permit access to resources hosted in specific regions like Europe.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Data Sovereignty and Regional Access Control”:

“Geofencing enables organizations to restrict access to data or services based on geographic IP address, aiding in GDPR and other compliance frameworks.”

Other options:

A. SASE is a broader framework, not a direct access control mechanism.

B. NSGs operate at subnet/NIC level and do not interpret geolocation.

C. CDNs cache data globally but don’t control access by region directly.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Establishing two Direct Connect (or equivalent private connectivity services such as Azure ExpressRoute) connections with two different providers ensures maximum redundancy and reliability. This setup complies with high availability (HA) and fault-tolerance design best practices for regulated industries, where minimal downtime and service continuity are critical.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Hybrid Connectivity and High Availability”:

“Redundant connections to cloud providers should use physically separate paths and providers to ensure fault tolerance and meet reliability requirements in hybrid cloud environments.”

“Direct connections provide higher availability and consistent performance than VPNs.”

Other options:

A. Peering to two VPCs does not ensure link redundancy.

B. Combining Direct Connect with VPN offers backup but less reliability than dual Direct Connects.

D. VPNs over the internet are lower in reliability and do not meet high availability standards required for regulated industries.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

To allow private IP-based communication between internal servers and cloud applications over asite-to-site VPN, private DNS resolution is necessary. The internal DNS server can be configured to forward specific DNS queries (for cloud-based applications) to a DNS server located in the cloud. This ensures applications can be resolved to private IPs, not public ones.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Hybrid Networking and DNS Integration”:

“To support name resolution over hybrid connections like site-to-site VPN, enterprises should configure conditional forwarding to cloud-based DNS servers. This allows internal devices to resolve private IP addresses for cloud-based resources.”

Other options:

B. NAT introduces complexity and may hide source IPs, which is not required in this case.

C. Public DNS names map to public IPs, violating the requirement.

D. A proxy is not needed if direct private IP-based access is available via VPN.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

With GitOps, all infrastructure changes are tracked as code and committed to version-controlled repositories. When the main branch is protected, changes should not be committed directly. Instead, best practices require that a new feature or change branch be created, followed by a pull request (PR) for peer review and approval before merging into the protected branch.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Infrastructure as Code and GitOps”:

“In GitOps workflows, changes are made in feature branches, reviewed via pull requests, and merged into protected branches only after validation, ensuring auditability and control over infrastructure deployments.”

Other options:

A. Direct commits to protected branches are restricted and violate GitOps practices.

C. The development branch may exist, but the question specifies main is the default, and the correct process requires a PR.

D. Rebase is for integrating histories, not submitting approved changes.

Comprehensive and Detailed Explanation From Exact Extract:

Replacing reserved IPs with dynamic ones can lead to IP reuse issues. Dynamic public IPs can be reallocated to other customers once released. If DNS entries or firewall rules still refer to the original IP, this can lead to data leakage or incorrect routing. Also, some services (e.g., NSGs, load balancers) may require persistent IPs.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Public IP Management in Cloud Environments”:

“Dynamic public IPs are subject to reuse after release. Services that rely on IP persistence, such as security groups or load balancers, may encounter unexpected behavior or security risks if replaced with dynamically assigned IPs.”

Other options:

A. Asymmetric routing involves traffic leaving and returning via different paths.

B. IP spoofing is a malicious attack, not related to address reassignment.

C. IP exhaustion relates to resource limits, not dynamic reuse.

Comprehensive and Detailed Explanation From Exact Extract:

While resource usage metrics (CPU, memory, disk, network) are important, the missing context here is user demand. Adding "Concurrent users" helps correlate resource utilization spikes with actual user load. For performance monitoring in web applications, concurrent sessions provide crucial insight into whether performance issues are demand-related.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Performance Monitoring and User Metrics”:

“Monitoring user load metrics such as concurrent users provides insight into performance degradation and capacity planning. These are critical for identifying thresholds and auto-scaling requirements.”

Other options:

A. 404 errors indicate broken links but don’t explain performance issues.

C. Number of orders tracks business activity, not system strain.

D. Active incidents belong in an ITSM system, not real-time performance monitoring.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

The Hub-and-Spoke topology is ideal for SD-WAN environments where traffic from branch offices or cloud workloads must route through a central location (the hub) for inspection, monitoring, or security enforcement. This structure centralizes egress and allows for redundant spoke paths via the hub. It also simplifies control and enforces compliance policies.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “SD-WAN Topologies and Cloud Egress Strategies”:

“In a hub-and-spoke topology, spokes (remote offices or cloud nodes) connect through a central hub, allowing for centralized egress, traffic inspection, and simplified routing.”

Other options:

A. Point-to-point doesn’t scale and lacks centralized control.

C. Star topology is similar to hub-and-spoke but is more rigid and less suited for SD-WAN scalability.

D. Partial mesh allows direct spoke-to-spoke communication, bypassing centralized inspection.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

2.4GHz has longer range and better wall penetration than higher frequencies like 5GHz or 6GHz.A patch antenna (a type of directional antenna) focuses the signal in one direction, greatly improving range and reliability over long distances between buildings.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Wireless Deployment and Antenna Selection”:

“2.4GHz offers extended range over 5GHz. Directional antennas such as patch antennas concentrate signals toward a target, improving distance communication.”

Other options:

B & C. Higher frequencies provide faster speeds but shorter range.

D. Omnidirectional antennas spread signal in all directions, not ideal for point-to-point.

F. Built-in antennas are generally low gain and insufficient for building-to-building links.

Comprehensive and Detailed Explanation From Exact Extract:

STP (Spanning Tree Protocol) is a Layer 2 standard protocol that prevents switching loops in Ethernet networks by creating a loop-free logical topology. It can automatically block and unblock redundant paths based on network changes, ensuring reliability and avoiding broadcast storms.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Ethernet Loop Prevention and Switching Protocols”:

“STP is a standard Layer 2 protocol used to detect and prevent network loops, enhancing network stability in switched topologies.”

Other options:

B. SIP is a signaling protocol used in VoIP.

C. RTSP is for media streaming control.

D. BGP is a routing protocol, not for Layer 2 loop prevention.

Comprehensive and Detailed Explanation From Exact Extract:

Quality of Service (QoS) rules at the internet router can prioritize VoIP traffic over other data, such as cloud document access. VoIP is sensitive to latency and jitter, and configuring QoS ensures that voice packets are prioritized during congestion. This is the most cost-effective solution that doesn’t require additional infrastructure.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Traffic Management and Prioritization”:

“QoS policies are essential for ensuring that latency-sensitive traffic, such as VoIP, is prioritized over other types of data, particularly in bandwidth-limited scenarios.”

Other options:

A. Adding a second internet link is effective but not cost-efficient.

C. VLANs provide segmentation but don’t guarantee bandwidth prioritization.

D. Changing the codec may reduce bandwidth usage, but doesn’t address prioritization directly.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Infrastructure as Code (IaC) templates (e.g., Terraform, CloudFormation, ARM templates) allow for automated and repeatable VM deployments with preconfigured settings, includingnetworking, without requiring console access. This approach ensures consistency, security, and compliance.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Infrastructure as Code and Cloud Automation”:

“IaC enables declarative definition of cloud resources, supporting automated deployments that comply with organizational security and configuration policies.”

Other options:

B. SDKs require more complex coding and are less standardized.

C. API scripts are procedural and require manual management.

D. CLI is suitable for one-time use but not for repeatable deployments at scale.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Weighted load balancing allows distribution of traffic based on server capacity or assignedweights. In this case, the new node should receive a weight of 3, and each of the three older nodes a weight of 1. This ensures the new node handles the same total number of requests as the other three combined (3:1:1:1).

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Load Balancing Algorithms and Traffic Distribution”:

“Weighted load balancing accounts for node capacity, distributing requests proportionally according to performance capability or administrator-defined weights.”

Other options:

A. Round-robin sends traffic equally to all servers regardless of capacity.

B. Load-based requires dynamic performance measurement and is more complex.

C. Least connections may work in certain cases, but doesn’t guarantee proportional traffic split based on server performance.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

To verify that the certificate and the private key match, one can extract the modulus from both files and compare their hash values. The correct syntax involves using openssl x509 to extract the modulus from the certificate, and openssl rsa to extract the modulus from the private key, followed by an MD5 hash to ensure they match.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “TLS/SSL Certificate Validation and Troubleshooting”:

“To verify that the private key and certificate match, compare the modulus values. A mismatch results in failed TLS handshakes.”

Other options:

A & C: Incorrect syntax (openssl-list and openssl-rsa are not valid commands).

B: The commands shown are used to verify CSRs, not matching keys.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A. An explicit allow rule in the Network Security Group (NSG) permitting Server A (10.2.3.9) to communicate with Server B (10.2.2.7) ensures intra-cloud communication between segments.

C. A deny rule that blocks any inbound access from external sources (0.0.0.0/0 → internal range 10.2.0.0/16) effectively prevents unsolicited inbound traffic from the public internet, securing the internal servers.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Cloud Security Groups and Firewall Policies”:

“NSGs should be configured with least privilege principles. Allow intra-subnet or intra-application communication while explicitly denying unsolicited internet traffic.”

“Ingress and egress filtering policies should block all traffic by default and permit only what’s required.”

Other options:

B. Incorrect – this allows internal range to internet, which is not requested.

D & E. Apply to outbound policies, not relevant to the need to block inbound external access.

F. Incorrect – this denies internal resources from going outbound, not inbound protection.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A Web Application Firewall (WAF) is primarily used for inspecting HTTP/HTTPS requests and filtering out malicious traffic, such as SQL injection or cross-site scripting (XSS) attacks. However, WAFs do not restrict access based on geographical location by default.

To control access to the cloud-hosted application based on geographical location, the correct measure is to implement geo-restriction (geo-blocking). This technique limits access to cloud-based resources by using the source IP’s geographical origin. Geo-restriction is typically enforced at the cloud firewall or load balancer level.

Relevant Extract from CompTIA CloudNetX CNX-001 Official Objectives:

“Cloud access control policies can enforce geo-restriction settings, ensuring applications and services are only accessible from authorized geographic regions.”

Also found under “Security Controls in Cloud Deployments” section:

“Geo-restriction uses IP geolocation data to restrict access to services based on geographic criteria, supporting compliance and security requirements.”

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A Secure Web Gateway (SWG) provides cloud-based traffic filtering, URL filtering, SSL decryption, and content inspection without requiring traffic to be routed through an on-premises data center. It is ideal for both remote and hybrid users, enforcing security policies in a distributed environment.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Cloud-Based Security Solutions”:

“Secure Web Gateways allow cloud-hosted decryption and inspection of web traffic, enabling policy enforcement for remote and on-campus users without backhauling traffic to the data center.”

Other options:

B. Transit gateways connect VPCs and on-prem but don’t decrypt traffic.

C. VPNs provide encrypted tunnels but don’t inspect traffic.

D. IPS inspects traffic but is usually on-prem and not cloud-hosted.

E. NAC is used for access control, not traffic inspection.

================================================