CNX-001 Practice Exam Questions with Answers CompTIA CloudNetX Exam Certification

Comprehensive and Detailed Explanation From Exact Extract:

A 403 Forbidden error indicates that the request was understood by the server but is refusing to fulfill it due to insufficient authorization. The developer is attempting to call a protected API that requires valid credentials such as an access key and signature (often used in HMAC-based APIs), but the values appear as Postman variables (e.g., {{rapyd_access_key}}), which suggests they were not replaced with actual credentials.

This typically means that the request lacks proper authentication or authorization headers, or the keys/signature are incorrect or missing. The presence of access_key, signature, salt, and timestamp in the request implies the API requires authentication, but the variables were not resolved or valid.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “API Security and Authentication”:

“A 403 error typically results from failed authentication or lack of proper authorization. Developers must ensure that tokens or signatures are valid, not missing, and properly injected.”

Other options:

A. 404 is the code for a missing resource, not 403.

C. A firewall rule would block the request entirely (e.g., no response or a 0 status), not result in a 403 from the server.

D. HTTP redirection issues typically result in 3xx codes, not 403.

?

Comprehensive and Detailed Explanation From Exact Extract:

To allow private IP-based communication between internal servers and cloud applications over asite-to-site VPN, private DNS resolution is necessary. The internal DNS server can be configured to forward specific DNS queries (for cloud-based applications) to a DNS server located in the cloud. This ensures applications can be resolved to private IPs, not public ones.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Hybrid Networking and DNS Integration”:

“To support name resolution over hybrid connections like site-to-site VPN, enterprises should configure conditional forwarding to cloud-based DNS servers. This allows internal devices to resolve private IP addresses for cloud-based resources.”

Other options:

B. NAT introduces complexity and may hide source IPs, which is not required in this case.

C. Public DNS names map to public IPs, violating the requirement.

D. A proxy is not needed if direct private IP-based access is available via VPN.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A Secure Web Gateway (SWG) provides cloud-based traffic filtering, URL filtering, SSL decryption, and content inspection without requiring traffic to be routed through an on-premises data center. It is ideal for both remote and hybrid users, enforcing security policies in a distributed environment.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Cloud-Based Security Solutions”:

“Secure Web Gateways allow cloud-hosted decryption and inspection of web traffic, enabling policy enforcement for remote and on-campus users without backhauling traffic to the data center.”

Other options:

B. Transit gateways connect VPCs and on-prem but don’t decrypt traffic.

C. VPNs provide encrypted tunnels but don’t inspect traffic.

D. IPS inspects traffic but is usually on-prem and not cloud-hosted.

E. NAC is used for access control, not traffic inspection.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Geofencing is a network access control method that enforces restrictions based on location data. In this scenario, the organization requires access to be permitted only when users are on premises (i.e., within a specific physical location). Geofencing can be implemented using source IP ranges or GPS-based location data to define boundaries (fences). This allows access to certain applications or services only when the user is inside a designated network or area.

MFA (Option A) provides identity assurance but does not enforce physical location-based restrictions.

UEBA (Option C) provides behavioral analytics but is not used for real-time access control.

PKI (Option D) provides identity validation through certificates but is not location-aware.

Relevant Extract from CompTIA CloudNetX CNX-001 Official Study Guide:

“Geofencing allows organizations to define physical or logical boundaries that restrict or allow access based on user location. Policies can be configured to allow access only when users are on a trusted campus or corporate network, denying requests originating from outside the geofenced area.”

Covered under the topic: “Access Control Technologies and Identity Enforcement Mechanisms.”

Comprehensive and Detailed Explanation From Exact Extract:

The best way to prevent unscheduled outages caused by Infrastructure as Code (IaC) changes is to implement automated review and approval gates in the CI/CD pipeline. This ensures that all changes undergo validation, peer review, testing, and possibly approval from stakeholders before being deployed, thus reducing the likelihood of production-impacting issues.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “CI/CD Security and IaC Controls”:

“Incorporating approval gates and automated validation into CI/CD pipelines helps detect misconfigurations and unauthorized changes before deployment, reducing the risk of outages.”

Other options:

A. Making changes directly to the master branch violates best practices.

B. Self-review (by the author) lacks objectivity and fails peer validation.

C. Forking creates a copy but does not introduce formal validation processes.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

PF_RING is a high-performance packet capture and filtering framework that allows IDS systems to handle large volumes of traffic efficiently. By offloading and filtering out traffic that is known and trusted (such as HTTPS traffic from a patch server), the IDS can focus on analyzing critical traffic and reduce dropped packets.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Traffic Filtering and IDS Performance Optimization”:

“Advanced filtering solutions like PF_RING allow offloading of known trusted traffic, reducing processing overhead on IDS systems and improving visibility into meaningful events.”

Other options:

A. Directly configuring the IDS to ignore traffic may bypass too much, affecting visibility.

C. BPF filters on the tap itself may interfere with other systems using the tap.

D. Disabling the IDS temporarily removes all visibility — a poor security practice.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

To meet the requirement of restricting inbound traffic and allowing outbound traffic, two components are most appropriate:

D. Firewall – A firewall enforces ingress and egress traffic policies. It can be configured to deny all inbound traffic by default and allow all outbound traffic, meeting the security policy requirement.

E. Network Security Group (NSG) – In cloud environments such as Azure, NSGs serve as virtual firewalls at the subnet or interface level. NSGs allow you to define rules that block or allow inbound and outbound traffic, and they are the preferred method for enforcing network access rules for cloud resources.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Cloud Network Security Configuration”:

“Network security groups and firewalls are key to enforcing inbound and outbound traffic restrictions in hybrid and public cloud environments.”

“NSGs are used to define network access control policies for cloud resources at the subnet or NIC level.”

Other options:

A. Application gateway controls HTTP/S traffic at Layer 7 but does not manage full access policy.

B. IPS detects/prevents malicious behavior but is not primarily used for general traffic restriction.

C. Port security restricts MAC addresses on switch ports, applicable in LANs, not cloud.

F. A screened subnet (DMZ) can provide additional isolation but is not required for basic traffic control.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A. An explicit allow rule in the Network Security Group (NSG) permitting Server A (10.2.3.9) to communicate with Server B (10.2.2.7) ensures intra-cloud communication between segments.

C. A deny rule that blocks any inbound access from external sources (0.0.0.0/0 ? internal range 10.2.0.0/16) effectively prevents unsolicited inbound traffic from the public internet, securing the internal servers.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Cloud Security Groups and Firewall Policies”:

“NSGs should be configured with least privilege principles. Allow intra-subnet or intra-application communication while explicitly denying unsolicited internet traffic.”

“Ingress and egress filtering policies should block all traffic by default and permit only what’s required.”

Other options:

B. Incorrect – this allows internal range to internet, which is not requested.

D & E. Apply to outbound policies, not relevant to the need to block inbound external access.

F. Incorrect – this denies internal resources from going outbound, not inbound protection.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Since payments are working and orders are being recorded in the cloud, the issue likely lies in the local wireless network between the tablets and the kitchen printers. If the issue only occurs during high usage periods, it’s likely a congestion or signal quality issue. Adding a dedicated access point for the kitchen can isolate printer traffic and improve reliability.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Wireless Performance and Interference Management”:

“Segmenting traffic or deploying dedicated APs for mission-critical devices can reduce contention and ensure reliability in congested wireless environments.”

Other options:

A. App updates won’t fix wireless interference.

C. Dongle upgrades may help but don’t isolate the traffic.

D. Static IPs help with addressing, not with wireless reliability.

Comprehensive and Detailed Explanation From Exact Extract:

When building infrastructure for business units that process financial transactions (such as in the retail or banking sector), the architect must first understand all relevant compliance and regulatory requirements. These may include PCI DSS, SOX, or GDPR, depending on the nature of the data and jurisdiction. These regulations influence design decisions regarding encryption, segmentation, data retention, and logging.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Compliance and Regulatory Considerations”:

“Regulatory requirements such as PCI DSS, HIPAA, and others dictate the security controls, logging, data protection, and architectural design of infrastructure handling sensitive or financial data.”

Other options:

B. Statement of Work defines project scope, but doesn't include legal/compliance mandates.

C. Business case studies illustrate value or ROI, not security or compliance needs.

D. Internal reference architectures may help with standards but are based on already defined requirements.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A CMDB (Configuration Management Database) is a centralized repository used to store information about IT assets and their relationships, including configuration items such as servers, applications, and databases. It provides visibility into dependencies between infrastructure components, including application and database tiers. This is essential for cloud migration and modernization projects where understanding interdependencies ensures accurate planning and reduces risks.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under the “Infrastructure Documentation and Planning” domain:

“CMDBs are used to track asset relationships, allowing network and systems engineers to visualize and manage dependencies between services, applications, and infrastructure components critical for change management and cloud migration.”

Other options:

A. Internal knowledge base articles may offer general guidance but not structured dependency mapping.

C. WBS (Work Breakdown Structure) outlines tasks and deliverables, not technical dependencies.

D. Physical server diagrams are not relevant in virtualized/cloud environments.

E. SOW (Statement of Work) defines project scope but lacks infrastructure-level detail.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

SD-WAN (Software-Defined Wide Area Networking) is ideal for enterprises that want to simplify WAN management, reduce operational overhead, and optimize connectivity to cloudservices. SD-WAN provides intelligent traffic routing, dynamic path selection, and direct-to-cloud access without backhauling traffic through a central data center.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “SD-WAN and Cloud Connectivity”:

“SD-WAN enables efficient cloud access from branch offices and simplifies management through centralized policy control. It is cost-effective and reduces the need for complex hardware configurations and manual routing.”

Other options:

B. Adds latency and overhead by backhauling through headquarters.

C. MPLS is expensive and less flexible than SD-WAN.

D. Dark fiber is high-cost and not scalable for cloud-first architectures.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Network Access Control (NAC) evaluates the posture of a device before allowing access to the network. It can enforce security policies, authenticate users and devices, and isolate or remediate non-compliant devices. NAC is widely used in enterprise environments to secure access at the network edge, such as in guest or public areas.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Access Control and Posture Assessment”:

“NAC provides device authentication, security posture validation, and can enforce automated remediation or quarantine actions based on policy compliance.”

Other options:

A. IPS detects and prevents known threats but does not perform access control or posture checks.

B. Microsegmentation isolates workloads but lacks posture checks and auto-remediation.

?

Comprehensive and Detailed Explanation From Exact Extract:

The local machine has the IP address 10.21.12.8 and the physical address 1A-21-11-33-44-5A.However, the ARP table shows that 10.21.12.8 is mapped to a different MAC address (1A-21-11-31-74-4C), meaning another device on the network is responding to ARP requests for the same IP. This is a clear sign of an IP address conflict, which would prevent the workstation from functioning properly on the network.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Troubleshooting IP Addressing Issues”:

“An IP conflict occurs when two devices on the same network are assigned the same IP address. Symptoms include connectivity loss, duplicate ARP entries, and inconsistent routing behavior.”

Other options:

A. Asynchronous routing refers to packets taking different return paths, which is unrelated to ARP inconsistencies.

C. DHCP server issues would affect IP assignment but are not indicated here — the workstation has an IP address assigned.

Comprehensive and Detailed Explanation From Exact Extract:

Round-robin DNS is a simplistic form of load balancing that does not perform health checks. If one of the four servers is down, DNS will still resolve its IP to 25% of users, resulting in failed connections. This matches the symptom of 25% failure rate — 1 out of 4.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Load Balancing Techniques and Availability”:

“Round-robin DNS distributes requests without regard for health status. Without external health checks, failed servers will continue to receive traffic, leading to partial service disruptions.”

Other options:

B. The percentages do not align with a 25% failure rate.

C. Least-connection algorithms usually have integrated health checks.

D. If health checks are active, the load balancer would not forward requests to a failed server.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Risk transference is a risk management strategy in which the financial impact of a risk is shifted to a third party, such as an insurance company. In this scenario, the purchase of an insurance policy to cover potential damage or loss from a natural disaster is an example of transferring risk, not avoiding, mitigating, or accepting it.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide under “Risk Management Concepts”:

“Risk transference involves moving the responsibility or financial burden of a risk to a third party, often through the purchase of insurance or third-party service agreements.”

This approach is contrasted with mitigation (reducing risk), acceptance (living with the risk), or avoidance (eliminating the risk).

================================================

Comprehensive and Detailed Explanation From Exact Extract:

D includes all the key elements of Zero Trust:

MFA (Multi-Factor Authentication) supports secondary passkey-based authentication.

Geolocation settings enforce geo-restrictions.

SSO federation allows use of an existing SAML identity provider.

Continuous access policies support dynamic reauthentication based on changes in posture.

Trusted endpoint policies ensure only corporate-owned, compliant devices are allowed to connect.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Zero Trust Architecture and Identity Management”:

“ZTA enforces continuous access policies that monitor session state, posture, and user behavior.”

“Federated identity with SSO and posture-based trust evaluation are core ZTA components.”

“Geo-restrictions and trusted endpoint policies limit exposure and enforce device compliance.”

Other options:

A uses static session tokens and disables timely expiration, violating Zero Trust principles.

B allows BYOD and disables auditing, which conflicts with compliance and monitoring.

Comprehensive and Detailed Explanation From Exact Extract:

PortFast is a feature in Spanning Tree Protocol (STP) that allows switch ports connected to end devices (like user workstations) to bypass the usual STP states (Listening and Learning) and transition immediately to the Forwarding state. This significantly reduces convergence time and speeds up the network availability when new switches or ports are introduced.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “STP Optimization Techniques”:

“PortFast reduces STP convergence time by immediately placing access ports into the forwarding state, useful in environments where rapid network availability is required.”

Other options:

A. BPDU Guard is used to disable ports that receive Bridge Protocol Data Units, enhancing security but not STP speed.

B. Priority modifies bridge priority but doesn’t reduce convergence time.

C. Tagging relates to VLAN identification, not STP behavior.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

When an application is moved from local deployment to a centralized cloud deployment, remote users must connect over the WAN. If the application is sensitive to delays, latency becomes a significant issue, especially across geographically distributed regions. This is a common performance concern for centralized applications serving remote offices.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Cloud Performance and WAN Connectivity”:

“Cloud-hosted applications accessed by remote users may suffer from latency-related performance issues. Optimization strategies may include CDN, caching, or edge deployment.”

Other options:

A. Throttling usually refers to bandwidth or rate-limiting, not general slowness.

B. Overutilization is possible, but infrastructure was said to be centralized and new.

C. Packet loss would likely cause disconnects or failures, not just slowness.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Quality of Service (QoS) ensures that latency-sensitive traffic like videoconferencing is prioritized over bandwidth-heavy but delay-tolerant tasks like report generation. Implementing QoS on network switches allows the network to differentiate traffic types and ensure sufficient bandwidth for critical applications during congestion.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Traffic Prioritization and QoS”:

“QoS enables classification and prioritization of network traffic to ensure performance of mission-critical or real-time applications such as voice and video.”

Other options:

A. Scheduling tasks outside business hours is not scalable or reliable.

B. Load balancing applies to servers, not prioritization of LAN traffic.

D. Buying higher-end switches is costly and may not resolve contention under load.

================================================