Knowledge Check - Networking and Connectivity
Test your understanding of the key concepts from Module 3. Select the best answer for each question, then submit to see your results. You need to score at least 60% to pass.
FinCorp is designing a three-tier VDC: a public web tier, a private application tier, and a private data tier. The security team wants the data tier reachable only from the application tier, and assumes the managed Network Load Balancer in front of the data tier can be locked down with an IP allowlist. What should the architect tell them?
NIC firewalls and Network Security Groups bind to server NICs and the VDC, not to the managed ALB/NLB or the Kubernetes cluster abstraction. The correct posture is to isolate the data tier by topology (private LAN) and filter on the targets themselves; expecting the managed load balancer to do source filtering is the boundary error the platform explicitly does not support.
A self-managed network firewall appliance must present a single stable public IP and fail over to a standby instance if the active one is lost. The team will run their own HA software inside the appliance. Which IONOS construct fits, and what must they understand about it?
IP failover is exactly the self-managed active-passive pattern: it provisions one reserved public IP across redundant NICs and lets the guest HA software decide when to fail over, because the platform does not monitor service health. A managed load balancer cannot share a LAN with IP failover and is meant for elastic tiers; NAT Gateway is for outbound egress; DNS failover steers names, not a single shared IP on one LAN.
FinCorp must connect its on-premises data centre to a VDC over an encrypted site-to-site link during migration. The on-premises device is currently configured for IKEv1 with BGP-based dynamic routing. What does the architect need to plan for on the IONOS VPN Gateway?
The IONOS VPN Gateway supports IKEv2 and WireGuard but not IKEv1, and routing is static via the cloud-network and peer-network CIDR lists; there is no BGP. The legacy peer must be reconfigured, and the routed subnets declared explicitly. NAT Gateway and DNAT are unrelated to this requirement.
Private application servers in a VDC must download OS patches and reach an external SaaS API, but must never be reachable from the internet and must hold no public IP. The architect provisions a NAT Gateway with a reserved public IP and a SNAT rule, but the servers still cannot reach the internet. What is the most likely cause?
A NAT Gateway is SNAT-only and forwards traffic only once the private VMs route internet-bound traffic to it; the routing change (default route to the gateway, or per-target routes) is the step most often missed. A DNAT rule does not exist on this product, and assigning public IPs would defeat the private-egress goal.
An architect needs a low-latency private link to exchange data between two of FinCorp's own VDCs. The two VDCs are in different regions and, for billing isolation, under different contracts. Which option is viable?
Private Cross-Connect is categorically limited to VDCs in the same region and under the same contract, sharing one IP range; it cannot span regions or contracts. The cross-region, cross-contract requirement rules it out, so the architect must use a different connectivity model. NAT Gateway provides outbound internet egress, not VDC-to-VDC private interconnect.
FinCorp needs automated failover for a public service when its primary-region endpoint fails, redirecting clients to a secondary-region endpoint. There is no managed failover product. How should the architect design this, and what is the dominant lever on recovery time?
With no managed failover product, the native pattern is customer-orchestrated DNS failover: an external health check (for example from the load-balancer plane) drives re-pointing the Cloud DNS record to a healthy endpoint, and the record TTL bounds how quickly redirected clients pick up the change, making it the dominant RTO lever. Cloud DNS itself is not health-aware. Because DNS steers only new connections, the fronted tier must be stateless. IP failover is region-bound to one LAN, and NAT/load-balancer levers do not address cross-region endpoint failover.