Pass the CompTIA CloudNetX CNX-001 Questions and answers with CertsForce

Comprehensive and Detailed Explanation From Exact Extract:

Video surveillance (A) provides continuous monitoring and allows for real-time, remote visibility of secure locations, such as computer rooms. When integrated with analytics, video surveillance systems can detect movement after hours or unauthorized access and generate immediate alerts. These systems also maintain video logs that can be audited later.

NFC access cards (B) allow controlled access to physical areas, generating time-stamped logs for each entry attempt. When connected to an access control system, these cards can trigger alerts for unauthorized access attempts, such as the use of expired credentials or access during restricted hours.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — Security Controls and Physical Security Section:

“Security access systems using NFC or smart cards allow traceability of personnel entry through electronic logs, while surveillance systems provide visibility and support forensic investigations.”

“Video surveillance allows real-time monitoring of physical environments and helps detect unauthorized presence or access in sensitive locations.”

================================================

Comprehensive and Detailed Explanation From Exact Extract:

SD-WAN (Software-Defined Wide Area Network) enables private, encrypted connections over public internet links and supports policy-based routing for application-aware traffic steering. It offers centralized management, redundancy, and automatic path selection — all aligned with the stated requirements.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Software-Defined Networking and WAN Optimization”:

“SD-WAN uses secure tunnels over the public internet, supports dynamic path selection, and provides application-aware routing, making it ideal for multi-site enterprise connectivity without dedicated links.”

Other options:

A. MPLS requires dedicated circuits and is costly.

C. Site-to-site VPN provides security but lacks intelligent traffic steering.

D. ExpressRoute is a private connection to Azure, not suited for general internet-based multi-site connectivity.

Comprehensive and Detailed Explanation From Exact Extract:

Using an active-active deployment across two regions with at least two Availability Zones (AZs) each provides the highest level of fault tolerance and geographic redundancy. This ensures continuity even if an entire region or multiple zones become unavailable. In regulated sectors such as healthcare, this meets strict availability and disaster recovery requirements.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “High Availability and Multi-Region Design”:

“Active-active configurations across multiple regions and availability zones maximize uptime and ensure failover in the event of localized or regional failures.”

Other options:

B. Active-passive introduces delays in failover.

C. Active-active in one region offers no geographic redundancy.

D. Active-passive in two regions is slower and less efficient during failover.

Comprehensive and Detailed Explanation From Exact Extract:

In the 2.4 GHz Wi-Fi band, channels overlap due to how the frequency spectrum is divided. To prevent co-channel and adjacent-channel interference, only non-overlapping channels should be used. According to the IEEE 802.11 standard and best practices outlined in the CompTIA CloudNetX CNX-001 Study Guide under “Wireless Network Optimization,” the three non-overlapping channels in the 2.4 GHz band are:

Channel 1 (2.412 GHz)

Channel 6 (2.437 GHz)

Channel 11 (2.462 GHz)

These channels are spaced far enough apart to avoid interference, even when operating in close proximity. Using overlapping channels (as in options A, B, and D) causes signal degradation and poor performance due to increased contention and retransmissions.

Relevant Extract from CompTIA CloudNetX CNX-001:

“Wi-Fi networks operating on the 2.4 GHz band should use channels 1, 6, and 11 to ensure maximum throughput and minimal interference in environments with multiple access points.”

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Geofencing allows enforcement of access policies based on the geographic location of the user's IP address. To comply with GDPR and control access based on user region, geofencing should be implemented to restrict or permit access to resources hosted in specific regions like Europe.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Data Sovereignty and Regional Access Control”:

“Geofencing enables organizations to restrict access to data or services based on geographic IP address, aiding in GDPR and other compliance frameworks.”

Other options:

A. SASE is a broader framework, not a direct access control mechanism.

B. NSGs operate at subnet/NIC level and do not interpret geolocation.

C. CDNs cache data globally but don’t control access by region directly.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A Secure Web Gateway (SWG) provides cloud-based traffic filtering, URL filtering, SSL decryption, and content inspection without requiring traffic to be routed through an on-premises data center. It is ideal for both remote and hybrid users, enforcing security policies in a distributed environment.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Cloud-Based Security Solutions”:

“Secure Web Gateways allow cloud-hosted decryption and inspection of web traffic, enabling policy enforcement for remote and on-campus users without backhauling traffic to the data center.”

Other options:

B. Transit gateways connect VPCs and on-prem but don’t decrypt traffic.

C. VPNs provide encrypted tunnels but don’t inspect traffic.

D. IPS inspects traffic but is usually on-prem and not cloud-hosted.

E. NAC is used for access control, not traffic inspection.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

With GitOps, all infrastructure changes are tracked as code and committed to version-controlled repositories. When the main branch is protected, changes should not be committed directly. Instead, best practices require that a new feature or change branch be created, followed by a pull request (PR) for peer review and approval before merging into the protected branch.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Infrastructure as Code and GitOps”:

“In GitOps workflows, changes are made in feature branches, reviewed via pull requests, and merged into protected branches only after validation, ensuring auditability and control over infrastructure deployments.”

Other options:

A. Direct commits to protected branches are restricted and violate GitOps practices.

C. The development branch may exist, but the question specifies main is the default, and the correct process requires a PR.

D. Rebase is for integrating histories, not submitting approved changes.

Comprehensive and Detailed Explanation From Exact Extract:

Round-robin DNS is a simplistic form of load balancing that does not perform health checks. If one of the four servers is down, DNS will still resolve its IP to 25% of users, resulting in failed connections. This matches the symptom of 25% failure rate — 1 out of 4.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Load Balancing Techniques and Availability”:

“Round-robin DNS distributes requests without regard for health status. Without external health checks, failed servers will continue to receive traffic, leading to partial service disruptions.”

Other options:

B. The percentages do not align with a 25% failure rate.

C. Least-connection algorithms usually have integrated health checks.

D. If health checks are active, the load balancer would not forward requests to a failed server.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

To meet the requirement of restricting inbound traffic and allowing outbound traffic, two components are most appropriate:

D. Firewall – A firewall enforces ingress and egress traffic policies. It can be configured to deny all inbound traffic by default and allow all outbound traffic, meeting the security policy requirement.

E. Network Security Group (NSG) – In cloud environments such as Azure, NSGs serve as virtual firewalls at the subnet or interface level. NSGs allow you to define rules that block or allow inbound and outbound traffic, and they are the preferred method for enforcing network access rules for cloud resources.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Cloud Network Security Configuration”:

“Network security groups and firewalls are key to enforcing inbound and outbound traffic restrictions in hybrid and public cloud environments.”

“NSGs are used to define network access control policies for cloud resources at the subnet or NIC level.”

Other options:

A. Application gateway controls HTTP/S traffic at Layer 7 but does not manage full access policy.

B. IPS detects/prevents malicious behavior but is not primarily used for general traffic restriction.

C. Port security restricts MAC addresses on switch ports, applicable in LANs, not cloud.

F. A screened subnet (DMZ) can provide additional isolation but is not required for basic traffic control.

================================================