PracticeVideosBlogFlashcardsEspañol
All Practice Exams

100+ Free Alibaba Cloud Architect Professional Practice Questions

Pass your Alibaba Cloud Certified Professional - Cloud Architect (CAP-C01) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
Not published Pass Rate
100+ Questions
100% Free
1 / 100
Question 1
Score: 0/0

Which protection plan should be used for an Internet-facing application in Mainland China that needs absorption of large-scale L3/L4 DDoS attacks while keeping the public IP unchanged?

A
B
C
D
to track
Same family resources

Explore More Alibaba Cloud Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

Alibaba Cloud ACA Cloud Business

Practice Questions

Alibaba Cloud ACA Generative AI Engineer

Practice Questions

Alibaba Cloud Certified Associate (ACA) Cloud Computing

Practice Questions

Alibaba Cloud Certified Associate (ACA) Cloud Operator

Practice Questions

Alibaba Cloud Certified Professional - Cloud Computing (ACP-Cloud1)

Practice Questions

Alibaba Cloud Security Engineer (Associate)

Practice Questions
2026 Statistics

Key Facts: Alibaba Cloud Architect Professional Exam

50

Exam Questions

Alibaba Cloud (CAP-C01)

90 min

Exam Duration

Alibaba Cloud

70/100

Passing Score

Alibaba Cloud

$200

Exam Fee (USD)

Alibaba Cloud 2026

2 years

Certificate Validity

Alibaba Cloud

Pearson VUE

Delivery

Alibaba Cloud Academy

CAP-C01 has 50 questions in 90 minutes, requires 70 out of 100 to pass, costs USD $200, and is delivered via Pearson VUE (online proctored or test center). It replaces ACP Cloud Computing (ACP-Cloud1) as the professional architect certification and tests architecture trade-offs across enterprise networking (VPC, CEN, Express Connect), compute and storage (ECS, OSS, NAS, ESSD), databases (RDS, PolarDB, PolarDB-X, AnalyticDB, Hologres), HA/containers/serverless (ALB/NLB, ACK, Function Compute), edge delivery (CDN, DCDN, GA), and security (RAM, KMS, Cloud Firewall, WAF).

Sample Alibaba Cloud Architect Professional Practice Questions

Try these sample questions to test your Alibaba Cloud Architect Professional exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1An architect is designing a new VPC in the China (Hangzhou) region. Which Alibaba Cloud component is used to logically segment a VPC into smaller subnets that are bound to a specific availability zone?
A.Route table
B.vSwitch
C.Network ACL
D.Elastic Network Interface
Explanation: In Alibaba Cloud VPC, a vSwitch is the subnet-level construct. Each vSwitch belongs to exactly one zone within a VPC and is where ECS, RDS, and other resources are placed. CIDR ranges are carved out of the VPC CIDR.
2A company needs to interconnect VPCs in three different regions and an on-premises data center over a high-throughput, low-latency private backbone. Which Alibaba Cloud service should the architect choose?
A.VPC Peering Connection
B.VPN Gateway
C.Cloud Enterprise Network (CEN) with Transit Router
D.Smart Access Gateway
Explanation: Cloud Enterprise Network (CEN) with Transit Router is purpose-built to connect multiple VPCs across regions and on-premises networks over Alibaba Cloud's private backbone. It supports bandwidth packages and any-to-any connectivity at scale.
3Workloads in a private vSwitch must reach Internet endpoints to download patches but should NOT be reachable from the Internet. Which combination provides only outbound Internet access?
A.Elastic IP attached to each ECS
B.Internet-facing SLB
C.NAT Gateway with SNAT entries
D.IPv6 Gateway in dual-stack mode
Explanation: NAT Gateway with SNAT entries gives instances in a private vSwitch outbound Internet access by translating their private IPs to a shared public EIP. Inbound connections from the Internet are not possible without DNAT rules.
4An enterprise needs a dedicated 10 Gbps private circuit from its data center to Alibaba Cloud with predictable latency. Which service should be provisioned?
A.Express Connect with a Virtual Border Router (VBR)
B.VPN Gateway with IPsec tunnels
C.PrivateLink endpoint
D.Cloud Firewall with site-to-site rules
Explanation: Express Connect provides dedicated physical circuits between on-premises and Alibaba Cloud. The Virtual Border Router (VBR) terminates the circuit on the cloud side and exchanges routes with VPCs (typically through CEN).
5Which statement about Alibaba Cloud security groups is correct?
A.Security groups are stateless and require explicit return-traffic rules
B.Security groups are stateful and automatically allow return traffic for permitted connections
C.Security groups apply only to inbound traffic; outbound is governed by Network ACLs
D.Security groups can only be associated with one ENI per VPC
Explanation: Alibaba Cloud security groups are stateful: when a flow is allowed in one direction, return traffic is automatically permitted. They support both inbound and outbound rules and can be attached to multiple ENIs.
6An architect is designing a CEN topology that spans Mainland China and international regions. Which statement about CEN bandwidth packages is correct?
A.Bandwidth packages are required for any traffic between Mainland China and international regions
B.Bandwidth packages are only required for traffic within a single region
C.Bandwidth packages must be purchased per VPC peering connection
D.Bandwidth packages are free of charge between any two regions
Explanation: On CEN, cross-region traffic between attached networks must be backed by a bandwidth package that defines the source/target areas (Mainland China, Asia Pacific, Europe, etc.) and committed bandwidth. Intra-region traffic on CEN is free.
7A SaaS provider wants other Alibaba Cloud customers to consume its service privately, without traversing the public Internet and without complex peering. Which feature should it use?
A.Cloud Enterprise Network
B.PrivateLink with endpoint services
C.Anycast EIP
D.Express Connect router (ECR)
Explanation: PrivateLink lets a service provider publish an endpoint service backed by an internal NLB, and consumers create endpoint connections in their own VPCs. Traffic stays on Alibaba Cloud's private network and does not require peering or matching CIDRs.
8Which Alibaba Cloud service is purpose-built to securely connect dozens of branch offices to Alibaba Cloud over the Internet with zero-touch provisioning?
A.VPN Gateway
B.Express Connect VBR
C.Smart Access Gateway (SAG)
D.PrivateZone
Explanation: Smart Access Gateway (SAG) is a CPE-style appliance and software client that provides plug-and-play connectivity from branches to Alibaba Cloud, integrating with CEN for cloud-side routing.
9An ECS instance in a private vSwitch must be reachable from the Internet on TCP/443 only. Which design satisfies this requirement with the least exposure?
A.Attach an EIP and open 0.0.0.0/0 on TCP/443 in the security group
B.Place the instance behind an Internet-facing ALB with a TCP/443 listener and a security group that allows the ALB CIDR
C.Configure a DNAT rule on a NAT Gateway from public IP TCP/443 to the instance, with no security group changes
D.Configure VPN Gateway with split tunneling for TCP/443
Explanation: Fronting the workload with an Internet-facing ALB and only allowing the ALB's source range to reach the instance keeps the instance off the public Internet while exposing exactly TCP/443. ALB also adds TLS termination and L7 protection.
10Which Alibaba Cloud service provides authoritative DNS resolution for private domain names visible only inside specified VPCs?
A.Alibaba Cloud DNS (public)
B.PrivateZone
C.DNS Firewall
D.Global Traffic Manager
Explanation: PrivateZone hosts private DNS zones bound to one or more VPCs. Records are resolvable from inside the bound VPCs but not from the public Internet, which is ideal for internal service names.

About the Alibaba Cloud Architect Professional Exam

The Alibaba Cloud Certified Professional - Cloud Architect (CAP-C01) is the 2025-refresh professional-level certification that replaces the legacy ACP Cloud Computing (ACP-Cloud1) credential. It validates the ability to design scalable, resilient, secure, and cost-efficient solutions on Alibaba Cloud across compute (ECS), networking (VPC, CEN, Express Connect), storage (OSS, NAS, ESSD), databases (RDS, PolarDB, PolarDB-X), containers and serverless (ACK, Function Compute), content delivery (CDN, DCDN, GA), and security (RAM, KMS, Cloud Firewall, WAF, Anti-DDoS).

Questions

50 scored questions

Time Limit

90 minutes

Passing Score

70/100

Exam Fee

$200 (Alibaba Cloud (delivered via Pearson VUE))

Alibaba Cloud Architect Professional Exam Content Outline

25%

Enterprise Networking

VPC + vSwitch + route tables, NAT Gateway DNAT/SNAT, IPv6 Gateway, Express Connect Virtual Border Router (VBR), Cloud Enterprise Network (CEN) Transit Router with bandwidth packages, VPN Gateway IPsec, PrivateLink, Smart Access Gateway (SAG), PrivateZone, Flow Log, NetTrace, NPM

22%

Compute & Storage Infrastructure

ECS family selection (t6/c7/r7, ebmg/ebmgn bare metal, Dedicated Host), ESSD PL3/AutoPL, snapshots and consistency groups, Auto Scaling with lifecycle hooks, OSS lifecycle/CRR/versioning/multipart/internal endpoint/WORM, Apsara File Storage NAS, shared block storage

15%

Databases & Data Lake

ApsaraDB for RDS HA + read/write splitting + DAS, PolarDB shared-storage scaling, PolarDB-X distributed MySQL, AnalyticDB and Hologres analytics, Tablestore wide-column, Redis/Tair, MongoDB, MaxCompute + DataWorks data lake, DTS migration and CDC

18%

HA, Containers & Serverless

ALB/NLB/CLB load balancing with weighted target groups and mTLS, ACK Pro / ASK / ACK One / virtual nodes / cluster autoscaler, Function Compute with provisioned concurrency, ApsaraMQ for RocketMQ / Kafka, EventBridge, API Gateway, ROS and Terraform alicloud, multi-AZ design

7%

Content Delivery & Edge

Alibaba Cloud CDN with OSS origin, Dynamic Route for CDN (DCDN), EdgeRoutine JavaScript at the edge, Global Accelerator (GA), Anycast EIP, OSS Transfer Acceleration, GTM DNS-based regional steering

13%

Security, Identity & Compliance

RAM users/groups/roles with policy conditions (acs:SourceIp, acs:MFAPresent), instance RAM roles + STS, Resource Directory + Control Policies, KMS BYOK and Managed HSM, Secrets Manager, Cloud Firewall (Internet/Internal/Host) with IPS, WAF, Anti-DDoS Origin/Premium, ActionTrail, Cloud Config, Cloud Security Center, SSL Certificates Service, data residency in Mainland China vs international regions

How to Pass the Alibaba Cloud Architect Professional Exam

What You Need to Know

  • Passing score: 70/100
  • Exam length: 50 questions
  • Time limit: 90 minutes
  • Exam fee: $200

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Alibaba Cloud Architect Professional Study Tips from Top Performers

1Memorize the connectivity hierarchy: vSwitch (intra-zone), VPC peering (intra-region only), CEN with Transit Router (cross-region with bandwidth packages), Express Connect VBR (on-prem private), VPN Gateway (IPsec over Internet), SAG (branches)
2Drill load-balancer choice: ALB for L7 (path/header/weighted/gRPC/mTLS), NLB for L4 TCP/UDP/QUIC at high scale, CLB legacy
3Compare PolarDB vs PolarDB-X: PolarDB scales reads via shared storage (one writer, up to 100 TB); PolarDB-X shards across CN/DN nodes for hundreds of TB and high write throughput
4Lock in OSS controls end-to-end: storage classes (Standard/IA/Archive/Cold Archive), lifecycle, versioning, CRR, internal endpoint, WORM retention, multipart upload
5Know the security stack end-to-end: RAM (identity), KMS BYOK + Managed HSM (keys), Secrets Manager (rotated secrets), Cloud Firewall (IPS east-west and north-south), WAF (L7 OWASP), Anti-DDoS Origin/Premium (volumetric), Resource Directory + Control Policies (org guardrails)
6Practice DR/cost trade-offs: DTS for online cross-region replication, HBR/Cloud Backup for vault backup, GTM for DNS failover, Savings Plans for flexible commit, Spot for fault-tolerant batch

Frequently Asked Questions

What is the Alibaba Cloud Architect Professional (CAP-C01) exam?

CAP-C01 is the 2025-refresh professional-level certification for Alibaba Cloud architects. It replaces the legacy ACP Cloud Computing (ACP-Cloud1) credential and validates architecture decisions across enterprise networking, compute, storage, databases, HA/serverless, edge delivery, and security on Alibaba Cloud.

How many questions and how much time does CAP-C01 have?

CAP-C01 has 50 questions to be completed in 90 minutes. The passing score is 70 out of 100. Questions are a mix of single-answer, multiple-answer, and true/false. The exam is delivered through Pearson VUE either online proctored or at a test center, and certificates are valid for 2 years.

How does CAP-C01 differ from the legacy ACP Cloud Computing (ACP-Cloud1) exam?

CAP-C01 replaces ACP-Cloud1 as Alibaba Cloud's professional architect certification. It is shorter (50 questions in 90 minutes vs 70 questions in 110 minutes), uses Pearson VUE delivery, costs $200 (vs $300 for ACP-Cloud1), and aligns to the modernized exam preparation course covering enterprise networking, compute and storage infrastructure, database best practices, HA architectures, content delivery, and security.

What topics does CAP-C01 cover?

CAP-C01 covers enterprise networking (VPC, NAT, Express Connect VBR, CEN with Transit Router, VPN, PrivateLink, SAG, PrivateZone), compute and storage (ECS families, ESSD PL3/AutoPL, snapshots, Auto Scaling, OSS, NAS), databases (RDS, PolarDB, PolarDB-X, AnalyticDB, Hologres, Tablestore, Redis/Tair, DTS), HA/containers/serverless (ALB/NLB, ACK Pro/ASK, Function Compute, ApsaraMQ, EventBridge, API Gateway, ROS/Terraform), content delivery (CDN, DCDN, EdgeRoutine, GA, GTM), and security (RAM, KMS, Secrets Manager, Cloud Firewall, WAF, Anti-DDoS, ActionTrail, Cloud Config).

How long should I study for CAP-C01?

Most candidates spend 60-100 hours over 6-10 weeks. Holders of AWS SAA-C03 or Azure AZ-305 typically spend the time learning Alibaba Cloud-specific service names and design patterns: ApsaraDB families, Cloud Enterprise Network, Cloud Firewall vs WAF vs Anti-DDoS, ARMS, and SLS. Hands-on labs (free-tier Alibaba Cloud account) covering VPC + CEN + Transit Router, ALB with weighted target groups, PolarDB read replicas, Function Compute + EventBridge, and ACK with virtual nodes are strongly recommended.

How does CAP-C01 compare to AWS SAA-C03 or Azure AZ-305?

CAP-C01 sits between AWS SAA-C03 (associate) and Azure AZ-305 (expert) in scope. It costs USD $200 (vs SAA $150 or AZ-305 $165), has a 2-year validity, and is delivered via Pearson VUE. Depth on networking (CEN, Transit Router, VBR) and Apsara-specific services like PolarDB-X and Tair is unique to Alibaba Cloud and is the main gap for AWS or Azure architects.

Where can I take the CAP-C01 exam?

CAP-C01 is delivered through Pearson VUE either at a physical test center or online with remote proctoring. You schedule via the Alibaba Cloud Academy certification portal after registering. The exam is currently available in English. A government-issued ID and a quiet workspace are required for the online option. A 14-day wait applies between any two Alibaba Cloud professional-level exams.