100+ Free ACE Professional Practice Questions

Pass your Aviatrix Certified Engineer (ACE) — Multicloud Network Professional exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately

  • Pass Rate: Not published
  • Questions: 100+
  • 100% Free

2026 Statistics

Key Facts: ACE Professional Exam

  • Cert Validity: 3 years (Aviatrix)
  • Training Duration: 3 days (Aviatrix)
  • AWS/Azure/GCP/OCI: 4 clouds (Aviatrix)
  • Insane Mode HPE: 10–30 Gbps (Aviatrix Docs)
  • Max Network Domains: 200 (Aviatrix Docs)
  • Required Prereq: ACE Assoc. (Aviatrix)

The Aviatrix Certified Engineer (ACE) Professional is the advanced tier of the Aviatrix certification program, targeting network and cloud engineers who architect and operate enterprise multicloud networks. Delivered as an intensive 3-day instructor-led course with hands-on labs, ACE Professional covers proven design patterns from hundreds of real-world Aviatrix deployments across AWS, Azure, GCP, and OCI. Topics include ActiveMesh 2.0 high availability, FireNet with NGFW integration, Distributed Cloud Firewall, CoPilot Day-2 operations, and Terraform automation for network-as-code workflows.

Sample ACE Professional Practice Questions

Try these sample questions to test your ACE Professional exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. In Aviatrix ActiveMesh 2.0, what is the default behavior when a Transit Gateway has two Spoke Gateways attached and one Spoke Gateway fails?
A. Traffic routes through the remaining active Spoke Gateway automatically
B. All traffic to that VPC drops until manual intervention
C. The Controller re-launches a replacement gateway in the same AZ
D. Traffic falls back to native cloud provider routing
Explanation: Aviatrix ActiveMesh 2.0 uses active-active gateway pairs. When one gateway in a Spoke HA pair fails, the Controller detects the failure and automatically re-programs routes so all traffic is forwarded through the surviving gateway. This happens without manual intervention, providing sub-minute failover. Native cloud provider routing is never used as a fallback in a fully Aviatrix-managed transit design.

2. A network architect needs encrypted transit peering between AWS and Azure with throughput exceeding 10 Gbps. Which Aviatrix feature should be enabled on both Transit Gateways?
A. BGP route dampening
B. High Performance Encryption (Insane Mode)
C. FQDN egress filtering
D. ActiveMesh 1.0 with ECMP
Explanation: Aviatrix High Performance Encryption (HPE), also known as Insane Mode, uses multi-core packet processing and builds multiple parallel IPsec tunnels to achieve 10 Gbps and beyond between gateways, including cross-cloud transit peering. Standard gateway encryption tops out around 1–2 Gbps. HPE must be enabled at gateway creation time on both the source and destination Transit Gateways.

3. What is the minimum number of network domains required to implement a basic Aviatrix transit segmentation design that keeps Production and Development environments fully isolated?
A. One network domain with an ACL
B. Two network domains with no connection policy between them
C. Two network domains with a bidirectional connection policy
D. Three network domains and one hub domain
Explanation: In Aviatrix transit network segmentation, a Network Domain (formerly called Security Domain) groups Spoke VPCs that can communicate with each other. To keep Production and Development isolated, you create two separate network domains — one for each environment — and intentionally do not add a connection policy between them. Without a connection policy, traffic between the two domains is blocked. A single domain cannot segment two environments, and a bidirectional connection policy would defeat the isolation goal.

4. In Aviatrix FireNet, which inspection traffic pattern requires enabling 'Egress Inspection' on the Spoke attachment rather than using only East-West inspection rules?
A. VPC-to-VPC traffic across the same Transit Gateway
B. On-premises to Spoke VPC (North-South inbound)
C. Spoke VPC internet-bound traffic (Egress)
D. Transit Gateway peering traffic between two clouds
Explanation: Aviatrix FireNet supports three traffic inspection modes: East-West (VPC-to-VPC), North-South (on-prem to cloud), and Egress (outbound internet). For Egress inspection, the 'Egress Inspection' flag must be enabled on the Spoke attachment or through the FireNet policy so that outbound internet traffic is steered through the firewall instances. This is a distinct configuration from East-West, which is controlled at the Transit FireNet policy level.

5. Which Aviatrix CoPilot tool provides an end-to-end path analysis between two cloud instances showing security group rules, route tables, and latency at each hop?
A. FlowIQ
B. AppIQ (FlightPath)
C. Topology Replay
D. Cloud Routes Diagnostics
Explanation: AppIQ, accessed via CoPilot > Diagnostics > AppIQ > FlightPath, performs a path trace between any two cloud instances connected through the Aviatrix transit network. It analyzes security groups, network ACLs, route table configurations, and actual traffic flow at each hop, providing a report that identifies connectivity issues and latency. FlowIQ is for NetFlow traffic analysis, Topology Replay shows historical topology changes, and Cloud Routes Diagnostics checks routing tables.

6. When configuring Aviatrix Site2Cloud for a branch office with an overlapping IP address space (e.g., 10.0.0.0/24 on both sides), which feature resolves the conflict?
A. BGP route preference adjustment
B. DNAT and SNAT on the gateway
C. Network Address Translation (NAT) via Mapped or Virtual IP
D. Creating a new VPC with non-overlapping CIDR
Explanation: Aviatrix Site2Cloud supports overlapping CIDR resolution using Mapped or Virtual IP NAT. In this mode, you configure virtual IP subnets that are unique on each side; the Aviatrix Gateway translates the real IPs to virtual IPs in each direction. This allows two sites with identical IP ranges (e.g., 10.0.0.0/24) to communicate without re-IP-addressing. This is distinct from standard DNAT/SNAT, which does not handle the bidirectional mapping required for fully overlapping subnets.

7. In an Aviatrix multicloud transit design, a Spoke VPC in AWS needs to reach a Spoke VNet in Azure. Which component facilitates the cross-cloud data-plane forwarding?
A. AWS Transit Gateway attachment with Azure Virtual WAN peering
B. Aviatrix Transit Gateway peering over the internet between AWS and Azure Transit Gateways
C. Native AWS VPC Peering extended to Azure via Global Reach
D. Azure VPN Gateway with BGP peering to AWS Direct Connect
Explanation: In Aviatrix multicloud architecture, cross-cloud connectivity is achieved by peering the Aviatrix Transit Gateway in AWS with the Aviatrix Transit Gateway in Azure. This peering is built over the public internet (or optionally over ExpressRoute/Direct Connect) using encrypted IPsec tunnels. Spokes in each cloud attach to their local Transit Gateway, and the inter-cloud transit peering forwards traffic between them. Native AWS/Azure constructs like VPC Peering or Virtual WAN do not span cross-cloud natively without Aviatrix.

8. What is the purpose of the Aviatrix 'Shared Services' network domain in a segmented transit network?
A. To provide internet breakout for all Spokes
B. To host centralized services (DNS, Active Directory, monitoring) accessible by multiple isolated domains
C. To enforce east-west firewall inspection for all domains
D. To aggregate BGP routes from on-premises toward all Spoke VPCs
Explanation: A Shared Services network domain is a design pattern where centralized infrastructure services such as DNS resolvers, Active Directory, patch management, or monitoring tools are placed in a dedicated VPC attached to its own network domain. Connection policies are then created between the Shared Services domain and all other domains (Production, Development, etc.) that need access. This avoids duplicating services across domains while maintaining isolation between non-shared domains.

9. Aviatrix FQDN Egress Filtering operates at which layer, and what is its primary advantage over IP-based egress ACLs?
A. Layer 3 — it blocks entire IP subnets assigned to untrusted ASNs
B. Layer 7 — it inspects DNS queries and TLS SNI to allow/deny traffic by domain name, surviving CDN IP changes
C. Layer 4 — it matches TCP/UDP port ranges regardless of destination hostname
D. Layer 2 — it filters based on destination MAC address prefix
Explanation: Aviatrix FQDN Egress Filtering is a Layer 7 feature. The Aviatrix Gateway intercepts DNS queries and tracks the resolved IPs for allowed FQDNs, and it also inspects TLS SNI headers for HTTPS connections. Because it uses the domain name rather than IP address, it remains accurate even when content delivery networks (CDNs) rotate IP addresses frequently. IP-based ACLs break as CDN IPs change, while FQDN filtering adapts automatically.

10. Which Aviatrix Terraform resource is used to define a network domain (formerly security domain) in the Aviatrix provider?
A. aviatrix_vpc_peer
B. aviatrix_segmentation_network_domain
C. aviatrix_transit_gateway_route_domain
D. aviatrix_network_policy_group
Explanation: The Aviatrix Terraform provider resource `aviatrix_segmentation_network_domain` creates a network domain (previously called a security domain) on a Transit Gateway. A companion resource `aviatrix_segmentation_network_domain_connection_policy` creates the connection policy between two domains. This naming reflects the evolution from the older 'security domain' to the current 'network domain' terminology in the Aviatrix platform.

About the ACE Professional Exam

The Aviatrix ACE Professional certification validates advanced expertise in multicloud network architecture and operations using the Aviatrix platform, covering Transit Gateway design patterns, FireNet security service insertion, High Performance Encryption (Insane Mode), network segmentation, CoPilot observability, and Terraform-based IaC automation across AWS, Azure, GCP, and OCI.

  • Questions: 100 scored questions
  • Time Limit: Administered as part of 3-day training
  • Passing Score: Not publicly disclosed
  • Exam Fee: Included with 3-day training course (Aviatrix)

ACE Professional Exam Content Outline

  • Multicloud Transit Architecture & Design Patterns (25%): Transit Gateway design, ActiveMesh 2.0, multi-tier transit, connected transit, network domain segmentation, and cross-cloud peering
  • FireNet & Security Services (20%): FireNet East-West/Egress/North-South inspection, GWLB/ILB, service chaining, Distributed Cloud Firewall, SmartGroups
  • High Availability & High Performance Encryption (20%): ActiveMesh HA, Insane Mode parallel IPsec tunnels, gateway resizing, Controller HA, and failover design
  • Hybrid Connectivity (15%): Site2Cloud IKEv2 with mapped NAT, BGP over Direct Connect/ExpressRoute, CloudN, Aviatrix Edge, transitive routing
  • CoPilot Operations & Observability (12%): AppIQ/FlightPath, FlowIQ NetFlow, Topology Replay, Cloud Routes, anomaly detection, and Network Insight API
  • Infrastructure as Code & Automation (8%): Aviatrix Terraform provider resources, cloud_type values, lifecycle management, CI/CD pipeline integration

How to Pass the ACE Professional Exam

What You Need to Know

  • Passing score: Not publicly disclosed
  • Exam length: 100 questions
  • Time limit: Administered as part of 3-day training
  • Exam fee: Included with 3-day training course

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

ACE Professional Study Tips from Top Performers

1. Master ActiveMesh 2.0 active-active topology — understand how many tunnels are built between a Transit HA pair and Spoke HA pairs (8 tunnels for 2 Spokes each with HA)
2. Know the three FireNet traffic inspection modes (East-West, Egress, North-South) and which configuration enables each, including GWLB in AWS and ILB in Azure
3. Understand the difference between network domains (formerly security domains) and connection policies — domains isolate, policies selectively connect, and the Default domain is the implicit placement
4. Practice writing Aviatrix Terraform: know cloud_type values (AWS=1, GCP=4, Azure=8, OCI=16), key resource names (aviatrix_transit_gateway, aviatrix_segmentation_network_domain, aviatrix_transit_gateway_peering)
5. For CoPilot: know which tool answers which question — AppIQ/FlightPath for path analysis, FlowIQ for traffic trends, Cloud Routes for routing table verification, Topology for visual state and diagnostics

Frequently Asked Questions

What is the prerequisite for the Aviatrix ACE Professional certification?

Completion of the ACE Associate certification is mandatory before attending ACE Professional training. The Associate course covers foundational Aviatrix concepts. ACE Professional builds on that foundation with advanced design patterns, FireNet, CoPilot operations, and Terraform automation for multicloud networks.

What format is the ACE Professional exam?

The ACE Professional exam is scenario-based and administered as part of the 3-day instructor-led training course. Unlike the ACE Associate (which is a self-paced online assessment), the Professional exam is tied to the live training and covers practical multicloud design decisions based on real-world reference architectures.

How long is the ACE Professional certification valid?

The Aviatrix ACE Professional certification is valid for 3 years. After 3 years, certified professionals must complete the current version of the ACE Professional training and pass the exam again to maintain their certification status and stay current with Aviatrix platform updates.

What cloud providers does the ACE Professional course cover?

ACE Professional covers advanced multicloud networking across AWS, Microsoft Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI). The course focuses on proven design patterns that work consistently across all four providers using the Aviatrix platform as a cloud-agnostic abstraction layer.

What is Aviatrix High Performance Encryption (Insane Mode)?

Aviatrix Insane Mode (High Performance Encryption, HPE) builds multiple parallel IPsec tunnels between gateway pairs and distributes traffic across all tunnels using ECMP. Each tunnel is processed by a separate CPU core, enabling 10–30+ Gbps of encrypted throughput on c5n or equivalent instances. Insane Mode must be enabled at gateway creation time and requires appropriately sized instances.