Career upgrade: Learn practical AI skills for better jobs and higher pay.
Level up
PracticeVideosBlogFlashcardsEspañol
All Practice Exams

100+ Free CloudNetX Practice Questions

Pass your CompTIA CloudNetX (CNX-001) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
Not published Pass Rate
100+ Questions
100% Free
1 / 100
Question 1
Score: 0/0

A compliance team requires that all network changes in their cloud environment are immutable, tracked in version control, and deployed only through approved CI/CD pipelines with no manual console access. Which infrastructure governance model describes this?

A
B
C
D
to track
Same family resources

Explore More CompTIA Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

CompTIA A+

Practice QuestionsStudy GuideCheat SheetFlashcards1 video4 blogs

CompTIA Security+

Practice QuestionsStudy GuideCheat SheetFlashcards2 videos4 blogs

CompTIA Network+

Practice QuestionsStudy GuideCheat SheetFlashcards1 video2 blogs

CompTIA CySA+

Practice QuestionsStudy GuideCheat SheetFlashcards1 blog

CompTIA Cloud+

Practice Questions1 blog

CompTIA PenTest+

Practice Questions1 blog

More From This Family

Videos and articles for deeper review.

VideoBest Cable Testers for Network Technicians in 2026: Klein VDV526-200 vs Fluke vs TRENDnetVideoCompTIA A+ Core 1 vs Core 2: Which Is Harder? (2026)VideoFREE Cisco CCST Cybersecurity (100-160) Exam Guide 2026: Pass First TryVideoSecurity+ SY0-701 Domain Weights & Percentages (2026)ArticleBest Cable Testers for Network Technicians in 2026: Klein VDV526-200 vs Fluke vs TRENDnet14 min readArticleBest Electronics Repair Toolkits for CompTIA A+ Exam Candidates: Complete 2026 Buying Guide14 min readArticleBest Network Cable Crimping Tool Kits in 2026: Hands-On Prep for CompTIA A+ and Network+14 min readArticleBest Raspberry Pi 5 Starter Kits for CompTIA A+ and Linux+ Hands-On Lab Practice in 202615 min read
2026 Statistics

Key Facts: CloudNetX Exam

CNX-001

Exam Code

CompTIA Xpert Series

Pass/Fail

Scoring

CompTIA (no scaled score)

165 min

Exam Duration

CompTIA

$525

Exam Fee

CompTIA (USD)

~90

Questions

CompTIA

3 years

Certification Validity

CompTIA CE program

CompTIA CloudNetX (CNX-001) is a new expert cloud and network certification launched as part of the CompTIA Xpert series. It covers four domains: Cloud Architecture (~30%), Network Design (~25%), Operations (~25%), and Security and Governance (~20%). The exam has approximately 90 questions in 165 minutes with pass/fail scoring. Exam fee is $525. Recommended experience: 5-7 years of cloud and network engineering.

Sample CloudNetX Practice Questions

Try these sample questions to test your CloudNetX exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1A network architect is designing multi-cloud connectivity linking AWS, Azure, and GCP to on-premises data centers. Which approach provides the most consistent latency SLAs while avoiding the public internet?
A.Deploy site-to-site IPsec VPN tunnels over the public internet to each cloud provider
B.Procure dedicated private circuits (AWS Direct Connect, Azure ExpressRoute, GCP Interconnect) through a colocation exchange
C.Use SD-WAN overlays running entirely over broadband internet with QoS markings
D.Configure BGP peering between on-premises routers and cloud virtual gateways over public IPs
Explanation: Dedicated private circuits bypass the public internet and offer contractual latency and bandwidth SLAs unavailable with internet-based solutions. A colocation exchange aggregates these into a single physical presence.
2An enterprise runs BGP between its on-premises ASN 65001 and AWS Direct Connect. The team wants to prefer on-premises-originated prefixes over cloud-originated ones for traffic returning to the data center. Which BGP attribute achieves this with least configuration overhead?
A.Increase the MED value on prefixes advertised from on-premises to AWS
B.Set a higher LOCAL_PREF on prefixes learned from on-premises on the on-premises routers
C.Prepend the on-premises ASN multiple times on prefixes advertised toward AWS
D.Configure a higher BGP weight on the AWS VGW sessions pointing to the on-premises router
Explanation: LOCAL_PREF is an iBGP attribute controlling outbound path selection within an AS. By setting a higher LOCAL_PREF on prefixes learned from on-premises, the enterprise ensures those paths are preferred for traffic exiting the on-premises network toward the data center.
3A company must connect 150 branch offices to three AWS VPCs and its on-premises data center with a hub-and-spoke topology. Managing individual VPN connections is becoming unmanageable. Which AWS service is architecturally designed for this scale?
A.AWS Virtual Private Gateway with static routing on each VPC
B.AWS Transit Gateway with route tables segregating spoke associations
C.AWS CloudHub using a single VGW for all branch connections
D.AWS Direct Connect with a private VIF to each VPC independently
Explanation: AWS Transit Gateway acts as a regional network hub allowing thousands of VPC and VPN attachments, with route tables enabling segmentation. It eliminates the full-mesh peering problem and scales to hundreds of connections without per-VPC VPN management.
4Azure Virtual WAN is deployed in Standard tier. An architect wants branch offices to communicate directly with each other without hairpinning through the hub. Which feature enables this?
A.VNet peering between branch VNets through the Virtual WAN hub
B.Any-to-any routing policy with branch-to-branch connectivity enabled in Virtual WAN
C.ExpressRoute Global Reach configured between each branch circuit
D.User-defined routes propagated via BGP from a third-party NVA in the hub
Explanation: Azure Virtual WAN Standard tier supports branch-to-branch connectivity, allowing SD-WAN and VPN sites attached to the same hub to exchange routes and communicate directly through the hub fabric.
5A Kubernetes cluster uses Cilium as its CNI. A security team needs to enforce Layer 7 HTTP policies restricting which microservices can call a payment API by HTTP method and path, without adding a sidecar proxy. Which Cilium feature satisfies this requirement?
A.Cilium NetworkPolicy with podSelector and namespaceSelector fields
B.CiliumNetworkPolicy with HTTP rules specifying method and path match
C.Kubernetes NetworkPolicy with egress rules using ipBlock CIDR ranges
D.Istio AuthorizationPolicy applied after disabling the Cilium CNI
Explanation: CiliumNetworkPolicy extends standard Kubernetes NetworkPolicy with Layer 7 awareness via eBPF-based proxying. HTTP rules can match on method, path, and headers natively without injecting sidecar proxies.
6An enterprise requires sub-50ms failover between two MPLS paths from its PE routers to a CE site. BGP convergence alone takes 90 seconds. Which technology provides the required fast reroute without modifying BGP timers?
A.Reduce BGP hold-down timers to 1 second and keepalive to 333ms
B.Deploy MPLS Fast Reroute with pre-computed backup Label Switched Paths
C.Use static floating routes with a lower administrative distance as fallback
D.Enable BFD between PE and CE routers linked to BGP session tracking
Explanation: MPLS Fast Reroute uses pre-computed backup LSPs that activate in under 50ms upon failure detection, bypassing slow BGP reconvergence. Traffic is locally repaired at the point of failure.
7A company deploys NSX-T to provide micro-segmentation across its vSphere environment. A security audit finds East-West traffic between VMs in the same logical segment is not being inspected. What is the correct remediation?
A.Insert a physical firewall between the ToR switches and the ESXi hosts
B.Enable the NSX-T Distributed Firewall and apply security groups with firewall rules
C.Create VLANs to isolate each VM on its own broadcast domain at the physical layer
D.Deploy an NSX-T Edge cluster and route all intra-segment traffic through it
Explanation: NSX-T's Distributed Firewall runs as a kernel module on each ESXi host, enforcing policy on the vNIC of every VM. This inspects East-West traffic inline before it traverses the logical segment, providing true micro-segmentation.
8An eBPF-based observability tool is tracing kernel network events on Linux hosts running containerized workloads. Engineers notice it captures TCP connection events even for short-lived connections that end before userspace tools detect them. Why?
A.eBPF programs run in userspace with elevated privileges giving them earlier access to socket buffers
B.eBPF programs attach to kernel tracepoints and kprobes executing synchronously in kernel context before events complete
C.eBPF relies on netfilter hooks which process packets before the kernel TCP stack
D.eBPF uses DPDK to bypass the kernel entirely and observe raw NIC queues
Explanation: eBPF programs are loaded into the kernel and execute at tracepoints, kprobes, or socket filter hooks synchronously within kernel context. TCP connect/close events are captured at the moment they occur in the kernel, before any userspace notification.
9A company uses AWS Direct Connect with two dedicated connections in active/passive mode. During a failover test, traffic does not switch to the passive connection for 8 minutes. Which mechanism best reduces failover time to under 30 seconds?
A.Reduce the BGP hold timer on the Virtual Interface to 3 seconds with keepalive at 1 second
B.Enable BFD on the Direct Connect Virtual Interface with a 300ms interval and 3x multiplier
C.Increase the BGP MRAI to speed up prefix withdrawal
D.Configure static routes on the VGW to bypass BGP entirely
Explanation: BFD provides sub-second link failure detection independent of BGP timers. With a 300ms interval and 3x multiplier, failure is detected in ~900ms, triggering BGP session teardown and route failover within seconds. AWS Direct Connect supports BFD on Virtual Interfaces.
10An architect is designing hybrid DNS resolution so on-premises hosts can resolve AWS private hosted zone names and AWS workloads can resolve on-premises internal names. What is the recommended AWS-native approach?
A.Deploy a BIND server on an EC2 instance in each VPC and configure conditional forwarding zones
B.Use Route 53 Resolver inbound and outbound endpoints with forwarding rules
C.Peer the on-premises DNS servers with Route 53 Resolver using BGP for dynamic zone exchange
D.Configure Route 53 public hosted zones as a proxy layer between on-premises and AWS private zones
Explanation: Route 53 Resolver Inbound Endpoints accept DNS queries from on-premises forwarded over Direct Connect or VPN. Outbound Endpoints forward queries from VPCs to on-premises DNS servers via resolver rules. This AWS-native solution requires no additional EC2 infrastructure.

About the CloudNetX Exam

CompTIA CloudNetX (CNX-001) is an expert-level certification in CompTIA's new Xpert series that validates advanced skills in designing, implementing, and managing complex cloud and network infrastructure. It covers multi-cloud connectivity, hybrid network design, cloud-native security, infrastructure-as-code, and operational excellence across AWS, Azure, and GCP environments.

Questions

90 scored questions

Time Limit

165 minutes

Passing Score

Pass/Fail

Exam Fee

$525 (Pearson VUE)

CloudNetX Exam Content Outline

~30%

Cloud Architecture

Multi-cloud interconnects (Direct Connect, ExpressRoute, Cloud Interconnect), cloud exchange providers, Transit Gateway hub-spoke, anycast global load balancing, managed Kubernetes, SDN, high-availability SLO design, and disaster recovery

~25%

Network Design

BGP/OSPF route redistribution, AS path prepending, QoS DSCP marking, NAT gateway patterns, IPv6 dual-stack, private endpoint/Private Link design, GSLB with health checks, and cloud WAN architecture

~25%

Operations

GitOps IaC workflows, Terraform idempotency and drift detection, VPC flow log analysis, synthetic monitoring, autoscaling strategy selection, CDN cache hit ratio, chaos engineering, and cloud cost optimization

~20%

Security and Governance

ZTNA vs. VPN, mTLS service mesh (Istio/SPIFFE), DDoS protection (L3/L4 Shield + L7 WAF), DNS security (split-horizon, RPZ, rebinding prevention), CSPM CIS Benchmarks, Kubernetes NetworkPolicy, data residency, NAC with MAB profiling

How to Pass the CloudNetX Exam

What You Need to Know

  • Passing score: Pass/Fail
  • Exam length: 90 questions
  • Time limit: 165 minutes
  • Exam fee: $525

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CloudNetX Study Tips from Top Performers

1Master BGP path selection attributes — AS path prepending (inbound influence), Local Preference (outbound preference), and MED — these appear frequently in network design scenarios
2Understand Transit Gateway hub-spoke vs. full-mesh VPC peering tradeoffs — know why TGW scales better and when peering is appropriate
3Know the SLI/SLO/SLA definitions precisely — these appear in design scenario questions about availability requirements
4Practice reading VPC flow log fields — understand ACCEPT vs. REJECT entries and how they diagnose security group and routing issues
5Understand the difference between ZTNA (application-level per-request access) and traditional VPN (broad network-level access) for remote access design
6Know DSCP marking values — EF (46) for voice, AF classes for guaranteed bandwidth, CS1 for scavenger — common in QoS design questions
7Study the centralized egress inspection VPC pattern — transit gateway + inspection VPC + NGFW for east-west and north-south traffic control

Frequently Asked Questions

What is CompTIA CloudNetX CNX-001?

CompTIA CloudNetX (CNX-001) is an expert-level certification in CompTIA's Xpert series validating advanced cloud and network design skills. It covers multi-cloud architecture, hybrid network design (BGP, Direct Connect), cloud-native security, IaC/GitOps, and operational excellence across AWS, Azure, and GCP. It targets senior cloud and network engineers with 5-7 years of experience.

What is the CloudNetX CNX-001 exam format?

CNX-001 has approximately 90 questions (multiple choice and performance-based) in 165 minutes. Scoring is pass/fail with no published scaled score. The exam fee is $525 USD, administered by Pearson VUE at test centers and online via OnVUE.

What are the four CloudNetX CNX-001 domains?

CNX-001 covers: Cloud Architecture (~30%) — multi-cloud interconnects, Transit Gateway, SDN, HA design; Network Design (~25%) — BGP/OSPF, QoS, NAT, IPv6, Private Link; Operations (~25%) — IaC GitOps, drift detection, observability, autoscaling, chaos engineering; Security and Governance (~20%) — ZTNA, mTLS, DDoS, DNS security, CSPM, data residency.

How is CloudNetX different from CompTIA Cloud+?

Cloud+ is an associate-level certification covering cloud infrastructure operations fundamentals. CloudNetX is expert-level, focusing on complex multi-cloud network architecture, advanced BGP/routing designs, cloud-native security patterns, and operational engineering at scale. CloudNetX candidates are expected to have 5-7 years of hands-on experience with multiple cloud providers.

What experience is recommended for CloudNetX?

CompTIA recommends 5-7 years of cloud and network engineering experience with hands-on practice in at least two major cloud providers (AWS, Azure, or GCP). Familiarity with Kubernetes, BGP, Terraform, and cloud-native security patterns is strongly recommended. Cloud+ and Network+ knowledge provides a useful foundation.

How should I study for CloudNetX?

Plan 200-300 hours over 6-12 months. Build hands-on experience with Transit Gateway, Direct Connect, Terraform GitOps, and Kubernetes NetworkPolicy. Study SASE vs. SD-WAN tradeoffs, BGP path selection attributes, VPC flow log analysis, and cloud-native DDoS protection architectures. Aim for 80%+ on practice questions before scheduling.