Career upgrade: Learn practical AI skills for better jobs and higher pay.
Level up
PracticeVideosBlogFlashcardsEspañol
All Practice Exams

100+ Free F5-402 Practice Questions

Pass your F5 Certified Solution Expert - Cloud (Exam 402: Cloud Solutions) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
F5 does not publish official pass rates Pass Rate
100+ Questions
100% Free
1 / 100
Question 1
Score: 0/0

A multi-cloud deployment has BIG-IP VE in AWS, Azure, and GCP. The security team wants ONE place to author WAF policies and push them everywhere. Which approach is MOST aligned with this requirement?

A
B
C
D
to track
Same family resources

Explore More F5 Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

F5 201 TMOS Administration

Practice Questions

F5 301B BIG-IP LTM Specialist Maintain & Troubleshoot

Practice Questions

F5 401 Security Solutions Expert

Practice Questions

F5 Certified! BIG-IP Administrator (F5-CA, exam 201)

Practice Questions

F5 Certified! Solution Expert (F5-CSE)

Practice Questions

F5 Certified! Technical Professional (F5-CTP)

Practice Questions
2026 Statistics

Key Facts: F5-402 Exam

70

Exam Questions

Multiple-choice

105 min

Time Limit

Pearson VUE / Certiverse

245/350

Passing Score

About 70%

$180

Exam Fee

F5 official

F5-CTS

Prerequisite

LTM, DNS, ASM, or APM

2 years

Validity

F5 recertification cycle

F5 402 Cloud Solutions is the Cloud Solution Expert exam in F5's Solution Expert track. The exam has 70 questions in 105 minutes, requires a 245/350 (~70%) passing score, and costs $180 USD via Pearson VUE / Certiverse. Candidates must hold an active F5-CTS credential in LTM, DNS, ASM, or APM. The blueprint covers cloud architecture (BIG-IP VE on AWS/Azure/GCP, F5 Distributed Cloud), application delivery (BIG-IP DNS, HTTP profiles, OneConnect), cloud security (Advanced WAF, XC WAAP, ACME, KMS), automation (AS3, DO, TS, Terraform, Ansible), and operations (Telemetry Streaming, Auto Scaling, lifecycle). The credential is valid for 2 years.

Sample F5-402 Practice Questions

Try these sample questions to test your F5-402 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1According to NIST SP 800-145, which of the five essential cloud characteristics describes the ability of a tenant to unilaterally provision compute, storage, and network capacity automatically without human interaction with the provider?
A.Broad network access
B.On-demand self-service
C.Rapid elasticity
D.Measured service
Explanation: NIST 800-145 defines five essential cloud characteristics. On-demand self-service is the ability of a consumer to unilaterally provision computing capabilities, such as server time and storage, automatically without requiring human interaction with each service's provider. Broad network access addresses ubiquitous client connectivity, rapid elasticity covers scaling, and measured service covers metering and billing.
2A customer wants the cloud provider to manage the operating system, middleware, and runtime, but still wants to deploy and manage their own application code. Which NIST 800-145 cloud service model best fits this requirement?
A.IaaS
B.PaaS
C.SaaS
D.FaaS
Explanation: In NIST 800-145, Platform as a Service (PaaS) gives the consumer the capability to deploy onto the cloud infrastructure consumer-created or acquired applications using programming languages, libraries, services, and tools supported by the provider. The provider manages the underlying network, servers, OS, and storage; the consumer controls the deployed applications and possibly configuration settings.
3Which NIST 800-145 deployment model describes infrastructure shared by several organizations supporting a specific community with shared concerns such as mission, security requirements, and compliance considerations?
A.Public cloud
B.Private cloud
C.Community cloud
D.Hybrid cloud
Explanation: NIST 800-145 lists four deployment models: private, community, public, and hybrid. The community cloud is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns. It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination.
4An architect needs the BIG-IP Virtual Edition (VE) to span multiple AWS Availability Zones for high availability. Which F5 component is specifically designed to handle the cross-AZ failover by manipulating AWS API constructs (route tables, EIPs, ENI secondary addresses)?
A.BIG-IP DNS Sync Group
B.F5 Cloud Failover Extension (CFE)
C.F5 Telemetry Streaming
D.F5 iApp v1 Templates
Explanation: F5 Cloud Failover Extension (CFE) is the iControl LX extension that performs cloud-aware failover for BIG-IP VE in AWS, Azure, and GCP. On failover it updates AWS route table entries, reassigns Elastic IP addresses, and moves secondary IPs across ENIs so traffic redirects from the failed unit to the healthy peer. Traditional gratuitous-ARP-based failover does not work across cloud subnets.
5A BIG-IP VE is being launched on AWS. Which licensing model bundles the F5 software cost into an hourly EC2 instance price billed by AWS?
A.BYOL (Bring Your Own License)
B.Hourly / PAYG (Pay-As-You-Go) from the AWS Marketplace
C.Volume Subscription License
D.ELA Enterprise License Agreement
Explanation: On the AWS Marketplace, F5 BIG-IP VE is offered with both BYOL and Hourly / PAYG (Pay-As-You-Go) license models. PAYG bundles the F5 license cost into the hourly EC2 charge, so the customer is billed by AWS and no separate F5 license token is required. BYOL requires a registration key purchased from F5 to be applied to the running VE.
6Which AWS construct provides the Layer 2-equivalent network attachment for a BIG-IP VE so it can present management and data interfaces with discrete IP addresses and security groups?
A.IAM role
B.Elastic Network Interface (ENI)
C.S3 bucket
D.Route 53 hosted zone
Explanation: In AWS, each network attachment for an EC2 instance is an Elastic Network Interface (ENI). BIG-IP VE typically has multiple ENIs - one for management, one or more for data plane (external/internal/HA) - each in its own subnet with its own security group. Cloud Failover Extension manipulates secondary IP addresses on ENIs during failover.
7In an AWS sandwich design pattern, what is the BIG-IP VE positioned BETWEEN?
A.Two regions
B.An external (front-end) load balancer (such as an AWS NLB or ELB) and a back-end pool of application servers
C.Two AWS accounts
D.A VPN gateway and a NAT gateway
Explanation: The sandwich design places BIG-IP VEs between a cloud-native L4 load balancer (commonly the AWS Network Load Balancer in front for AZ-aware ingress and stateless distribution) and the back-end application servers. The cloud LB distributes flows to a fleet of BIG-IP VEs, and each VE applies the advanced ADC services (WAF, persistence, iRules, SSL) before sending to the application pool.
8Which AWS service is most commonly used to template a complete BIG-IP VE deployment (VPC, subnets, route tables, BIG-IP instances, IAM roles) as code?
A.AWS Config
B.AWS CloudFormation
C.AWS Trusted Advisor
D.AWS Backup
Explanation: F5 publishes maintained AWS CloudFormation templates that build standalone, HA pair, and Auto Scale BIG-IP VE topologies. CloudFormation declaratively provisions the VPC, subnets, route tables, BIG-IP instances, IAM roles, and the AS3/DO/CFE bootstrap. AWS Config monitors compliance, Trusted Advisor advises on best practices, and AWS Backup handles backups - none deploy infrastructure as code.
9Which AWS-native HA mechanism does NOT work for BIG-IP VE failover across Availability Zones?
A.F5 Cloud Failover Extension that moves EIPs and updates route tables
B.Standard gratuitous ARP on a shared Layer 2 VLAN between active and standby
C.Across-network failover using AWS API calls
D.DNS-based failover with BIG-IP DNS / Route 53
Explanation: AWS subnets are Layer 3 constructs, and Availability Zones do not share a Layer 2 broadcast domain. Gratuitous ARP cannot cross the AZ boundary, so traditional GARP-based BIG-IP failover does not work in AWS. CFE addresses this by using AWS API calls (route table updates, EIP reassignment, ENI secondary IP moves) to redirect traffic. DNS-based failover via BIG-IP DNS or Route 53 is also valid.
10A customer plans to deploy BIG-IP VE in Microsoft Azure with HA across Availability Zones. Which Azure resource is typically used in front of an Active/Active BIG-IP VE pair to provide AZ-aware fronting and a single zone-redundant frontend IP?
A.Azure Application Gateway
B.Azure Standard Load Balancer (Standard SKU, zone-redundant)
C.Azure Front Door
D.Azure ExpressRoute
Explanation: F5's reference architecture for BIG-IP VE in Azure recommends fronting the BIG-IP cluster with the Azure Standard Load Balancer (Standard SKU) configured with a zone-redundant frontend IP. The Standard LB provides AZ awareness and stateless L4 distribution to BIG-IP VEs deployed in different Availability Zones. Azure Application Gateway and Front Door are full Layer 7 services and would conflict with BIG-IP advanced ADC services.

About the F5-402 Exam

The F5 402 Cloud Solutions exam is the Cloud Solution Expert level certification in the F5 Certified Solution Expert track. It validates expert-level skill in designing and operating F5 application delivery and security on AWS, Azure, GCP, and F5 Distributed Cloud Services (XC). The blueprint covers cloud architecture and deployment models (~25%), application delivery in the cloud (~20%), security in cloud environments (~20%), automation and orchestration (~20%), and operations and optimization (~15%). Candidates must hold an F5 Certified Technology Specialist (F5-CTS) credential in LTM, DNS, ASM, or APM.

Assessment

70 multiple-choice questions covering cloud architecture and deployment models, application delivery in the cloud, cloud security, automation and orchestration, and operations and optimization for F5 BIG-IP VE and F5 Distributed Cloud.

Time Limit

105 minutes

Passing Score

245/350 (~70%)

Exam Fee

$180 (F5 / Pearson VUE / Certiverse)

F5-402 Exam Content Outline

25%

Cloud Architecture and Deployment Models

NIST 800-145 service and deployment models, public/private/hybrid/community cloud, BIG-IP VE on AWS/Azure/GCP, CloudFormation/ARM/Cloud Deployment Manager, sandwich and edge ADC patterns, F5 Distributed Cloud Customer Edge / Regional Edge, App Stack

20%

Application Delivery in the Cloud

BIG-IP DNS (Wide IPs, Listeners, Topology, DNS Express, DNSSEC), HTTP/HTTPS profiles, FastL4, FastHTTP, OneConnect, RAM Cache / Web Acceleration, TCP profile tuning (LAN vs WAN), HTTP/2, F5 XC HTTP LB and CDN

20%

Security in Cloud Environments

BIG-IP Advanced WAF (auto Policy Builder, OWASP Top 10), F5 XC WAAP, Bot Defense, DDoS (AFM, DHD, XC), API Discovery and Security, SSL/TLS, ACME / Let's Encrypt, AWS ACM, Azure Key Vault, multi-cloud KMS/HSM, data residency, IAM least privilege, SSL Orchestrator, FIPS

20%

Automation and Orchestration

F5 Automation Toolchain - AS3 (declarative app services), DO (declarative onboarding), TS (telemetry streaming), FAST (templates) - plus iControl REST, the F5 Terraform provider (bigip_as3, bigip_ltm_*), the f5networks.f5_modules Ansible collection, GitOps and CI/CD with Jenkins / GitLab / GitHub Actions, drift management, F5 XC Terraform provider

15%

Operations and Optimization

Monitoring with AVR and iStats, Telemetry Streaming to Splunk/ELK/Datadog/AWS CloudWatch/Azure Log Analytics, Auto Scaling triggers (TMM CPU, active connections), right-sizing, Reserved Instances/Savings Plans vs PAYG vs BYOL trade-offs, software lifecycle (LTS vs CD), blue/green upgrades, BIG-IQ fleet management

How to Pass the F5-402 Exam

What You Need to Know

  • Passing score: 245/350 (~70%)
  • Assessment: 70 multiple-choice questions covering cloud architecture and deployment models, application delivery in the cloud, cloud security, automation and orchestration, and operations and optimization for F5 BIG-IP VE and F5 Distributed Cloud.
  • Time limit: 105 minutes
  • Exam fee: $180

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

F5-402 Study Tips from Top Performers

1Build BIG-IP VE labs in AWS, Azure, and GCP - cross-cloud differences (CFE, ARM, Cloud Deployment Manager) are heavily tested
2Memorize the F5 Automation Toolchain split: DO for system setup, AS3 for app services, TS for telemetry, FAST for self-service templates
3Practice writing AS3 JSON declarations from scratch (Tenant -> Application -> Service_HTTPS -> Pool) so the schema is muscle memory
4Know F5 Distributed Cloud terminology cold: Customer Edge (CE), Regional Edge (RE), HTTP LB, Origin Pool, App Stack, MCN, WAAP
5Understand cloud HA patterns - gratuitous ARP does NOT work across AWS AZs; Cloud Failover Extension manipulates route tables and EIPs
6Practice the GitOps deployment flow: Git -> CI validates -> CD applies AS3 to BIG-IP VE in dev -> staging -> prod

Frequently Asked Questions

What is the F5 402 Cloud Solutions exam?

F5 402 is the Cloud Solution Expert exam in F5's Certified Solution Expert track. It validates expert-level skill in designing and operating F5 application delivery and security on AWS, Azure, GCP, and F5 Distributed Cloud. The exam has 70 questions in 105 minutes with a 245/350 (~70%) passing score, costs $180, and is delivered through Pearson VUE / Certiverse.

What are the prerequisites for F5 402?

Candidates must hold an active F5 Certified Technology Specialist (F5-CTS) credential in LTM (301A/301B), DNS (302), ASM (303), or APM (304) before they can earn the F5-CSE Cloud credential. Without an active F5-CTS, a 402 pass will not count toward certification even if you pass the test.

How hard is the F5 402 exam?

F5 402 is an expert-level exam. The blueprint emphasizes architecture-level decisions across multiple clouds: when to use a sandwich pattern in AWS vs an edge ADC pattern, how to design BIG-IP VE HA across Availability Zones, when to use F5 Distributed Cloud vs BIG-IP VE, and how to drive everything through AS3/DO/TS in CI/CD. Plan 100-150 hours of study with hands-on cloud lab time.

What clouds does the F5 402 exam cover?

The F5 402 blueprint covers all three major public clouds: AWS (CloudFormation, Marketplace AMI BYOL/PAYG, Cloud Failover Extension across AZs, Auto Scaling), Azure (ARM templates, Standard Load Balancer with zone-redundant frontend, Availability Zones, Key Vault), and GCP (Cloud Deployment Manager, Internal TCP/UDP Load Balancer, BIG-IP on Compute Engine). It also covers hybrid and multi-cloud designs with F5 Distributed Cloud Services.

Which automation tools are tested on F5 402?

F5 402 tests the full F5 Automation Toolchain: AS3 (Application Services 3 - declarative application services), DO (Declarative Onboarding - system setup), TS (Telemetry Streaming - metrics export), and FAST (F5 Application Services Templates). It also tests the F5 Terraform provider (F5Networks/bigip), the f5networks.f5_modules Ansible collection, iControl REST, and GitOps / CI/CD patterns using Jenkins, GitLab, and GitHub Actions.

How much does the F5 402 exam cost?

The F5 402 exam costs $180 USD per attempt and is delivered through Pearson VUE / Certiverse, in-person or online proctored. F5 charges a 15-day waiting period between attempts. Some F5 partner organizations and training providers may offer vouchers or discounted bundles.

How should I prepare for F5 402?

Build hands-on labs in at least two public clouds (AWS and Azure are the most heavily tested), deploy BIG-IP VE via the marketplace and Cloud Failover Extension, configure AS3 and DO declarations, set up Telemetry Streaming to a SIEM, and walk through the F5 Distributed Cloud console. Pair the official 402 blueprint with F5 DevCentral articles, this practice test, and a 10-14 week study plan totaling 100-150 hours.