- (Topic 3)
A security team is conducting an audit of the security group configurations for the Linux servers that are hosted in a public laaS. The team identifies the following rule as a potential

A cloud administrator, who is working remotely, logs in to the cloud management console and modifies the rule to set the source to "My IR" Shortly after deploying the rule, an internal developer receives the following error message when attempting to log in to the server using SSH: Network error: connection timed out. However, the administrator is able to connect successfully to the same server using SSH. Which of the following is the BEST option for both the developer and the administrator to access the
server from their locations?

1. A. Modify the outbound rule to allow the company's external IP address as a source.
2. B. Add an inbound rule to use the IP address for the company's main office as a source.
3. C. Modify the inbound rule to allow the company's external IP address as a source.
4. D. Delete the inbound rule to allow the company's external IP address as a source.

Correct Answer: C
The inbound rule that the security team identified as a potential vulnerability is the one that allows SSH access (port 22) from any source (0.0.0.0/0). This means that anyone on the internet can try to connect to the Linux servers using SSH, which poses a risk of unauthorized access or brute-force attacks. The cloud administrator, who is working remotely, logs in to the cloud management console and modifies the rule to set the source to “My IP”. This means that only the administrator’s IP address can connect to the Linux servers using SSH, which improves the security of the servers. However, this also prevents other authorized users, such as the internal developer, from accessing the servers using SSH, as they have different IP addresses than the administrator. Therefore, the administrator needs to modify the rule again to allow more sources for SSH access.
The best option for both the developer and the administrator to access the server from their locations is to modify the inbound rule to allow the company’s external IP address as a source. This means that only the IP addresses that belong to the company’s network can connect to the Linux servers using SSH, which reduces the attack surface and ensures that only authorized users can access the servers. The company’s external IP address can be obtained by using a web service such as [What Is My IP Address?] or [IP Location]. The administrator can then enter this IP address or its CIDR notation in the source field of the inbound rule.

- (Topic 3)
A cloud administrator is monitoring a database system and notices an unusual increase in the read operations, which is causing a heavy load in the system. The system is using a relational database and is running in a VM. Which of the following should the administrator do to resolve the issue with minimal architectural changes?

1. A. Migrate the relational database to a NoSQL database.
2. B. Use a cache system to store reading operations.
3. C. Create a secondary standby database instance.
4. D. Implement the database system using a DBaaS.

Correct Answer: B
The best way to resolve the issue of an unusual increase in the read operations that is causing a heavy load in the system that is using a relational database and is running in a VM is to use a cache system to store reading operations. A cache system is a type of storage system that temporarily stores frequently accessed or recently used data in memory for faster retrieval. A cache system can reduce the load on the database system by serving the read requests from the cache instead of querying the database every time. Reference: [CompTIA Cloud+ Certification Exam Objectives], Domain 4.0 Troubleshooting, Objective 4.3 Given a scenario, troubleshoot capacity issues within a cloud environment.

- (Topic 1)
A systems administrator is troubleshooting performance issues with a Windows VDI environment. Users have reported that VDI performance is very slow at the start of the workday, but the performance is fine during the rest of the day. Which of the following is the MOST likely cause of the issue? (Choose two.)

1. A. Disk I/O limits
2. B. Affinity rule
3. C. CPU oversubscription
4. D. RAM usage
5. E. Insufficient GPU resources
6. F. License issues

Correct Answer: AC
Disk I/O limits are restrictions or controls that limit the amount of disk input/output operations per second (IOPS) that a VM can perform on a storage device or system. CPU oversubscription is a situation where more CPU resources are allocated to VMs than are physically available on the host or server. Disk I/O limits and CPU oversubscription are most likely to cause VDI performance being very slow at the start of the workday, but fine during the rest of the day, as they can create bottlenecks or contention for disk and CPU resources when multiple users log in or launch their VDI sessions at the same time, resulting in increased latency or reduced throughput for VDI operations. References: CompTIA Cloud+ Certification Exam Objectives, page 9, section 1.4

- (Topic 4)
A new development team requires workstations hosted in a PaaS to develop a new website. Members of the team also require remote access to the workstations using their corporate email addresses. Which of the following solutions will BEST meet these requirements? (Select TWO).

1. A. Deploy new virtual machines.
2. B. Configure email account replication.
3. C. Integrate identity services.
4. D. Implement a VDI solution.
5. E. Migrate local VHD workstations.
6. F. Create a new directory service.

Correct Answer: AC
A Platform-as-a-Service (PaaS) is a cloud computing model that provides customers a complete cloud platform—hardware, software, and infrastructure—for developing, running, and managing applications without the cost, complexity, and inflexibility that often comes with building and maintaining that platform on-premises1.
To develop a new website using a PaaS, the development team needs to deploy new virtual machines (VMs) on the cloud platform. VMs are software emulations of physical computers that can run different operating systems and applications. By deploying new VMs, the development team can create a scalable and flexible environment for their website project, without having to invest in or manage physical hardware2.
To enable remote access to the workstations using their corporate email addresses, the development team needs to integrate identity services on the cloud platform. Identity services are services that provide authentication, authorization, and identity management for users and devices accessing cloud resources. By integrating identity services, the development team can use their corporate email addresses as single sign-on (SSO) credentials to access their workstations from any device and location, while ensuring security and compliance3.
The other options are not the best solutions for these requirements:
✑ Configuring email account replication is not necessary for remote access to the workstations. Email account replication is a process of synchronizing email accounts across different servers or locations. It can provide backup and redundancy for email services, but it does not provide authentication or identity management for remote access4.
✑ Implementing a Virtual Desktop Infrastructure (VDI) solution is not a PaaS solution.
VDI is a technology that allows users to access virtual desktops hosted on a centralized server. VDI can provide remote access to desktop environments, but it requires additional hardware, software, and management costs that are not included in a PaaS model5.
✑ Migrating local VHD workstations is not a PaaS solution. VHD stands for Virtual Hard Disk, which is a file format that represents a virtual hard disk drive. Migrating local VHD workstations means moving the virtual hard disk files from local storage to cloud storage. This can provide backup and portability for the workstations, but it does not provide a complete cloud platform for developing and running applications6.
✑ Creating a new directory service is not necessary for remote access to the workstations. A directory service is a service that stores and organizes information about users, devices, and resources on a network. Creating a new directory service means setting up a new database and schema for storing this information. This can provide identity management and access control for the network, but it does not provide authentication or SSO for remote access.

- (Topic 4)
A VDI administrator is enhancing the existing environment with a feature to allow users to connect devices to virtual workstations. Which of the following types of devices are most likely to be allowed in the upgrade? (Select two).

1. A. Display monitors
2. B. USB devices
3. C. SATA devices
4. D. PCIe devices
5. E. PCI devices
6. F. Printers

Correct Answer: BF
B. USB devices and F. Printers are most likely to be allowed in the upgrade. USB devices are common peripherals that users may want to connect to their virtual workstations, such as flash drives, keyboards, mice, webcams, etc. Printers are also useful devices that users may need to print documents from their virtual desktops. VDI software can support USB redirection and printer redirection to enable these devices to work with virtual workstations12.
Display monitors, SATA devices, PCIe devices, and PCI devices are less likely to be allowed in the upgrade, as they are either part of the physical hardware of the end device or the server, or they require direct access to the host system. VDI software typically does not support these types of devices, as they are not compatible with the virtualization layer or the remote display protocol34.
1: What is VDI? | Virtual Desktop Infrastructure | VMware 2: What Is Virtual Desktop Infrastructure (VDI)? | Microsoft Azure 3: What Is Virtual Desktop Infrastructure (VDI)? - Cisco 4: Best Virtual Desktop Infrastructure (VDI) Software in 2023 | G2