A content delivery network operator stores edge-cached metadata in OSS with ZRS in Singapore, CRR to Tokyo for failover. Server-side encryption with rotation keys fails sync due to key version desync. Which CRR key management setting, via console or PutBucketEncryption API, rotates and replicates KMS keys annually while ignoring /cache/temp/*?
/cache/temp/ exclude; ReplicateKeyVersions: All
/cache/temp/
Answer: D
Explanation: Updating CRR with Encryption Type SSE-KMS, Rotation Yearly, and Prefix filter excluding /cache/temp/ ensures key versions sync across Singapore-Tokyo, supporting annual rotation for CDN metadata DR without temp data overhead. PutBucketEncryption complements this. Options A and D lack rotation specificity, B isn't API-based.
Which encryption methods does Alibaba Cloud support to secure data stored in OSS?
Client-side encryption before upload
Server-side encryption with Alibaba Cloud KMS keys
Use of third-party encryption services only
No encryption by default to save cost
Answer: A,B
Explanation: OSS supports server-side encryption managed by KMS and client-side encryption by users. Encryption is not disabled by default. Third-party encryption is an option but not mandatory.
Which Alibaba Cloud ACK feature helps in optimizing the deployment of microservices by limiting the rate of requests handled by each microservice, thus preventing resource exhaustion?
Answer: A
Explanation: Alibaba Cloud service mesh includes Sentinel-based microservice rate limiting, which prevents overload by controlling the traffic to microservices. Horizontal Pod Autoscaler manages pod counts, but does not limit request rates per service. Load balancer session persistence and ECS vertical scaling do not provide rate limiting for microservices.
A gaming studio's dev VPC uses PrivateZone for 'test.game.internal', caching external CDN queries. To mitigate dev DDoS tests (simulated 100 Gbps), use Anti-DDoS Origin with CreateDdosEvent for simulation, clear cache post-test, and CLI for event creation. What simulation and clear?
No sim.
Simulate via CLI, set policy; call aliyun ddoso CreateDdosEvent --Resource 'dev-vpc-eip' --Protocol UDP --Pps 100000000 --Duration 300s; aliyun pvtz ClearCache --ZoneName 'test.game.internal' --Type A --RR 'cdn.*';
aliyun ddoso CreateDdosEvent --InstanceId 'origin-dev' --AttackType 'udp_flood' --Size 100G; aliyun pvtz FlushCache --ZoneId 'pz-test-001';
Answer: B
Explanation: CreateDdosEvent simulates 100 Gbps UDP for testing Origin policy. ClearCache post-test restores CDN cache. This validates dev resilience, with logs for tuning.
During a cross-region failover test for ApsaraDB for Redis cluster (DRAM-based, 64 shards), a network partition isolates the primary proxy nodes, causing 30% slot unavailability. To achieve self-healing without manual intervention, what Tair-specific parameter in the instance config, combined with 'CLUSTER FAILOVER' command, restores quorum in under 60 seconds?
Enable 'tair.cluster.auto-healing=true' with 'proxy-timeout=10000'; use 'CLUSTER MEET ' to rejoin partitioned shards
Configure 'cluster-require-full-coverage=no' and 'replication-timeout=30000'; trigger 'CLUSTER FORGET ' post-partition
Answer: A
Explanation: In Tair's DRAM-based clusters, 'cluster-node-timeout=5000' detects partitions quickly, while 'cluster-migration-barrier=2' ensures replicas migrate slots only after majority quorum, preventing split-brain. The 'CLUSTER FAILOVER TAKEOVER' command on a replica promotes it if it holds >50% slots, restoring availability in <60s via gossip protocol. This self-healing leverages Tair's advanced proxy for load balancing, as documented in 2026 clustering updates, minimizing downtime in streaming scenarios without data loss, verified via 'CLUSTER INFO' metrics.
OSS and ECS in a hybrid setup via Cloud Enterprise Network must encrypt with HSM-backed KMS. What KMS HSM key creation, OSS SSE-HSM, ECS disk, and CEN encryption commands apply?
Answer: B
Explanation: HSM: aliyun kms CreateKey --KeySpec "RSA_4096" --ProtectionMode HSM --KeyId "hsm-gov". OSS: aliyun oss PutBucketEncryption --SSEAlgorithm "aws:kms" --KMSKeyId "hsm-gov". ECS: aliyun ecs CreateDisk --KMSKeyId "hsm-gov" --Encrypted true. CEN: aliyun cen Update --EncryptTransit true. HSM FIPS 140-2 ensures quantum-resistant encryption.
A multinational e-commerce company operates ECS instances across three VPCs in the China (Beijing), China (Shanghai), and Singapore regions, each with CIDR blocks of 10.0.0.0/16, 172.16.0.0/16, and 192.168.0.0/16 respectively. To enable low-latency communication between these VPCs while integrating an on-premises data center in Tokyo with CIDR 10.1.0.0/16 via a VPN Gateway, the architect must configure CEN. During setup, the CEN instance reports an error due to route advertisement conflicts. What is the most effective resolution to ensure transitive routing without manual route table modifications?
Answer: A
Explanation: In Alibaba Cloud CEN, attaching multiple VPCs from different regions to a single transit router enables full-mesh connectivity with automatic route propagation, ensuring low-latency transitive routing across global networks. The error likely stems from overlapping CIDR blocks, which CEN rejects; verifying and adjusting non-overlapping ranges (e.g., ensuring Tokyo's 10.1.0.0/16 does not conflict with Beijing's 10.0.0.0/16) resolves this. Enabling automatic propagation advertises all attached network routes dynamically via BGP, eliminating manual configurations and supporting hybrid scenarios with VPN Gateways, as per CEN's latest multi-region hybrid cloud best practices for scalable enterprise networks.
A company is integrating Alibaba Cloud with its existing identity provider (IdP) for single sign-on (SSO). What is the first step they should take to establish this integration?
Enable MFA for all users
Create a service-linked role in Alibaba Cloud
Configure the IdP to trust Alibaba Cloud as a service provider
Answer: C
Explanation: The first step in integrating Alibaba Cloud with an existing identity provider for single sign-on is to configure the IdP to trust Alibaba Cloud as a service provider. This trust relationship is essential for enabling SSO functionality and ensuring secure access to resources.
Which Alibaba Cloud feature allows the compliance team to respond quickly to suspicious activity detected in audit logs?
Answer: D
Explanation: ActionTrail with Log Service provides real-time analytics, and CloudMonitor can generate alerts on suspicious events, enabling rapid response to compliance or security incidents.
You have created a custom metric in CloudMonitor to track the number of user logins to your application. What is the best practice for ensuring the accuracy of this metric?
Push the login data to the metric in real-time.
Answer: A
Explanation: The best practice for ensuring the accuracy of a custom metric tracking user logins in CloudMonitor is to push the login data to the metric in real-time. This approach ensures that the metric reflects the most current data, allowing for accurate monitoring and analysis.
For secure code deployment, a DevSecOps team requires RAM roles for CodePipeline to assume "codeup:MergeRequest" with conditions on branch "main-2026" and MFA, plus tag inheritance for audit. What session tag condition propagates tags?
Permission policy: "Effect": "Allow", "Condition": {"ExternalId": "BranchMain"}
Trust policy: "Condition": {"ForAnyValue:StringEquals": {"codeup:Tag/Branch": "main-2026"}} without tags.
In assume-role, use --tags Key=AuditTrail,Value=Deploy2026; session policy: "Condition": {"StringEquals": {"sts:TransitiveTagKeys": "AuditTrail"}}
Answer: D
Explanation: To propagate audit tags in RAM assumed roles for CodePipeline, pass --tags during "sts:AssumeRole" (e.g., Key=AuditTrail,Value=Deploy2026), and include in session policy "StringEquals": {"sts:TransitiveTagKeys": "AuditTrail"} to allow inheritance, combined with branch condition "ForAnyValue:StringEquals": {"codeup:Tag/Branch": "main-2026"} and MFA. This ensures traceable deployments. Option B misses tags; C uses external ID wrongly; D inverts MFA.
A network engineer wants to monitor traffic performance between VPCs connected through CEN. What Alibaba Cloud service should be used?
Answer: B
Explanation: CloudMonitor integrated with CEN flow logs can track traffic flows, performance, and detect anomalies between VPCs connected via CEN. VPN Gateway logs focus on VPN traffic. NAT Gateway and security group logs monitor different scopes.
A development team is using ACK to manage their containerized applications. They want to ensure efficient resource utilization. What practices should they adopt?
Define resource requests and limits for each container
Implement Horizontal Pod Autoscaler (HPA)
Use a single node pool for all workloads
Regularly monitor resource usage with CloudMonitor
Answer: A,C,D
Explanation: Defining resource requests and limits ensures that containers receive the resources they need without over-provisioning. HPA allows for dynamic scaling based on demand, and regular monitoring with CloudMonitor helps identify inefficiencies. Using a single node pool can lead to resource contention and should be avoided.
How does Alibaba Cloud's auto-scaling improve cost efficiency for applications behind a CDN?
Answer: D
Explanation: Auto-scaling adjusts resources dynamically according to traffic, optimizing cost by avoiding idle resources while maintaining performance.
A retail company is using Alibaba Cloud for its e-commerce platform. They want to ensure that their data is protected against accidental deletions. What strategy should they implement?
Rely on manual backups only
Answer: C
Explanation: Enabling versioning in OSS protects against accidental deletions by retaining previous versions of objects. This feature allows for easy recovery of data that may have been mistakenly deleted.
Which features are essential when configuring Alibaba Cloud Function Compute for edge computing with CDN?
Answer: C,D
Explanation: Function Compute enables serverless code at CDN edges to reduce latency. RAM roles provide granular access control. Static IPs are not mandatory, and Anti-DDoS Pro is a network-level defense.
An IoT platform balances MQTT over TCP at Layer 4 using CLB, with 10,000 devices connecting via UDP fallback. Backend ECS show 15% health check failures from port 1883 overload, and client IPs are lost in logs. Configuration lacks Proxy and uses round-robin. To support 50,000 connections with IP preservation and UDP/TCP hybrid, what SLB migration and tuning is advised?
Answer: D
Explanation: NLB's Layer 4 prowess handles 50,000 IoT connections with native TCP/UDP support via hybrid listeners, using Proxy protocol to preserve device IPs for auditing in logs, addressing the loss issue. Least connections scheduling evens load on port 1883, reducing 15% failures, with 2s checks for proactive removal. This leverages 2026 NLB auto-scaling for IoT surges, surpassing CLB's LVS limits (max ~10k connections) and ALB's Layer 7 overhead unsuitable for raw MQTT/UDP.
You are tasked with aggregating logs from multiple Alibaba Cloud services for centralized analysis. Which of the following configurations would best utilize Simple Log Service (SLS) for this requirement?
Set up SLS to collect logs from each service separately and analyze them individually.
Use SLS to stream logs to a third-party analysis tool directly.
Configure log collection from multiple services into a single SLS project for unified access.
Disable log collection for all services to reduce costs.
Answer: C
Explanation: Simple Log Service (SLS) is designed to aggregate logs from various Alibaba Cloud services into a single project. This configuration allows for centralized access and analysis of logs, making it easier to identify trends, troubleshoot issues, and maintain compliance across services.
A content platform with 2 PB OSS data in us-east-1 needs DR to ap-northeast-1 with RPO=0, integrating CMS alerts for sync failures. Which monitoring and DR setup?
Integrate SLS with CMS for log-based alerts on replication errors.
Answer: B,E
Explanation: CMS alerts on CRR lag metrics provide real-time visibility, with dashboards tracking progress for zero RPO enforcement. SLS integration correlates replication logs with CMS for detailed error alerting. RDS active-active suits writes but content is OSS; same-region CRR is intra; HBR snapshots are periodic, not continuous.
When configuring Alibaba Cloud ActionTrail for compliance, what setting ensures that all API call records are available nearly in real-time for security monitoring?
Answer: B
Explanation: Integration of ActionTrail with Log Service streaming enables near real-time processing of API call logs, and CloudMonitor alerts enable immediate attention to security or compliance events, essential for proactive monitoring.
A gaming studio migrates Unity servers (100 VMs, Ubuntu, 50 TB) from AWS to ECS SMC quick, public multi-thread 16, incremental, ESS with hook for Unity build verify, scale on player count >10k. Which quick thread and player rule?
MigQuick --16thread AWS --50TB; Hook verify; PlayerRule>10k add3
StartQuick --Thread16 Public Inc50TB; Lifecycle buildtest; Scale >10k
Quick --AWS U16t Pub50TB Inc; Hook UnityVerify; Rule Players10k +4
QuickMigration --AWS --Ubuntu --Threads16 --Public --50TB --Incremental; CreateLifecycleHook --VerifyUnityBuild --ScalingGroupId asg-game; CreateScalingRule --PlayerCount>10000 add5
Answer: D
Explanation: Quick for AWS Ubuntu, 16 threads public incremental 50 TB. Hook verifies Unity build, rule adds 5 on >10k players.
A company is concerned about unauthorized access to its resources and wants to implement a policy that automatically revokes access after a period of inactivity. What should they do?
Answer: B
Explanation: Implementing a policy with session timeout settings allows the company to automatically revoke access after a period of inactivity. This proactive approach enhances security by minimizing the risk of unauthorized access due to forgotten or unattended sessions.
An insurance company under Solvency II is using Alibaba Cloud's eu-central-1 for risk modeling on PAI. It audits model inputs, including 2026 ESG factors. Which setup?
Single.
PAI-trails.
Batch.
Regional ActionTrail for PAI, SLS with ESG-tagged queries; KMS for inputs.
Answer: D
Explanation: Solvency II audits models. ActionTrail captures, SLS tags ESG, KMS secures.
You are implementing a data migration strategy from RDS for MySQL to ApsaraDB for MongoDB. Which method would be most efficient for handling schema differences?
B. Utilize a schema conversion tool before migration
Answer: B
Explanation: Utilizing a schema conversion tool before migration is the most efficient method for handling schema differences between RDS for MySQL and ApsaraDB for MongoDB. This tool can help automate the conversion process, ensuring that the data is structured correctly in the target database and minimizing manual adjustments.
In an ACK dedicated cluster (discontinued post-Aug 2024, but legacy), with 3 master nodes for HA, you integrate ASM for multi-cluster traffic (m1c1, m1c2 in same VPC). To expose a unified ingress for bookinfo app across clusters using serverless gateway, while enforcing JWT auth on /productpage with custom ext-authz gRPC service, what IstioGateway CRD and AuthorizationPolicy ensures secure cross-cluster access?
Apply policy:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: jwt-auth
spec:
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
    to:
    - operation:
        paths: ["/productpage"]
    when:
    - key: request.auth.claims[iss]
      values: ["https://example.com"]
Answer: B
Explanation: ASM's serverless ingress gateway provides a unified entry for multi-cluster (m1c1, m1c2) bookinfo exposure via console creation, routing /productpage to port 9080. Deploying ext-authz as gRPC on 9000 enables custom JWT validation, referenced in AuthorizationPolicy with CUSTOM action for granular path enforcement, ensuring secure cross-VPC traffic without redirect configs or peer auth that doesn't handle JWT claims. This leverages ASM v1.18+ for managed HA, avoiding deprecated dedicated cluster pitfalls.
Consider a VPC with overlapping CIDR blocks between the VPC (192.168.1.0/24) and a connected on-premises network (192.168.1.0/24) via VPN Gateway.
What is the recommended solution to enable successful hybrid communication?
Answer: B
Explanation: Overlapping CIDR conflicts cause routing issues. Changing the VPC CIDR to a unique, non-overlapping address space is the proper solution to avoid routing conflicts. NAT over VPN (B) is complex and not standard practice in Alibaba Cloud hybrid architectures. Express Connect (C) does not solve CIDR conflicts. Security groups cannot resolve IP addressing conflicts (D).