Try 12 CompTIA CloudNetX (CNX-001) sample questions on hybrid-cloud architecture, resilience, security, governance, automation, cost control, and cloud-network troubleshooting, then use the Notify me form if you want IT Mastery updates for this route.
CompTIA CloudNetX (CNX-001) is an advanced vendor-neutral route for candidates who already understand cloud operations and need to reason through architecture, networking, security, automation, and operational control across hybrid and multi-cloud environments.
CloudNetX launched as a newer CompTIA Xpert Series cloud-networking route, so current preparation should focus on hybrid connectivity, segmentation, resilience, governance, and troubleshooting judgment. Use this page to try original IT Mastery sample questions and confirm whether CNX-001 is the route you want to hear about.
Practice option: Sample questions available
Start with the 12 sample questions on this page. Dedicated practice for CompTIA CloudNetX CNX-001 is not currently included as a full web-app practice page; enter your email to get updates when full practice becomes available or expands for this exam.
| Item | Candidate-facing note |
|---|---|
| Vendor | CompTIA |
| Exam code | CNX-001 |
| Route | CloudNetX advanced cloud networking |
| Launch date shown by CompTIA | February 18, 2025 |
| Practice status here | 12 original sample questions; full CNX-001 practice is not live yet |
| Best adjacent live routes | Cloud+ CV0-004, Network+ N10-009, Security+ SY0-701, and Terraform Associate |
Before scheduling, verify the current CNX-001 objectives, delivery rules, and exam facts with CompTIA. This page is independent practice support and does not claim affiliation with CompTIA.
Topic: hybrid connectivity
A company connects two cloud providers and an on-premises data center. Latency-sensitive traffic must use private links when healthy, but fail over to encrypted internet paths if a private circuit fails. What design choice best supports this requirement?
Best answer: B
Explanation: Advanced cloud-network designs need deterministic primary paths and tested failover behavior. Dynamic routing with health-aware preference and encrypted backup links supports resilience without relying on manual intervention.
Topic: segmentation
An application has web, application, database, and administrative tiers spread across cloud accounts. Which control best limits blast radius?
Best answer: D
Explanation: Segmentation reduces lateral movement and limits exposure. Security policies should reflect tier boundaries and permit only required flows.
Topic: observability
After a new transit routing change, users report intermittent timeouts. Which evidence should be collected first?
Best answer: A
Explanation: Network troubleshooting should begin with path, policy, and change evidence. Flow logs and route state help isolate whether traffic is dropped, misrouted, or delayed.
Topic: encryption
A workload exchanges sensitive data between cloud regions. The security requirement is confidentiality in transit and documented key-management ownership. What should the architect specify?
Best answer: C
Explanation: Encryption in transit protects confidentiality, but the operational model also needs ownership for keys, rotation, access, and auditability.
Topic: cost control
A cloud network uses several NAT gateways and cross-region traffic paths. Monthly costs spike after a new analytics workload launches. What should be reviewed?
Best answer: B
Explanation: Network cost often comes from transfer, egress, NAT processing, and cross-region movement. Architecture review should identify avoidable traffic paths before changing capacity blindly.
Topic: automation
A team manually creates firewall rules during every release, and several incidents were caused by inconsistent rule names. What is the best improvement?
Best answer: D
Explanation: Infrastructure-as-code can make policy repeatable, reviewed, testable, and traceable. It reduces drift when paired with change control and validation.
Topic: resilience
A private connection to a critical cloud environment is highly available inside one facility, but the facility itself is a single point of failure. What is the main concern?
Best answer: A
Explanation: Resilience must be evaluated at multiple layers: device, circuit, facility, region, provider, and operational process. A redundant device pair in one site still leaves site-level concentration risk.
Topic: identity
An operations team wants one emergency account for all cloud environments. What is the safer pattern?
Best answer: C
Explanation: Cross-cloud operations should use identity federation, least privilege, emergency access controls, and audit trails. Shared permanent credentials weaken accountability.
Topic: governance
A business unit deploys a new cloud environment outside approved guardrails. Which control helps prevent repeat drift?
Best answer: B
Explanation: Governance should be built into the environment through standards, automated policy checks, tagging, and documented exceptions rather than relying only on after-the-fact review.
Topic: troubleshooting
An application can resolve a service name but cannot connect to the endpoint. Which layer should be checked next?
Best answer: D
Explanation: DNS resolution proves name lookup, not end-to-end reachability. The next checks are routing, policy, endpoint status, and whether the service is actually listening.
Topic: data residency
A regulated workload must keep specific records in one jurisdiction. What should the architecture include?
Best answer: A
Explanation: Residency requirements apply to primary data, backups, logs, replication, and operational access. Architecture should define and monitor where regulated data can move.
Topic: incident response
A suspected route-table change exposed an internal service to an untrusted network. What is the best first response?
Best answer: C
Explanation: The first priorities are containment and evidence preservation. A cloud-network incident should follow the incident-response process, including log review and change investigation.
```mermaid
flowchart LR
    A["Business and compliance need"] --> B["Hybrid connectivity design"]
    B --> C["Segmentation and identity controls"]
    C --> D["Resilience and failover"]
    D --> E["Observability and cost review"]
    E --> F["Troubleshoot, tune, and document"]
```
Use the map when a CNX-001 item asks what to prioritize. Strong answers balance connectivity, security, resilience, cost, and operational evidence instead of choosing the most complex network option by default.
| Area | What to check | Common trap |
|---|---|---|
| Hybrid connectivity | Route preference, health checks, encryption, failover | Assuming one private circuit removes all availability risk |
| Segmentation | Tiers, identity, network policy, administrative paths | Building a flat cloud network for convenience |
| Troubleshooting | Flow logs, route tables, endpoint health, recent changes | Stopping after DNS resolution succeeds |
| Governance | Landing zones, policy-as-code, tagging, exceptions | Relying only on manual reminders |
| Cost | NAT processing, data transfer, regions, cross-cloud paths | Treating network cost as only bandwidth capacity |
Use this page to review CNX-001 sample questions and use the Notify me form for updates. The related pages below help you compare adjacent IT Mastery cloud, network, and automation practice options before choosing what to study next.
| If you need to practice… | Best page | Why |
|---|---|---|
| cloud operations and deployment | Cloud+ CV0-004 | Closest live CompTIA cloud route for architecture, operations, security, and troubleshooting. |
| networking foundations | Network+ N10-009 | Good live route before advanced routing, segmentation, and failover questions. |
| security foundations | Security+ SY0-701 | Useful live route for identity, logging, risk, and governance context. |
| infrastructure automation | Terraform Associate (004) | Helpful adjacent route for policy-as-code, repeatable network changes, and cloud automation discipline. |