[HNA] HashiCorp Networking Automation Certification
Exam Guide
**Question 1.** Which of the following best describes the primary purpose of
Consul‑Terraform‑Sync (CTS) in a networking automation workflow?
A) To replace Terraform as the main IaC engine
B) To provide a DNS service for service discovery
C) To bridge Consul service events with Terraform executions
D) To store secrets for network devices
Answer: C
Explanation: CTS monitors Consul for service changes and triggers corresponding Terraform
runs, acting as the bridge between service catalog events and infrastructure provisioning.
**Question 2.** In an event‑driven networking model, what distinguishes a reactive
automation approach from a polling‑based approach?
A) Reactive automation runs on a fixed schedule
B) Reactive automation initiates actions immediately when a change is detected
C) Polling requires a third‑party message bus
D) Polling can only be used with static IP addresses
Answer: B
Explanation: Reactive automation listens for events (e.g., health check failures) and acts
instantly, whereas polling repeatedly checks state at intervals.
**Question 3.** Which Consul component acts as the “source of truth” for the network
topology in a HashiCorp Networking Automation deployment?
A) Consul Connect
B) Consul KV store
C) Consul Service Catalog
, [HNA] HashiCorp Networking Automation Certification
Exam Guide
D) Consul UI
Answer: C
Explanation: The Service Catalog records all registered services, their metadata, and health,
representing the authoritative view of network state.
**Question 4.** When configuring a Consul watch to trigger a CTS task, which of the following
watch types is most appropriate for monitoring a specific service’s health?
A) key
B) node
C) service
D) checks
Answer: C
Explanation: A “service” watch fires when the set of instances for a given service changes,
making it ideal for CTS to react to service health events.
**Question 5.** In Consul Connect, what is the role of a sidecar proxy?
A) To store encrypted secrets for services
B) To route traffic between services according to intentions
C) To provide DNS resolution for external domains
D) To generate Terraform state files
Answer: B
Explanation: The sidecar proxy mediates inbound and outbound traffic for a service, enforcing
security intentions defined in Consul Connect.
, [HNA] HashiCorp Networking Automation Certification
Exam Guide
**Question 6.** Which Terraform provider would you select to manage security groups in an
AWS VPC as part of network automation?
A) hashicorp/aws
B) hashicorp/azure
C) hashicorp/google
D) hashicorp/vsphere
Answer: A
Explanation: The AWS provider includes resources for VPC, subnets, and security groups,
enabling network policy automation in AWS.
**Question 7.** How does Terraform’s “data source” feature aid dynamic configuration when
integrated with Consul?
A) It creates new resources automatically
B) It reads existing Consul KV values to feed module inputs
C) It encrypts Terraform state files
D) It disables remote backend storage
Answer: B
Explanation: Data sources allow Terraform to query external systems (e.g., Consul KV) at plan
time, providing live data for variables and module inputs.
**Question 8.** Which of the following is a recommended practice for handling Terraform state
files in an automated CTS environment?
A) Store state locally on each CTS node
B) Use a remote backend with versioning and locking (e.g., Terraform Cloud)
C) Delete the state file after each run
, [HNA] HashiCorp Networking Automation Certification
Exam Guide
D) Embed the state file in the CTS binary
Answer: B
Explanation: Remote backends provide state locking, versioning, and collaboration safety,
essential for concurrent CTS executions.
**Question 9.** In a CTS HCL configuration, the **source** block defines which of the
following?
A) The Terraform provider version to use
B) The Consul service name and optional tag filters to watch
C) The location of the Terraform state file
D) The ACL token for Vault integration
Answer: B
Explanation: The source block tells CTS which Consul services to monitor and which
tags/attributes to filter on for task triggering.
**Question 10.** What is the purpose of the **task** block in a CTS configuration file?
A) To schedule periodic health checks
B) To map Consul service data to a specific Terraform module
C) To define Vault secret paths
D) To configure DNS forwarding
Answer: B
Explanation: The task block links a Consul service (or KV change) to a Terraform module,
specifying how service attributes become module inputs.
Exam Guide
**Question 1.** Which of the following best describes the primary purpose of
Consul‑Terraform‑Sync (CTS) in a networking automation workflow?
A) To replace Terraform as the main IaC engine
B) To provide a DNS service for service discovery
C) To bridge Consul service events with Terraform executions
D) To store secrets for network devices
Answer: C
Explanation: CTS monitors Consul for service changes and triggers corresponding Terraform
runs, acting as the bridge between service catalog events and infrastructure provisioning.
**Question 2.** In an event‑driven networking model, what distinguishes a reactive
automation approach from a polling‑based approach?
A) Reactive automation runs on a fixed schedule
B) Reactive automation initiates actions immediately when a change is detected
C) Polling requires a third‑party message bus
D) Polling can only be used with static IP addresses
Answer: B
Explanation: Reactive automation listens for events (e.g., health check failures) and acts
instantly, whereas polling repeatedly checks state at intervals.
**Question 3.** Which Consul component acts as the “source of truth” for the network
topology in a HashiCorp Networking Automation deployment?
A) Consul Connect
B) Consul KV store
C) Consul Service Catalog
, [HNA] HashiCorp Networking Automation Certification
Exam Guide
D) Consul UI
Answer: C
Explanation: The Service Catalog records all registered services, their metadata, and health,
representing the authoritative view of network state.
**Question 4.** When configuring a Consul watch to trigger a CTS task, which of the following
watch types is most appropriate for monitoring a specific service’s health?
A) key
B) node
C) service
D) checks
Answer: C
Explanation: A “service” watch fires when the set of instances for a given service changes,
making it ideal for CTS to react to service health events.
**Question 5.** In Consul Connect, what is the role of a sidecar proxy?
A) To store encrypted secrets for services
B) To route traffic between services according to intentions
C) To provide DNS resolution for external domains
D) To generate Terraform state files
Answer: B
Explanation: The sidecar proxy mediates inbound and outbound traffic for a service, enforcing
security intentions defined in Consul Connect.
, [HNA] HashiCorp Networking Automation Certification
Exam Guide
**Question 6.** Which Terraform provider would you select to manage security groups in an
AWS VPC as part of network automation?
A) hashicorp/aws
B) hashicorp/azure
C) hashicorp/google
D) hashicorp/vsphere
Answer: A
Explanation: The AWS provider includes resources for VPC, subnets, and security groups,
enabling network policy automation in AWS.
**Question 7.** How does Terraform’s “data source” feature aid dynamic configuration when
integrated with Consul?
A) It creates new resources automatically
B) It reads existing Consul KV values to feed module inputs
C) It encrypts Terraform state files
D) It disables remote backend storage
Answer: B
Explanation: Data sources allow Terraform to query external systems (e.g., Consul KV) at plan
time, providing live data for variables and module inputs.
**Question 8.** Which of the following is a recommended practice for handling Terraform state
files in an automated CTS environment?
A) Store state locally on each CTS node
B) Use a remote backend with versioning and locking (e.g., Terraform Cloud)
C) Delete the state file after each run
, [HNA] HashiCorp Networking Automation Certification
Exam Guide
D) Embed the state file in the CTS binary
Answer: B
Explanation: Remote backends provide state locking, versioning, and collaboration safety,
essential for concurrent CTS executions.
**Question 9.** In a CTS HCL configuration, the **source** block defines which of the
following?
A) The Terraform provider version to use
B) The Consul service name and optional tag filters to watch
C) The location of the Terraform state file
D) The ACL token for Vault integration
Answer: B
Explanation: The source block tells CTS which Consul services to monitor and which
tags/attributes to filter on for task triggering.
**Question 10.** What is the purpose of the **task** block in a CTS configuration file?
A) To schedule periodic health checks
B) To map Consul service data to a specific Terraform module
C) To define Vault secret paths
D) To configure DNS forwarding
Answer: B
Explanation: The task block links a Consul service (or KV change) to a Terraform module,
specifying how service attributes become module inputs.
