CertGrid
HashiCorp Certification

HashiCorp Consul Associate (003) Practice Exam

Validates service networking with Consul — service discovery, health checking, KV, service mesh, and security.

Practice 300 exam-style HashiCorp Consul Associate (003) questions with full answer explanations, then take timed mock exams that score like the real thing.

Start practicing free Sign in
300
Practice questions
57
On the real exam
700
Passing score
60 min
Exam length

What the HashiCorp Consul Associate (003) exam covers

Free HashiCorp Consul Associate (003) sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 300.

  1. Question 1Consul Architecture

    What is HashiCorp Consul primarily used for?

    • AService discovery, health checking, a distributed KV store, and service meshCorrect
    • BEncrypting disks only
    • CAssigning IPs via DHCP
    • DRunning containers
    ✓ Correct answer: A

    Consul is a complete service mesh platform providing service discovery, health checking, distributed state management, and encrypted inter-service communication. The architecture separates concerns into agents (client and server), gossip protocol for membership, and sidecar proxies for traffic management. Understanding how these components interact—particularly Consul's eventual consistency model, token-based security, and multi-datacenter federation—is essential for operating Consul at scale.

    Why the other options are wrong
    • BEncrypting disks only is incorrect because Consul encryption applies to inter-agent communication via gossip and to service mesh mTLS, not disk-level encryption.
    • CAssigning IPs via DHCP is incorrect because Consul uses DNS and HTTP APIs for service discovery, not DHCP.
    • DRunning containers is incorrect because Consul is a service mesh and service discovery platform, not a container orchestration system.
  2. Question 2Consul KV and Configuration

    Which tool can render application config from Consul KV (and Vault) and reload services on change?

    • ACoreDNS
    • Bconsul-templateCorrect
    • CNotepad
    • DBitLocker
    ✓ Correct answer: B

    Consul security is layered: agents authenticate via tokens (agent, service, and session tokens), mTLS encrypts inter-service communication, and ACLs control access to services and data. Understanding token types, ACL scopes, and how they interact with service registration and discovery is critical for securing Consul deployments.

    Why the other options are wrong
    • ACoreDNS is incorrect because this option does not provide the technical solution described in the correct answer.
    • CNotepad is incorrect because this option does not provide the technical solution described in the correct answer.
    • DBitLocker is incorrect because this option does not provide the technical solution described in the correct answer.
  3. Question 3Service Discovery

    To reduce read load on Consul servers and improve discovery latency, which DNS feature lets client agents answer service queries from local cache instead of always reaching the leader?

    • AForcing all queries through a single server
    • BSetting DNS TTL to zero on every record
    • Cstale reads (allow_stale), so any server/agent can serve slightly-stale results without contacting the leaderCorrect
    • DDisabling health checks entirely
    ✓ Correct answer: C

    Consul uses a gossip-based protocol for cluster membership and service state propagation, providing high availability and resilience through distributed eventual consistency.

    Why the other options are wrong
    • AServers persist state while clients maintain local state through gossip synchronization, enabling fast local queries without requiring central storage. Forcing all queries through a single server is incorrect because this option does not provide the technical solution described in the correct answer.
    • BSetting DNS TTL to zero on every record is incorrect because this option does not provide the technical solution described in the correct answer.
    • DDisabling health checks entirely is incorrect because this option does not provide the technical solution described in the correct answer.
  4. Question 4Consul Architecture

    Which command starts a single-node Consul agent in development mode with the built-in UI?

    • Aconsul server -dev -web
    • Bconsul agent -dev -uiCorrect
    • Cconsul run -dev -gui
    • Dconsul start --dev-ui
    ✓ Correct answer: B

    Consul's service mesh capabilities enable automatic mTLS encryption, service-to-service authentication, traffic routing policies, and circuit breaking without requiring application code changes. The sidecar proxy architecture intercepts and manages all inter-service traffic, enforcing security policies and routing rules at the network layer.

    Why the other options are wrong
    • Aconsul server -dev -web is incorrect because this option does not provide the technical solution described in the correct answer.
    • Cconsul run -dev -gui is incorrect because this option does not provide the technical solution described in the correct answer.
    • Dconsul start --dev-ui is incorrect because this option does not provide the technical solution described in the correct answer.
  5. Question 5Consul Architecture

    You are sizing a production Consul server cluster that must tolerate the loss of one server while keeping quorum. Which server count is the recommended best practice?

    • A1 server with frequent snapshots
    • B2 servers, tolerating 1 failure
    • C3 servers, tolerating 1 failureCorrect
    • D4 servers, tolerating 2 failures
    ✓ Correct answer: C

    Consul uses a gossip-based protocol for cluster membership and service state propagation, providing high availability and resilience through distributed eventual consistency. Servers persist state while clients maintain local state through gossip synchronization, enabling fast local queries without requiring central storage.

    Why the other options are wrong
    • A1 server with frequent snapshots is incorrect because this option does not provide the technical solution described in the correct answer.
    • B2 servers, tolerating 1 failure is incorrect because this option does not provide the technical solution described in the correct answer.
    • D4 servers, tolerating 2 failures is incorrect because this option does not provide the technical solution described in the correct answer.
  6. Question 6Consul Architecture

    In a 5-server Consul cluster using Raft, how many server failures can the cluster tolerate while still maintaining quorum?

    • A0 (all 5 must be available)
    • B3 (a quorum of 2 must remain)
    • C2 (a quorum of 3 must remain)Correct
    • D4 (only 1 server is required)
    ✓ Correct answer: C

    Consul security is layered: agents authenticate via tokens (agent, service, and session tokens), mTLS encrypts inter-service communication, and ACLs control access to services and data. Understanding token types, ACL scopes, and how they interact with service registration and discovery is critical for securing Consul deployments.

    Why the other options are wrong
    • A0 (all 5 must be available) is incorrect because this option does not provide the technical solution described in the correct answer.
    • B3 (a quorum of 2 must remain) is incorrect because this option does not provide the technical solution described in the correct answer.
    • D4 (only 1 server is required) is incorrect because this option does not provide the technical solution described in the correct answer.
  7. Question 7Consul Architecture

    Which Consul agent endpoint exposes runtime telemetry metrics in a pull-based format that Prometheus can scrape?

    • A/v1/status/metrics
    • B/v1/kv/metrics
    • C/v1/catalog/metrics
    • D/v1/agent/metrics?format=prometheusCorrect
    ✓ Correct answer: D

    Consul security is layered: agents authenticate via tokens (agent, service, and session tokens), mTLS encrypts inter-service communication, and ACLs control access to services and data. Understanding token types, ACL scopes, and how they interact with service registration and discovery is critical for securing Consul deployments.

    Why the other options are wrong
    • A/v1/status/metrics is incorrect because this option does not provide the technical solution described in the correct answer.
    • B/v1/kv/metrics is incorrect because this option does not provide the technical solution described in the correct answer.
    • C/v1/catalog/metrics is incorrect because this option does not provide the technical solution described in the correct answer.
  8. Question 8Service Discovery

    During a migration from a static load balancer to Consul service discovery, which approach lets legacy clients that cannot use the HTTP API resolve service addresses with minimal code change?

    • Apoint the clients' DNS resolver at the Consul DNS interface and use <service>.service.consul namesCorrect
    • BRequire every client to embed the Consul Go SDK
    • CHardcode the new instance IPs into each client
    • DDisable health checks so all instances always resolve
    ✓ Correct answer: A

    Consul security is layered: agents authenticate via tokens (agent, service, and session tokens), mTLS encrypts inter-service communication, and ACLs control access to services and data. Understanding token types, ACL scopes, and how they interact with service registration and discovery is critical for securing Consul deployments.

    Why the other options are wrong
    • BRequire every client to embed the Consul Go SDK is incorrect because this option does not provide the technical solution described in the correct answer.
    • CHardcode the new instance IPs into each client is incorrect because this option does not provide the technical solution described in the correct answer.
    • DDisable health checks so all instances always resolve is incorrect because this option does not provide the technical solution described in the correct answer.
  9. Question 9Consul Architecture

    Your 5-server Consul cluster spans two datacenters; 3 servers are in DC-A and 2 in DC-B. A network partition isolates DC-B. What happens?

    • ABoth sides keep electing leaders and writes succeed everywhere
    • BThe whole cluster shuts down to prevent split-brain
    • CDC-B servers lose quorum and cannot commit writes while DC-A retains its leader; this is a misconfiguration since each datacenter should be its own quorumCorrect
    • DConsul automatically rebalances servers across the partition
    ✓ Correct answer: C

    Consul security is layered: agents authenticate via tokens (agent, service, and session tokens), mTLS encrypts inter-service communication, and ACLs control access to services and data. Understanding token types, ACL scopes, and how they interact with service registration and discovery is critical for securing Consul deployments.

    Why the other options are wrong
    • ABoth sides keep electing leaders and writes succeed everywhere is incorrect because this option does not provide the technical solution described in the correct answer.
    • BThe whole cluster shuts down to prevent split-brain is incorrect because this option does not provide the technical solution described in the correct answer.
    • DConsul automatically rebalances servers across the partition is incorrect because this option does not provide the technical solution described in the correct answer.
  10. Question 10Security and Architecture

    After bootstrapping the ACL system, which token must you protect because it has unrestricted privileges over the entire cluster?

    • AThe anonymous token
    • BThe agent's gossip key
    • CThe bootstrap/management token (global-management policy)Correct
    • DThe default DNS token
    ✓ Correct answer: C

    Consul uses a gossip-based protocol for cluster membership and service state propagation, providing high availability and resilience through distributed eventual consistency. Servers persist state while clients maintain local state through gossip synchronization, enabling fast local queries without requiring central storage.

    Why the other options are wrong
    • AThe anonymous token is incorrect because this option does not provide the technical solution described in the correct answer.
    • BThe agent's gossip key is incorrect because this option does not provide the technical solution described in the correct answer.
    • DThe default DNS token is incorrect because this option does not provide the technical solution described in the correct answer.
Unlock all 300 HashiCorp Consul Associate (003) questions

HashiCorp Consul Associate (003) practice exam FAQ

How many questions are in the HashiCorp Consul Associate (003) practice exam on CertGrid?

CertGrid has 300 practice questions for HashiCorp Consul Associate (003), covering 5 exam domains. The real HashiCorp Consul Associate (003) exam has about 57 questions.

What is the passing score for HashiCorp Consul Associate (003)?

The HashiCorp Consul Associate (003) exam passing score is 700, and you have about 60 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official HashiCorp Consul Associate (003) exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of HashiCorp Consul Associate (003), with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice HashiCorp Consul Associate (003) for free?

Yes. You can start practicing HashiCorp Consul Associate (003) for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.