Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 23 discussion

correction - BC - correct.

B and C https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/introduction.html https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/using-gwlb-with-tg-for-cns.html

The critical issue with D is that it does not propagate the application VPC attachments into the inspection route table. Without this propagation, the inspection VPC will not know how to route traffic back to the originating application VPCs after it has been inspected.

BC are the correct answers. We need to used GWLB to load-balance the traffic to a target group of inspection appliance. Routes toward Applications VPCs need to be propagated and being reachable through their respective TGW attachment. Enable appliance mode to avoid asymmetric routing due to zone affinity.

When application VPC wants to reach other app VPC via TGW, there should be default route pointed to inspection TGW attchement and when traffic traffic comes back to TGW after inspection/GWLB, TGW needs specific routes to app VPC CIDRs.

I think that it's correct answer is BD according to SPOTO products.

why A is wrong can anyone comment ?

I think that it's correcty answer is B & C.

Just B & C make sense, the rest are all wrong.

you can create a multi-account environment with multiple VPCs for a customer by using AWS Transit Gateway. A transit gateway enables you to attach VPCs and VPN connections in the same Region and route traffic between them. A transit gateway works across AWS accounts, and you can use AWS RAM to share your transit gateway with other accounts 1. To meet the network security policy that requires all traffic between any two VPCs to be transparently inspected by a third-party appliance, you can deploy two clusters that consist of multiple appliances across multiple Availability Zones in a designated inspection VPC. You can connect the inspection VPC to the transit gateway by using a VPC attachment. Then create a target group and register the appliances with the target group. After that, you can create a Network Load Balancer (NLB) and set it up to forward to the newly created target group. Finally, configure a default route in the inspection VPCs transit gateway subnet toward the NLB

vote for BC

B - as an GWLB is more appropriate for monitoring appliances C - as D and E would allow the VPCs to communicate together directly,

vote for BC

B & C, GLB better for 3rd party appliance, TGW RT associated to APP VPCs has a single route to the Inspection VPC and second TGW RT for the inspection VPC has all APP VPC CIDRs propagated to it.

NLB:To increase the fault tolerance of your applications, you can enable multiple Availability Zones for your load balancer and ensure that each target group has at least one target in each enabled Availability Zone. https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html GLB: Third party appliance https://aws.amazon.com/elasticloadbalancing/gateway-load-balancer/#:~:text=Gateway%20Load%20Balancer%20helps%20you,or%20down%2C%20based%20on%20demand. Answers A) B)

B and C

B and C.