Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 36 discussion

A network engineer needs to update a company's hybrid network to support IPv6 for the upcoming release of a new application. The application is hosted in a VPC in the AWS Cloud. The company's current AWS infrastructure includes VPCs that are connected by a transit gateway. The transit gateway is connected to the on-premises network by AWS Direct Connect and AWS Site-to-Site VPN. The company's on-premises devices have been updated to support the new IPv6 requirements.
The company has enabled IPv6 for the existing VPC by assigning a new IPv6 CIDR block to the VPC and by assigning IPv6 to the subnets for dual-stack support. The company has launched new Amazon EC2 instances for the new application in the updated subnets.
When updating the hybrid network to support IPv6, the network engineer must avoid making any changes to the current infrastructure. The network engineer also must block direct access to the instances' new IPv6 addresses from the internet. However, the network engineer must allow outbound internet access from the instances.
What is the MOST operationally efficient solution that meets these requirements?

  • A. Update the Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Create a new VPN connection that supports IPv6 connectivity. Add an egress-only internet gateway. Update any affected VPC security groups and route tables to provide connectivity within the VPC and between the VPC and the on-premises devices.
  • B. Update the Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Update the existing VPN connection to support IPv6 connectivity. Add an egress-only internet gateway. Update any affected VPC security groups and route tables to provide connectivity within the VPC and between the VPC and the on-premises devices.
  • C. Create a Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Create a new VPN connection that supports IPv6 connectivity. Add an egress-only internet gateway. Update any affected VPC security groups and route tables to provide connectivity within the VPC and between the VPC and the on-premises devices.
  • D. Create a Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Create a new VPN connection that supports IPv6 connectivity. Add a NAT gateway. Update any affected VPC security groups and route tables to provide connectivity within the VPC and between the VPC and the on-premises devices.
Suggested Answer: A
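
An added example, not part of the original question or discussion: a check for the requirement to block direct internet access to the instances' IPv6 addresses while still allowing outbound access. It classifies each route table's `::/0` route from constructed data in the shape of `aws ec2 describe-route-tables` output; every ID and CIDR below is a made-up placeholder.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
# All route table IDs, gateway IDs and CIDRs are made-up placeholders.
SAMPLE = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-app-private",
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationIpv6CidrBlock": "2001:db8:1234::/56", "GatewayId": "local", "State": "active"},
     {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0example", "State": "active"},
     {"DestinationIpv6CidrBlock": "2001:db8:ffff::/48", "TransitGatewayId": "tgw-0example", "State": "active"}]},
  {"RouteTableId": "rtb-misconfigured",
   "Routes": [
     {"DestinationIpv6CidrBlock": "2001:db8:1234::/56", "GatewayId": "local", "State": "active"},
     {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0example", "State": "active"}]},
  {"RouteTableId": "rtb-no-egress",
   "Routes": [
     {"DestinationIpv6CidrBlock": "2001:db8:1234::/56", "GatewayId": "local", "State": "active"}]}
]}
""")

def classify_ipv6_default(route_table):
    """Return how one route table handles the IPv6 default route (::/0)."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationIpv6CidrBlock") != "::/0":
            continue
        if route.get("State") == "blackhole":
            return "blackhole"            # target was deleted, traffic is dropped
        if route.get("EgressOnlyInternetGatewayId"):
            return "egress-only"          # outbound allowed, unsolicited inbound dropped
        if route.get("GatewayId", "").startswith("igw-"):
            # Inbound from the internet is possible, subject to security groups and NACLs.
            return "internet-reachable"
        return "other-target"
    return "no-ipv6-default"              # no IPv6 path to the internet at all

def audit(doc):
    """Map each route table ID to its IPv6 default-route verdict."""
    return {rt["RouteTableId"]: classify_ipv6_default(rt) for rt in doc["RouteTables"]}

if __name__ == "__main__":
    for rtb, verdict in audit(SAMPLE).items():
        print(f"{rtb}: {verdict}")
```

Only the `egress-only` verdict matches both halves of the requirement; `internet-reachable` violates the inbound restriction and `no-ipv6-default` leaves the instances without outbound IPv6 internet access.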

Comments

study_aws1
Highly Voted 1 year, 9 months ago
https://aws.amazon.com/blogs/networking-and-content-delivery/dual-stack-ipv6-architectures-for-aws-and-hybrid-networks/ For dual-stack connectivity on the Site-to-Site VPN connection via a Transit Gateway, you need to create two VPN connections, one for the IPv4 stack and one for the IPv6 stack. D. For AWS Direct Connect connection, reuse your existing VIFs and enable them for dual-stack support. Option A) is correct
upvoted 16 times
...
zaazanuna
Highly Voted 1 year, 9 months ago
A - correct! The MOST operationally efficient solution that meets the requirements is option A. This option updates the Direct Connect transit VIF to support IPv6 and configures BGP peering with the AWS assigned IPv6 peering address. It also creates a new VPN connection that supports IPv6 connectivity, adds an egress-only internet gateway, and updates any affected VPC security groups and route tables to provide connectivity within the VPC and between the VPC and the on-premises devices. This solution does not require any changes to the current infrastructure and effectively blocks direct access to the instances' new IPv6 addresses from the internet while allowing outbound internet access from the instances.
upvoted 10 times
WMF0187
1 year, 3 months ago
Option A also says "Create a new VPN connection that supports IPv6 connectivity" which goes against "when updating the hybrid network to support IPv6 the network engineer must avoid making any changes to the current infrastructure" so creating a new VPN connection will change current infrastructure vs updating will not. Thoughts??
upvoted 1 times
...
...
Jonalb
Most Recent 3 weeks, 1 day ago
Selected Answer: A
It's A https://aws.amazon.com/blogs/networking-and-content-delivery/dual-stack-ipv6-architectures-for-aws-and-hybrid-networks/
upvoted 1 times
...
Spaurito
1 month, 2 weeks ago
C - When looking at the requirements, this makes more sense. You can't update a VPN and adding new keeps the change separate from the existing configurations.
upvoted 1 times
...
Raphaello
8 months, 2 weeks ago
Selected Answer: C
Cannot update the Address Family in existing Transit VIF. Will have to create a new Transit VIF, selecting Address Family IPv6. C is correct.
upvoted 1 times
Raphaello
8 months, 2 weeks ago
I think A might be correct. Here the AWS documentation says you can "reuse [your] existing VIFs and enable [them] for dual-stack support." << AWS Direct Connect enables you to configure private and dedicated connectivity to your on-premises, and natively supports both IPv4 and IPv6 routing. To use your Direct Connect connection for dual-stack traffic, you need to first create one of the following virtual interfaces (VIFs): Private VIF, Public VIF or Transit VIF, or reuse your existing VIFs and enable them for dual-stack support. >> So obviously no need to create a new VIF. A is fine.
upvoted 1 times
...
...
surnila
9 months ago
A Site-to-Site VPN connection cannot support both IPv4 and IPv6 traffic and hence option A is correct
upvoted 2 times
surnila
9 months ago
https://docs.aws.amazon.com/vpn/latest/s2svpn/ipv4-ipv6.html
upvoted 1 times
...
...
kyuhuck
9 months, 2 weeks ago
Selected Answer: B
Given these considerations, Option B is the most operationally efficient solution that meets the stated requirements. It involves updating the existing Direct Connect and VPN connections to support IPv6, adding an egress-only internet gateway for controlled IPv6 internet access, and updating VPC security groups and route tables accordingly, without necessitating significant changes to the existing infrastructure.
upvoted 2 times
...
Marfee400704
10 months, 1 week ago
I think that the correct answer is C according to SPOTO products.
upvoted 1 times
...
marfee
10 months, 2 weeks ago
I think that the correct answer is A.
upvoted 1 times
...
evargasbrz
1 year, 4 months ago
Selected Answer: A
I chose option A. It makes more sense to me.
upvoted 1 times
WMF0187
1 year, 3 months ago
Option A also says "Create a new VPN connection that supports IPv6 connectivity" which goes against "when updating the hybrid network to support IPv6 the network engineer must avoid making any changes to the current infrastructure" so creating a new VPN connection will change current infrastructure vs updating will not. Thoughts??
upvoted 1 times
ChinkSantana
11 months, 1 week ago
This is why you need to create a NEW tunnel for IPv6 and not update the existing one. Creating a new tunnel does not affect existing tunnel.
- IPv6 addresses are only supported for the inside IP addresses of the VPN tunnels. The outside tunnel IP addresses for the AWS endpoints are IPv4 addresses, and the public IP address of your customer gateway must be an IPv4 address.
- Site-to-Site VPN connections on a virtual private gateway do not support IPv6.
- You cannot enable IPv6 support for an existing Site-to-Site VPN connection.
- A Site-to-Site VPN connection cannot support both IPv4 and IPv6 traffic.
https://docs.aws.amazon.com/vpn/latest/s2svpn/ipv4-ipv6.html
upvoted 1 times
...
...
...
Certified101
1 year, 4 months ago
Selected Answer: A
A is correct
upvoted 1 times
...
Mishranihal737
1 year, 4 months ago
Option A -> As updating transit VIF to support IPv6 will not affect the current IPv4 connectivity. https://docs.aws.amazon.com/vpn/latest/s2svpn/ipv4-ipv6.html
upvoted 1 times
...
Fukat
1 year, 4 months ago
Selected Answer: C
Option A says 'update' and not 'add' IPv6 peering on top of IPv4, so it's changing current config.
upvoted 3 times
...
[Removed]
1 year, 5 months ago
Selected Answer: B
Option B is the correct solution because it updates the existing VPN connection to support IPv6 connectivity. This avoids the need to create a new VPN connection that supports IPv6 connectivity as required by option A. Updating the existing VPN connection is more operationally efficient than creating a new VPN connection.
upvoted 2 times
...
prajkash
1 year, 5 months ago
vote for A
upvoted 1 times
...
Jo1992
1 year, 5 months ago
My initial answer was A but the question states "When updating the hybrid network to support IPv6 the network engineer must avoid making any changes to the current infrastructure" So the answer should be D Thoughts?
upvoted 1 times
Josh1217
1 year, 5 months ago
A is more operationally efficient. By updating the Direct Connect transit VIF, you are not really changing the infrastructure. Hence, Answer A.
upvoted 1 times
...
Jo1992
1 year, 5 months ago
I meant C not D
upvoted 1 times
...
...
dremm
1 year, 8 months ago
Selected Answer: A
A) is correct https://docs.aws.amazon.com/whitepapers/latest/ipv6-on-aws/hybrid-connectivity-design.html - "it is possible to retrofit IPv6 onto an existing VIF without the need to reprovision or deploy a new one." https://docs.aws.amazon.com/vpn/latest/s2svpn/ipv4-ipv6.html - "You cannot enable IPv6 support for an existing Site-to-Site VPN connection."
upvoted 5 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other