Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 83 discussion

The answer is obviously B. 100% of the people voted for B. Why does this show the correct solution as D? Why are more than half of the "correct solution", the wrong one?

Two-arm mode: As shown in figure 5b below, the firewall is deployed in two-arm mode and performs both inspection as well as NAT. Some AWS partners provide firewall with NAT functionality. GWLB integrates seamlessly in such deployment mode. You don’t need to do any additional configuration changes in the GWLB. However, the firewall networking differs – one network interface is on the private subnet and the other is on public subnet. This mode requires software support from the firewall partner. Some of the GWLB partners (Palo Alto Networks, Valtix) support this feature, however consult with an AWS partner of your choice before using this mode. Based on the above, can we blindly choose two-arm or NAT functionality within the firewall for all third party vendor appliances. Also, the cost of implementing firewall in two-arm mode for each appliance vs. cost of a single NAT gateway needs to be evaluated.

This solution meets the requirements most cost-effectively because: It uses a Gateway Load Balancer, which is free of charge for AWS services (it's just an instance of a free service provided by AWS). The firewall appliances are configured with two network interfaces: one in a private subnet and another in a public subnet. This allows the firewall appliances to inspect traffic coming from both the internet and the VPC without requiring additional NAT configurations. By using the NAT functionality on the firewall appliances, you can send traffic to the internet after inspection, meeting the requirements for both third-party firewall appliances and the need to deploy them behind a load balancer.

B is correct for applliances!

Firewall for "Traffic inspection" and "Nat capablities" ==> Two arm mode

NLB is cheaper than GLW, so D is most cost-effectively

Both A & B can be correct. Ref: https://aws.amazon.com/blogs/networking-and-content-delivery/best-practices-for-deploying-gateway-load-balancer You can either rely on NAT GW to handle the NATing, while your 3rd FW behind GWLB handle the security policy and inspection (one-arm mode) Or, you can create the FW a dual-homed appliance (two-arm mode), and let it handle both the security inspection and NATing. Both are correct, however the request is to apply the MOST cost-effective solution..then B would be the answer, since that solution will save on NAT GW costs..which are quite high. Pay attention the requirements.

I think that it's correct answer is A according to SPOTO products.

B is the most cost-effective solution as asked in the question.

B is the right answer

As study_aws1 explained. B is correct.

Also, similar from below link - https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/using-nat-gateway-and-gwlb-with-ec2.html Some third-party appliances can support SNAT and overlay routing (two-arm mode) therefore eliminating the need to create NAT gateways for saving costs. However, consult with an AWS partner of your choice before using this mode as this is dependent on vendor support and implementation. Given the above link, is it advisable to choose an option which does not fall into Best Practices but may have some lower cost, not established with all vendors.

GWLB supports two different models of firewall deployment (see figures 5a and 5b below) – one-arm with or two-arm where the firewall can also perform NAT. One-arm mode: As shown in figure 5a below, the firewall is deployed in one-arm mode just for traffic inspection whereas NAT Gateway performs translation. This is the most common deployment method, and eliminates dependency on firewall supporting NAT functionality. Also, it increases performance of the firewall by offloading NAT to NAT Gateway.

Please refer the below link and the extract given in the last part - https://aws.amazon.com/blogs/networking-and-content-delivery/best-practices-for-deploying-gateway-load-balancer/

Gateway Load balancer, use the built in NAT functionality of the firewall to save money and two network interfaces to inspect both private and public subnets

use NAT functionality within firewall appliances.

Do not think we can rely on NAT functionality in multiple third party firewall appliances individually, we do not know what that will cost & whether all appliances will support NAT functionality. Option A) looks technically more appropriate