Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 91 discussion

You need public VIF in order to create a Site-to-Site VPN connection.

This solution combines the benefits of the end-to-end secure IPsec connection with low latency and increased bandwidth of the AWS Direct Connect to provide a more consistent network experience than internet-based VPN connections. A BGP connection session is established between AWS Direct Connect and your router on the public VIF. Another BGP session or a static route will be established between the virtual private gateway and your router on the IPsec VPN tunnels.

The company needs: 1️⃣ A dedicated bandwidth connection → This means they need AWS Direct Connect (DX). 2️⃣ Encryption for data in transit → DX alone does not provide encryption, so they need AWS Site-to-Site VPN over DX. 3️⃣ A connection established with an APN Partner → This suggests a hosted Direct Connect connection, since APN partners provide those.

ACF , because you cannot create a S2S VPN on the Private VIF. You can either do it on Public VIF because it provides you with Public vpn endpoints or on Transit vif because you assign a TGW CIDR and then get the Private VPN IP from that CIDR

A. Request a hosted connection from the APN Partner. • Reason: • A hosted connection provides dedicated bandwidth from the APN Partner. This satisfies the requirement for dedicated bandwidth. • APN Partners offer AWS Direct Connect hosted connections to simplify setup. • Correct. C. Create an AWS Site-to-Site VPN connection. • Reason: • A Site-to-Site VPN adds encryption to the traffic that flows over the Direct Connect connection. This satisfies the requirement for encryption in transit. • AWS Direct Connect alone does not provide encryption, so a VPN is necessary. • Correct. E. Create a private VIF. • Reason: • A private VIF connects the Direct Connect connection to a VPC. This enables private communication between the VPC and the on-premises environment. • Public VIFs are not suitable for this scenario because they expose public AWS endpoints. • Correct.

ACE Why not the other options? B. Request a hosted public VIF from the APN Partner: A public VIF is used to access AWS public services such as S3 and Systems Manager, not for private communication with a VPC. D. Create an AWS Client VPN connection: Client VPN is for remote user access, not for site-to-site connectivity. F. Create a public VIF: A public VIF does not support private communication with VPCs. It is used to access public AWS endpoints.

ACE - Private VIF for the connection with Private IP VPN as per https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-site-to-site-vpn-private-ip-vpns/

Correct Answer : ACE. Option F is wrong. Private VIF (Virtual Interface) is the appropriate type of VIF for connecting to a VPC, as opposed to a public VIF which is used for accessing public AWS services.

The PRIVATE VIF as a distractor is so bad :D

I think that it's correct answer is ACE according to SPOTO products.

Private IP VPN is deployed on top of Transit VIFs, so it allows you to use AWS Transit Gateway for centralized management of customers’ Virtual Private Clouds (VPCs) and connections to the on-premises networks in a more secured, private and scalable manner.

U need a public VIF because traditionally the VPN tunnels in S2S VPN use public IPs. However, since last year it is possible to use private IPs as well with a transit VIF. https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-site-to-site-vpn-private-ip-vpns/

ACF is the right option here. If we had a TGW, we could consider the following: Private IP VPN is deployed on top of Transit VIFs, so it allows you to use AWS Transit Gateway for centralized management of customers’ Virtual Private Clouds (VPCs) and connections to the on-premises networks in a more secured, private and scalable manner." so, you must use a public VIF in order to create a Site-to-Site VPN connection

ACF is correct. You need transit VIF for private VPN.

IPsec on DX is either on Transit VIF or Public VIF

you don't need a public VIF for this, so F is wrong

A Private IP VPN connection requires a Direct Connect gateway and a Transit VIF as the underlying transport. https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-site-to-site-vpn-private-ip-vpns/