Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 91 discussion

You need public VIF in order to create a Site-to-Site VPN connection.

The company needs: 1️⃣ A dedicated bandwidth connection → This means they need AWS Direct Connect (DX). 2️⃣ Encryption for data in transit → DX alone does not provide encryption, so they need AWS Site-to-Site VPN over DX. 3️⃣ A connection established with an APN Partner → This suggests a hosted Direct Connect connection, since APN partners provide those.

ACF , because you cannot create a S2S VPN on the Private VIF. You can either do it on Public VIF because it provides you with Public vpn endpoints or on Transit vif because you assign a TGW CIDR and then get the Private VPN IP from that CIDR

A. Request a hosted connection from the APN Partner. • Reason: • A hosted connection provides dedicated bandwidth from the APN Partner. This satisfies the requirement for dedicated bandwidth. • APN Partners offer AWS Direct Connect hosted connections to simplify setup. • Correct. C. Create an AWS Site-to-Site VPN connection. • Reason: • A Site-to-Site VPN adds encryption to the traffic that flows over the Direct Connect connection. This satisfies the requirement for encryption in transit. • AWS Direct Connect alone does not provide encryption, so a VPN is necessary. • Correct. E. Create a private VIF. • Reason: • A private VIF connects the Direct Connect connection to a VPC. This enables private communication between the VPC and the on-premises environment. • Public VIFs are not suitable for this scenario because they expose public AWS endpoints. • Correct.

ACE Why not the other options? B. Request a hosted public VIF from the APN Partner: A public VIF is used to access AWS public services such as S3 and Systems Manager, not for private communication with a VPC. D. Create an AWS Client VPN connection: Client VPN is for remote user access, not for site-to-site connectivity. F. Create a public VIF: A public VIF does not support private communication with VPCs. It is used to access public AWS endpoints.

ACE - Private VIF for the connection with Private IP VPN as per https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-site-to-site-vpn-private-ip-vpns/

Correct Answer : ACE. Option F is wrong. Private VIF (Virtual Interface) is the appropriate type of VIF for connecting to a VPC, as opposed to a public VIF which is used for accessing public AWS services.

The PRIVATE VIF as a distractor is so bad :D

I think that it's correct answer is ACE according to SPOTO products.

Private IP VPN is deployed on top of Transit VIFs, so it allows you to use AWS Transit Gateway for centralized management of customers’ Virtual Private Clouds (VPCs) and connections to the on-premises networks in a more secured, private and scalable manner.

U need a public VIF because traditionally the VPN tunnels in S2S VPN use public IPs. However, since last year it is possible to use private IPs as well with a transit VIF. https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-site-to-site-vpn-private-ip-vpns/

ACF is the right option here. If we had a TGW, we could consider the following: Private IP VPN is deployed on top of Transit VIFs, so it allows you to use AWS Transit Gateway for centralized management of customers’ Virtual Private Clouds (VPCs) and connections to the on-premises networks in a more secured, private and scalable manner." so, you must use a public VIF in order to create a Site-to-Site VPN connection

ACF is correct. You need transit VIF for private VPN.

IPsec on DX is either on Transit VIF or Public VIF

you don't need a public VIF for this, so F is wrong

A Private IP VPN connection requires a Direct Connect gateway and a Transit VIF as the underlying transport. https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-site-to-site-vpn-private-ip-vpns/

ou can now create AWS Site-to-Site VPN connections on top of a Direct Connect connection using private IPs. Previously, customers had to use Public VIFs to achieve this traffic encryption, and therefore were forced to use public IP addresses for VPN endpoints. The usage of public IPs increases the probability of external attacks compelling customers to deploy additional security equipment for network protection. The Private IP VPN feature provides end-to-end private connectivity in addition to traffic encryption, improving the overall security posture.