ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Advanced Networking - Specialty ANS-C01 All Questions

View all questions & answers for the AWS Certified Advanced Networking - Specialty ANS-C01 exam
Go to Exam

Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 126 discussion

Exam question from Amazon's AWS Certified Advanced Networking - Specialty ANS-C01
Question #: 126
Topic #: 1
[All AWS Certified Advanced Networking - Specialty ANS-C01 Questions]

A company needs to temporarily scale out capacity for an on-premises application and wants to deploy new servers on Amazon EC2 instances. A network engineer must design the networking solution for the connectivity and for the application on AWS.

The EC2 instances need to share data with the existing servers in the on-premises data center. The servers must not be accessible from the internet. All traffic to the internet must route through the firewall in the on-premises data center. The servers must be able to access a third-party web application.

Which configuration will meet these requirements?

  • A. Create a VPC that has public subnets and private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a NAT gateway in a public subnet. Create a route table, and associate the public subnets with the route table. Add a default route to the internet gateway. Create a route table, and associate the private subnets with the route table. Add a default route to the NAT gateway. Add routes for the data center subnets to the virtual private gateway. Deploy the application to the private subnets.
  • B. Create a VPC that has private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the private subnets with the route table. Add a default route to the virtual private gateway. Deploy the application to the private subnets.
  • C. Create a VPC that has public subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the public subnets with the route table. Add a default route to the internet gateway. Add routes for the on-premises data center subnets to the virtual private gateway. Deploy the application to the public subnets.
  • D. Create a VPC that has public subnets and private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the public subnets with the route table. Add a default route to the internet gateway. Create a route table, and associate the private subnets with the route table. Add routes for the on-premises data center subnets to the virtual private gateway. Deploy the application to the private subnets.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by Awadhesh at June 7, 2023, 12:25 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
ryluis
Highly Voted 1 year, 7 months ago
Selected Answer: B
note this requirement : The servers must not be accessible from the internet. All traffic to the internet must route through the firewall in the on-premises data center. So why do we use NAT GW here, if the requirement said ' All traffic to the internet must route through the firewall in the on-premises data center'
upvoted 10 times
...
hkh2
Most Recent 6 months ago
Nat Gateway required as question asked for access to third party application
upvoted 1 times
...
cerifyme85
9 months, 2 weeks ago
Selected Answer: B
B.. this is correct, the other options say "default gateway through IGW" which would not hit the on prem firewall... B is the only plausible answer.. Just always thought we need the IGW to establish public access, but it seems VPG takes care of that
upvoted 2 times
...
cerifyme85
9 months, 2 weeks ago
Answer is D.. How do u establish public connectivity first? U need to have a connectivity to the firewall, either using an existing DX connection or setu connection using the public subnet
upvoted 2 times
[Removed]
9 months, 2 weeks ago
Deploy the application servers to the private subnets. They can access the data center over the VPN connection but are not exposed to the internet.
upvoted 2 times
cerifyme85
9 months, 2 weeks ago
Yep.. this is correct, the other options say "default gateway through IGW" which would not hit the on prem firewall... B is the only plausible answer.. Just always thought we need the IGW to establish public access, but it seems VPG takes care of that
upvoted 1 times
...
...
...
Marfee400704
11 months, 2 weeks ago
I think that it's correct answer is D according to SPOTO products.
upvoted 1 times
...
Arad
1 year, 2 months ago
Selected Answer: B
B is the correct answer.
upvoted 1 times
...
ojy
1 year, 4 months ago
Selected Answer: D
Must be D. Direct Connect is required to set up a Private IP Site-to-Site VPN. If there is no Direct Connect, a VPN connection is required through a public subnet.
upvoted 2 times
[Removed]
1 year, 3 months ago
False. It's not a requirement to have a direct connect before you a site2site vpn. I think you were referring to private IP S2s tunnel. This one is normal site 2 site tunnel with public IP but without internet gateway
upvoted 1 times
...
...
evargasbrz
1 year, 5 months ago
Selected Answer: B
B is the right. An Internet gateway is not required to establish a Site-to-Site VPN connection. Please, take a look on this: https://aws.amazon.com/vpn/faqs/ Q: How does an AWS Site-to-Site VPN connection work with Amazon VPC? A: An AWS Site-to-Site VPN connection connects your VPC to your datacenter. Amazon supports Internet Protocol security (IPsec) VPN connections. Data transferred between your VPC and datacenter routes over an encrypted VPN connection to help maintain the confidentiality and integrity of data in transit. An Internet gateway is not required to establish a Site-to-Site VPN connection.
upvoted 3 times
...
Neo00
1 year, 6 months ago
Selected Answer: D
Must be D. Customer GW and Virtual Private Gateway won't work if your VPC doesn't have Public Subnet. In order to establishing S2S VPN, B is wrong.
upvoted 1 times
Cheam
1 year, 5 months ago
"Customer GW and Virtual Private Gateway won't work if your VPC doesn't have Public Subnet." - This is completely false. The creation of the VPG/CGW is tied to your VPC not to the subnet in the VPC. Please refer to this reference guide on how to setup a VPN tunnel to a VPC. https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html All the best.
upvoted 2 times
...
...
tcp22
1 year, 7 months ago
B, you want the default route to point to VGW
upvoted 2 times
...
devilman222
1 year, 7 months ago
Answer should be B. You don't need to a private subnet as you should only be able to get to the instances from on prem, also you don't need a public subnet with a nat gateway as internet traffic goes through on prem firewall. They should fix "the show answer" to be correct at least 50% of the time. You would be lost going by there answers as they are terrible.
upvoted 4 times
...
papercuts23
1 year, 7 months ago
Selected Answer: B
i agree with B
upvoted 4 times
...
takecoffe
1 year, 7 months ago
Selected Answer: B
Why do we need public subnet..
upvoted 2 times
takecoffe
1 year, 7 months ago
changing this to Answer A .. for site -site vpn public subnet is required
upvoted 3 times
...
...
Awadhesh
1 year, 7 months ago
Answer should be B. Internet connection must be through firewall at on-prem. No need of public subnet in the VPC.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago