ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Advanced Networking - Specialty ANS-C01 All Questions

View all questions & answers for the AWS Certified Advanced Networking - Specialty ANS-C01 exam
Go to Exam

Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 98 discussion

Exam question from Amazon's AWS Certified Advanced Networking - Specialty ANS-C01
Question #: 98
Topic #: 1
[All AWS Certified Advanced Networking - Specialty ANS-C01 Questions]

A company's existing AWS environment contains public application servers that run on Amazon EC2 instances. The application servers run in a VPC subnet. Each server is associated with an Elastic IP address.

The company has a new requirement for firewall inspection of all traffic from the internet before the traffic reaches any EC2 instances. A security engineer has deployed and configured a Gateway Load Balancer (GLB) in a standalone VPC with a fleet of third-party firewalls.

How should a network engineer update the environment to ensure that the traffic travels across the fleet of firewalls?

  • A. Deploy a transit gateway. Attach a GLB endpoint to the transit gateway. Attach the application VPC to the transit gateway. Update the application subnet route table's default route destination to be the GLB endpoint. Ensure that the EC2 instances' security group allows traffic from the GLB endpoint.
  • B. Update the application subnet route table to have a default route to the GLOn the standalone VPC that contains the firewall fleet, add a route in the route table for the application VPC's CIDR block with the GLB endpoint as the destination. Update the EC2 instances' security group to allow traffic from the GLB.
  • C. Provision a GLB endpoint in the application VPC in a new subnet. Create a gateway route table with a route that specifies the application subnet CIDR block as the destination and the GLB endpoint as the target. Associate the gateway route table with the internet gateway in the application VPUpdate the application subnet route table's default route destination to be the GLB endpoint.
  • D. Instruct the security engineer to move the GLB into the application VPC. Create a gateway route table. Associate the gateway route table with the application subnet. Add a default route to the gateway route table with the GLB as its destination. Update the route table on the GLB to direct traffic from the internet gateway to the application servers. Ensure that the EC2 instances' security group allows traffic from the GLB.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by Balasmaniam at June 8, 2023, 2:26 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
lygf
Highly Voted 1 year, 9 months ago
Selected Answer: C
A is ridiculous -> attach a GWLB endpoint to transit gateway??? B is incorrect - need to inspect all traffic FROM the Internet, not the other way D. is incorrect -> IGW needs a route to re-direct traffic to GWLB, you can't do that from GWLB's route table.
upvoted 13 times
albertkr
1 year, 9 months ago
why A is not possible? This reference architecture outlines that it is how it is supposed to be designed: https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/ my only confusion about A is the application vpc sets the default route to GLB endpoint. My understanding as of the reference above, the default route should be targeted to TGW, not GLB endpoint.
upvoted 3 times
JoellaLi
1 year ago
yes seems that this sentence is wrong
upvoted 1 times
...
...
Balasmaniam
1 year, 9 months ago
Since GWLB Endpoints are a routable target, you can route traffic moving to and from Transit Gateway to the fleet of virtual appliances that are configured as targets behind a GWLB. https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/
upvoted 3 times
...
trap
1 year, 9 months ago
That's correct: https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/getting-started.html GWLB endpoint in A answer doesn't make any sense.
upvoted 1 times
...
...
Balasmaniam
Highly Voted 1 year, 10 months ago
Selected Answer: A
https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/using-gwlb-with-tg-for-cns.html
upvoted 6 times
...
Spaurito
Most Recent 5 months, 1 week ago
C - as per AI "No, you cannot directly attach a gateway endpoint to a Transit Gateway in AWS; a Transit Gateway is designed to connect entire VPCs, not specific endpoints within a VPC, so you would attach the entire VPC containing the gateway endpoint to the Transit Gateway instead."
upvoted 1 times
...
Arad
1 year, 5 months ago
Selected Answer: C
C is the correct answer.
upvoted 2 times
...
luisfsm_111
1 year, 7 months ago
Selected Answer: A
Really hard to choose between A and C, but by this design it looks like A because of the "Provision a GLB endpoint in the application VPC in a new subnet" part: https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/vm-series-integration-with-gateway-load-balancer
upvoted 2 times
...
[Removed]
1 year, 8 months ago
Selected Answer: A
Do we need to create a new subnet for the GLB endpoint in the application VPC as option C suggest?
upvoted 1 times
...
JosMo
1 year, 9 months ago
Selected Answer: C
should be C
upvoted 2 times
...
AJ7428
1 year, 9 months ago
Selected Answer: C
Should be C. We need a ingress route table associated with IGW for traffic coming from Internet and routed towards F/W subnet.
upvoted 5 times
...
tcp22
1 year, 9 months ago
The only issue I have with A is no sign of appliance mode, I go with C.
upvoted 4 times
...
scrawnyfeel
1 year, 9 months ago
Should be C.
upvoted 2 times
...
papercuts23
1 year, 10 months ago
"Attach a GLB endpoint to the transit gateway". Is that possible?
upvoted 4 times
[Removed]
1 year, 8 months ago
Yes it's possible. https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/using-gwlb-with-tg-for-cns.html
upvoted 2 times
KobDragoon
11 months, 3 weeks ago
No it's not, you don't attach a GLB endpoint to the transit gateway. that's not a thing. You can have Transit gateway VPC attachements,VPN attachments, Peering connection attachments or Connect attachments. But not GWLB endpoints attachments.
upvoted 1 times
...
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago