ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Advanced Networking - Specialty ANS-C01 All Questions

View all questions & answers for the AWS Certified Advanced Networking - Specialty ANS-C01 exam
Go to Exam

Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 124 discussion

Exam question from Amazon's AWS Certified Advanced Networking - Specialty ANS-C01
Question #: 124
Topic #: 1
[All AWS Certified Advanced Networking - Specialty ANS-C01 Questions]

A company has users who work from home. The company wants to move these users to Amazon WorkSpaces for additional security visibility.

The company has deployed WorkSpaces in its own AWS account in VPC A. A network engineer decides to provide the security visibility by using two firewall appliances behind a Gateway Load Balancer (GWLB). The network engineer provisions another VPC, VPC B, in a separate account and deploys the two firewall appliances in separate Availability Zones.

What should the network engineer do to configure the network connectivity for this solution?

  • A. Create a GWLB in VPC A with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the WorkSpaces account to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the default route to the VPC endpoint.
  • B. Create a GWLB in VPC B with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the WorkSpaces account to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the default route to the GWLB endpoint.
  • C. Create a GWLB in VPC B with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the WorkSpaces account to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the WorkSpaces subnet to the VPC endpoint.
  • D. Create a GWLB in VPC B with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the account that contains the firewall appliances to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the default route to the VPC endpoint.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by takecoffe at June 9, 2023, 3:54 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
troopie22
Highly Voted 1 year, 3 months ago
Selected Answer: B
Since the users are at home, default route must point to GWLB endpoint
upvoted 7 times
Rollizo
1 month, 3 weeks ago
cannot be B, VPCA has to create a endpoint in AWS account referencing GLWB. But when you create the route from VPCA in AWS A, you have to reference that endpoint, no the GLWB endpoint directly
upvoted 1 times
...
...
Balasmaniam
Highly Voted 1 year, 4 months ago
b: CORRECT ANS https://d1.awsstatic.com/architecture-diagrams/ArchitectureDiagrams/gateway-load-balancer-inspection-east-west-ra.pdf
upvoted 5 times
Rollizo
1 month, 3 weeks ago
this scenario is for all the VPCs in the same AWS account
upvoted 1 times
...
...
PRASAD180
Most Recent 1 month, 3 weeks ago
Selected Answer: B
B is correct
upvoted 1 times
...
acloudguru
6 months ago
Selected Answer: C
claud 3 told me the answer is C,Modify the route tables of VPC A to point the WorkSpaces subnet to the VPC endpoint: By updating the route tables in VPC A, you ensure that traffic from the WorkSpaces subnet is routed through the VPC endpoint, which then forwards the traffic to the GWLB endpoint and the firewall appliances in VPC B
upvoted 1 times
...
Newbies
6 months, 4 weeks ago
B - Routing all traffic from VPCA to the VPC endpoint is unnecessary and potentially risky. Only the WS subnet needs the route to the VPC endpoint for comms with the firewall appliance
upvoted 2 times
...
mrt261
7 months, 2 weeks ago
Selected Answer: C
Regarding the option B, Modifying the route tables of VPC A to point the default route to the GWLB endpoint is incorrect because the GWLB is not directly accessible from VPC A. The route tables should be modified to route traffic destined for the WorkSpaces subnet to the appropriate endpoint that facilitates connectivity to the GWLB.
upvoted 1 times
...
Marfee400704
8 months, 2 weeks ago
I think that it's correct answer is A according to SPOTO products.
upvoted 1 times
...
Arad
11 months, 3 weeks ago
Selected Answer: B
B is the correct answer.
upvoted 2 times
...
Balasmaniam
1 year, 4 months ago
Important to know: • Using AWS PrivateLink, GWLB Endpoint routes traffic to GWLB. Traffic is routed securely over Amazon network without any additional configuration. B: correct
upvoted 4 times
...
Balasmaniam
1 year, 4 months ago
Traffic from IP 10.0.1.10 wants to reach IP 10.1.2.20 in the App2 virtual private cloud (VPC). The subnet’s route table routes it to the TGW via the default route (0.0.0.0/0).
upvoted 3 times
...
takecoffe
1 year, 4 months ago
Selected Answer: C
VPC A need to be modified to direct the traffic from the WorkSpaces subnet to the VPC endpoint
upvoted 2 times
Balasmaniam
1 year, 4 months ago
i think workspace subnet will be used to point to local vpc communication. default route can be used for inspection vpc communication other than more specific route. 10.1.0.0 ---> local 0.0.0.0/0 ---> GWLBE
upvoted 4 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago