Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 110 discussion

A company has an AWS account with four VPCs in the us-east-1 Region. The VPCs consist of a development VPC and three production VPCs that host various workloads.

The company has extended its on-premises data center to AWS with AWS Direct Connect by using a Direct Connect gateway. The company now wants to establish connectivity to its production VPCs and development VPC from on premises. The production VPCs are allowed to route data to each other. However, the development VPC must be isolated from the production VPCs. No data can flow between the development VPC and the production VPCs.

In preparation to implement this solution, a network engineer creates a transit gateway with a single transit gateway route table. Default route table association and default route table propagation are turned off. The network engineer attaches the production VPCs, the development VPC, and the Direct Connect gateway to the transit gateway. For each VPC route table, the network engineer adds a route to 0.0.0.0/0 with the transit gateway as the next destination.

Which combination of steps should the network engineer take next to complete this solution? (Choose three.)

  • A. Associate the production VPC attachments with the existing transit gateway route table. Propagate the routes from these attachments.
  • B. Associate all the attachments with the existing transit gateway route table. Propagate the routes from these attachments.
  • C. Associate the Direct Connect gateway attachment with the existing transit gateway route table. Propagate the Direct Connect gateway attachment to this route table.
  • D. Change the security group inbound rules on the existing transit gateway network interfaces in the development VPC to allow connections to and from the on-premises CIDR range only.
  • E. Create a new transit gateway route table. Associate the new route table with the development VPC attachment. Propagate the Direct Connect gateway and development VPC attachment to the new route table.
  • F. Create a new transit gateway with default route table association and default route table propagation turned on. Attach the Direct Connect gateway and development VPC to the new transit gateway.
Suggested Answer: ACE
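As an added illustration (not part of the question or any comment on this page), a small Python model of the two transit gateway route-table mechanics the question turns on: an attachment's associated table is the one consulted for traffic entering from it, and propagation copies an attachment's CIDRs into a table. It applies steps A, C and E to constructed CIDRs and reports which attachment pairs the transit gateway forwards, so the isolation requirement can be checked mechanically instead of by hand; the attachment names and addresses are assumptions.

```python
import ipaddress

# Constructed CIDRs for the five transit gateway attachments; the question gives none.
ATTACHMENTS = {
    "prod-a": "10.1.0.0/16", "prod-b": "10.2.0.0/16", "prod-c": "10.3.0.0/16",
    "dev": "10.9.0.0/16",
    "dxgw": "192.168.0.0/16",  # on-premises range learned via the Direct Connect gateway
}

class TransitGateway:
    def __init__(self):
        self.tables = {}       # table name -> attachments whose CIDRs it has learned (propagation)
        self.association = {}  # attachment -> the single table consulted for its ingress traffic
    def associate(self, table, *attachments):
        for att in attachments:
            self.association[att] = table
    def propagate(self, table, *attachments):
        self.tables.setdefault(table, set()).update(attachments)
    def egress(self, src_att, dst_ip):
        """Longest-prefix match in the source's associated table; None means the packet is dropped."""
        table = self.association.get(src_att)
        best = None
        for att in self.tables.get(table, ()):
            net = ipaddress.ip_network(ATTACHMENTS[att])
            if ipaddress.ip_address(dst_ip) in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (att, net)
        return best[0] if best else None

def build_ace():
    """Apply steps A, C and E to the transit gateway described in the question."""
    tgw = TransitGateway()
    tgw.associate("main", "prod-a", "prod-b", "prod-c")  # A: associate the production VPCs ...
    tgw.propagate("main", "prod-a", "prod-b", "prod-c")  # ... and propagate their CIDRs
    tgw.associate("main", "dxgw")                        # C: same for the Direct Connect gateway
    tgw.propagate("main", "dxgw")
    tgw.associate("dev-rt", "dev")                       # E: new table holding only the development
    tgw.propagate("dev-rt", "dxgw", "dev")               #    attachment plus the on-premises routes
    return tgw

def reachability(tgw):
    """Map each ordered (src, dst) attachment pair to whether the TGW forwards src -> dst."""
    first_host = lambda att: str(next(ipaddress.ip_network(ATTACHMENTS[att]).hosts()))
    return {(s, d): tgw.egress(s, first_host(d)) == d
            for s in ATTACHMENTS for d in ATTACHMENTS if s != d}

def dev_isolated(tgw):
    """The stated requirement: no data flows between development and any production VPC."""
    reach = reachability(tgw)
    return not any(reach[("dev", p)] or reach[(p, "dev")]
                   for p in ATTACHMENTS if p.startswith("prod"))
```

Run as-is, `dev_isolated(build_ace())` returns True and production-to-production and production-to-on-premises pairs forward, while `reachability()` also surfaces the return-path question raised in the comment thread: the main table never learns the development CIDR, so on-premises-to-development traffic has no route unless the development attachment is also propagated there.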

Comments

HTFhere
Highly Voted 1 year, 5 months ago
Selected Answer: ACE
ACE are correct - Options B, D, and F don't adhere to the provided requirements. Option B would not provide the required isolation for the development VPC. Option D won't be effective as the restriction should be on the routing level, not on the security group level. Option F would create unnecessary complexity and potential overlap in connectivity.
upvoted 13 times
alejo232425
1 year ago
There is no route to development from the DX connection; hence there is no way that on-prem can reach the development network.
upvoted 3 times
BasselBuzz
Most Recent 9 months, 3 weeks ago
F is also incorrect; there is no reason to create a new transit gateway at all.
upvoted 2 times
Isaias
10 months, 3 weeks ago
ACE, but you need to propagate the dev routes on the existing RT, so DX and dev can reach each other; prod and dev cannot reach each other because there is no propagation for the prod routes in the new RT.
upvoted 1 times
radiyij492
1 year ago
Selected Answer: ACF
With ACE, there is no route DX->DEV VPC for return traffic. As TGW ENIs are requester-managed ones, a security group cannot be attached/edited. This leads us to option F: create one more TGW for DX<->DEV VPC connectivity. Sounds stupid to spin up a second TGW instead of one more route table, but that is the limitation of the question.
upvoted 4 times
alejo232425
1 year ago
Selected Answer: BDE
How, if ACE is correct, does the DX know how to reach the development VPC? There is no route table attached that shows it.
upvoted 1 times
zendevloper
1 year ago
D is not possible. Transit gateway network interfaces do NOT have a security group!
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other