Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Advanced Networking - Specialty ANS-C01 All Questions

View all questions & answers for the AWS Certified Advanced Networking - Specialty ANS-C01 exam
Go to Exam

Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 150 discussion

Exam question from Amazon's AWS Certified Advanced Networking - Specialty ANS-C01
Question #: 150
Topic #: 1
[All AWS Certified Advanced Networking - Specialty ANS-C01 Questions]

A network engineer needs to deploy an AWS Network Firewall firewall into an existing AWS environment. The environment consists of the following:

• A transit gateway with all VPCs attached to it
• Several hundred application VPCs
• A centralized egress internet VPC with a NAT gateway and an internet gateway
• A centralized ingress internet VPC that hosts public Application Load Balancers
• On-premises connectivity through an AWS Direct Connect gateway attachment

The application VPCs have workloads deployed across multiple Availability Zones in private subnets with the VPC route table s default route (0.0.0.0/0) pointing to the transit gateway. The Network Firewall firewall needs to inspect east-west (VPC-to-VPC) traffic and north-south (internet-bound and on-premises network) traffic by using Suricata compatible rules.

The network engineer must deploy the firewall by using a solution that requires the least possible architectural changes to the existing production environment.

Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

  • A. Deploy Network Firewall in all Availability Zones in each application VPC.
  • B. Deploy Network Firewall in all Availability Zones in a centralized inspection VPC.
  • C. Update the HOME_NET rule group variable to include all CIDR ranges of the VPCs and on-premises networks.
  • D. Update the EXTERNAL_NET rule group variable to include all CIDR ranges of the VPCs and on-premises networks.
  • E. Configure a single transit gateway route table. Associate all application VPCs and the centralized inspection VPC with this route table.
  • F. Configure two transit gateway route tables. Associate all application VPCs with one transit gateway route table. Associate the centralized inspection VPC with the other transit gateway route table.
Show Suggested Answer Hide Answer
Suggested Answer: BCF 🗳️
by Neo00 at July 25, 2023, 7:23 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
Certified101
Highly Voted 1 year, 3 months ago
Selected Answer: BCF
Option B: A centralized inspection VPC approach would lead to a minimal architectural change and efficiently use Network Firewall resources. Option C: HOME_NET is usually defined as your local network. In this case, it would include all your VPCs and on-premises networks. Option F: Configuring two transit gateway route tables, one associated with all the application VPCs and another with the inspection VPC, will help route traffic effectively for inspection. All outbound traffic from application VPCs would be routed to the inspection VPC for firewall checks, and then the inspected traffic would be routed to its destination (internet or another VPC).
upvoted 9 times
...
ISSDoksim
Most Recent 1 year, 3 months ago
https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/
upvoted 1 times
...
Neo00
1 year, 3 months ago
Selected Answer: BCE
Doesn't make sense separate inspection VPC and other VPC into two TGW RT, if do so, no traffic will be able to send/receive between these
upvoted 1 times
Neo00
1 year, 3 months ago
change to B,C,F https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/
upvoted 9 times
...
...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel