ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Advanced Networking - Specialty ANS-C01 All Questions

View all questions & answers for the AWS Certified Advanced Networking - Specialty ANS-C01 exam
Go to Exam

Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 163 discussion

Exam question from Amazon's AWS Certified Advanced Networking - Specialty ANS-C01
Question #: 163
Topic #: 1
[All AWS Certified Advanced Networking - Specialty ANS-C01 Questions]

A company is migrating critical applications to AWS. The company has multiple accounts and VPCs that are connected by a transit gateway.

A network engineer must design a solution that performs deep packet inspection for any traffic that leaves a VPC network boundary. All inspected traffic and the actions that are taken on the traffic must be logged in a central log account.

Which solution will meet these requirements with the LEAST administrative overhead?

  • A. Create a central network VPC that includes an attachment to the transit gateway. Update the VPC and transit gateway route tables to support the new attachment. Deploy an AWS Gateway Load Balancer that is backed by third-party, next-generation firewall appliances to the central network VPC. Create a policy that contains the rules for deep packet inspection. Attach the policy to the firewall appliances. Create an Amazon S3 bucket in the central log account. Configure the firewall appliances to capture and save the network flow logs to the S3 bucket.
  • B. Create a central network VPC that includes an attachment to the transit gateway. Update the VPC and transit gateway route tables to support the new attachment. Deploy an AWS Application Load Balancer that is backed by third-party, next-generation firewall appliances to the central network VPC. Create a policy that contains the rules for deep packet inspection. Attach the policy to the firewall appliances. Create a syslog server in the central log account. Configure the firewall appliances to capture and save the network flow logs to the syslog server.
  • C. Deploy network ACLs and security groups to each VPAttach the security groups to active network interfaces. Associate the network ACLs with VPC subnets. Create rules for the network ACLs and security groups to allow only the required traffic flows between subnets and network interfaces. Create an Amazon S3 bucket in the central log account. Configure a VPC flow log that captures and saves all traffic flows to the S3 bucket.
  • D. Create a central log VPC and an attachment to the transit gateway. Update the VPC and transit gateway route tables to support the new attachment. Deploy an AWS Network Load Balancer (NLB) that is backed by third-party, next-generation intrusion detection system (IDS) security appliances to the central VPC. Activate rules on the security appliances to monitor for intrusion signatures. For each network interface, create a VPC Traffic Mirroring session that sends the traffic to the central VPC's NLB.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by ISSDoksim at July 31, 2023, 3 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Certified101
Highly Voted 1 year, 8 months ago
Selected Answer: A
A is correct as sambb said. GWLB is perfect for traffic inspection
upvoted 6 times
trap
1 year, 7 months ago
https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-gateway-load-balancer-supported-architecture-patterns/
upvoted 3 times
...
...
Spaurito
Most Recent 5 months, 1 week ago
A - For high availability, we recommend that you use a Network Load Balancer or a Gateway Load Balancer endpoint as a mirror target. You might experience out-of-order delivery of mirrored packets when you use a Network Load Balancer or Gateway Load Balancer endpoint as your traffic mirror target. If your monitoring appliance can't handle out-of-order packets, we recommend using a network interface as your traffic mirror target.
upvoted 1 times
...
Blitz1
8 months, 3 weeks ago
Selected Answer: A
It's A just because of D is saying: "For each network interface, create a VPC Traffic Mirroring session that sends the traffic to the central VPC's NLB. " Mirroring each interface in "multiple accounts and VPCs" is definitly NOT the " LEAST administrative overhead".
upvoted 1 times
...
Blitz1
9 months ago
Selected Answer: A
For sure A. It cannot be D because it is saying "All inspected traffic and the actions that are taken on the traffic must be logged in a central log account." Since we are talking about mirroring there is no ACTION that can be taken on the traffic since is not INLINE but a mirror.
upvoted 1 times
...
[Removed]
12 months ago
My understanding in scenarios like this is that traffic should be inspected BEFORE the packets are allowed to leave VPC boundaries. If this understanding is true, traffic MIRRORING (option D) is the wrong approach as the decision to let the packet pass or drop would be done independently.
upvoted 1 times
...
Newbies
1 year ago
A & B GLB/ALB with FW: These options require additional configuration and policy mgmt for the FW in the central VPC, complex and time-consuming to maintain across multiple VPCs. Answer is D - no changes req on TGW config
upvoted 1 times
...
Vogd
1 year, 3 months ago
Selected Answer: A
I do not see any word "mirroring" in the question. If you route traffic through GWLB you dont need mirroring at all. Also D offers to store Logs in different VPC than Central where Firewall is deployed. It does not make sense and incur additional complication.
upvoted 1 times
...
nuzz
1 year, 3 months ago
Selected Answer: A
A is the correct answer. do not get confused between mirroring and inspection
upvoted 1 times
...
Becklang
1 year, 5 months ago
Selected Answer: D
NFGW is also a router, it drops packets when there is no route entry on its routing table, IDS will accept the packets arriving at its interface no matter what the src/dst is.
upvoted 1 times
...
Cheam
1 year, 6 months ago
Selected Answer: D
Again, people still get it wrong as to what is a valid mirror target. GWLB Endpoint is a valid mirror target, but not the GWLB itself. Ref: https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-targets.html Also, the question provides a good hint on which is the appropriate answer, "All inspected traffic... must be logged in a central log account". All the best.
upvoted 1 times
aws_god
1 year, 5 months ago
Nowhere in the question is a mirror target mentioned
upvoted 3 times
...
zendevloper
1 year, 4 months ago
It's A. D does not mention where the traffic is logged
upvoted 1 times
...
...
sambb
1 year, 8 months ago
Selected Answer: A
D asks for creating a mirroring session for each ENI, this is operationally inefficient. A provides a solution that monitors all IP traffic that reaches the transit gateway.
upvoted 1 times
Becklang
1 year, 5 months ago
No need for create mirroring session for each ENI , just create it on TGW ENI in each VPC
upvoted 2 times
...
...
ISSDoksim
1 year, 8 months ago
D - https://aws.amazon.com/blogs/networking-and-content-delivery/using-vpc-traffic-mirroring-to-monitor-and-secure-your-aws-infrastructure/
upvoted 2 times
johnconnor
1 year, 8 months ago
Agreed, deep traffic inspection and mirroring go like jelly and peanut butter
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago