ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Advanced Networking - Specialty ANS-C01 All Questions

View all questions & answers for the AWS Certified Advanced Networking - Specialty ANS-C01 exam
Go to Exam

Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 173 discussion

Exam question from Amazon's AWS Certified Advanced Networking - Specialty ANS-C01
Question #: 173
Topic #: 1
[All AWS Certified Advanced Networking - Specialty ANS-C01 Questions]

A network engineer needs to improve the network security of an existing AWS environment by adding an AWS Network Firewall firewall to control internet-bound traffic. The AWS environment consists of five VPCs. Each VPC has an internet gateway, NAT gateways, public Application Load Balancers (ALBs), and Amazon EC2 instances. The EC2 instances are deployed in private subnets. The architecture is deployed across two Availability Zones.

The network engineer must be able to configure rules for the public IP addresses in the environment, regardless of the direction of traffic. The network engineer must add the firewall by implementing a solution that minimizes changes to the existing production environment. The solution also must ensure high availability.

Which combination of steps should the network engineer take to meet these requirements? (Choose two.)

  • A. Create a centralized inspection VPC with subnets in two Availability Zones. Deploy Network Firewall in this inspection VPC with an endpoint in each Availability Zone.
  • B. Configure new subnets in two Availability Zones in each VPC. Deploy Network Firewall in each VPC with an endpoint in each Availability Zone.
  • C. Deploy Network Firewall in each VPUse existing subnets in each of the two Availability Zones to deploy Network Firewall endpoints.
  • D. Update the route tables that are associated with the private subnets that host the EC2 instances. Add routes to the Network Firewall endpoints.
  • E. Update the route tables that are associated with the public subnets that host the NAT gateways and the ALBs. Add routes to the Network Firewall endpoints.
Show Suggested Answer Hide Answer
Suggested Answer: BE 🗳️
by backspace0900 at March 20, 2024, 12:44 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
backspace0900
Highly Voted 1 year, 1 month ago
Selected Answer: BE
BE New Firewall subnet Public subnet Routetable change
upvoted 7 times
daemon101
1 year ago
B would create 10 subnets with 10 network firewall and wouldn’t meet the requirement of minimizing changes to the existing production. I would go for A and E instead.
upvoted 1 times
JoellaLi
1 year ago
But there is no Transit Gateway now. For centralized deployment model, AWS Transit Gateway is a prerequisite. AWS Transit Gateway acts as a network hub and simplifies the connectivity between VPCs as well as on-premises networks. AWS Transit Gateway also provides inter-region peering capabilities to other Transit Gateways to establish a global network using AWS backbone. Another key characteristic of the centralized deployment is a dedicated inspection VPC. Inspection VPC consists of two subnets in each AZs. One subnet is a dedicated firewall endpoint subnet and second is dedicated to AWS Transit Gateway attachment.
upvoted 3 times
...
JoellaLi
1 year ago
I choose C and E.
upvoted 2 times
JoellaLi
1 year ago
Change to A D
upvoted 2 times
...
...
...
...
percolate792
Most Recent 1 month ago
Selected Answer: AE
Comparing this to Option A (centralized inspection VPC), which creates a single new VPC without touching the existing VPCs' structure, Option B introduces more changes to the production environment by adding new subnets to each VPC. In terms of "minimizing changes to existing production environment," Option A (centralized model) would generally be considered less intrusive than Option B (distributed model) because: It leaves the structure of existing VPCs unchanged It requires only one Network Firewall deployment instead of five It centralizes security management rather than distributing it
upvoted 1 times
...
hughnguyen
2 months, 3 weeks ago
Selected Answer: AE
It's easier to create a single VPC than it is to add 2 subnets two five VPCs
upvoted 2 times
...
MO_SAM
6 months, 2 weeks ago
Selected Answer: BE
ALL options are valid **___but___** you need to look at the requirements aka the criteria! which means min changes/interruption to the existing PROD env so definitely BE
upvoted 1 times
...
Blitz1
9 months, 1 week ago
Selected Answer: BE
It took me some time to understand the infra and what is requested. It's indeed about decentralized env because you need transit gateway for centralized one. Plus it is saying that each vpc is completely independent and we need to provide a " solution that minimizes changes". OK , so we have B until now. But were we put the routes: in private subnet or in public subnet. Here is comes the trick saying that we have ALB. So we will put route in public subnet to protect also ALB. So we have E. please read carefully: https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/
upvoted 2 times
...
acloudguru
12 months ago
Selected Answer: AE
The combination of these two steps meets the requirements of adding an AWS Network Firewall firewall to control internet-bound traffic, minimizing changes to the existing production environment, ensuring high availability, and allowing the configuration of rules for public IP addresses in both directions. Options B and C involve deploying Network Firewall in each VPC, which may not be necessary and could lead to increased complexity and management overhead. Option D alone is not sufficient, as it only covers traffic from the private EC2 instances but not the public ALBs.
upvoted 1 times
Sailor
11 months, 3 weeks ago
to choose A, you need connectivity between the new inspection VPC and the VPC either by VPC peering or transit gateway (both are not mentioned ) , so the only way to direct traffic to the network firewall is new subnet
upvoted 1 times
Spaurito
5 months, 3 weeks ago
Great point on the VPC connectivity. It does not mention if the 5 VPCs are all connected. If they were, "A" would be a definite.
upvoted 1 times
...
...
...
cerifyme85
1 year ago
Selected Answer: BE
It is not a centralised setup. It is a distributed setup. Five seperate VPCs Each VPC : ALB + NAT + EC2 Question says architecture should not be changed. So just deploy ANF endpoints in a sep subnet in each AZ. https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/#:~:text=AWS%C2%A0Network%C2%A0Firewall%20is%20deployed%20to%20protect%20traffic%20between%20a%20workload%20public%20subnet%20and%20IGW Also question is concenred about about inbound traffic so E To use centralised we need a TGW
upvoted 2 times
Spaurito
5 months, 3 weeks ago
The question states minimal changes. The central may seem to be out of line, but it meets the minimal changes to the existing environments and ensures high availability.
upvoted 1 times
...
...
[Removed]
1 year ago
I believe AE is correct, because: E is correct as we need to inspect internet-bound traffic. E already includes that we need to update route tables. With this given, A a centralized approach would make more sense than (again) updating the production environment by adding new subnets there (option B). So AE for me
upvoted 1 times
...
cerifyme85
1 year ago
Selected Answer: AD
Ans is AD
upvoted 1 times
Sailor
1 year ago
D talks about private subnets and the question says: The network engineer must be able to configure rules for the public IP addresses in the environment, regardless of the direction of traffic., so it is A, E
upvoted 1 times
...
...
xTrayusx
1 year ago
Selected Answer: AE
'The network engineer must add the firewall by implementing a solution that minimizes changes to the existing production environment'
upvoted 3 times
...
JoellaLi
1 year ago
Selected Answer: AD
The Network Firewall acts as a "filter" for traffic between the subnets and locations outside the VPC. To enable this filtering, route tables need to be modified so traffic passes through the firewall endpoints. Private subnets contain the EC2 instances, so their route tables should be updated to send outbound traffic to the firewall. The firewall then allows or denies the traffic before sending it to its final destination like internet gateway or NAT gateway. Route tables for public subnets hosting NAT/ALB do not need changes as instances are not present there. Traffic originating from private subnets is what needs inspection.
upvoted 1 times
JoellaLi
1 year ago
Filter traffic going to and from the EC2 instances in the private subnets. This will ensure traffic from the instances is directed through the Network Firewall endpoints before reaching its destination (such as the internet gateway or NAT gateway).]
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago