Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 196 discussion

Option B meets all of the requirements with least operational overhead: It uses a transit gateway and a transit VIF on the Direct Connect connection. Associating the transit VIF with a Direct Connect gateway ensures that communication between the Direct Connect connection and the AWS infrastructure is secure. The transit gateway can be associated with a new transit gateway, which allows data to flow between sites while maintaining security and meeting requirements. It sets up an AWS Site-to-Site VPN private IP VPN connection to the transit gateway.

https://docs.aws.amazon.com/vpn/latest/s2svpn/private-ip-dx.html

C is the correct answer. Establishing IPsec is only permitted over the Public VIF, but this doesn't mean traffic is transmitted over the public Internet as all traffic will be sent and received between the on-prem and AWS across the DX line which is considered as a private link.

Option B is the most operationally efficient solution that meets all requirements: Encrypted Communication: The AWS Site-to-Site VPN connection provides encryption. Private IP Addresses: The transit VIF and Direct Connect gateway ensure private IP connectivity. Least Operational Overhead: By using the transit gateway and Direct Connect's transit VIF, the solution simplifies network management and minimizes operational complexity.

A - you cannot have s2s vpn with private vif. You need public -> A fail C - can you can have 2s2 vpn with public vif but you cannot have in the same time trasit vif(because is mentioning transit gateway) and public vif associated with direct connect gateway -> C fail D - third party vpn -> not LEAST operational overhead -> D fail

To build Site-to-Site VPN over Direct Connect to Amazon VPC, use a public virtual interface. To build Site-to-Site VPN between on-premises equipment and AWS Transit Gateway, choose a public or a transit virtual interface. It should be B with Transit Gateway and Private IP VPN

Site-to-site VPN have to be created over public VIF

Private VIFs are used to establish private connectivity between your on-premises network and your VPCs in AWS without traversing the public internet. They are typically used for scenarios where you need dedicated, private communication between your on-premises infrastructure and your AWS resources. However, to establish a Site-to-Site VPN connection, you need to configure a virtual private gateway (VGW) in your VPC. The VGW acts as the VPN endpoint in the AWS cloud. Site-to-Site VPN connections are established between the VGW and your on-premises VPN device or network. Option B is correct

Agree, A is least overhead to implement.

Least operational overhead. No need for a transit gateway since just 1 vpc. Use Site-to-site to make sure encryption. No public VIF.