Exam AWS Certified Solutions Architect - Professional All Questions

Exam AWS Certified Solutions Architect - Professional topic 1 question 769 discussion

A company is running a line-of-business (LOB) application on AWS to support its users. The application runs in one VPC, with a backup copy in a second VPC in a different AWS Region for disaster recovery. The company has a single AWS Direct Connect connection between its on-premises network and AWS. The connection terminates at a Direct Connect gateway.
All access to the application must originate from the company's on-premises network and traffic must be encrypted in transit through the use of IPsec. The company is routing traffic through a VPN tunnel over the Direct Connect connection to provide the required encryption.
A business continuity audit determines that the Direct Connect connection represents a potential single point of failure for access to the application. The company needs to remediate this issue as quickly as possible.
Which approach will meet these requirements?

  • A. Order a second Direct Connect connection to a different Direct Connect location. Terminate the second Direct Connect connection at the same Direct Connect gateway.
  • B. Configure an AWS Site-to-Site VPN connection over the internet. Terminate the VPN connection at a virtual private gateway in the secondary Region.
  • C. Create a transit gateway. Attach the VPCs to the transit gateway, and connect the transit gateway to the Direct Connect gateway. Configure an AWS Site-to-Site VPN connection, and terminate it at the transit gateway.
  • D. Create a transit gateway. Attach the VPCs to the transit gateway, and connect the transit gateway to the Direct Connect gateway. Order a second Direct Connect connection, and terminate it at the transit gateway.
Suggested Answer: B
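The audit finding in the question (one Direct Connect circuit, IPsec VPN riding over it, no independent path) can be checked offline against the record shapes returned by boto3's `DirectConnect.describe_connections` and `EC2.describe_vpn_connections`. This is an added example, not part of the exam page or any AWS tooling; the connection and VPN records are constructed, the location value is a placeholder, and `vpn_over_dx` is an operator-supplied list because the API does not distinguish a VPN over a public VIF from a VPN over the internet.

```python
def assess_hybrid_paths(dx_connections, vpn_connections, vpn_over_dx=()):
    """Classify on-prem -> AWS paths and report resiliency/encryption findings.

    dx_connections: records shaped like DirectConnect.describe_connections()
    vpn_connections: records shaped like EC2.describe_vpn_connections()
    vpn_over_dx: VPN ids the operator knows ride the DX circuit (assumption:
                 supplied by hand, since the API does not mark them)
    """
    up_dx = [c for c in dx_connections if c["connectionState"] == "available"]
    locations = {c["location"] for c in up_dx}
    up_vpn = [v["VpnConnectionId"] for v in vpn_connections
              if v["State"] == "available"
              and any(t["Status"] == "UP" for t in v["VgwTelemetry"])]
    on_dx = set(vpn_over_dx)
    vpn_on_dx = [v for v in up_vpn if v in on_dx]
    vpn_inet = [v for v in up_vpn if v not in on_dx]
    # Independent paths: each distinct DX location counts once; an internet
    # VPN counts once because it does not depend on the DX circuit.
    independent = len(locations) + (1 if vpn_inet else 0)
    findings = []
    if independent < 2:
        findings.append("single point of failure: no path independent of the DX circuit")
    if up_dx and not vpn_on_dx:
        findings.append("DX path carries traffic without an IPsec tunnel")
    return {"independent_paths": independent, "dx_locations": sorted(locations),
            "vpn_over_dx": vpn_on_dx, "vpn_over_internet": vpn_inet,
            "findings": findings}

# Constructed sample data: the scenario in the question (one DX, IPsec VPN over it).
DX_CONNECTIONS = [{"connectionId": "dxcon-example", "connectionState": "available",
                   "location": "dx-location-placeholder"}]
VPN_OVER_DX = {"VpnConnectionId": "vpn-example-dx", "State": "available",
               "VgwTelemetry": [{"Status": "UP"}, {"Status": "UP"}]}
# A Site-to-Site VPN over the internet with one of its two tunnels down.
VPN_INTERNET = {"VpnConnectionId": "vpn-example-inet", "State": "available",
                "VgwTelemetry": [{"Status": "UP"}, {"Status": "DOWN"}]}

def before_remediation():
    return assess_hybrid_paths(DX_CONNECTIONS, [VPN_OVER_DX], vpn_over_dx=["vpn-example-dx"])

def after_internet_vpn():
    return assess_hybrid_paths(DX_CONNECTIONS, [VPN_OVER_DX, VPN_INTERNET],
                               vpn_over_dx=["vpn-example-dx"])

if __name__ == "__main__":
    for label, r in (("before", before_remediation()), ("after", after_internet_vpn())):
        print(label, r["independent_paths"], r["findings"])
```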

Comments

Viper57
Highly Voted 3 years, 1 month ago
I think the answer is B. A - Wrong, because this is too slow. B - Only option that works and does not take too long C - Wrong. Looks good at first, but a transit gateway can't be associated with multiple VPCs in different regions, only the same region. This only works if the transit gateway is peered with another gateway in a different region, which is not stated in the question. D - Wrong, because this is too slow. A transit gateway is a regional construct, not global. See - https://aws.amazon.com/blogs/networking-and-content-delivery/building-a-global-network-using-aws-transit-gateway-inter-region-peering/. A
upvoted 11 times
Gaurav_GGG
2 years, 11 months ago
TG supports InterRegion VPC Peering- https://aws.amazon.com/about-aws/whats-new/2019/12/aws-transit-gateway-supports-inter-region-peering/
upvoted 3 times
aandc
2 years, 5 months ago
you need two TG https://aws.amazon.com/blogs/networking-and-content-delivery/building-a-global-network-using-aws-transit-gateway-inter-region-peering/
upvoted 2 times
Rmukh
Highly Voted 3 years, 2 months ago
I agree with C. As for D, it will take more time, plus it will require additional VPN tunneling for encryption, which is not mentioned in D.
upvoted 8 times
sergioandreslq
3 years, 2 months ago
TGW is required to receive the Site-to-Site VPN, and the DX Gateway is required to reach the DR in the secondary region (a Transit VIF is required to connect DX GW to TGW). Site-to-Site VPN complies with encryption; answer D doesn't comply with the encryption requirement using only DX.
upvoted 2 times
rodrod
Most Recent 1 year, 2 months ago
Selected Answer: B
How can it be so controversial? They want to eliminate the single point of failure of DC. There are only 2 options: either by creating a second DX or by adding an S2S VPN connection. The latter is cheaper and quicker to implement but less performant. In the given scenario time is key, so we need the VPN option to fulfill that requirement. It will only switch to the slow S2S failover in case of disaster, which is acceptable based on the given scenario. It's B.
upvoted 1 times
SkyZeroZx
1 year, 5 months ago
Selected Answer: B
I think the answer is B. A - Wrong, because this is too slow. B - Only option that works and does not take too long C - Wrong. Looks good at first, but a transit gateway can't be associated with multiple VPCs in different regions, only the same region. This only works if the transit gateway is peered with another gateway in a different region, which is not stated in the question. D - Wrong, because this is too slow. A transit gateway is a regional construct, not global. See - https://aws.amazon.com/blogs/networking-and-content-delivery/building-a-global-network-using-aws-transit-gateway-inter-region-peering/. A
upvoted 2 times
F_Eldin
1 year, 6 months ago
Selected Answer: B
It cannot be C or D. Transit Gateway is regional. For A to work we need peered transit gateways in each region https://docs.aws.amazon.com/pdfs/whitepapers/latest/hybrid-connectivity/hybrid-connectivity.pdf
upvoted 2 times
[Removed]
1 year, 9 months ago
Selected Answer: B
I think B is the only one that satisfies the criteria. A: a second direct connection does not encrypt the traffic. C: creating a transit gateway doesn't remove the single point of failure; points for using the VPN to encrypt, but still a single point of failure. D: pretty sure you need a TGW in both regions, and where is the encryption?
upvoted 2 times
evargasbrz
1 year, 11 months ago
Selected Answer: B
I'll go with B
upvoted 1 times
Relaxeasy
2 years ago
Selected Answer: B
B sounds right
upvoted 1 times
dmscountera
2 years, 1 month ago
https://aws.amazon.com/premiumsupport/knowledge-center/dx-configure-dx-and-vpn-failover-tgw/ C
upvoted 2 times
dcdcdc3
2 years, 2 months ago
Selected Answer: B
I would choose B for its simplicity and not having to order a second DX. https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html A requires another DX GW if DX terminates in another location. C and D are overkill in comparison (if they were adding a redundant WAN/DX link); also D is not adding encryption in this wording.
upvoted 1 times
kadev
2 years, 3 months ago
B. Many people confuse B and C; the key point is resolving the "single point as quickly as possible" => B is right, the VPN is secondary when the DX connection goes down. C: "Create a transit gateway. Attach the VPCs to the transit gateway". Do you see "a TG"? => the VPCs are in different regions, so you cannot attach a VPC in this region to a TG in another region.
upvoted 2 times
kadev
2 years, 3 months ago
And adding a TG does not resolve the "single point", because it is still using the same DX connection.
upvoted 2 times
foureye2004
2 years, 4 months ago
Selected Answer: A
https://aws.amazon.com/directconnect/resiliency-recommendation/ A is the best solution because 1 DX is a point of failure; we have to address it by ordering a second one.
upvoted 2 times
dethblow
2 years, 3 months ago
C https://aws.amazon.com/about-aws/whats-new/2019/12/aws-transit-gateway-supports-inter-region-peering/
upvoted 1 times
kadev
2 years, 3 months ago
"remediate this issue as quickly as possible" - you will fail the exam if you do not read the question carefully.
upvoted 2 times
cen007
2 years, 4 months ago
Selected Answer: C
Ans is C. The question is about resiliency of connection. The connection goes from 2 VPC > Transit Gateway > DXGateway > VPN+DX connection (on-premise). B is just a disaster recovery site to store copy of the primary site. Also terminating the VPN to a private gateway will not help the primary region.
upvoted 6 times
Enigmaaaaaa
2 years, 4 months ago
I will go with B.
A - will take a lot of time + incorrect configuration.
C - you can't attach VPCs from different regions to the same transit GW; need to create two TGWs with inter-region peering.
D - you can't attach VPCs from different regions to the same transit GW + will take a lot of time.
B - can address it immediately = add an extra VPN from on-prem.
upvoted 1 times
aandc
2 years, 5 months ago
Selected Answer: B
Vote for B. C and D are wrong: the two VPCs are in different regions, so a single transit gateway is not enough.
upvoted 1 times
cen007
2 years, 4 months ago
Ans is C. The question is about resiliency of connection. The connection goes from 2 VPC > Transit Gateway > DXGateway > VPN+DX connection (on-premise). B is just a disaster recovery site to store copy of the primary site. Also terminating the VPN to a private gateway will not help the primary region.
upvoted 1 times
JonJon03
2 years, 5 months ago
Selected Answer: C
Secondary region is for disaster recovery. We're not associating the TGW with multiple regions, we are increasing the resiliency of the primary connection via a TGW/DXW/S2S VPN
upvoted 3 times
sb333
2 years, 1 month ago
Answer C specifically says to connect the "VPCs" to the TGW. That is completely wrong - you can't do it. There are only two VPCs in the solution: one in the primary region and one in the secondary (DR) region. So with the creation of only one TGW, this is invalid. You would need a TGW in both Regions for this to work.
upvoted 2 times
riched99
2 years, 8 months ago
C: each VPC would need a TGW, and there is no mention of a Transit VIF; the correct answer is B.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other