Question 20
Domain 3: Infrastructure Security
A company wants to encrypt the private network between its on-premises environment and AWS. The company also wants a consistent network experience for its employees. What should the company do to meet these requirements?
Correct answer: D
Explanation
AWS Direct Connect provides a dedicated network path for a "consistent network experience" between on-premises and AWS. To encrypt traffic, the company can "create a VPN connection over Direct Connect" using the customer gateway and virtual private gateway, which adds IPsec encryption while keeping the private circuit.
Why each option is right or wrong
A. Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway. In the Direct Connect gateway configuration, enable IPsec and BGP, and then leverage native AWS network encryption between Availability Zones and Regions.
Direct Connect does not become encrypted just by enabling gateway settings; VPN/IPsec provides the encryption layer.
B. Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway. Using the Direct Connect gateway, create a private virtual interface and advertise the customer gateway private IP addresses. Create a VPN connection using the customer gateway and the virtual private gateway.
A private virtual interface is for private AWS resources, not the typical path used to reach VPN public endpoints.
C. Establish a VPN connection with the AWS virtual private cloud over the internet.
Internet VPN encrypts traffic but does not provide the dedicated, consistent connectivity of Direct Connect.
D. Establish an AWS Direct Connect connection with AWS and establish a public virtual interface. For prefixes that need to be advertised, enter the customer gateway public IP addresses. Create a VPN connection over Direct Connect using the customer gateway and the virtual private gateway.
AWS Direct Connect is the service that provides a dedicated, predictable network path to AWS, which is why it fits the requirement for a consistent network experience; AWS documents that a public virtual interface is used to reach public AWS services and to advertise customer prefixes over the Direct Connect link. To add encryption, the VPN is then built over that Direct Connect path using the customer gateway and virtual private gateway, which applies IPsec/IKE protection to the traffic while preserving the dedicated circuit.