Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 44 discussion

It is option C)

C is correct.

C is the correct answer. Appliance mode needs to be enabled on the shared VPC where the stateful inspection appliance resides.

the answer is C - The reason is that the appliance mode will avoid having asymmetric flows. With asymmetric flows the firewall will drop the traffic

Enabling transit gateway appliance mode on the VPC attachment in VPC A and VPC B allows the traffic between the Availability Zones to be processed by the firewall appliance. This mode is specifically designed to handle scenarios where traffic needs to be inspected by a security appliance before being routed to its final destination. It provides a straightforward solution without the need for additional VPNs or VPC peering connections. Option A involves replacing the VPC attachment with a VPN attachment and creating a VPN tunnel, which introduces additional complexity. Option C involves enabling appliance mode only on the shared VPC attachment, which might not address the specific issue related to traffic between Availability Zones. Option D suggests using VPC peering connections, which may not be the most efficient solution for this scenario.

I think that it's correcty answer is B.

Correct answer is C.

Following this document: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-appliance-scenario.html the appliance mode must be enabled to keep the traffic in the same firewall appliance, regardless of the AZ where are the source and destination. When appliance mode is not enabled, a transit gateway attempts to keep traffic routed between VPC attachments in the originating Availability Zone until it reaches its destination.

To fix the issue of dropped traffic between two Availability Zones when routing traffic between VPC A and VPC B through the firewall appliance for inspection, the network engineer should enable transit gateway appliance mode on the VPC attachment in the shared VPC (Option C). Enabling transit gateway appliance mode ensures that all traffic passing through the transit gateway is inspected by the stateful firewall appliance. This helps in meeting the security regulation requirements without the need for complex changes such as replacing VPC attachments with VPN attachments or configuring VPC peering connections. Enabling transit gateway appliance mode on the VPC attachment in the shared VPC is the solution that requires the least management overhead and directly addresses the issue of dropped traffic between Availability Zones.

Ans is B: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-appliance-scenario.html For each VPC attachment, specify a subnet in each Availability Zone. For the shared services VPC, these are the subnets where traffic is routed to the VPC from the transit gateway. In the preceding example, these are subnets A and C. For the VPC attachment for VPC C, enable appliance mode support so that response traffic is routed to the same Availability Zone in VPC C as the source traffic. The Amazon VPC console supports appliance mode. You can also use the Amazon VPC API, an AWS SDK, the AWS CLI to enable appliance mode, or AWS CloudFormation. For example, add --options ApplianceModeSupport=enable to the create-transit-gateway-vpc-attachment or modify-transit-gateway-vpc-attachment command.

C! Appliance mode is on the attachment towards the 3rd party FW VPC

C is the right answer.

C. Appliance mode always enabled in the "shared" VPC

C - https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-appliance-scenario.html

BBBBBBBBBBB

B - correct. Option B is the correct answer as enabling appliance mode on the VPC attachment in VPC A and VPC B will allow the transit gateway to forward all traffic between Availability Zones to the stateful firewall appliance. This will fulfill the requirement of inspecting all traffic between production VPCs while keeping the management overhead low. The other options are not necessary or will add additional complexity to the network design. Option A suggests using VPNs, which can add additional overhead and complexity compared to transit gateway attachments. Option C suggests enabling appliance mode on the VPC attachment in the shared VPC, which would not address the issue of traffic being dropped between Availability Zones. Option D suggests using VPC peering connections, which would not enable the traffic to be inspected by the stateful firewall appliance.