Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 173 discussion

A network engineer needs to improve the network security of an existing AWS environment by adding an AWS Network Firewall firewall to control internet-bound traffic. The AWS environment consists of five VPCs. Each VPC has an internet gateway, NAT gateways, public Application Load Balancers (ALBs), and Amazon EC2 instances. The EC2 instances are deployed in private subnets. The architecture is deployed across two Availability Zones.

The network engineer must be able to configure rules for the public IP addresses in the environment, regardless of the direction of traffic. The network engineer must add the firewall by implementing a solution that minimizes changes to the existing production environment. The solution also must ensure high availability.

Which combination of steps should the network engineer take to meet these requirements? (Choose two.)

  • A. Create a centralized inspection VPC with subnets in two Availability Zones. Deploy Network Firewall in this inspection VPC with an endpoint in each Availability Zone.
  • B. Configure new subnets in two Availability Zones in each VPC. Deploy Network Firewall in each VPC with an endpoint in each Availability Zone.
  • C. Deploy Network Firewall in each VPC. Use existing subnets in each of the two Availability Zones to deploy Network Firewall endpoints.
  • D. Update the route tables that are associated with the private subnets that host the EC2 instances. Add routes to the Network Firewall endpoints.
  • E. Update the route tables that are associated with the public subnets that host the NAT gateways and the ALBs. Add routes to the Network Firewall endpoints.
Suggested Answer: CE
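The route-table changes that the distributed deployment model (the one options B, C and E describe) needs are where mistakes hide, so here is an added worked example that is not part of the original page, of AWS's tooling or of any commenter's answer: a small Python checker run over a constructed two-AZ VPC laid out like the one in the question. The subnet, endpoint, NAT gateway and internet gateway ids are hypothetical, and the data model is a simplified stand-in rather than the EC2 DescribeRouteTables schema. It checks the three routing facts a distributed Network Firewall needs: each public subnet's default route points at the firewall endpoint in its own AZ, the internet gateway's ingress route table returns traffic for each public subnet CIDR to that same endpoint, and the firewall subnets send 0.0.0.0/0 to the internet gateway. Private subnets keep their existing default route to a NAT gateway.

```python
"""Routing consistency check for a distributed AWS Network Firewall deployment.

Constructed, simplified model of one VPC's subnets, firewall endpoints and
route tables. All ids are hypothetical; this is not the EC2 API schema.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Subnet:
    subnet_id: str
    az: str
    cidr: str
    role: str  # "public" (NAT gateways / ALBs), "firewall" (endpoint), or "private" (EC2)


@dataclass
class FirewallEndpoint:
    endpoint_id: str  # hypothetical vpce-... id of a Network Firewall endpoint
    az: str


@dataclass
class RouteTable:
    rtb_id: str
    routes: dict  # destination CIDR -> target id ("local", igw-..., nat-..., vpce-...)
    subnet_ids: list = field(default_factory=list)
    edge_gateway: Optional[str] = None  # igw id when this is the IGW ingress route table


def check_distributed_firewall_routing(subnets, endpoints, route_tables, igw_id):
    """Return a list of findings; an empty list means the routing is consistent."""
    findings = []
    ep_by_az = {e.az: e.endpoint_id for e in endpoints}
    rtb_by_subnet = {sid: rt for rt in route_tables for sid in rt.subnet_ids}
    edge_rtb = next((rt for rt in route_tables if rt.edge_gateway == igw_id), None)

    # High availability needs one endpoint per AZ that carries public subnets.
    for az in sorted({s.az for s in subnets if s.role == "public"}):
        if az not in ep_by_az:
            findings.append(f"no firewall endpoint in {az}: that AZ has no local inspection path")

    for s in subnets:
        rt = rtb_by_subnet.get(s.subnet_id)
        if rt is None:
            findings.append(f"{s.subnet_id} has no route table association")
            continue
        default = rt.routes.get("0.0.0.0/0")
        if s.role == "public":
            expected = ep_by_az.get(s.az)  # same-AZ endpoint, so an AZ failure stays local
            if default != expected:
                findings.append(f"{s.subnet_id} default route -> {default}, expected same-AZ endpoint {expected}")
            # Return path: without an ingress route table on the IGW, inbound traffic
            # to the public subnet reaches the ALB/NAT gateway without inspection.
            if edge_rtb is None:
                findings.append(f"{igw_id} has no ingress route table: return traffic to {s.cidr} bypasses the firewall")
            elif edge_rtb.routes.get(s.cidr) != expected:
                findings.append(f"ingress route for {s.cidr} -> {edge_rtb.routes.get(s.cidr)}, expected {expected}")
        elif s.role == "firewall":
            if default != igw_id:
                findings.append(f"firewall subnet {s.subnet_id} default route -> {default}, expected {igw_id}")
        elif s.role == "private":
            if not (default or "").startswith("nat-"):
                findings.append(f"private subnet {s.subnet_id} default route -> {default}, expected its NAT gateway")
    return findings


def build_vpc(misconfigured=False):
    """Constructed two-AZ VPC: public (NAT + ALB), firewall and private (EC2) subnets."""
    igw = "igw-0example"
    subnets = [
        Subnet("subnet-pub-a", "us-east-1a", "10.0.0.0/24", "public"),
        Subnet("subnet-pub-b", "us-east-1b", "10.0.1.0/24", "public"),
        Subnet("subnet-fw-a", "us-east-1a", "10.0.2.0/28", "firewall"),
        Subnet("subnet-fw-b", "us-east-1b", "10.0.2.16/28", "firewall"),
        Subnet("subnet-priv-a", "us-east-1a", "10.0.10.0/24", "private"),
        Subnet("subnet-priv-b", "us-east-1b", "10.0.11.0/24", "private"),
    ]
    endpoints = [FirewallEndpoint("vpce-fw-a", "us-east-1a"), FirewallEndpoint("vpce-fw-b", "us-east-1b")]
    local = {"10.0.0.0/16": "local"}
    route_tables = [
        RouteTable("rtb-pub-a", {**local, "0.0.0.0/0": "vpce-fw-a"}, ["subnet-pub-a"]),
        RouteTable("rtb-pub-b", {**local, "0.0.0.0/0": "vpce-fw-b"}, ["subnet-pub-b"]),
        RouteTable("rtb-fw", {**local, "0.0.0.0/0": igw}, ["subnet-fw-a", "subnet-fw-b"]),
        RouteTable("rtb-priv-a", {**local, "0.0.0.0/0": "nat-a"}, ["subnet-priv-a"]),
        RouteTable("rtb-priv-b", {**local, "0.0.0.0/0": "nat-b"}, ["subnet-priv-b"]),
        RouteTable("rtb-igw-ingress", {**local, "10.0.0.0/24": "vpce-fw-a", "10.0.1.0/24": "vpce-fw-b"},
                   edge_gateway=igw),
    ]
    if misconfigured:
        # Two common slips: public subnet B pointed at the AZ-a endpoint (cross-AZ
        # dependency) and the ingress route table never attached to the IGW.
        route_tables[1].routes["0.0.0.0/0"] = "vpce-fw-a"
        route_tables[-1].edge_gateway = None
    return subnets, endpoints, route_tables, igw


if __name__ == "__main__":
    for flag in (False, True):
        label = "misconfigured" if flag else "correct"
        print(label, check_distributed_firewall_routing(*build_vpc(flag)))
```

The misconfigured variant produces three findings: the cross-AZ default route on the second public subnet, and one missing-ingress-route finding per public subnet, because without the edge association on the internet gateway the inbound half of "regardless of the direction of traffic" is never inspected.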

Comments

backspace0900
Highly Voted 1 month, 2 weeks ago
Selected Answer: BE
BE: new firewall subnet, public subnet route table change.
upvoted 5 times
daemon101
1 month, 1 week ago
B would create 10 subnets with 10 network firewall and wouldn’t meet the requirement of minimizing changes to the existing production. I would go for A and E instead.
upvoted 1 times
JoellaLi
1 month ago
But there is no Transit Gateway now. For the centralized deployment model, AWS Transit Gateway is a prerequisite. AWS Transit Gateway acts as a network hub and simplifies the connectivity between VPCs as well as on-premises networks. AWS Transit Gateway also provides inter-region peering capabilities to other Transit Gateways to establish a global network using the AWS backbone. Another key characteristic of the centralized deployment is a dedicated inspection VPC. The inspection VPC consists of two subnets in each AZ. One subnet is a dedicated firewall endpoint subnet and the second is dedicated to the AWS Transit Gateway attachment.
upvoted 3 times
JoellaLi
1 month ago
I choose C and E.
upvoted 1 times
JoellaLi
1 month ago
Change to A D
upvoted 2 times
acloudguru
Most Recent 4 days, 14 hours ago
Selected Answer: AE
The combination of these two steps meets the requirements of adding an AWS Network Firewall firewall to control internet-bound traffic, minimizing changes to the existing production environment, ensuring high availability, and allowing the configuration of rules for public IP addresses in both directions. Options B and C involve deploying Network Firewall in each VPC, which may not be necessary and could lead to increased complexity and management overhead. Option D alone is not sufficient, as it only covers traffic from the private EC2 instances but not the public ALBs.
upvoted 1 times
cerifyme85
1 week, 2 days ago
Selected Answer: BE
It is not a centralised setup. It is a distributed setup. Five separate VPCs; each VPC: ALB + NAT + EC2. The question says the architecture should not be changed. So just deploy ANF endpoints in a separate subnet in each AZ. https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/#:~:text=AWS%C2%A0Network%C2%A0Firewall%20is%20deployed%20to%20protect%20traffic%20between%20a%20workload%20public%20subnet%20and%20IGW Also the question is concerned about inbound traffic, so E. To use centralised we need a TGW.
upvoted 1 times
[Removed]
2 weeks, 4 days ago
I believe AE is correct, because: E is correct as we need to inspect internet-bound traffic. E already includes that we need to update route tables. With this given, A, a centralized approach, would make more sense than (again) updating the production environment by adding new subnets there (option B). So AE for me.
upvoted 1 times
cerifyme85
2 weeks, 5 days ago
Selected Answer: AD
Ans is AD
upvoted 1 times
Sailor
1 week, 2 days ago
D talks about private subnets and the question says: "The network engineer must be able to configure rules for the public IP addresses in the environment, regardless of the direction of traffic", so it is A, E.
upvoted 1 times
xTrayusx
1 month ago
Selected Answer: AE
'The network engineer must add the firewall by implementing a solution that minimizes changes to the existing production environment'
upvoted 2 times
JoellaLi
1 month ago
Selected Answer: AD
The Network Firewall acts as a "filter" for traffic between the subnets and locations outside the VPC. To enable this filtering, route tables need to be modified so traffic passes through the firewall endpoints. Private subnets contain the EC2 instances, so their route tables should be updated to send outbound traffic to the firewall. The firewall then allows or denies the traffic before sending it to its final destination like internet gateway or NAT gateway. Route tables for public subnets hosting NAT/ALB do not need changes as instances are not present there. Traffic originating from private subnets is what needs inspection.
upvoted 1 times
JoellaLi
3 weeks, 6 days ago
Filter traffic going to and from the EC2 instances in the private subnets. This will ensure traffic from the instances is directed through the Network Firewall endpoints before reaching its destination (such as the internet gateway or NAT gateway).
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other