Exam ANS-C00 topic 1 question 84 discussion

A. Nope. BGP in use. B. Nope. VGW not in use. C. I thought it was this but deep dive made this the wrong answer. The private VIF connects to the VGW - this is mandatory - its how it functions. VGW uses gateway route tables, which inherently come the limitation that it only advertises out it local VPC CIDR. C will only send the local central VPC CIDR. You cannot force the VGW to send any more routes. Answer is D. The only way to get the advertisement of the routes from App VPC > centeral VPC > VGW > Private VIF > DX Link > LAN/DC is via IPSEC VPN from LAN/DC to Centeral VPC and BGP routing. This bypasses the whole VGW limitation and life is fun again. Answer is D.

D. That was how my company was set up before moved to TGW. on-prem establishes VPN to the Cisco CSR in the transit VPC. Cisco CSR establishes VPNs with application VPCs on their VGWs. On-prem advertise corp prefixes to Cisco CSR via BGP, then advertised to VGWs in the other VPCs natrually. All the other solution either makes many assumptions or incomplete.

I think it is D. https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/transit-vpc-option.html

answer:D Huntkey's explanation below

C seems to be the most appropriate

Answer is D , I have configured it with Checkpoint for a client

Watch “AWS re:Invent 2017: Networking Many VPCs” https://www.youtube.com/watch?v=KGKrVO9xlqI They create two VPNs between on premises routers and software VPN instances. On-premises look just like another spoke. Answer D then.

I think A would do the trick. Lets say on-prem CIDR is 10.0.0.0/8. You create a static route on Application VPCs pointing traffic destined for 10.0.0.0/8 to the software VPN tunnel. Traffic gets to the instance running VPN software where the traffic is source Nat'd to the IP address of the VPN instance. Traffic is then sent to on-prem from VPN instance using a subnet route table which has an entry to 10.0.0.0/8 via the VGW which came from the DX BGP router.

"This central VPC is connected to on-premises resources via a Direct Connect connection using a private VIF." This rules out D so C looks like the right answer

I would go for D, because question doesn't state that there is non-attached VGW, which is mandatory for option C.

it's C, the VGW is not directly attached to the VPC => https://docs.aws.amazon.com/solutions/latest/cisco-based-transit-vpc/appendix-d.html

The question states that the Central VPC doesn't have a VGW but only has EC2 instances running VPN software. C cannot be right because you dont need a VPG in this case. Best option is to also have an iBGP/eBGP connection from the the on-prem router which can exchange routes to the applucation VPCs.

why D cant able option. BGP advertisement will take care of end to end route propogation https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/transit-vpc.html

Ans is C

C. To leverage the dynamic routing already in place

Its C Vpcs have already dynamic routing enabled, routing to onprem has to be established

A. https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario-onprem.html