Exam ANS-C00 topic 1 question 90 discussion

Exam question from Amazon's ANS-C00
Question #: 90
Topic #: 1

A company is connecting to a VPC over an AWS Direct Connect using a private VIF, and a dynamic VPN connection as a backup. The company's Reliability Engineering team has been running failover and resiliency tests on the network and the existing VPC by simulating an outage situation on the Direct Connect connection. During the resiliency tests, traffic failed to switch over to the backup VPN connection.
How can this failure be troubleshot?

  • A. Ensure that Bidirectional Forwarding Detection is enabled on the Direct Connect connection
  • B. Confirm that the same routes are being advertised over both the VPN and Direct Connect.
  • C. Reconfigure the Direct Connect session from static routes to Border Gateway Protocol (BGP) peering.
  • D. Configure a virtual private gateway for the VPN and another virtual private gateway for Direct Connect.
Suggested Answer: C
Reference:
https://aws.amazon.com/answers/networking/aws-single-data-center-ha-network-connectivity/

Comments

lunt
Highly Voted 3 years, 7 months ago
Question is a lot simpler when broken down. A. Nope. BFD gives us quicker detection time, if the same routes are not being advertised then this makes no difference. There will be no routes in the routing table so there will be no routing. C. Nope. Cannot configure DX with static routes. D. Nope. You need to nail DX + VPN to same VGW for failover to work. B. Yes. Same routes being advertised, DX will always be preferred. When DX link goes down, BGP state machine kicks in, eventually the VPN routes should be installed in routing table. Answer is B.
upvoted 24 times
Kentik
3 years, 7 months ago
I would agree with you. BFD will make it sub-second, but to troubleshoot this the best way is to make sure that the routes are being advertised to AWS on both links (DX, VPN). Since these are two different BGP sessions, it is possible that the engineer is only advertising the routes over the DX.
upvoted 1 times
RaghuRajm
Highly Voted 3 years, 7 months ago
B is the answer. BFD is automatically enabled for VIFs. If BFD is configured on the customer end, it will help in faster failover to backup connections. If not configured, failover will still happen, but as per the BGP neighbor's keepalive/hold-down timer. DX connections support only BGP for routing information exchange. No support for static routing. One VGW can only be associated with a VPC at a time. So, both the DX connection and VPN connection are to be terminated on the same VGW. The only thing left over here is that the same routes are being advertised over the DX and VPN connections. DX routes are preferred over VPN routes at the VGW. Hence DX will be the preferred path with VPN as backup.
upvoted 7 times
clooudy
Most Recent 3 years ago
Selected Answer: B
Answer B
upvoted 1 times
scottkerker
3 years, 3 months ago
To configure the hardware VPN as a backup for your Direct Connect connection:
- Be sure that you use the same virtual private gateway for both Direct Connect and the VPN connection to the VPC.
- If you are configuring a Border Gateway Protocol (BGP) VPN, advertise the same prefix for Direct Connect and the VPN.
- If you are configuring a static VPN, add the same static prefixes to the VPN connection that you are announcing with the Direct Connect virtual interface.
- If you are advertising the same routes toward the AWS VPC, the Direct Connect path is always preferred, regardless of AS path prepending.
upvoted 1 times
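The route-parity check that the comments above describe (same prefixes on both the Direct Connect and VPN sessions), as an added Python example that is not part of any comment or of AWS tooling. The prefix lists are constructed sample data, the function names are hypothetical, and the "covered" category assumes ordinary longest-prefix-match routing.

```python
import ipaddress


def _key(net):
    # Sort key that also works when IPv4 and IPv6 prefixes are mixed.
    return (net.version, int(net.network_address), net.prefixlen)


def compare_advertisements(dx_prefixes, vpn_prefixes):
    """Classify each Direct Connect prefix by how the VPN path covers it."""
    dx = {ipaddress.ip_network(p) for p in dx_prefixes}
    vpn = {ipaddress.ip_network(p) for p in vpn_prefixes}
    report = {"same": [], "covered": [], "missing": [], "vpn_only": []}

    for net in sorted(dx, key=_key):
        if net in vpn:
            report["same"].append(str(net))
            continue
        # Less-specific VPN routes that still contain this prefix.
        covers = [v for v in vpn
                  if v.version == net.version and net.subnet_of(v)]
        if covers:
            best = max(covers, key=lambda v: v.prefixlen)
            report["covered"].append((str(net), str(best)))
        else:
            # No VPN route at all: this traffic drops when DX goes down.
            report["missing"].append(str(net))

    report["vpn_only"] = [str(v) for v in sorted(vpn - dx, key=_key)]
    return report


def failover_ready(report):
    """True only when every DX prefix is advertised identically on the VPN."""
    return not report["covered"] and not report["missing"]


# Constructed sample data, not taken from the page.
DX_ADVERTISED = ["10.10.0.0/16", "10.20.0.0/16", "192.168.50.0/24"]
VPN_ADVERTISED = ["10.10.0.0/16", "192.168.0.0/16"]

if __name__ == "__main__":
    result = compare_advertisements(DX_ADVERTISED, VPN_ADVERTISED)
    for status, entries in result.items():
        print(status, entries)
    print("failover ready:", failover_ready(result))
```

Feed it the prefixes your router actually announces on each BGP session (or the static prefixes configured on a static VPN); anything under "missing" is traffic that has no backup path.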
SilverT
3 years, 7 months ago
A for me. In the scenario the traffic failed to switch over and the question is how to troubleshoot. First is to ensure BFD is enabled.
upvoted 1 times
certificatores
3 years, 7 months ago
I see where you are coming from and you are right, but the way AWS certificate questions are tells me that this answer will be B, even though the wording of the question leads us to answer A. They have a really weird structure of question wording.
upvoted 1 times
kvirk
3 years, 8 months ago
I would go with B
upvoted 1 times
exmjame
3 years, 8 months ago
A. BFD can detect a link failure fast but can't do failover/failback
B. same address must be advertised over both VPN and DX - this is a good one
C. DX is never static route - out of scope
D. both VPN and DX must use the same VGW for backup primary/secondary to work
https://aws.amazon.com/premiumsupport/knowledge-center/configure-vpn-backup-dx/
upvoted 4 times
Averageguy
3 years, 8 months ago
B - Need same routes for Direct Connect / VPN HA setup
upvoted 1 times
dirk_gentley
3 years, 8 months ago
A - https://aws.amazon.com/premiumsupport/knowledge-center/enable-bfd-direct-connect/ It's a best practice to enable BFD for fast link failure detection and failover when connecting to AWS services over DX connections and AWS VPNs.
upvoted 2 times
LexyA
3 years, 8 months ago
B is the answer https://aws.amazon.com/premiumsupport/knowledge-center/configure-vpn-backup-dx/
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other