A company wants to encrypt the private network between its on-premises environment and AWS. The company also wants a consistent network experience for its employees. What should the company do to meet these requirements?
A. Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway. In the Direct Connect gateway configuration, enable IPsec and BGP, and then leverage native AWS network encryption between Availability Zones and Regions.
B. Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway. Using the Direct Connect gateway, create a private virtual interface and advertise the customer gateway private IP addresses. Create a VPN connection using the customer gateway and the virtual private gateway.
C. Establish a VPN connection with the AWS virtual private cloud over the Internet.
D. Establish an AWS Direct Connect connection with AWS and establish a public virtual interface. For prefixes that need to be advertised, enter the customer gateway public IP addresses. Create a VPN connection over Direct Connect using the customer gateway and the virtual private gateway.
I'm going to throw a monkey wrench into the points above. I feel that the answer is B, as the requirement is that the company wants its private network encrypted and stable. To me that would of course involve Direct Connect, but instead of a public virtual interface the requirement calls for a private virtual interface with VPN.
https://aws.amazon.com/premiumsupport/knowledge-center/public-private-interface-dx/
https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html
You need a PUBLIC VIF to establish a site-to-site VPN over a Direct Connect connection.
https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect-site-to-site-vpn.html
Creating a public virtual interface and advertising public IP addresses is a valid way to establish a VPN connection over Direct Connect. However, it's not the only way to establish a VPN connection over Direct Connect.
Option B suggests creating a private virtual interface and using the customer gateway private IP addresses to establish a VPN connection, which is a more secure approach as it doesn't involve public IP addresses.
In general, creating a public virtual interface and advertising public IP addresses may be more suitable for scenarios where there are no security concerns with exposing public IP addresses. However, in the context of the question you provided, it's not clear whether the company has any security concerns with exposing public IP addresses.
On 22nd June 2022, AWS announced that Private IP VPN is able to traverse Direct Connect.
https://aws.amazon.com/about-aws/whats-new/2022/06/aws-site-vpn-introduces-private-ip-security-privacy/
Therefore, both #B and #D are correct technically. When turning to the security aspect, the private range is much more ideal than the public range. So, if this question comes up in the recent exam, #B shall be more accurate than #D.
Option A, "Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway. In the Direct Connect gateway configuration, enable IPsec and BGP, and then leverage native AWS network encryption between Availability Zones and Regions," is the correct answer. This option allows the company to encrypt the private network between its on-premises environment and AWS, and provides a consistent network experience for its employees.
It seems to be D from the given options, but don't you think MACsec would give even better connectivity? https://aws.amazon.com/about-aws/whats-new/2021/03/aws-direct-connect-announces-macsec-encryption-for-dedicated-10gbps-and-100gbps-connections-at-select-locations/
An AWS VPN connection over a Direct Connect connection provides consistent levels of throughput and encryption algorithms that protect your data.
https://aws.amazon.com/premiumsupport/knowledge-center/create-vpn-direct-connect/
D is wrong. D is using a 'public' virtual interface.
B, using DX, uses a 'private' virtual interface.
https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html
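The Private IP VPN over Direct Connect feature that several comments above refer to (the June 2022 announcement) can be expressed as infrastructure code. The Terraform configuration below is an added example written for this page; it is not from the thread, from AWS, or from any of the linked documents. AWS's Private IP VPN terminates on a transit gateway and uses a Direct Connect transit virtual interface as its transport, so the example assumes an existing Direct Connect connection, a transit gateway, and the Terraform AWS provider's `aws_vpn_connection` arguments `outside_ip_address_type` and `transport_transit_gateway_attachment_id`. Every ID, ASN, VLAN and CIDR is a placeholder.

```hcl
# Added example (not from the thread): Site-to-Site VPN whose tunnel endpoints
# are private IPs carried over Direct Connect, so no public IP is exposed and
# the traffic never leaves the dedicated circuit. All values are placeholders.

# On-premises VPN device, reachable by a PRIVATE address over the DX circuit.
resource "aws_customer_gateway" "onprem" {
  bgp_asn    = 65000          # placeholder: on-premises router ASN
  ip_address = "10.100.0.10"  # placeholder: private IP of the on-prem VPN device
  type       = "ipsec.1"
}

# Transit gateway that terminates the IPsec tunnels on the AWS side.
resource "aws_ec2_transit_gateway" "main" {
  amazon_side_asn = 64512     # placeholder
}

# Direct Connect gateway plus a transit VIF on the existing DX connection.
resource "aws_dx_gateway" "main" {
  name            = "dxgw-example"
  amazon_side_asn = 64513     # placeholder, must differ from the TGW ASN
}

resource "aws_dx_transit_virtual_interface" "transit" {
  connection_id  = "dxcon-PLACEHOLDER"   # placeholder: existing DX connection ID
  dx_gateway_id  = aws_dx_gateway.main.id
  name           = "transit-vif-example"
  vlan           = 100                   # placeholder
  address_family = "ipv4"
  bgp_asn        = 65000                 # on-prem ASN peering over the VIF
}

# Associate the DX gateway with the transit gateway and limit what AWS
# advertises toward on-premises to the VPC range (least exposure).
resource "aws_dx_gateway_association" "tgw" {
  dx_gateway_id         = aws_dx_gateway.main.id
  associated_gateway_id = aws_ec2_transit_gateway.main.id
  allowed_prefixes      = ["10.0.0.0/16"]  # placeholder VPC CIDR
}

# The association shows up as a transit gateway attachment; the VPN uses that
# attachment as its transport instead of the public internet.
data "aws_ec2_transit_gateway_dx_gateway_attachment" "dx" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  dx_gateway_id      = aws_dx_gateway.main.id
  depends_on         = [aws_dx_gateway_association.tgw]
}

resource "aws_vpn_connection" "private_ip_over_dx" {
  customer_gateway_id                     = aws_customer_gateway.onprem.id
  transit_gateway_id                      = aws_ec2_transit_gateway.main.id
  type                                    = "ipsec.1"
  outside_ip_address_type                 = "PrivateIpv4"   # the private-IP variant
  transport_transit_gateway_attachment_id = data.aws_ec2_transit_gateway_dx_gateway_attachment.dx.id

  # Pin the IPsec proposals so a weak algorithm cannot be negotiated.
  tunnel1_ike_versions                 = ["ikev2"]
  tunnel1_phase1_encryption_algorithms = ["AES256-GCM-16"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-384"]
  tunnel1_phase1_dh_group_numbers      = [20]
  tunnel1_phase2_encryption_algorithms = ["AES256-GCM-16"]
  tunnel1_phase2_dh_group_numbers      = [20]

  tunnel2_ike_versions                 = ["ikev2"]
  tunnel2_phase1_encryption_algorithms = ["AES256-GCM-16"]
  tunnel2_phase1_integrity_algorithms  = ["SHA2-384"]
  tunnel2_phase1_dh_group_numbers      = [20]
  tunnel2_phase2_encryption_algorithms = ["AES256-GCM-16"]
  tunnel2_phase2_dh_group_numbers      = [20]
}
```

Leaving out `outside_ip_address_type` (or setting it to the default `PublicIpv4`) gives the older pattern the thread calls option D: the tunnels are built to AWS public VPN endpoints, and Direct Connect carries them only because a public virtual interface advertises the customer gateway's public address. The private-IP variant removes that public exposure while keeping the same IPsec encryption and the consistent throughput of the dedicated circuit.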
Commenters and posting times as listed on the page:
PeppaPig (Highly Voted, 3 years, 9 months ago)
khos77 (Highly Voted, 3 years, 8 months ago)
ChinkSantana (3 years, 8 months ago)
vbal (2 years, 9 months ago)
Raphaello (Most Recent, 1 year, 4 months ago)
Raphaello (1 year, 4 months ago)
M2ao (1 year, 8 months ago)
Anto1973 (1 year, 10 months ago)
Anto1973 (1 year, 10 months ago)
Nan001 (2 years, 4 months ago)
TerrenceC (2 years, 6 months ago)
FAZ81 (2 years, 6 months ago)
[Removed] (2 years, 6 months ago)
nnope (2 years, 6 months ago)
gofavad926 (2 years, 12 months ago)
landsamboni (2 years, 7 months ago)
mongiam (3 years, 2 months ago)
ceros399 (3 years, 3 months ago)
Waniru (3 years, 4 months ago)
jayaj (3 years, 5 months ago)
boooliyooo (3 years, 6 months ago)