Exam ANS-C00 topic 1 question 47 discussion

I think the answer is C

C A. VPC peering doesn't allow transit communication. So coporate network can't go through shared VPC to reach out to application VPCs https://docs.aws.amazon.com/vpc/latest/peering/invalid-peering-configurations.html B. IPSec VPN can be built between virtual private gateway and EC2 router. https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/transit-vpc-option.html D. Cloudhub is to set up network between remote sites(onpremise) being routed over their AWS VPN connections instead of VPCs. https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-vpn-cloudhub.html

Correct Answer C

Answer C

To me the correct Answer is B. Look at this. Exact scenario. https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/transit-vpc-option.html Option-C will also work. But imagine, you will end up adding 3 VPNs and 2 VPC peering. Rather I would use Option-B which uses 3 VPNs only.

C is clearly the answer here 1 - Corp to applications VPCs will use new IPSec 2 - Application to share will use vpc peering

Cloudhub is not a feature you can enable. Also, why are you trying to make app VPC to shared VPC traffic going through the VPN tunnels to the corp network? Isn't it a better idea to use VPC peering for that?

I would go for C

D: Enable CloudHub functionality to route traffic between the three VPCs and the corporate network using dynamic BGP routing.

CloudHub enables your remote sites to communicate with each other, and not just with the VPC. It operates on a simple hub-and-spoke model that you can use with or without a VPC. This design is suitable for customers with multiple branch offices and existing internet connections who would like to implement a convenient, potentially low-cost hub-and-spoke model for primary or backup connectivity between these remote offices.

D for me, CloudHub allows several sources (VPCs and On-premises) to exchange route through a VGW. I would love to see the complete wording... Option C will be very labor intensive to administer.

Answer is C. A, cannot associate route table to onprem with peering. B, VPN from VGW to VGW won't work. Need EC2 VPN or Onprem VPN to initiate the connection. D, CloudHub is for one VPC to multiple onprem sites.

C. https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharing/

Ambiguous questions ; Native Network Access could imply or mean Direct/original(not going through another source). If so, we end up with a full mesh of connections , which seems reasonable. Hence C for me. To be absolutely sure we need to know what they really meant by Native network access from corp.

C is the only relevant answer. A- with VPC peering you cannot transit a VPC. B - You cannot establish between vpn gateways in 2 different VPNs.

C for me

A is wrong since it will not allow on-premise to access app VPCs due to VPC does not support transitive routing