
Exam AWS Certified Solutions Architect - Professional topic 1 question 404 discussion

A hybrid network architecture must be used during a company's multi-year data center migration from multiple private data centers to AWS. The current data centers are linked together with private fiber. Due to unique legacy applications, NAT cannot be used. During the migration period, many applications will need access to other applications in both the data centers and AWS.
Which option offers a hybrid network architecture that is secure and highly available, that allows for high bandwidth and a multi-region deployment post-migration?

  • A. Use AWS Direct Connect to each data center from different ISPs, and configure routing to failover to the other data center's Direct Connect if one fails. Ensure that no VPC CIDR blocks overlap one another or the on-premises network.
  • B. Use multiple hardware VPN connections to AWS from the on-premises data center. Route different subnet traffic through different VPN connections. Ensure that no VPC CIDR blocks overlap one another or the on-premises network.
  • C. Use a software VPN with clustering both in AWS and the on-premises data center, and route traffic through the cluster. Ensure that no VPC CIDR blocks overlap one another or the on-premises network.
  • D. Use AWS Direct Connect and a VPN as backup, and configure both to use the same virtual private gateway and BGP. Ensure that no VPC CIDR blocks overlap one another or the on-premises network.
Suggested Answer: A
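All four options end with the same clause, "ensure that no VPC CIDR blocks overlap one another or the on-premises network", and the question's "NAT cannot be used" is what makes that clause hard: once both data centers and the regional VPCs are reachable over Direct Connect, an overlapping prefix cannot be hidden behind address translation, so the whole address plan has to be unique before the first private VIF is routed. The script below is an added example (not part of the exam page and not AWS code) that checks such a plan for collisions and finds a free block for a new region; every address in it is constructed for illustration.

```python
"""Hybrid-network CIDR overlap check (added example, not from the exam page).

With NAT ruled out, an overlapping prefix cannot be papered over later, so the
address plan for both data centers and every regional VPC is checked as one
set before Direct Connect routes are exchanged. All addresses are constructed.
"""
from ipaddress import ip_network
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Constructed inventory: two on-prem data centers and VPCs in several regions.
# The eu-west-1 block is deliberately carved out of the us-east-1 /16.
INVENTORY: Dict[str, str] = {
    "dc-east (on-prem)": "10.0.0.0/16",
    "dc-west (on-prem)": "10.1.0.0/16",
    "vpc-prod-us-east-1": "10.2.0.0/16",
    "vpc-prod-us-west-2": "10.3.0.0/16",
    "vpc-shared-eu-west-1": "10.2.128.0/20",
}


def find_overlaps(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name_a, name_b, shadowed_prefix) for every pair that overlaps.

    strict=True rejects a CIDR whose host bits are set (e.g. 10.2.1.0/16),
    which in a plan is almost always a typo rather than an intended block.
    """
    nets = {name: ip_network(cidr, strict=True) for name, cidr in inventory.items()}
    clashes: List[Tuple[str, str, str]] = []
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            # The longer prefix lies entirely inside the other; that is the
            # block whose traffic gets swallowed by the bigger route.
            shadowed = na if na.prefixlen >= nb.prefixlen else nb
            clashes.append((a, b, str(shadowed)))
    return clashes


def is_routable_without_nat(inventory: Dict[str, str]) -> bool:
    """True only if every prefix is unique end to end, so no NAT is needed."""
    return not find_overlaps(inventory)


def next_free_block(supernet: str, prefixlen: int,
                    inventory: Dict[str, str]) -> Optional[str]:
    """First /prefixlen inside supernet that collides with nothing in use.

    Used when a new region's VPC needs a block that stays unique once both
    data centers and all existing VPCs are reachable over Direct Connect.
    """
    used = [ip_network(cidr) for cidr in inventory.values()]
    for candidate in ip_network(supernet).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    for a, b, prefix in find_overlaps(INVENTORY):
        print(f"OVERLAP: {a} and {b} both cover {prefix}")
    print("routable without NAT:", is_routable_without_nat(INVENTORY))
    print("next free /20 in 10.0.0.0/8:", next_free_block("10.0.0.0/8", 20, INVENTORY))
```

Run it against the real plan before adding a region: on the constructed inventory it reports the eu-west-1 /20 as shadowed by the us-east-1 /16, and proposes 10.4.0.0/20 as the first block that collides with nothing. The same check applies to the on-premises prefixes that will be advertised over BGP, since a data center block that overlaps a VPC is just as unroutable without NAT as two overlapping VPCs.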

Comments
Joeylee
Highly Voted 3 years, 8 months ago
"Due to unique legacy applications, NAT cannot be used" means an outbound connection to the internet is not possible, so a VPN is not possible. The correct answer has to be A.
upvoted 67 times
LunchTime
3 years, 8 months ago
Great point.
upvoted 1 times
rb39
3 years, 6 months ago
A is correct. Reliable with high bandwidth means failover to another DX; a VPN as secondary would reduce it.
upvoted 1 times
rcher
3 years, 7 months ago
This has to be upvoted more. D will not be possible with a VPN as a backup, which requires an internet interface (IPsec).
upvoted 1 times
macshild
3 years, 7 months ago
A VPN connection between AWS and on-prem networks doesn't utilize the NAT gateway; it is done through Transit Gateway with VPN attachments or a Virtual Private Gateway. But then again your answer is correct, just letting the masses know a NAT gateway is not involved in VPN on the AWS side.
upvoted 3 times
donathon
Highly Voted 3 years, 8 months ago
A. https://aws.amazon.com/answers/networking/aws-multiple-data-center-ha-network-connectivity/ A: This is the best way for HA and high bandwidth. B/C: VPN, even if it is redundant, does not allow high bandwidth, where it has a limit of 1.25 Gbps. https://aws.amazon.com/vpn/faqs/ D: This is not multi-region and not as highly available. Remember VPN has only 1.25 Gbps.
upvoted 13 times
janvandermerwer
Most Recent 2 years, 7 months ago
Selected Answer: A
A seems to be the "best" option. Unable to use NAT, i.e. VPN, so that rules out B, C, D.
upvoted 1 times
Ni_yot
2 years, 7 months ago
Selected Answer: A
A is a good choice here. If you can't use NAT, then Direct Connect is the best solution.
upvoted 1 times
JayF88
2 years, 8 months ago
Selected Answer: A
A makes more sense; the VPN solution in D is not possible.
upvoted 1 times
jujumomma
2 years, 9 months ago
Ans: A D is wrong. https://aws.amazon.com/directconnect/faqs/?nc1=h_ls Q: Can I use AWS Site-to-Site VPN as a backup for my AWS Direct Connect link to an AWS Local Zone? No. Unlike connectivity to a Region, you cannot use an AWS Site-to-Site VPN as a backup to your AWS Direct Connect connection to an AWS Local Zone. For redundancy, you must use two or more AWS Direct Connect connections.
upvoted 1 times
hollie
2 years, 5 months ago
This answer refers to AWS Local Zones, but this question does not mention AWS Local Zones at all.
upvoted 2 times
bihani
2 years, 9 months ago
Selected Answer: A
I agree on option A. There is no mention of cost reduction in the question, so using a secondary Direct Connect connection will be better.
upvoted 1 times
Serial_X25
2 years, 11 months ago
Selected Answer: A
A is correct - reliable with high bandwidth means failover to another DX, VPN as secondary would reduce it.
upvoted 1 times
[Removed]
3 years, 5 months ago
D is incorrect: you cannot attach a Direct Connect to a Virtual Private Gateway, you need a Direct Connect Gateway. A is the only viable option.
upvoted 1 times
cldy
3 years, 5 months ago
A: CORRECT
upvoted 1 times
backfringe
3 years, 6 months ago
I'd go with A because the question says multi-region.
upvoted 1 times
acloudguru
3 years, 6 months ago
Selected Answer: A
"Due to unique legacy applications, NAT cannot be used" means an outbound connection to the internet is not possible, so a VPN is not possible. The correct answer has to be A.
upvoted 1 times
andylogan
3 years, 7 months ago
It's A
upvoted 1 times
StelSen
3 years, 7 months ago
Requirements: secure, highly available, high bandwidth and a multi-region deployment post-migration.
Option A: fulfils the last 3 requirements.
Option B: partial security, less bandwidth, not HA, can meet multi-region.
So, I will go with A.
upvoted 2 times
denccc
3 years, 7 months ago
It's A; "are linked together with private fiber" points to DX.
upvoted 2 times
FERIN_01
3 years, 7 months ago
D makes more sense, as it is a multi-region deployment; you need a Virtual Private Gateway to connect with multiple VPCs in different regions on the AWS side.
upvoted 1 times
student2020
3 years, 7 months ago
A and D mention using DX, which is not secure: traffic on DX is not encrypted. Option C is better, as it ticks all the requirements. A VPN is secure, and it uses instances, so the throughput is limited by the instance type (not 1.25mbps as for AWS VPN). It can also scale to different regions by just creating a new EC2 VPN cluster in the new region.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other