
Exam ANS-C00 topic 1 question 340 discussion

Exam question from Amazon's ANS-C00
Question #: 340
Topic #: 1

You have an application that is processing confidential data. The data is currently stored in your data center. You are moving workloads to AWS, and you need to ensure confidentiality and integrity of the data in transit to your VPC. Your company has an existing AWS Direct Connect connection.
What combination of steps should you perform to set up the most cost-effective connection between your on-premises data center and AWS? (Choose three.)

  • A. Set up a VPC with a virtual private gateway.
  • B. Set up a VPC with an Internet gateway.
  • C. Configure a public virtual interface on your Direct Connect connection.
  • D. Configure a private virtual interface to the virtual private gateway.
  • E. Set up an IPsec tunnel between your customer gateway and a software VPN on Amazon EC2 in the VPC.
  • F. Set up an IPsec tunnel between your customer gateway appliance and the virtual private gateway.
Suggested Answer: ACF
Setting up a VPN over your Direct Connect connection secures the data in transit. The steps are: add a VGW to the VPC, set up a public virtual interface, and create the IPsec tunnel between your data center and the VGW via the public virtual interface. B would send traffic over the public Internet. D is not possible because a public virtual interface is needed to announce the VGW endpoint IPs. E would not take advantage of the already existing Direct Connect connection.
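The three steps of the suggested answer (A, C, F) expressed as a Terraform configuration. This is an added example, not code from the page or from AWS; the Direct Connect connection ID, VLAN, ASN and all addresses are placeholders (documentation ranges), and the resource names are assumptions. The point it makes explicit is that the Direct Connect VIF itself carries cleartext: confidentiality and integrity come only from the IPsec tunnel, whose VGW endpoints are AWS public IPs and are therefore reached over Direct Connect only through a public VIF that advertises the on-premises prefix hosting the customer gateway.

```hcl
# Added example (not from the original page): ACF as Terraform resources.
# connection_id, vlan, bgp_asn and every address below are placeholders.

# A. VPC with a virtual private gateway (VGW) attached.
resource "aws_vpc" "workload" {
  cidr_block = "10.10.0.0/16"
}

resource "aws_vpn_gateway" "vgw" {
  vpc_id = aws_vpc.workload.id
}

# C. Public virtual interface on the existing Direct Connect connection.
# A VIF is a plain BGP-peered layer-2/3 path: nothing on it is encrypted.
# The VGW's VPN tunnel endpoints are AWS public IPs, so they are reachable
# over Direct Connect only via a public VIF. The on-premises public prefix
# that hosts the customer gateway is advertised here so that the tunnel's
# outer IP traffic takes the Direct Connect path instead of the Internet.
resource "aws_dx_public_virtual_interface" "public_vif" {
  connection_id         = "dxcon-PLACEHOLDER"   # existing DX connection (placeholder)
  name                  = "vpn-over-dx"
  vlan                  = 100                   # placeholder VLAN tag
  address_family        = "ipv4"
  bgp_asn               = 65000                 # on-premises ASN (placeholder)
  customer_address      = "203.0.113.1/30"      # documentation-range placeholders
  amazon_address        = "203.0.113.2/30"
  route_filter_prefixes = ["198.51.100.0/24"]   # on-prem public prefix holding the CGW
}

# F. IPsec tunnel between the customer gateway appliance and the VGW.
# This is the only element that provides confidentiality and integrity.
resource "aws_customer_gateway" "cgw" {
  bgp_asn    = 65000
  ip_address = "198.51.100.10"   # CGW public IP, inside the prefix advertised above
  type       = "ipsec.1"
}

resource "aws_vpn_connection" "site_to_site" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.cgw.id
  type                = "ipsec.1"
  static_routes_only  = false    # run BGP inside the tunnel
}

# Let the VPC's main route table learn on-premises prefixes from the VGW,
# so return traffic to the data center enters the tunnel rather than an IGW.
resource "aws_vpn_gateway_route_propagation" "onprem" {
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = aws_vpc.workload.main_route_table_id
}
```

A practical check after `terraform apply`: the two tunnel endpoint addresses shown in the VPN connection's configuration should be reached from the customer gateway via the BGP routes learned on the public VIF, not via the default Internet route; if a traceroute from the CGW to those endpoints leaves through the ISP, the tunnel is still encrypted but the Direct Connect connection is not being used, which is exactly the trade-off between answers C and B.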

Comments

dev62
Highly Voted 3 years, 9 months ago
The keyword is "most cost-effective connection". So ACF should be the right answer.
upvoted 13 times
jithin1234
3 years, 8 months ago
Why do you want to choose a public VIF? The question mentions "confidentiality and integrity of the data", so in my opinion it's ADE.
upvoted 1 times
walkwolf3
3 years, 8 months ago
One more proof https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect-vpn.html
upvoted 2 times
Homosapien
3 years, 8 months ago
Neither public nor private VIFs are encrypted. You need to use a VPN tunnel to secure your connection. To use AWS Site-to-Site VPN you need to use a public VIF. If you are using a software VPN hosted on EC2, then you use a private VIF. However, software VPNs are more costly than AWS Site-to-Site VPN.
upvoted 4 times
wahlbergusa
3 years, 8 months ago
Because "confidentiality and integrity" refers to an IPsec VPN tunnel. And if you want to set up an IPsec VPN over Direct Connect between a VGW and a CGW, it is supported only through a public VIF. => https://aws.amazon.com/premiumsupport/knowledge-center/create-vpn-direct-connect/ Having said that, ADE could be an option for being cheaper; however, I still have doubts on "D" because it does not explicitly mention Direct Connect in the sentence (compared to C).
upvoted 2 times
arhelp
Most Recent 1 year, 5 months ago
I get that VPN travels over the public internet. When you set up a site-to-site VPN, there is no option for a public virtual interface. ChatGPT: When AWS refers to a "public virtual interface" (VIF) in the context of AWS Direct Connect, it is referring to a connection that enables access to AWS public services across the AWS network. A public VIF is not about creating a Virtual Private Network (VPN) but rather about providing a path to reach AWS services (such as Amazon S3, DynamoDB, or any other service accessible over the public internet) without traversing the public internet.
upvoted 1 times
arhelp
1 year, 6 months ago
You're trying to establish a connection to your VPC. This should be a private VIF not a public VIF.
upvoted 1 times
joanneli77
2 years, 7 months ago
Selected Answer: ADE
A VPN goes to AWS on the public side and does not land on a VGW. You'd need an IGW for the data to go from VPN termination into your VPC. The best solution is to keep private data private; I hate to use an EC2 to terminate a VPN, but for migration purposes, as this question states, it is temporary. The private pathway would be CGW->DX->private-vif->VGW->EC2 (terminate VPN from CGW). ADE.
upvoted 2 times
sapien45
3 years, 3 months ago
"need to secure the security" ACF
upvoted 1 times
namirmatar
3 years, 8 months ago
There are 2 possible combinations:
- ACF: if you want to connect an AWS S2S VPN over AWS Direct Connect, it will be connected via a public VIF.
- ADE: if you want to connect an EC2-based software VPN over AWS Direct Connect, it will be connected via a private VIF.
An EC2-based software VPN might be cheaper than the AWS S2S managed service VPN, so ADE might be a better solution in this case.
upvoted 2 times
hannibal1969
2 years, 6 months ago
I agree with you. ADE seems more unrealistic to me. If you have confidential data, want encryption in transit and have a Direct Connect connection, would it be realistic to set up a cheaper EC2 VPN option (where you are alone when a vulnerability is inside your cheap EC2 VPN) instead of a fully AWS-managed VPN solution?
upvoted 1 times
ChauPhan
3 years, 9 months ago
A. Set up a VPC with a virtual private gateway. D. Configure a private virtual interface to the virtual private gateway. F. Set up an IPsec tunnel between your customer gateway appliance and the virtual private gateway.
upvoted 1 times
learnwithaniket
3 years, 7 months ago
IPsec requires a public VIF. It does not work with a private VIF.
upvoted 2 times
Nimolee
3 years, 9 months ago
ADE is correct in my opinion, as the keyword here is "most cost-effective". Running an EC2 VPN instance is much cheaper than using the managed VPN of the Virtual Private Gateway: 1) the instance charge is cheaper than the per-hour charge of the managed VPN; 2) traffic from the EC2 instance VPN is charged as Direct Connect out traffic, but the VPN GW is more expensive.
upvoted 2 times
awspro2021
3 years, 9 months ago
A. Set up a VPC with a virtual private gateway. C. Configure a public virtual interface on your Direct Connect connection. E. Set up an IPsec tunnel between your customer gateway and a software VPN on Amazon EC2 in the VPC.
upvoted 1 times
eeghai7thioyaiR4
3 years, 9 months ago
ACF. Why use a custom software VPN on an EC2 instance when you could use a virtual private gateway?
upvoted 1 times
Nimolee
3 years, 9 months ago
Because using an EC2 instance for VPN is cheaper than the managed VPN.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other