Exam ANS-C00 topic 1 question 5 discussion

It is C. Once Amazon allocates a network range for your DX, that becomes your range and Amazon will not re-advertise your range to other customers. However all Amazon owned addresses can reach you. For eg: EC2, NAT GW etc

"C" is the right answer.

I think it is A. If AWS assign AWS-owned IP address it will fall into one of the Aggregated ranges, which would make it globally reachable.

Correct Answer A

Key here is that customer is requesting Public IPs but it won't change the fact that AWS won't publish prefixes learned from customer to either other customers or internet even if the public IPs were provided by AWS. That leaves only C as possible answer. https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html#no-export-bgp-communities-privatre-transit AWS Direct Connect keeps prefixes advertised by customers within the Amazon network. We do not re-advertise customer prefixes learned from a public VIF to any of the following: Other AWS Direct Connect customers Networks that peer with the AWS Global Network Amazon's transit providers

224:9100—Local AWS Region • 7224:9200—All AWS Regions for a continent • North America–wide • Asia Pacific • Europe, the Middle East and Africa • 7224:9300—Global (all public AWS Regions) Default As explained here, if you don't use any BGP community, the propagation of the route will be global, that is, anyone on the internet can access it. In other words, A may be the correct answer.

I actually think the answer should be A. The key is that the prefix is allocated by AWS to you as for the public VIF. Therefore, those would be public v4 or v6 range, which from the aggregated range from AWS. The said range would be advertised to transit provider over internet already hence it also means your IP is reachable via AWS from the internet, as well as anywhere from the AWS network. This is a pubic VIF, so it does not limited to a specific region.

"C" is the right answer.

C. EC2 instances in the same region with access to the Internet could directly reach the router.

The answer is C My answer is based on the information provided in below link where, minimal control that can be applied is to control regional prefixes with community 7224:8100, which means regional visibility is possible. https://aws.amazon.com/premiumsupport/knowledge-center/control-routes-direct-connect/

It is C, for sure. About Public VIF - "Once AWS receives a BGP announcement from you, all network traffic from AWS destined to the announced prefix will be routed via AWS Direct Connect. This includes traffic from other AWS customers using public or Elastic IP addresses on their Amazon Elastic Compute Cloud(EC2) instances, traffic routed via NAT gateways, AWL Lambda functions that make outbound connections, and more."

Agree with C.

Passed the exam with 98x score a few months back. A. No. Public VIF IPv4 are by default advertised within the region only. B. No. D. No VPCe mentioned in question. C. Yes. An EC2 instance in the SAME region with an AWS assigned EIP/Public IPv4 address could reach this Public VIF. This is AWS' state this clearly in documentation, refer to Transit Gateway/Direct Connect Gateway reinvent video's for a better understanding. The misdirect. DXGW is a regional construct with cross-region VPC support. DX Public VIFs inherit the local-region attribute of DX links. The question key point is asking what concern is valid and should be addressed. Protecting the that particular Public VIF landing should be. AWS DX Design 101: Create a small subnet for hosting/terminating DX/TG constructs, leave the NACLs open > yes open > the rest of the VPC services are protected by NACLs/SGs, etc. If your wondering why open NACLs, even single traffic flow would need to be identified and very quickly you would exhaust the NACL line limts. In simple terms, clear the room and leave no chairs, that way there is nowhere to sit down apart from the floor, which is fine because everything else is the next room.

A its correct answer Resolution To connect to AWS resources that are reachable by a public IP address (such as an Amazon Simple Storage Service bucket) or AWS public endpoints, use a public virtual interface. With a public virtual interface, you can: Connect to all AWS public IP addresses globally. Create public virtual interfaces in any DX location to receive Amazon’s global IP routes. Access publicly routable Amazon services in any AWS Region (except the AWS China Region). https://aws.amazon.com/premiumsupport/knowledge-center/public-private-interface-dx/

C is right

B is wrong because: "AWS does not re-advertise customer prefixes to other customers that have been received over AWS Direct Connect public VIFs." C is correct because: Once AWS receives a BGP announcement from you, all network traffic from AWS destined to the announced prefix will be routed via AWS Direct Connect. This includes traffic from other AWS customers using public or Elastic IP addresses on their Amazon Elastic Compute Cloud (Amazon EC2) instances, traffic routed via Network Address Translation (NAT) gateways, AWS Lambda functions that make outbound connections, and more

Answer should be A. AWS Direct Connect advertises all local and remote AWS Region prefixes where available, and includes on-net prefixes from other AWS non-region points of presence (POPs) where available, such as Amazon CloudFront or Amazon Route 53. Direct Connect supports a range of Border Gateway Protocol (BGP) community tags to help control the scope (regional, continent, or global) of routes advertised and received over a public VIF. Reference: https://aws.amazon.com/premiumsupport/knowledge-center/control-routes-direct-connect/