A company has 225 mobile and desktop devices and 300 partner VPNs that need access to an AWS VPC. VPN users should not be able to reach one another. Which approach will meet the technical and security requirements while minimizing costs?
A. Use the AWS IPsec VPN for the mobile, desktop, and partner VPN connections. Use network access control lists (Network ACLs) and security groups to maintain routing separation.
B. Use the AWS IPsec VPN for the partner VPN connections. Use an Amazon EC2 instance VPN for the mobile and desktop devices. Use Network ACLs and security groups to maintain routing separation.
C. Create an AWS Direct Connect connection between on-premises and AWS. Use a public virtual interface to connect to the AWS IPsec VPN for the mobile, desktop, and partner VPN connections.
D. Use an Amazon EC2 instance VPN for the desktop, mobile, and partner VPN connections. Use features of the VPN instance to limit routing and connectivity.
Option D is incomplete. It must be: "Use an Amazon EC2 instance VPN for the desktop, mobile, and partner VPN connections. Use features of the VPN instance to limit routing and connectivity." My opinion of the correct answer is D.
By elimination: A can't be correct since mobile/desktops can't use AWS VPN; B can't be correct, since NACLs will not control traffic between edges (CGW-bound nets); C: we don't need Direct Connect in this case. D seems correct to me.
No distinction is made between site-to-site versus client VPN solutions. That implies it's all site-to-site. The question is outdated and should include the distinction.
B is correct. Partners imply an on-prem facility; it says they need access to your VPC, much the same as your own on-prem: you create a VPN onto your VPC. Mobile devices are small and EC2 can handle the load; it's a clean routing solution.
I go with B.
According to https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-limits.html
Site-to-Site VPN resources
Customer gateways per Region: 50
Virtual private gateways per Region: 5
You can attach only one virtual private gateway to a VPC at a time...
Site-to-Site VPN connections per Region: 50
Site-to-Site VPN connections per virtual private gateway: 10
This is about one VPC. You can only attach one VGW to it. The VGW can only have 10 VPNs. The limit is 10 not 50 in my opinion. But anyway, this makes B incorrect.
However, with option B, having 300 VPNs with non-overlapping blocks is difficult. This would create a CloudHub VPN; I am not sure how NACL/SG restrictions will be applied to avoid cross-communication.
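A pre-flight check for the two constraints argued over in the comments above (disjoint partner address blocks, and the number of Site-to-Site VPN connections one virtual private gateway may carry), added here as an example; it is not code from the original discussion or from AWS. The quota value, the partner names and the CIDRs are assumptions and constructed sample data; pass the quota you have verified for your own account. One caveat a practitioner should keep in mind: a VGW with several Site-to-Site VPN connections is exactly the CloudHub topology, whose purpose is to route between the spokes, so passing this check says nothing about the "VPN users should not be able to reach one another" requirement.

```python
"""Pre-flight check for a hub-and-spoke Site-to-Site VPN design (added example).

Checks two things the thread argues about:
  1. every partner's remote CIDR is disjoint from the VPC CIDR and from every
     other partner's CIDR (route propagation on one VGW cannot keep overlapping
     prefixes apart);
  2. the number of connections on one VGW stays within the service quota.
Quota value, partner names and CIDRs below are assumptions / constructed data.
"""
import ipaddress
from itertools import combinations

# Assumed quota: Site-to-Site VPN connections per virtual private gateway.
# The thread cites both 10 and 50; supply the value you have verified.
DEFAULT_VPN_PER_VGW = 10


def check_vpn_plan(vpc_cidr, partner_cidrs, vpn_per_vgw=DEFAULT_VPN_PER_VGW):
    """Return a report dict describing overlaps and quota pressure.

    partner_cidrs: mapping of partner name -> CIDR string of the partner's
    on-prem network that will be reachable through its VPN connection.
    strict=True rejects CIDRs with host bits set (e.g. 10.0.1.0/16).
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = {name: ipaddress.ip_network(c, strict=True)
            for name, c in partner_cidrs.items()}

    # Partners whose block collides with the VPC itself.
    vpc_overlaps = sorted(name for name, n in nets.items() if n.overlaps(vpc))

    # Pairs of partners whose blocks collide with each other (name-ordered).
    partner_overlaps = sorted(
        (a, b)
        for (a, na), (b, nb) in combinations(sorted(nets.items()), 2)
        if na.overlaps(nb)
    )

    count = len(nets)
    vgws_needed = -(-count // vpn_per_vgw)  # ceiling division
    return {
        "vpc_overlaps": vpc_overlaps,
        "partner_overlaps": partner_overlaps,
        "connections": count,
        # Only one VGW can be attached to a VPC, so exceeding the per-VGW
        # quota means the design does not fit a single VPC behind a VGW.
        "fits_one_vgw": count <= vpn_per_vgw,
        "vgws_needed": vgws_needed,
        "ok": not vpc_overlaps and not partner_overlaps and count <= vpn_per_vgw,
    }


# Constructed sample: twelve partners in 172.16/16 .. 172.27/16, then one
# partner re-pointed at another partner's block and one placed inside the VPC.
SAMPLE_VPC = "10.0.0.0/16"
SAMPLE_PARTNERS = {f"partner{i:02d}": f"172.{16 + i}.0.0/16" for i in range(12)}
SAMPLE_PARTNERS["partner11"] = "172.20.0.0/16"   # same block as partner04
SAMPLE_PARTNERS["partner_bad"] = "10.0.8.0/21"   # sits inside the VPC CIDR

if __name__ == "__main__":
    report = check_vpn_plan(SAMPLE_VPC, SAMPLE_PARTNERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample data the report flags partner_bad against the VPC, partner04/partner11 against each other, and 13 connections against an assumed quota of 10; fix the CIDR plan before touching the console rather than discovering the collision when route propagation silently prefers one prefix.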
You can have up to fifty (50) Site-to-Site VPN connections per virtual gateway.
One VPC can have only one VGW attached, so each VPC can have up to 50 AWS VPN connections
And that simply eliminates A&B
Answer is D
Guys, this is the complete question with complete answers, and the correct answer as per the book is B.
Book: AWS Certified Advanced Networking – Specialty By Saransh Paliwal
A company has 225 mobile and desktop devices and 300 partner VPNs that need access to an AWS VPC. VPN users should not be able to reach one another. Which approach will meet the technical and security requirements while minimizing costs?
A. Use the AWS IPsec VPN for the mobile, desktop, and partner VPN connections. Use network access control lists (Network ACLs) and security groups to maintain routing separation.
B. Use the AWS IPsec VPN for the partner VPN connections. Use an Amazon EC2 instance VPN for the mobile and desktop devices. Use Network ACLs and security groups to maintain routing separation.
C. Create an AWS Direct Connect connection between on-premises and AWS. Use a public virtual interface to connect to the AWS IPsec VPN for the mobile, desktop, and partner VPN connections.
D. Use an Amazon EC2 instance VPN for the desktop, mobile, and partner VPN connections. Use features of the VPN instance to limit routing and connectivity.
Correct Answer: B
Looks like this book has most of the questions and answers in a complete sense. But the answers may or may not be right. At least we can use it to complete any questions or answers that may be missing so we can better answer the questions as a group.
It is not an official book. The answers to these questions have the same source throughout all the web pages on the internet. ExamTopics or other websites get the answers from a 3rd party and they are usually wrong for AWS exams. So do not trust the answers; focus on the discussion part.
B seems to make some sense but there are two issues: 1) "Use Network ACLs and security groups to maintain routing separation" does not apply to the edges; 2) VPN connections per VPC = 50. Therefore, we are left with D.
More digging on the subject indicates that client VPN offers granular control — It enables you to implement custom security controls by defining network-based access rules. These rules can be configured at the granularity of Active Directory groups. You can also implement access control using security groups.
B or D, I am not sure.
B: a Marketplace instance like OpenVPN for client-to-site VPN and a VGW with IPsec for site-to-site VPN. The downside is the 1.25 Gb/s limit on the VGW (a technical bottleneck for 300 partners with IPsec encryption/decryption).
D: a Marketplace appliance on an instance will scale to 2.5 Gb/s, and you can scale up too by adding more. But D doesn't have IPsec.
Community vote distribution: A (35%), C (25%), B (20%), other.
Comment authors and posting times: samiraninside (Highly Voted, 3 years, 8 months ago); simpler (Highly Voted, 3 years, 8 months ago); PavanKushwah123 (Most Recent, 2 years, 5 months ago); joanneli77 (2 years, 7 months ago); AzureDP900 (3 years, 4 months ago); FarrowsBight (3 years, 5 months ago); ceros399 (3 years, 6 months ago); Cyril_the_Squirl (3 years, 7 months ago); Vlan (3 years, 7 months ago); Huntkey (3 years, 7 months ago); sapien45 (3 years, 2 months ago); Huntkey (3 years, 7 months ago); Smart (3 years, 7 months ago); Smart (3 years, 7 months ago); PeppaPig (3 years, 7 months ago); Malicaide (3 years, 7 months ago); Malicaide (3 years, 7 months ago); certificatores (3 years, 7 months ago); Johnny_Green (3 years, 7 months ago); Johnny_Green (3 years, 8 months ago); backfringe (3 years, 8 months ago); Orel (3 years, 8 months ago); Ajani (3 years, 8 months ago).