Member, March 4, 2021 at 10:48 am
Category: CSAP – Continuous Improvement for Existing Solutions
A stocks brokerage firm hosts its legacy application on Amazon EC2 in a private subnet of its Amazon VPC. The application is accessed by the employees from their corporate laptops through a proprietary desktop program. The company network is peered with the AWS Direct Connect (DX) connection to provide a fast and reliable connection to the private EC2 instances inside the VPC. To comply with the strict security requirements of financial institutions, the firm is required to encrypt its network traffic that flows from the employees’ laptops to the resources inside the VPC.
Which of the following solutions will comply with this requirement while maintaining the consistent network performance of Direct Connect?
Refer to the image attached.
To connect to services such as EC2 using just Direct Connect you need to create a private virtual interface. However, if you want to encrypt the traffic flowing through Direct Connect, you will need to use the public virtual interface of DX to create a VPN connection that will allow access to AWS services such as S3, EC2, and other services.
So my answer was wrong – in red. The correct answer in green says … VPC with the BGP protocol… but BGP protocol does not protect the data in transit it seems – please clarify
Member, March 7, 2021 at 10:47 pm
Thank you for your feedback.
This question requires that the users’ connection from the on-premises network to AWS is encrypted and should go through the Direct Connect connection.
Using the current Direct Connect connection, create a new public virtual interface and input the network prefixes that you want to advertise. Create a new site-to-site VPN connection to the VPC over the Internet. Configure the employees’ laptops to connect to this VPN.
>> This option is incorrect because you need to establish the VPN connection through the Direct Connect connection. This does not satisfy the requirement of “maintaining the consistent network performance of Direct Connect”.
As stated in the correct answer:
Using the current Direct Connect connection, create a new public virtual interface –> needed to create a VPN connection to encrypt traffic.
VPN connection to the VPC with the BGP protocol using the DX connection. –> the requirement on the question needs to use the Direct Connect connection.
but BGP protocol does not protect the data in transit it seems – please clarify –> BGP is a routing protocol used to advertise network routes dynamically. Routers with BGP talk to each other to determine their routing tables. This communication is not encrypted. That is why you are creating a site-to-site VPN connection. Traffic will flow through this VPN tunnel and any data that flows through it is encrypted. BGP itself does not carry any important information, it just carries and advertises routing tables to its network peer.
Hope this helps.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!
Kenneth Samonte @ Tutorials Dojo
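An added check (my own example, not Tutorials Dojo's or AWS's code) for the point made in the reply above: the VPN tunnel provides the encryption and BGP only advertises routes, so what a defender verifies is that each AWS-side tunnel endpoint is reached through a prefix AWS advertises over the DX public VIF rather than through the default route to the Internet. It assumes a constructed `describe-vpn-connections` sample and a constructed list of prefixes learned on the public VIF BGP session, standing in for live CLI and router output.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-vpn-connections` output
# (only the fields this check reads). Addresses are from documentation ranges.
DESCRIBE_VPN_OUTPUT = json.dumps({
    "VpnConnections": [{
        "VpnConnectionId": "vpn-0example",
        "Options": {"StaticRoutesOnly": False},  # False => BGP (dynamic) routing
        "VgwTelemetry": [
            {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 2},
            {"OutsideIpAddress": "198.51.100.20", "Status": "UP", "AcceptedRouteCount": 2},
        ],
    }]
})

# Constructed: prefixes received from AWS on the DX public VIF BGP session
# (in practice read from the edge router's BGP table for that neighbor).
DX_LEARNED_PREFIXES = ["203.0.113.0/24", "192.0.2.0/24"]

def audit_vpn_over_dx(describe_json: str, dx_prefixes: list[str]) -> list[dict]:
    """One finding per tunnel: is its AWS endpoint inside a DX-learned prefix?"""
    nets = [ipaddress.ip_network(p) for p in dx_prefixes]
    findings = []
    for conn in json.loads(describe_json)["VpnConnections"]:
        uses_bgp = not conn.get("Options", {}).get("StaticRoutesOnly", False)
        for tun in conn["VgwTelemetry"]:
            ep = ipaddress.ip_address(tun["OutsideIpAddress"])
            # Longest-prefix match: a DX-learned /24 beats the 0.0.0.0/0 Internet route.
            via_dx = next((str(n) for n in nets if ep in n), None)
            findings.append({
                "vpn": conn["VpnConnectionId"],
                "endpoint": str(ep),
                "up": tun["Status"] == "UP",
                "bgp": uses_bgp,
                # Traffic is encrypted either way; only a DX-covered endpoint keeps DX performance.
                "via_dx_prefix": via_dx,
            })
    return findings

def compliant(findings: list[dict]) -> bool:
    """All tunnels up, BGP-routed, and reachable through a DX-advertised prefix."""
    return all(f["up"] and f["bgp"] and f["via_dx_prefix"] for f in findings)

if __name__ == "__main__":
    for f in audit_vpn_over_dx(DESCRIBE_VPN_OUTPUT, DX_LEARNED_PREFIXES):
        print(f)
```

In the sample the second tunnel's endpoint is not covered by any DX-learned prefix, so it would fall back to the Internet path and the connection fails the "consistent DX performance" requirement even though it is still encrypted.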