DX is not quick to set up

  • PeterMescher

    Member
    March 8, 2023 at 10:55 am

    “A government agency has multiple VPCs in various AWS regions across the United States that need to be linked up to an on-premises central office network in Washington, D.C. The central office requires inter-region VPC access over a private network that is dedicated to each region for enhanced security and more predictable data transfer performance. Your team is tasked to quickly build this network mesh and to minimize the management overhead to maintain these connections.”

    The correct answer has Direct Connect in it, but Direct Connect fails to meet the requirement that this be quickly built. Connecting to an on-premises network (vs. one located in a Partner Location) via Direct Connect can take months. Something that must be built quickly will have to use VPNs, which of course conflicts with the predictable data transfer performance requirement.

  • Kenneth-Samonte-Tutorials-Dojo

    Member
    March 18, 2023 at 5:11 pm

    Hi PeterMescher,

    Thank you for your feedback.

    Yes, the word “quickly” appears in the question, but there are also other requirements regarding “secure, highly available, durable” and “private network that is dedicated to each region, and predictable data transfer performance”. So we have to choose, among the choices, the closest we can get to those requirements as quickly as possible.

    With regard to choosing the correct answer, we can use the process of elimination:

    “Create a link aggregation group (LAG) in the central office network to aggregate multiple connections at a single AWS Direct Connect endpoint in order to treat them as a single, managed connection. Use AWS Direct Connect Gateway to achieve inter-region VPC access to all of your AWS resources. Create a virtual private gateway in each VPC and then create a public virtual interface for each AWS Direct Connect connection to the Direct Connect Gateway.”

    >> incorrect because you can only create a private virtual interface to a Direct Connect gateway and not a public virtual interface.

    “Implement a hub-and-spoke network topology in each region that routes all traffic through a network transit center using AWS Transit Gateway. Route traffic between VPCs and the on-premise network over AWS Site-to-Site VPN.”

    >> incorrect because the requirement “private network that is dedicated to each region” is not fulfilled.

    “Enable inter-region VPC peering which allows peering relationships to be established between VPCs across different AWS regions. This will ensure that the traffic will always stay on the global AWS backbone and will never traverse the public Internet.”

    >> incorrect because this would require a lot of manual setup and management overhead to successfully build a functional, error-free inter-region VPC network compared with just using a Direct Connect Gateway.

    So the only option left is “Utilize AWS Direct Connect Gateway for inter-region VPC access. Create a virtual private gateway in each VPC, then create a private virtual interface for each AWS Direct Connect connection to the Direct Connect gateway.”

    It is the only option that fulfills the requirements in the question: a fast, dedicated private network link for each region VPC, with predictable transfer performance. Direct Connect ticks all these boxes.

    A VPN can’t satisfy the requirements because it traverses a normal internet connection, it is not a dedicated network link, and the network performance may not be consistent.

    Additionally, when you request an AWS Direct Connect link, it can take up to 72 hours for AWS to review your request and provision a port for your connection. I believe this is still a quick turnaround for data center scenarios.

    Reference link: https://docs.aws.amazon.com/directconnect/latest/UserGuide/getting_started.html

    Hope this helps.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!

    Regards,

    Kenneth Samonte @ Tutorials Dojo
