Forum thread (AWS Certified Solutions Architect Professional): need of vpn in this answer?
-
An enterprise plans to create a new cloud deployment that will be used by several project teams. The network must be designed so that it allows autonomy for the administrators of the individual AWS accounts to modify their route tables freely. However, the company wants to monitor outbound traffic so it is required to have a centralized and controlled egress Internet connection for all accounts. As more teams are expected to join this deployment, the organization is expected to grow into thousands of AWS accounts.
Which of the following options should the Solutions Architect implement to meet the company requirements?
correct answer:
- Create a shared transit gateway. Have each spoke VPC connect to the transit gateway. Use a fleet of firewalls, each with a VPN attachment to the transit gateway, to route the outbound Internet traffic.
What is the need of putting AWS VPN here? Why do we need a VPN to connect two VPCs via a shared transit gateway?
-
I came here to post this exact same question. There is no sense in using a VPN to connect a VPC to a TGW; this answer is not only wrong but also misleading. The links to the documentation posted in the answer contain no reference to using a VPN to connect internal AWS resources.
This is not the first time I have encountered wrong or unclear answers in the SA Pro (unlike SAA) and it is getting frustrating.
-
Hi @AWSPro21, and sac,
Thank you for pointing this out. VPN is indeed not needed concerning what the scenario is asking. Typically, when using a shared transit gateway in AWS, direct VPC attachments to the transit gateway are sufficient for communication between VPCs. Using VPN attachments to the transit gateway is not required unless a secure connection is needed.
We’ll make sure to review this question and make the necessary corrections.
Regards,
Neil @ Tutorials Dojo
-
Hello AWSPro21 and sac,
There are different architectures recommended by AWS for designing centralized egress traffic to the internet. The first option is to use a NAT Gateway (if you have resources in private subnets) along with a Transit Gateway. The second option is to provision a virtual appliance on an EC2 instance (in place of the NAT Gateway) and Transit Gateway. Typically, this setup is done when you want to have Intrusion Prevention/Detection System (IPS/IDS) capabilities. However, this setup has some drawbacks, such as a lack of support for failure detection (depends on the vendor you’re using), difficulty in horizontal scaling, and bandwidth limit. As a workaround, AWS used to recommend attaching an IPsec VPN to TGW instead of a VPN attachment. IPsec VPN leverages the failure detection capabilities of BGP and makes scaling a bit easier to manage. This is what the question is referring to regarding the VPN attachment.
However, please note that this type of design is quite outdated, and AWS now actually recommends using Gateway Load Balancer in place of the IPsec VPN attachments. We’ll make sure to update this question to correct the issue.
Regards,
Carlo @ Tutorials Dojo
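The requirement in the question ("autonomy for the administrators of the individual AWS accounts to modify their route tables freely" together with "a centralized and controlled egress Internet connection for all accounts") has a practical consequence that the thread does not spell out: a spoke administrator who can edit route tables can also point 0.0.0.0/0 at a locally attached Internet gateway or NAT gateway and route around the egress VPC entirely, whether that egress VPC uses a NAT Gateway, an EC2 appliance, IPsec VPN attachments or a Gateway Load Balancer as Carlo describes. The following is an added example written for this edit, not code from the thread or from Tutorials Dojo: a small audit that takes route tables in the shape returned by the EC2 DescribeRouteTables API and flags any spoke table that bypasses the shared transit gateway. The transit gateway ID, the VPC and route-table IDs and the route entries are all constructed sample data.

```python
"""Audit spoke-VPC route tables for bypasses of a centralized TGW egress path.

Added example. Input is a list of route tables in the shape of the EC2
DescribeRouteTables response; the data below is constructed, not from a real
account. The only assumption is that every spoke's default route should be an
active route to one shared transit gateway (SHARED_TGW_ID).
"""
import ipaddress

# Hypothetical ID of the shared transit gateway every spoke must egress through.
SHARED_TGW_ID = "tgw-0123456789abcdef0"

# Constructed sample input (constructed IDs and CIDRs).
SAMPLE_ROUTE_TABLES = [
    {   # compliant spoke: default route goes to the shared TGW
        "RouteTableId": "rtb-aaaa",
        "VpcId": "vpc-spoke-a",
        "Routes": [
            {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": SHARED_TGW_ID, "State": "active"},
        ],
    },
    {   # non-compliant spoke: an admin attached an IGW and pointed the default route at it
        "RouteTableId": "rtb-bbbb",
        "VpcId": "vpc-spoke-b",
        "Routes": [
            {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0fedcba9876543210", "State": "active"},
        ],
    },
    {   # TGW default route is blackholed and a local NAT gateway carries a specific prefix
        "RouteTableId": "rtb-cccc",
        "VpcId": "vpc-spoke-c",
        "Routes": [
            {"DestinationCidrBlock": "10.3.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": SHARED_TGW_ID, "State": "blackhole"},
            {"DestinationCidrBlock": "203.0.113.0/24", "NatGatewayId": "nat-0abc", "State": "active"},
        ],
    },
]


def route_target(route):
    """Return (kind, id) for a route's next hop, whichever target field the API populated."""
    for key, kind in (("TransitGatewayId", "tgw"), ("GatewayId", "gateway"),
                      ("NatGatewayId", "nat"), ("InstanceId", "instance"),
                      ("NetworkInterfaceId", "eni"), ("VpcPeeringConnectionId", "pcx")):
        if key in route:
            return kind, route[key]
    return "unknown", None


def audit_route_table(rtb, shared_tgw_id):
    """Classify one route table. Returns a list of finding strings; empty means compliant."""
    findings = []
    has_tgw_default = False
    for route in rtb.get("Routes", []):
        cidr = route.get("DestinationCidrBlock")
        if not cidr:
            continue  # IPv6 and prefix-list routes are out of scope for this IPv4 check
        kind, target = route_target(route)
        is_default = ipaddress.ip_network(cidr).prefixlen == 0
        if kind == "gateway" and target and target.startswith("igw-"):
            # Any route to an Internet gateway in a spoke skips the egress VPC entirely.
            findings.append(f"{rtb['RouteTableId']}: {cidr} -> {target} bypasses central egress")
        elif kind == "nat":
            # A spoke-local NAT gateway is its own uninspected path to the Internet.
            findings.append(f"{rtb['RouteTableId']}: {cidr} -> {target} local NAT bypasses central egress")
        elif is_default and kind == "tgw" and target == shared_tgw_id and route.get("State") == "active":
            has_tgw_default = True
    if not has_tgw_default:
        findings.append(f"{rtb['RouteTableId']}: no active 0.0.0.0/0 route via {shared_tgw_id}")
    return findings


def audit(route_tables, shared_tgw_id=SHARED_TGW_ID):
    """Audit every table; returns {RouteTableId: [findings]} for non-compliant tables only."""
    report = {}
    for rtb in route_tables:
        findings = audit_route_table(rtb, shared_tgw_id)
        if findings:
            report[rtb["RouteTableId"]] = findings
    return report


if __name__ == "__main__":
    for rtb_id, findings in audit(SAMPLE_ROUTE_TABLES).items():
        for line in findings:
            print(line)
```

In a real deployment the input would come from `describe_route_tables` in each spoke account (assumed via a cross-account role), and the audit is only a detective control: to make the egress path actually mandatory, pair it with a service control policy on the spoke OUs that denies `ec2:CreateInternetGateway`, `ec2:AttachInternetGateway` and `ec2:CreateNatGateway`, so that "freely modify their route tables" cannot become "route around the firewalls".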
-
Hi Carlo:
Today is June 8th, 2024. The question is not updated according to the GW Load Balancer architecture. Please update the question. Thanks.
-
Hello Tanmay,
Apologies for the delay.
We’ve already incorporated the required changes. It should be updated once our admin has reviewed it.
Let me know if you have additional questions.
Regards,
Carlo Acebedo
-