  • Review Mode Practice Test 2 – Q68

  • ClaireS

    Member
    May 27, 2021 at 5:48 pm

    Hi,

    The question describes a pure AWS Cloud architecture and does not include any description of a Hybrid architecture, so I’m confused why the answer relates to a VPN connection. What am I missing?

    Thanks,

    Claire

  • ClaireS

    Member
    May 27, 2021 at 6:03 pm

    Please find attached the question.

  • Kenneth-Samonte-Tutorials-Dojo

    Member
    May 27, 2021 at 9:18 pm

    Hi ClaireS,

    Thank you for your feedback.

    I understand that there is no “Hybrid architecture” mentioned in the question to merit an answer which requires a VPN.

    However, please note that questions in the actual AWS exam are difficult, tricky, and ambiguous. This is the style that we are trying to mimic in our practice tests, so revising questions will need to retain a level of difficulty without explicitly showing the obvious keywords such as “Hybrid architecture”.

    For the scenario in this question, you can refer to this AWS document (scroll to the lower part of the page): https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-egress-to-internet.html

    That being said, here is how I would approach this question.

    The question states “the company wants to monitor outbound traffic so it is required to have a centralized and controlled egress Internet connection for all accounts” which can indicate that all traffic going to the internet will be monitored by the company using a custom solution (or firewall). Although AWS has NACLs and routing configurations that allow you to do this for egress traffic, these options are limited.

    As shown in the above AWS link, there are Firewall instances that will filter the egress traffic of other VPCs.

    “If the vendor you choose for egress traffic inspection doesn’t support automation for failure detection, or if you need horizontal scaling, you can use an alternative design. In this design (Figure 13), we don’t create a VPC attachment on the transit gateway for egress VPC, instead, we create an IPsec VPN attachment and create an IPsec VPN from Transit Gateway to the EC2 instances leveraging BGP to exchange routes.”

    Using a VPN connection is not just limited to Hybrid architecture scenarios. VPNs can still be used on AWS to AWS scenarios too.

    Hope this helps.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!

    Regards,

    Kenneth Samonte @ Tutorials Dojo
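    The design quoted above (a Transit Gateway reaching the EC2 firewall instances over an IPsec VPN attachment, with BGP carrying the default route) can be written down as a Terraform configuration. This is an added example and is not code from the thread, the whitepaper, or Tutorials Dojo; it assumes the firewall instance's Elastic IP (`aws_eip.fw`), a spoke VPC and subnet (`aws_vpc.spoke`, `aws_subnet.spoke`) and the ASN values are defined elsewhere.

    ```hcl
    # Added example, not from the thread or the AWS whitepaper. Assumed to exist
    # elsewhere: aws_eip.fw (firewall public IP), aws_vpc.spoke, aws_subnet.spoke.

    # The hub: a Transit Gateway with its own BGP ASN (value is an assumption).
    resource "aws_ec2_transit_gateway" "hub" {
      amazon_side_asn                 = 64512
      default_route_table_association = "disable"
      default_route_table_propagation = "disable"
    }

    # The EC2 firewall is modelled as a "customer gateway": its public IP and
    # the ASN it speaks BGP with (65000 is an assumed private ASN).
    resource "aws_customer_gateway" "fw" {
      bgp_asn    = 65000
      ip_address = aws_eip.fw.public_ip
      type       = "ipsec.1"
    }

    # The IPsec VPN attachment from the TGW to the firewall. static_routes_only
    # = false means BGP, not static routes, carries the 0.0.0.0/0 advertisement.
    resource "aws_vpn_connection" "tgw_to_fw" {
      customer_gateway_id = aws_customer_gateway.fw.id
      transit_gateway_id  = aws_ec2_transit_gateway.hub.id
      type                = "ipsec.1"
      static_routes_only  = false
    }

    # Spoke VPC attachment: the spoke has no Internet Gateway of its own, so
    # its only path out is the TGW.
    resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
      subnet_ids         = [aws_subnet.spoke.id]
      transit_gateway_id = aws_ec2_transit_gateway.hub.id
      vpc_id             = aws_vpc.spoke.id
    }

    # Route table used by spokes: routes learned over BGP from the firewall
    # (its default route) are propagated in, so all egress goes via the VPN.
    resource "aws_ec2_transit_gateway_route_table" "spokes" {
      transit_gateway_id = aws_ec2_transit_gateway.hub.id
    }

    resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
      transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke.id
      transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
    }

    resource "aws_ec2_transit_gateway_route_table_propagation" "fw_routes" {
      transit_gateway_attachment_id  = aws_vpn_connection.tgw_to_fw.transit_gateway_attachment_id
      transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
    }
    ```

    The firewall instance itself must advertise 0.0.0.0/0 over BGP and have source/destination checking disabled, which is outside this fragment; the point is that the spoke's only route to the Internet is the VPN attachment, so every outbound flow passes the firewall.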

  • ClaireS

    Member
    May 28, 2021 at 12:57 am

    Hi Kenneth,

    Thanks for your reply and the excellent rationale given. What can I say, I’m here to learn and that’s a pretty good lesson for today!

    Thanks,

    Claire

  • Carlos Ramirez

    Member
    August 1, 2023 at 7:01 am

    Hello, the new version of the whitepaper (July 2023) didn’t mention the need to create an IPsec VPN tunnel from TGW to EC2 instances.
