Find answers, ask questions, and connect with our
community around the world.

Home Forums AWS AWS Certified Solutions Architect Professional Review Mode Practice Test 2 – Q68

  • Review Mode Practice Test 2 – Q68

  • ClaireS

    May 27, 2021 at 5:48 pm


    The question describes a pure AWS Cloud architecture and does not include any description of a Hybrid architecture so I’m confused why the answer is relating to a VPN connection? What am I missing?



  • ClaireS

    May 27, 2021 at 6:03 pm

    Please find attached the question.

  • Kenneth-Samonte-Tutorials-Dojo

    May 27, 2021 at 9:18 pm

    Hi ClaireS,

    Thank you for your feedback.

    I understand that there is no “Hybrid architecture” mentioned on the question to merit an answer which requires VPN.

    However, please note that questions in the actual AWS exam are difficult, tricky, and ambiguous. This is the style that we are trying to mimic in our practice tests so revising questions will need to retain a level of difficulty without explicitly showing the obvious keywords such “Hybrid architecture”

    The scenario for this question, you can refer to this AWS document (scroll to the lower part of the page):

    That being said, here is how I would approach this question.

    The question states “the company wants to monitor outbound traffic so it is required to have a centralized and controlled egress Internet connection for all accounts” which can indicate that all traffic going to the internet will be monitored by the company using a custom solution (or firewall). Although AWS has NACLs and routing configurations that allow you to do this for egress traffic, these options are limited.

    As from the above AWS link, there are Firewall instances that will filter the egress traffic of other VPCs.

    “If the vendor you choose for egress traffic inspection doesn’t support automation for failure detection, or if you need horizontal scaling, you can use an alternative design. In this design (Figure 13), we don’t create a VPC attachment on the transit gateway for egress VPC, instead, we create an IPsec VPN attachment and create an IPsec VPN from Transit Gateway to the EC2 instances leveraging BGP to exchanges routes. “

    Using a VPN connection is not just limited to Hybrid architecture scenarios. VPNs can still be used on AWS to AWS scenarios too.

    Hope this helps.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!


    Kenneth Samonte @ Tutorials Dojo

  • ClaireS

    May 28, 2021 at 12:57 am

    Hi Kenneth,

    Thank for your reply and excellent rationale given. What can I say, I’m here to learn and that’s a pretty good lesson for today!



  • Carlos Ramirez

    August 1, 2023 at 7:01 am

    Hello, the new version of the whitepaper (July 2023) didn’t mention the need to create IPsec VPN tunnel from TGW to EC2 instances”

Viewing 1 - 5 of 5 replies

Log in to reply.

Original Post
0 of 0 posts June 2018