
  • VPN IPv6 on TGW – inconsistent explanations

  • Bob Sutterfield

    Member
    January 3, 2024 at 9:02 am

    In the course AWS Certified Advanced Networking Specialty Practice Exams ANS-C01 2023
    in Category: ANS – Network Design

    the question is

    A company needs to establish network connectivity between its Amazon VPCs and on-premises network using multiple AWS Site-to-Site VPN connections that are associated with a Transit Gateway. The Network Engineer has been assigned to increase the traffic bandwidth over multiple paths and get a higher VPN bandwidth beyond the default 1.25 Gbps limit.
    Currently, the Site-to-Site VPN connections only support IPv4 traffic. There’s a new requirement to update these VPN connections to allow IPv6 communication between the company’s AWS resources and on-premises servers.
    Which combination of steps below provides the most operationally efficient solution to satisfy the requirement? (Select TWO.)

    The explanation addresses IPv6 on TGW in three ways that are incomplete and contradictory. I’ll emphasize the problematic phrases in bold.

    First:

    Your Site-to-Site VPN connection on a transit gateway can support **either IPv4 traffic or IPv6 traffic** inside the VPN tunnels. By default, a Site-to-Site VPN connection supports IPv4 traffic inside the VPN tunnels. You can configure a new Site-to-Site VPN connection to support IPv6 traffic inside the VPN tunnels. Then, if your VPC and your on-premises network are configured for IPv6 addressing, you can send IPv6 traffic over the VPN connection.

    Second:

    The following rules apply:

    • **IPv6 addresses** are only supported for the **inside IP addresses of the VPN tunnels**. The outside tunnel IP addresses for the AWS endpoints are IPv4 addresses, and the public IP address of your customer gateway must be an IPv4 address.
    • Site-to-Site VPN connections on a virtual private gateway do not support IPv6.
    • You cannot enable IPv6 support for an existing Site-to-Site VPN connection.
    • A Site-to-Site VPN connection **cannot support both IPv4 and IPv6 traffic**.

    Third:

    The option that says: Modify all the existing Site-to-Site VPN connections to enable IPv6 support. Move all the VPN connections from the Transit Gateway to a Virtual Private Gateway is incorrect. Firstly, you cannot modify an existing IPv4 Site-to-Site VPN connection to support IPv6. You have to launch **a new Site-to-Site VPN that supports IPv6, which also implicitly allows IPv4 communication**. In addition, IPv6 is not supported on a Virtual Private Gateway.

    My assessment of those three sections:

    1. The first section says the tunnels can carry either IPv4 or IPv6, whichever was configured when the VPN was created.
      This is incorrect – the tunnels can carry both IPv4 and IPv6, if they were both configured at creation.
    2. The second section’s first rule says IPv6 inside addresses (therefore IPv6 traffic in the tunnels) are supported, and the third rule says only if the VPN was configured for IPv6 at creation.
      This is correct.

      The second section’s fourth rule says a connection cannot carry both IPv4 and IPv6 traffic.
      This is incorrect.

    3. The third section says that a VPN that’s created with IPv6 support also supports IPv4.
      This is correct.

    I suggest you change the explanation with the words I have emphasized below in bold, and remove the words I have marked with the [REMOVE] tag:

    First:

    Your Site-to-Site VPN connection on a transit gateway can support either IPv4 traffic or IPv6 traffic inside the VPN tunnels. By default, a Site-to-Site VPN connection supports **only** IPv4 traffic inside the VPN tunnels. You can configure a new Site-to-Site VPN connection to support **both IPv4 and** IPv6 traffic inside the VPN tunnels. Then, if your VPC and your on-premises network are configured for IPv6 addressing, you can send **both IPv4 and** IPv6 traffic over the VPN connection.

    Second:

    The following rules apply:

    • IPv6 addresses are only supported for the inside IP addresses of the VPN tunnels. The outside tunnel IP addresses for the AWS endpoints are IPv4 addresses, and the public IP address of your customer gateway must be an IPv4 address.
    • Site-to-Site VPN connections on a virtual private gateway do not support IPv6.
    • You cannot enable **or disable** IPv6 support for an existing Site-to-Site VPN connection.
    • **A Site-to-Site VPN connection cannot support both IPv4 and IPv6 traffic.** [REMOVE]

    Third:

    The option that says: Modify all the existing Site-to-Site VPN connections to enable IPv6 support. Move all the VPN connections from the Transit Gateway to a Virtual Private Gateway is incorrect. Firstly, you cannot modify an existing IPv4 Site-to-Site VPN connection to support IPv6. You have to launch a new Site-to-Site VPN that supports **both IPv4 and** IPv6, which also implicitly allows IPv4 communication [REMOVE]. In addition, IPv6 is not supported on a Virtual Private Gateway.

    I hope this is helpful to some future student!
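An added example, not part of the post above or of the course material it discusses: an audit script that walks the shape of an EC2 `DescribeVpnConnections` response and applies the two rules both the explanation and the reply agree on (a virtual private gateway never carries IPv6 inside the tunnels, and the inside IP version of an existing connection cannot be changed, so an IPv4 connection on a transit gateway has to be replaced rather than modified). The response is constructed sample data with placeholder resource IDs, not captured from a real account; the field names (`VpnConnectionId`, `TransitGatewayId`, `VpnGatewayId`, `CustomerGatewayId`, `Options.TunnelInsideIpVersion`) and the `create-vpn-connection` options (`TunnelInsideIpVersion`, `LocalIpv6NetworkCidr`, `RemoteIpv6NetworkCidr`) are the real API names. The script deliberately does not take a position on whether an IPv6 connection also carries IPv4, since that is the point the thread disputes.

```python
"""Audit Site-to-Site VPN connections for IPv6 inside-tunnel support.

Added example for the forum thread; it is not code from the course or
from AWS. Input is the JSON shape returned by `aws ec2
describe-vpn-connections`; the data below is constructed sample output.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

# Constructed sample response; resource IDs are placeholders.
SAMPLE_DESCRIBE_VPN_CONNECTIONS: dict[str, Any] = {
    "VpnConnections": [
        {   # IPv4-only tunnels on a transit gateway: must be replaced
            "VpnConnectionId": "vpn-0a1b2c3d4e5f60001",
            "State": "available",
            "TransitGatewayId": "tgw-0123456789abcdef0",
            "CustomerGatewayId": "cgw-0123456789abcdef0",
            "Options": {"TunnelInsideIpVersion": "ipv4", "StaticRoutesOnly": False},
        },
        {   # IPv6 inside the tunnels, on a transit gateway: nothing to do
            "VpnConnectionId": "vpn-0a1b2c3d4e5f60002",
            "State": "available",
            "TransitGatewayId": "tgw-0123456789abcdef0",
            "CustomerGatewayId": "cgw-0123456789abcdef0",
            "Options": {"TunnelInsideIpVersion": "ipv6", "StaticRoutesOnly": False},
        },
        {   # attached to a virtual private gateway: IPv6 is not offered there
            "VpnConnectionId": "vpn-0a1b2c3d4e5f60003",
            "State": "available",
            "VpnGatewayId": "vgw-0123456789abcdef0",
            "CustomerGatewayId": "cgw-0123456789abcdef1",
            "Options": {"TunnelInsideIpVersion": "ipv4", "StaticRoutesOnly": True},
        },
    ]
}


@dataclass(frozen=True)
class VpnFinding:
    vpn_id: str
    attached_to: str        # "transit-gateway" or "virtual-private-gateway"
    inside_ip_version: str  # "ipv4" or "ipv6"
    action: str


def classify(conn: dict[str, Any]) -> VpnFinding:
    """Apply the rules quoted in the thread to one VpnConnection entry."""
    vpn_id = conn["VpnConnectionId"]
    # TunnelInsideIpVersion is absent on some older entries; AWS default is ipv4.
    version = conn.get("Options", {}).get("TunnelInsideIpVersion", "ipv4")
    if conn.get("TransitGatewayId"):
        attached = "transit-gateway"
    elif conn.get("VpnGatewayId"):
        attached = "virtual-private-gateway"
    else:
        raise ValueError(f"{vpn_id}: no gateway attachment in response")

    if attached == "virtual-private-gateway":
        # Rule: VPN connections on a virtual private gateway do not support IPv6.
        action = "recreate on a transit gateway with TunnelInsideIpVersion=ipv6"
    elif version == "ipv6":
        action = "none (IPv6 inside-tunnel addressing already enabled)"
    else:
        # Rule: the inside IP version is fixed at creation; you cannot enable
        # IPv6 on an existing connection, so a new one is required.
        action = "create a new connection with TunnelInsideIpVersion=ipv6, then cut over"
    return VpnFinding(vpn_id, attached, version, action)


def audit(response: dict[str, Any]) -> list[VpnFinding]:
    return [classify(c) for c in response.get("VpnConnections", [])]


def create_vpn_cli_args(customer_gateway_id: str, transit_gateway_id: str,
                        local_ipv6_cidr: str, remote_ipv6_cidr: str) -> list[str]:
    """Argument vector for the CLI call that creates the replacement connection.

    Uses the real CreateVpnConnection option names; the IDs and CIDRs passed
    in by the caller are placeholders in this example.
    """
    return [
        "aws", "ec2", "create-vpn-connection",
        "--type", "ipsec.1",
        "--customer-gateway-id", customer_gateway_id,
        "--transit-gateway-id", transit_gateway_id,
        "--options",
        f"TunnelInsideIpVersion=ipv6,LocalIpv6NetworkCidr={local_ipv6_cidr},"
        f"RemoteIpv6NetworkCidr={remote_ipv6_cidr}",
    ]


if __name__ == "__main__":
    for f in audit(SAMPLE_DESCRIBE_VPN_CONNECTIONS):
        print(f"{f.vpn_id}  {f.attached_to:24} inside={f.inside_ip_version}  -> {f.action}")
    # Replacement for the first finding; CIDRs are placeholders.
    print(" ".join(create_vpn_cli_args("cgw-0123456789abcdef0", "tgw-0123456789abcdef0",
                                       "fd00:aws::/64", "fd00:onprem::/64")))
```

Against a real account, feed the script the output of `aws ec2 describe-vpn-connections` instead of the constructed sample; any connection the audit marks for replacement keeps its customer gateway, so the on-premises side only needs the new tunnel endpoints and inside addresses, not a new public IP.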

  • JR – Tutorials Dojo

    Administrator
    January 9, 2024 at 1:33 pm

    Hi Bob Sutterfield,

    Thank you for bringing this to our attention. I appreciate the detailed analysis you provided and the time you took to point out the inaccuracies in the explanation. I apologize for any confusion that this may have caused. We will make the necessary updates and ensure that they are reflected in the portal as soon as possible.

    Best Regards,
    JR @ Tutorials Dojo
