Amazon Exam ANS-C01 Topic 5 Question 10 Discussion

Actual exam question for Amazon's ANS-C01 exam

Question #: 10
Topic #: 5

A company has deployed Amazon EC2 instances in private subnets in a VPC. The EC2 instances must initiate any requests that leave the VPC, including requests to the company's on-premises data center over an AWS Direct Connect connection. No resources outside the VPC can be allowed to open communications directly to the EC2 instances.

The on-premises data center's customer gateway is configured with a stateful firewall device that filters for incoming and outgoing requests to and from multiple VPCs. In addition, the company wants to use a single IP match rule to allow all the communications from the EC2 instances to its data center from a single IP address.

Which solution will meet these requirements with the LEAST amount of operational overhead?

ACreate a VPN connection over the Direct Connect connection by using the on-premises firewall. Use the firewall to block all traffic from on premises to AWS. Allow a stateful connection from the EC2 instances to initiate the requests.

BConfigure the on-premises firewall to filter all requests from the on-premises network to the EC2 instances. Allow a stateful connection if the EC2 instances in the VPC initiate the traffic.

CDeploy a NAT gateway into a private subnet in the VPC where the EC2 instances are deployed. Specify the NAT gateway type as private. Configure the on-premises firewall to allow connections from the IP address that is assigned to the NAT gateway.

DDeploy a NAT instance into a private subnet in the VPC where the EC2 instances are deployed. Configure the on-premises firewall to allow connections from the IP address that is assigned to the NAT instance.

Show Suggested Answer

Suggested Answer: B

Creating a new Route 53 Resolver outbound endpoint in the shared services VPC would enable forwarding of DNS queries from the VPC to on-premises1.Creating forwarding rules for the on-premises hosted domains would enable specifying which domain names are forwarded to the on-premises DNS servers2.Associating the rules with the new Resolver endpoint and each application VPC would enable applying the rules to the VPCs2.This solution would not affect the default DNS resolution behavior of Route 53 Resolver for local VPC domain names and domains that are hosted in Route 53 private hosted zones3.

by Garry at Jul 07, 2023, 10:36 AM

Limited Time Offer

25%

Off

Get Premium ANS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Ariel

28 days ago

Option A? Seriously? Who thought that up, the 'Rube Goldberg Solutions' team?

upvoted 0 times

...

Margarett

29 days ago

I'm imagining the on-premises network admin seeing this question and just face-palming. 'You want me to do what now?'

upvoted 0 times

Jacki

1 days ago

B) Configure the on-premises firewall to filter all requests from the on-premises network to the EC2 instances. Allow a stateful connection if the EC2 instances in the VPC initiate the traffic.

upvoted 0 times

...

Shizue

10 days ago

A) Create a VPN connection over the Direct Connect connection by using the on-premises firewall. Use the firewall to block all traffic from on premises to AWS. Allow a stateful connection from the EC2 instances to initiate the requests.

upvoted 0 times

...

Joanne

1 months ago

As long as the NAT gateway doesn't become a bottleneck, Option C seems like the way to go. It's nice to have a single IP rule to manage on the on-premises firewall.

upvoted 0 times

Lashandra

3 days ago

Using a single IP rule for all communications is definitely a plus.

upvoted 0 times

...

Santos

8 days ago

I think so too. It simplifies the management of the on-premises firewall.

upvoted 0 times

...

Franchesca

16 days ago

I agree, Option C with the NAT gateway seems like the best choice.

upvoted 0 times

...

Dahlia

2 months ago

I'm not sure, but option D could also work. Configuring the on-premises firewall to allow connections from the NAT instance might be simpler.

upvoted 0 times

...

Mica

2 months ago

I'm a bit wary of using a NAT instance instead of a gateway. Instances can be more prone to failure, and the maintenance overhead might be higher. Option C seems cleaner.

upvoted 0 times

Jillian

21 days ago

Yeah, I think option C is the best choice for this scenario.

upvoted 0 times

...

Denise

1 months ago

I agree, using a NAT gateway would be more reliable and have less maintenance overhead.

upvoted 0 times

...

Pamela

2 months ago

I agree with Dante. Using a NAT gateway in the VPC seems like the most efficient way to meet the requirements.

upvoted 0 times

...

Dante

2 months ago

I think option C is the best solution.

upvoted 0 times

...

Ryan

2 months ago

I'm not sure, but option D also seems like a viable solution. A NAT instance could work well too.

upvoted 0 times

...

Rolande

2 months ago

I agree with Dominga. Using a NAT gateway in a private subnet seems like the most efficient way to meet the requirements.

upvoted 0 times

...

Dominga

2 months ago

I think option C is the best solution.

upvoted 0 times

...

Jerry

2 months ago

Option C looks like the most straightforward solution. Using a private NAT gateway and configuring the on-premises firewall to allow connections from its IP address should do the trick.

upvoted 0 times

Lazaro

21 days ago

Definitely, it's important to minimize operational overhead while maintaining security.

upvoted 0 times

...

Launa

24 days ago

I think so too. It simplifies the setup and ensures only the necessary connections are allowed.

upvoted 0 times

...

Buck

1 months ago

I agree, it seems like the most efficient way to meet the requirements.

upvoted 0 times

...

Amie

1 months ago

Option C looks like the most straightforward solution. Using a private NAT gateway and configuring the on-premises firewall to allow connections from its IP address should do the trick.

upvoted 0 times

...