Amazon ANS-C01 Exam - Topic 5 Question 10 Discussion

Actual exam question for Amazon's ANS-C01 exam
Question #: 10
Topic #: 5

A company has deployed Amazon EC2 instances in private subnets in a VPC. The EC2 instances must initiate any requests that leave the VPC, including requests to the company's on-premises data center over an AWS Direct Connect connection. No resources outside the VPC can be allowed to open communications directly to the EC2 instances.

The on-premises data center's customer gateway is configured with a stateful firewall device that filters for incoming and outgoing requests to and from multiple VPCs. In addition, the company wants to use a single IP match rule to allow all the communications from the EC2 instances to its data center from a single IP address.

Which solution will meet these requirements with the LEAST amount of operational overhead?

Chu
3 months ago
B seems like the safest bet for filtering traffic effectively.
upvoted 0 times
...
Victor
3 months ago
A VPN over Direct Connect sounds solid, but is it really necessary?
upvoted 0 times
...
Shawn
4 months ago
Wait, why would you use a NAT instance? Isn’t that outdated?
upvoted 0 times
...
Willodean
4 months ago
I disagree, D could work too, but it’s more manual.
upvoted 0 times
...
Sage
4 months ago
I think option C is the best choice here. NAT gateway simplifies things.
upvoted 0 times
...
Emilio
4 months ago
I’m a bit confused about the firewall rules. I think option A could work, but it seems like it might add unnecessary complexity.
upvoted 0 times
...
Haydee
4 months ago
I feel like deploying a NAT instance could work, but it seems like it might require more management than a NAT gateway. I'm leaning towards option C.
upvoted 0 times
...
Chandra
5 months ago
I remember practicing a similar question where we had to ensure security while allowing outbound connections. I think option B sounds familiar, but I'm not confident it's the best choice here.
upvoted 0 times
...
Yuriko
5 months ago
I'm not entirely sure, but I think using a NAT gateway might be the best option since it simplifies outbound traffic management.
upvoted 0 times
...
Coral
5 months ago
Ah, I recognize this type of question. Piloting a process and implementing feedback sounds like the iterative design approach to me. I'm pretty confident that's the right answer here.
upvoted 0 times
...
Mickie
5 months ago
Ah, I see. The strategy is to ensure the system interfaces with other systems and networks, so I'll choose option B.
upvoted 0 times
...
Lavera
5 months ago
Hmm, I'm a bit unsure about this one. I'm trying to decide between options B and C. Creating a separate billing account per project seems like a lot of overhead, but I'm not sure if a single budget for all projects would be the best approach.
upvoted 0 times
...
Karan
5 months ago
Okay, I think I've got this. The key is remembering that DMR structures should resemble a star schema, with measures and dimensions separated. I'll select the option that reflects that principle.
upvoted 0 times
...
Rima
5 months ago
I’m leaning towards B; it seems like a safer option to be transparent about confidentiality limitations.
upvoted 0 times
...
Ariel
10 months ago
Option A? Seriously? Who thought that up, the 'Rube Goldberg Solutions' team?
upvoted 0 times
...
Margarett
10 months ago
I'm imagining the on-premises network admin seeing this question and just face-palming. 'You want me to do what now?'
upvoted 0 times
Pearlie
8 months ago
C) Deploy a NAT gateway into a private subnet in the VPC where the EC2 instances are deployed. Specify the NAT gateway type as private. Configure the on-premises firewall to allow connections from the IP address that is assigned to the NAT gateway.
upvoted 0 times
...
Jacki
9 months ago
B) Configure the on-premises firewall to filter all requests from the on-premises network to the EC2 instances. Allow a stateful connection if the EC2 instances in the VPC initiate the traffic.
upvoted 0 times
...
Shizue
9 months ago
A) Create a VPN connection over the Direct Connect connection by using the on-premises firewall. Use the firewall to block all traffic from on premises to AWS. Allow a stateful connection from the EC2 instances to initiate the requests.
upvoted 0 times
...
...
Joanne
10 months ago
As long as the NAT gateway doesn't become a bottleneck, Option C seems like the way to go. It's nice to have a single IP rule to manage on the on-premises firewall.
upvoted 0 times
Garry
8 months ago
Definitely, as long as the NAT gateway can handle the traffic, it should work well.
upvoted 0 times
...
Gabriele
8 months ago
I think Option C is the most efficient solution with the least operational overhead.
upvoted 0 times
...
Daniela
8 months ago
Yeah, having a single IP rule on the on-premises firewall simplifies management.
upvoted 0 times
...
Shayne
9 months ago
I agree, Option C with the NAT gateway seems like the best choice.
upvoted 0 times
...
Luz
9 months ago
As long as the NAT gateway can handle the traffic, it should work smoothly.
upvoted 0 times
...
Lashandra
9 months ago
Using a single IP rule for all communications is definitely a plus.
upvoted 0 times
...
Santos
9 months ago
I think so too. It simplifies the management of the on-premises firewall.
upvoted 0 times
...
Franchesca
9 months ago
I agree, Option C with the NAT gateway seems like the best choice.
upvoted 0 times
...
...
Dahlia
10 months ago
I'm not sure, but option D could also work. Configuring the on-premises firewall to allow connections from the NAT instance might be simpler.
upvoted 0 times
...
Mica
10 months ago
I'm a bit wary of using a NAT instance instead of a gateway. Instances can be more prone to failure, and the maintenance overhead might be higher. Option C seems cleaner.
upvoted 0 times
Jillian
9 months ago
Yeah, I think option C is the best choice for this scenario.
upvoted 0 times
...
Denise
10 months ago
I agree, using a NAT gateway would be more reliable and have less maintenance overhead.
upvoted 0 times
...
...
Pamela
10 months ago
I agree with Dante. Using a NAT gateway in the VPC seems like the most efficient way to meet the requirements.
upvoted 0 times
...
Dante
10 months ago
I think option C is the best solution.
upvoted 0 times
...
Ryan
10 months ago
I'm not sure, but option D also seems like a viable solution. A NAT instance could work well too.
upvoted 0 times
...
Rolande
11 months ago
I agree with Dominga. Using a NAT gateway in a private subnet seems like the most efficient way to meet the requirements.
upvoted 0 times
...
Dominga
11 months ago
I think option C is the best solution.
upvoted 0 times
...
Jerry
11 months ago
Option C looks like the most straightforward solution. Using a private NAT gateway and configuring the on-premises firewall to allow connections from its IP address should do the trick.
upvoted 0 times
Lazaro
9 months ago
Definitely, it's important to minimize operational overhead while maintaining security.
upvoted 0 times
...
Launa
10 months ago
I think so too. It simplifies the setup and ensures only the necessary connections are allowed.
upvoted 0 times
...
Buck
10 months ago
I agree, it seems like the most efficient way to meet the requirements.
upvoted 0 times
...
Amie
10 months ago
Option C looks like the most straightforward solution. Using a private NAT gateway and configuring the on-premises firewall to allow connections from its IP address should do the trick.
upvoted 0 times
...
...
