Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Amazon ANS-C01 Exam - Topic 5 Question 10 Discussion

A company has deployed Amazon EC2 instances in private subnets in a VPC. The EC2 instances must initiate any requests that leave the VPC, including requests to the company's on-premises data center over an AWS Direct Connect connection. No resources outside the VPC can be allowed to open communications directly to the EC2 instances.The on-premises data center's customer gateway is configured with a stateful firewall device that filters for incoming and outgoing requests to and from multiple VPCs. In addition, the company wants to use a single IP match rule to allow all the communications from the EC2 instances to its data center from a single IP address.Which solution will meet these requirements with the LEAST amount of operational overhead?
B) Configure the on-premises firewall to filter all requests from the on-premises network to the EC2 instances. Allow a stateful connection if the EC2 instances in the VPC initiate the traffic.
A) Create a VPN connection over the Direct Connect connection by using the on-premises firewall. Use the firewall to block all traffic from on premises to AWS. Allow a stateful connection from the EC2 instances to initiate the requests.
C) Deploy a NAT gateway into a private subnet in the VPC where the EC2 instances are deployed. Specify the NAT gateway type as private. Configure the on-premises firewall to allow connections from the IP address that is assigned to the NAT gateway.
D) Deploy a NAT instance into a private subnet in the VPC where the EC2 instances are deployed. Configure the on-premises firewall to allow connections from the IP address that is assigned to the NAT instance.

Amazon ANS-C01 Exam - Topic 5 Question 10 Discussion

Actual exam question for Amazon's ANS-C01 exam
Question #: 10
Topic #: 5
[All ANS-C01 Questions]

A company has deployed Amazon EC2 instances in private subnets in a VPC. The EC2 instances must initiate any requests that leave the VPC, including requests to the company's on-premises data center over an AWS Direct Connect connection. No resources outside the VPC can be allowed to open communications directly to the EC2 instances.

The on-premises data center's customer gateway is configured with a stateful firewall device that filters for incoming and outgoing requests to and from multiple VPCs. In addition, the company wants to use a single IP match rule to allow all the communications from the EC2 instances to its data center from a single IP address.

Which solution will meet these requirements with the LEAST amount of operational overhead?

Show Suggested Answer Hide Answer
Suggested Answer: B

Creating a new Route 53 Resolver outbound endpoint in the shared services VPC would enable forwarding of DNS queries from the VPC to on-premises1.Creating forwarding rules for the on-premises hosted domains would enable specifying which domain names are forwarded to the on-premises DNS servers2.Associating the rules with the new Resolver endpoint and each application VPC would enable applying the rules to the VPCs2.This solution would not affect the default DNS resolution behavior of Route 53 Resolver for local VPC domain names and domains that are hosted in Route 53 private hosted zones3.


by Garry at Jul 07, 2023, 10:36 AM

Limited Time Offer

25%

Off

Get Premium ANS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Chu
6 months ago
B seems like the safest bet for filtering traffic effectively.
upvoted 0 times
...
Victor
7 months ago
A VPN over Direct Connect sounds solid, but is it really necessary?
upvoted 0 times
...
Shawn
7 months ago
Wait, why would you use a NAT instance? Isn’t that outdated?
upvoted 0 times
...
Willodean
7 months ago
I disagree, D could work too, but it’s more manual.
upvoted 0 times
...
Sage
7 months ago
I think option C is the best choice here. NAT gateway simplifies things.
upvoted 0 times
...
Emilio
7 months ago
I’m a bit confused about the firewall rules. I think option A could work, but it seems like it might add unnecessary complexity.
upvoted 0 times
...
Haydee
8 months ago
I feel like deploying a NAT instance could work, but it seems like it might require more management than a NAT gateway. I'm leaning towards option C.
upvoted 0 times
...
Chandra
8 months ago
I remember practicing a similar question where we had to ensure security while allowing outbound connections. I think option B sounds familiar, but I'm not confident it's the best choice here.
upvoted 0 times
...
Yuriko
8 months ago
I'm not entirely sure, but I think using a NAT gateway might be the best option since it simplifies outbound traffic management.
upvoted 0 times
...
Coral
8 months ago
Ah, I recognize this type of question. Piloting a process and implementing feedback sounds like the iterative design approach to me. I'm pretty confident that's the right answer here.
upvoted 0 times
...
Mickie
8 months ago
Ah, I see. The strategy is to ensure the system interfaces with other systems and networks, so I'll choose option B.
upvoted 0 times
...
Lavera
8 months ago
Hmm, I'm a bit unsure about this one. I'm trying to decide between options B and C. Creating a separate billing account per project seems like a lot of overhead, but I'm not sure if a single budget for all projects would be the best approach.
upvoted 0 times
...
Karan
8 months ago
Okay, I think I've got this. The key is remembering that DMR structures should resemble a star schema, with measures and dimensions separated. I'll select the option that reflects that principle.
upvoted 0 times
...
Rima
8 months ago
I’m leaning towards B; it seems like a safer option to be transparent about confidentiality limitations.
upvoted 0 times
...
Ariel
1 year ago
Option A? Seriously? Who thought that up, the 'Rube Goldberg Solutions' team?
upvoted 0 times
...
Margarett
1 year ago
I'm imagining the on-premises network admin seeing this question and just face-palming. 'You want me to do what now?'
upvoted 0 times
Pearlie
12 months ago
C) Deploy a NAT gateway into a private subnet in the VPC where the EC2 instances are deployed. Specify the NAT gateway type as private. Configure the on-premises firewall to allow connections from the IP address that is assigned to the NAT gateway.
upvoted 0 times
...
Jacki
1 year ago
B) Configure the on-premises firewall to filter all requests from the on-premises network to the EC2 instances. Allow a stateful connection if the EC2 instances in the VPC initiate the traffic.
upvoted 0 times
...
Shizue
1 year ago
A) Create a VPN connection over the Direct Connect connection by using the on-premises firewall. Use the firewall to block all traffic from on premises to AWS. Allow a stateful connection from the EC2 instances to initiate the requests.
upvoted 0 times
...
...
Joanne
1 year ago
As long as the NAT gateway doesn't become a bottleneck, Option C seems like the way to go. It's nice to have a single IP rule to manage on the on-premises firewall.
upvoted 0 times
Garry
11 months ago
Definitely, as long as the NAT gateway can handle the traffic, it should work well.
upvoted 0 times
...
Gabriele
12 months ago
I think Option C is the most efficient solution with the least operational overhead.
upvoted 0 times
...
Daniela
12 months ago
Yeah, having a single IP rule on the on-premises firewall simplifies management.
upvoted 0 times
...
Shayne
12 months ago
I agree, Option C with the NAT gateway seems like the best choice.
upvoted 0 times
...
Luz
12 months ago
As long as the NAT gateway can handle the traffic, it should work smoothly.
upvoted 0 times
...
Lashandra
1 year ago
Using a single IP rule for all communications is definitely a plus.
upvoted 0 times
...
Santos
1 year ago
I think so too. It simplifies the management of the on-premises firewall.
upvoted 0 times
...
Franchesca
1 year ago
I agree, Option C with the NAT gateway seems like the best choice.
upvoted 0 times
...
...
Dahlia
1 year ago
I'm not sure, but option D could also work. Configuring the on-premises firewall to allow connections from the NAT instance might be simpler.
upvoted 0 times
...
Mica
1 year ago
I'm a bit wary of using a NAT instance instead of a gateway. Instances can be more prone to failure, and the maintenance overhead might be higher. Option C seems cleaner.
upvoted 0 times
Jillian
1 year ago
Yeah, I think option C is the best choice for this scenario.
upvoted 0 times
...
Denise
1 year ago
I agree, using a NAT gateway would be more reliable and have less maintenance overhead.
upvoted 0 times
...
...
Pamela
1 year ago
I agree with Dante. Using a NAT gateway in the VPC seems like the most efficient way to meet the requirements.
upvoted 0 times
...
Dante
1 year ago
I think option C is the best solution.
upvoted 0 times
...
Ryan
1 year ago
I'm not sure, but option D also seems like a viable solution. A NAT instance could work well too.
upvoted 0 times
...
Rolande
1 year ago
I agree with Dominga. Using a NAT gateway in a private subnet seems like the most efficient way to meet the requirements.
upvoted 0 times
...
Dominga
1 year ago
I think option C is the best solution.
upvoted 0 times
...
Jerry
1 year ago
Option C looks like the most straightforward solution. Using a private NAT gateway and configuring the on-premises firewall to allow connections from its IP address should do the trick.
upvoted 0 times
Lazaro
1 year ago
Definitely, it's important to minimize operational overhead while maintaining security.
upvoted 0 times
...
Launa
1 year ago
I think so too. It simplifies the setup and ensures only the necessary connections are allowed.
upvoted 0 times
...
Buck
1 year ago
I agree, it seems like the most efficient way to meet the requirements.
upvoted 0 times
...
Amie
1 year ago
Option C looks like the most straightforward solution. Using a private NAT gateway and configuring the on-premises firewall to allow connections from its IP address should do the trick.
upvoted 0 times
...
...

Save Cancel