Amazon ANS-C01 Exam - Topic 7 Question 27 Discussion

Actual exam question for Amazon's ANS-C01 exam

Question #: 27
Topic #: 7

A company is using third-party firewall appliances to monitor and inspect traffic on premises The company wants to use this same model on AWS. The company has a single VPC with an internet gateway. The VPC has a fleet of web servers that run on Amazon EC2 instances that are managed by an Auto Scaling group.

The company's network team needs to work with the security team to establish inline inspection of all packets that are sent to and from the web servers. The solution must scale as the fleet of virtual firewall appliances scales.

Which combination of steps should the network team take to implement this solution? (Select THREE.)

ACreate a new VPC, and deploy a fleet of firewall appliances. Create a Gateway Load Balancer. Add the firewall appliances as targets.

BCreate a security group for use with the firewall appliances, and allow port 443. Allow a port for the Gateway Load Balancer to perform health checks.

CCreate a security group for use with the firewall appliances, and allow port 6081. Allow a port for the Gateway Load Balancer to perform health checks.

DDeploy a fleet of firewall appliances to the existing VPC. Create a Gateway Load Balancer. Add the firewall appliances as targets.

EUpdate the internet gateway route table and the web server route table to send traffic to and from the internet to the VPC endpoint ID of the Gateway Load Balancer. Update the subnet route table that is associated with the Gateway Load Balancer endpoint to direct internet traffic to the internet gateway.

FCreate a new route table inside the web server VPC. Create a new edge association with the internet gateway. Update the internet gateway route table and the web server route table to send traffic to and from the internet to the VPC endpoint ID of the Gateway Load Balancer. Update the subnet route table that is associated with the Gateway Load Balancer endpoint to direct internet traffic to the internet gateway.

Show Suggested Answer

Suggested Answer: B

Creating a new Route 53 Resolver outbound endpoint in the shared services VPC would enable forwarding of DNS queries from the VPC to on-premises1.Creating forwarding rules for the on-premises hosted domains would enable specifying which domain names are forwarded to the on-premises DNS servers2.Associating the rules with the new Resolver endpoint and each application VPC would enable applying the rules to the VPCs2.This solution would not affect the default DNS resolution behavior of Route 53 Resolver for local VPC domain names and domains that are hosted in Route 53 private hosted zones3.

by Eleonore at May 19, 2024, 06:37 AM

Limited Time Offer

25%

Off

Get Premium ANS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Lenita

3 months ago

Health checks are crucial, don’t forget those!

upvoted 0 times

...

Amalia

3 months ago

Wait, why are we using port 6081? That seems odd.

upvoted 0 times

...

Jaime

3 months ago

Agree, deploying in the existing VPC makes more sense!

upvoted 0 times

...

Leatha

4 months ago

I think option A is overkill, just use the existing VPC.

upvoted 0 times

...

Celestine

4 months ago

Definitely need a Gateway Load Balancer for this setup.

upvoted 0 times

...

Miriam

4 months ago

I’m a bit confused about whether we should deploy the firewall appliances in a new VPC or the existing one. I thought the existing setup was more efficient, but I can't remember the details.

upvoted 0 times

...

Sherell

4 months ago

I vaguely remember something about updating route tables to direct traffic properly. I wonder if option E is the right choice since it mentions the VPC endpoint ID.

upvoted 0 times

...

Loren

4 months ago

I think we practiced a similar question where we had to set up security groups for firewall appliances. I feel like allowing port 443 makes sense for HTTPS traffic, but I can't recall if that's the only port we need.

upvoted 0 times

...

Kassandra

5 months ago

I remember we discussed the importance of using a Gateway Load Balancer for scaling firewall appliances, but I'm not sure if we should create a new VPC or use the existing one.

upvoted 0 times

...

Graciela

5 months ago

This is a tricky one. I'm not super familiar with the Gateway Load Balancer, so I'll need to do some research on how that works and how to integrate it with the existing infrastructure. Definitely going to need to work closely with the security team on this one.

upvoted 0 times

...

Tresa

5 months ago

Okay, I think I've got a handle on this. We'll need to deploy the firewall appliances in the existing VPC, create a Gateway Load Balancer, and then update the routing tables to send all the traffic through the Load Balancer. The security group settings are also important to get right.

upvoted 0 times

...

Vicki

5 months ago

Hmm, not sure I fully grasp the routing aspect here. Do we need to create a new VPC and route all the traffic through that, or can we just deploy the firewall appliances in the existing VPC? The wording is a bit confusing.

upvoted 0 times

...

Darrel

5 months ago

This seems like a pretty straightforward question, just need to make sure I understand the requirements correctly. Looks like we need to set up a Gateway Load Balancer to handle the inline inspection of all traffic to and from the web servers.

upvoted 0 times

...

Dominga

5 months ago

The key is understanding what "NFV ENCS Virtualized branch" means. I'll focus on that to determine the best answer.

upvoted 0 times

...

Michael

5 months ago

This reminds me of a practice question I did recently. I think it involved GRS, but it also mentioned read access, which might make it different.

upvoted 0 times

...

Rolland

9 months ago

Ah, the joys of networking and security on AWS. I bet the network and security teams are already arguing over the best approach. Time to put on my diplomat hat!

upvoted 0 times

Marvel

8 months ago

D: Deploying the fleet of firewall appliances to the existing VPC seems like a good idea. Let's make sure to add them as targets for the Gateway Load Balancer.

upvoted 0 times

...

Reta

8 months ago

C: We should also update the route tables to direct traffic to the Gateway Load Balancer.

upvoted 0 times

...

Maybelle

8 months ago

B: Don't forget to create a security group for the firewall appliances and allow the necessary ports.

upvoted 0 times

...

Cherry

8 months ago

A: Let's create a new VPC and deploy the firewall appliances. We can use a Gateway Load Balancer.

upvoted 0 times

...

Olene

9 months ago

I'm feeling pretty confident about this one. The steps seem straightforward, but I'll need to double-check that I've selected the correct combination.

upvoted 0 times

...

Dorothy

10 months ago

Haha, I bet the security team is going to have a field day with this one. Gotta make sure we get all the firewall settings just right, or it's going to be a mess!

upvoted 0 times

Vallie

8 months ago

C: Let's make sure we update the route tables correctly to direct traffic to the Gateway Load Balancer. Can't afford any mistakes!

upvoted 0 times

...

Jospeh

8 months ago

B: Yeah, and we also need to create a security group for the firewall appliances and allow the necessary ports.

upvoted 0 times

...

Brunilda

9 months ago

C: And update the route tables to direct traffic to the Gateway Load Balancer. It's crucial for the setup.

upvoted 0 times

...

Alishia

9 months ago

B: Don't forget to create a security group for the firewall appliances and allow the necessary ports.

upvoted 0 times

...

Jaclyn

9 months ago

A: We need to create a new VPC and deploy the firewall appliances. Don't forget to add them as targets for the Gateway Load Balancer.

upvoted 0 times

...

Nu

9 months ago

A: We need to create a new VPC and deploy the firewall appliances. Add them as targets to the Gateway Load Balancer.

upvoted 0 times

...

Delsie

10 months ago

Okay, let's see. I think the key is to create a Gateway Load Balancer and add the firewall appliances as targets. But which security group settings and route table configurations do I need to get this right?

upvoted 0 times

Rosenda

9 months ago

E) Update the internet gateway route table and the web server route table to send traffic to and from the internet to the VPC endpoint ID of the Gateway Load Balancer. Update the subnet route table that is associated with the Gateway Load Balancer endpoint to direct internet traffic to the internet gateway.

upvoted 0 times

...

Lisha

9 months ago

B) Create a security group for use with the firewall appliances, and allow port 443. Allow a port for the Gateway Load Balancer to perform health checks.

upvoted 0 times

...

Herman

9 months ago

A) Create a new VPC, and deploy a fleet of firewall appliances. Create a Gateway Load Balancer. Add the firewall appliances as targets.

upvoted 0 times

...

Jeniffer

10 months ago

Hmm, this seems like a tricky question. I'll need to carefully consider the steps to implement the inline inspection of traffic using the firewall appliances.

upvoted 0 times

Cassie

9 months ago

upvoted 0 times

...

Rose

9 months ago

A) Create a new VPC, and deploy a fleet of firewall appliances. Create a Gateway Load Balancer. Add the firewall appliances as targets.

upvoted 0 times

...

Karan

11 months ago

We should also update the internet gateway route table and the web server route table to send traffic to and from the internet to the VPC endpoint ID of the Gateway Load Balancer.

upvoted 0 times

...

Pearlie

11 months ago

I agree. We also need to create a Gateway Load Balancer and add the firewall appliances as targets.

upvoted 0 times

...

Heike

11 months ago

I think we should create a new VPC and deploy a fleet of firewall appliances.

upvoted 0 times

...