ANS-C01: AWS Transit Gateway Setup Isolating Development VPC, Connecting Production VPCs

Learn how to set up secure connectivity in AWS using Transit Gateway. Isolate your development VPC and connect production VPCs while extending your on-premises network seamlessly.

Question

A company has an AWS account with four VPCs in the us-east-1 Region. The VPCs consist of a development VPC and three production VPCs that host various workloads.

The company has extended its on-premises data center to AWS with AWS Direct Connect by using a Direct Connect gateway. The company now wants to establish connectivity to its production VPCs and development VPC from on premises. The production VPCs are allowed to route data to each other. However, the development VPC must be isolated from the production VPCs. No data can flow between the development VPC and the production VPCs.

In preparation to implement this solution, a network engineer creates a transit gateway with a single transit gateway route table. Default route table association and default route table propagation are turned off. The network engineer attaches the production VPCs, the development VPC, and the Direct Connect gateway to the transit gateway. For each VPC route table, the network engineer adds a route to 0.0.0.0/0 with the transit gateway as the next destination.

Which combination of steps should the network engineer take next to complete this solution? (Choose three.)

A. Associate the production VPC attachments with the existing transit gateway route table. Propagate the routes from these attachments.
B. Associate all the attachments with the existing transit gateway route table. Propagate the routes from these attachments.
C. Associate the Direct Connect gateway attachment with the existing transit gateway route table. Propagate the Direct Connect gateway attachment to this route table.
D. Change the security group inbound rules on the existing transit gateway network interfaces in the development VPC to allow connections to and from the on-premises CIDR range only.
E. Create a new transit gateway route table. Associate the new route table with the development VPC attachment. Propagate the Direct Connect gateway and development VPC attachment to the new route table.
F. Create a new transit gateway with default route table association and default route table propagation turned on. Attach the Direct Connect gateway and development VPC to the new transit gateway.

Answer

A. Associate the production VPC attachments with the existing transit gateway route table. Propagate the routes from these attachments.
C. Associate the Direct Connect gateway attachment with the existing transit gateway route table. Propagate the Direct Connect gateway attachment to this route table.
D. Change the security group inbound rules on the existing transit gateway network interfaces in the development VPC to allow connections to and from the on-premises CIDR range only.

Explanation

To achieve the required isolation and connectivity for the company’s VPCs and on-premises data center using AWS Direct Connect and Transit Gateway, the network engineer should:

  • Associate the production VPC attachments and propagate routes: Associate the production VPC attachments with the existing transit gateway route table and enable route propagation from these attachments (Option A). Because default association and propagation are turned off and the development VPC attachment is not associated with this route table, the production VPCs can reach each other while the development VPC stays isolated.
  • Associate the Direct Connect gateway attachment and propagate routes: Associate the Direct Connect gateway attachment with the existing transit gateway route table and propagate this attachment's routes (Option C). This provides connectivity between on-premises resources and the VPCs while maintaining the isolation between the development and production VPCs.
  • Modify security group rules for the development VPC: Change the inbound rules on the existing transit gateway network interfaces in the development VPC to allow connections only to and from the on-premises CIDR range (Option D). This step enforces the strict isolation of the development VPC from the other VPCs.

These steps effectively establish the desired connectivity and isolation, ensuring that production VPCs can communicate while preventing any data flow between the development VPC and the production VPCs.
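As an added illustration (not part of the original question or explanation), the Terraform below expresses the route-table steps in Options A and C: each production VPC attachment and the Direct Connect gateway attachment is associated with the single transit gateway route table and propagated into it, and the development VPC attachment is left out. All IDs are placeholders, and the variable names are assumptions made for this example.

```terraform
# Added example, not code from the original page. Every ID below is a
# placeholder; substitute the real transit gateway route table and
# attachment IDs from the account.

variable "tgw_route_table_id" {
  description = "ID of the single transit gateway route table (placeholder)"
  type        = string
  default     = "tgw-rtb-PLACEHOLDER"
}

variable "production_vpc_attachment_ids" {
  description = "Attachment IDs of the three production VPCs (placeholders)"
  type        = list(string)
  default     = ["tgw-attach-PROD1", "tgw-attach-PROD2", "tgw-attach-PROD3"]
}

variable "dx_gateway_attachment_id" {
  description = "Attachment ID of the Direct Connect gateway (placeholder)"
  type        = string
  default     = "tgw-attach-DXGW"
}

# Option A: associate each production VPC attachment with the route table
# (so traffic arriving from that VPC is looked up in this table) and
# propagate its CIDR into the same table (so other attachments can reach it).
resource "aws_ec2_transit_gateway_route_table_association" "production" {
  for_each                       = toset(var.production_vpc_attachment_ids)
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = var.tgw_route_table_id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "production" {
  for_each                       = toset(var.production_vpc_attachment_ids)
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = var.tgw_route_table_id
}

# Option C: the Direct Connect gateway attachment is associated with, and
# propagated into, the same route table, so on-premises prefixes learned
# over Direct Connect become routes for the production VPCs and vice versa.
resource "aws_ec2_transit_gateway_route_table_association" "dx_gateway" {
  transit_gateway_attachment_id  = var.dx_gateway_attachment_id
  transit_gateway_route_table_id = var.tgw_route_table_id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "dx_gateway" {
  transit_gateway_attachment_id  = var.dx_gateway_attachment_id
  transit_gateway_route_table_id = var.tgw_route_table_id
}

# The development VPC attachment is deliberately absent. With default
# association and propagation turned off, an attachment that is associated
# with no route table has no table to consult, so traffic the development
# VPC sends to the transit gateway is dropped there, and because it is not
# propagated, no route to its CIDR appears in the production table.
```

After `terraform apply`, the resulting state can be checked with `aws ec2 get-transit-gateway-route-table-associations --transit-gateway-route-table-id <id>` (only the production and Direct Connect gateway attachments should be listed) and `aws ec2 search-transit-gateway-routes --transit-gateway-route-table-id <id> --filters Name=state,Values=active` (the development VPC CIDR should not appear among the propagated routes).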

AWS Certified Advanced Networking – Specialty ANS-C01 certification exam practice question and answer (Q&A) dump with detailed explanation and reference, available free and helpful for passing the AWS Certified Advanced Networking – Specialty ANS-C01 exam and earning the AWS Certified Advanced Networking – Specialty ANS-C01 certification.