ANS-C01: Configuring AWS VPN to On-Premises Network with Dynamic IP

Learn how to establish a VPN from AWS to an on-premises network with a dynamic IP address using IKEv2 and private certificates.

Question

A company has an AWS environment that includes multiple VPCs that are connected by a transit gateway. The company has decided to use AWS Site-to-Site VPN to establish connectivity between its on-premises network and its AWS environment.

The company does not have a static public IP address for its on-premises network. A network engineer must implement a solution to initiate the VPN connection on the AWS side of the connection for traffic from the AWS environment to the on-premises network.

Which combination of steps should the network engineer take to establish VPN connectivity between the transit gateway and the on-premises network? (Choose three.)

A. Configure the Site-to-Site VPN tunnel options to use Internet Key Exchange version 1 (IKEv1).
B. Configure the Site-to-Site VPN tunnel options to use Internet Key Exchange version 2 (IKEv2).
C. Use a private certificate authority (CA) from AWS Private Certificate Authority to create a certificate.
D. Use a public certificate authority (CA) from AWS Private Certificate Authority to create a certificate.
E. Create a customer gateway. Specify the current dynamic IP address of the customer gateway device’s external interface.
F. Create a customer gateway without specifying the IP address of the customer gateway device.

Answer

B. Configure the Site-to-Site VPN tunnel options to use Internet Key Exchange version 2 (IKEv2).
C. Use a private certificate authority (CA) from AWS Private Certificate Authority to create a certificate.
F. Create a customer gateway without specifying the IP address of the customer gateway device.

Explanation

Together, these three choices let the AWS side bring up the VPN connection without knowing the on-premises network's dynamic public IP address. IKEv2 supports AWS-initiated tunnel establishment for traffic flowing from AWS to the on-premises network (IKEv1 does not). A certificate issued by a private CA in AWS Private Certificate Authority (ACM Private CA) authenticates the customer gateway device in place of a fixed IP address, so the customer gateway can be created without specifying an IP address.
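The following AWS CLI script is an added example and is not part of the original question, answer, or any AWS documentation; it walks through answers C, F and B in order: request a certificate from a private CA, create a customer gateway with that certificate and no `--ip-address`, then create the transit gateway VPN connection with IKEv2-only tunnel options and `StartupAction` set to `start` so that AWS initiates the IKE negotiation. The CA ARN, transit gateway ID, BGP ASN and certificate domain name are placeholders you must replace. By default the script only prints the commands it would run; set `APPLY=1` to execute them against your account.

```shell
#!/bin/sh
# Added example, not from the original page. Placeholders (assumptions): replace
# PRIVATE_CA_ARN, TGW_ID, CGW_DOMAIN and BGP_ASN with your own values.
# Without APPLY=1 the aws commands are printed instead of executed.

PRIVATE_CA_ARN="${PRIVATE_CA_ARN:-arn:aws:acm-pca:REGION:ACCOUNT-ID:certificate-authority/PLACEHOLDER-CA-ID}"
TGW_ID="${TGW_ID:-tgw-PLACEHOLDER}"
CGW_DOMAIN="${CGW_DOMAIN:-cgw.example.internal}"
BGP_ASN="${BGP_ASN:-65000}"

# Execute a command when APPLY=1, otherwise print it (dry run).
run() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# Tunnel options for both tunnels: IKEv2 only (answer B) and StartupAction=start,
# which asks AWS to initiate the IKE negotiation instead of waiting for the
# on-premises device to connect first.
tunnel_options_json() {
  printf '%s' '{"TunnelOptions":[{"IKEVersions":[{"Value":"ikev2"}],"StartupAction":"start"},{"IKEVersions":[{"Value":"ikev2"}],"StartupAction":"start"}]}'
}

# Answer C: request a certificate for the customer gateway device from the
# private CA in AWS Private Certificate Authority.
request_cgw_certificate() {
  run aws acm request-certificate \
    --domain-name "$CGW_DOMAIN" \
    --certificate-authority-arn "$PRIVATE_CA_ARN" \
    --query CertificateArn --output text
}

# Answer F: customer gateway authenticated by certificate, with no --ip-address.
create_customer_gateway() {
  run aws ec2 create-customer-gateway \
    --type ipsec.1 \
    --bgp-asn "$BGP_ASN" \
    --certificate-arn "$1" \
    --query CustomerGateway.CustomerGatewayId --output text
}

# Answer B: Site-to-Site VPN attached to the transit gateway with IKEv2 tunnels.
create_vpn_connection() {
  run aws ec2 create-vpn-connection \
    --type ipsec.1 \
    --customer-gateway-id "$1" \
    --transit-gateway-id "$TGW_ID" \
    --options "$(tunnel_options_json)"
}

main() {
  if [ "${APPLY:-0}" = "1" ]; then
    cert_arn="$(request_cgw_certificate)"
    cgw_id="$(create_customer_gateway "$cert_arn")"
  else
    # Dry run: show each command and continue with placeholder identifiers.
    request_cgw_certificate
    cert_arn="arn:aws:acm:REGION:ACCOUNT-ID:certificate/PLACEHOLDER-CERT-ID"
    create_customer_gateway "$cert_arn"
    cgw_id="cgw-PLACEHOLDER"
  fi
  create_vpn_connection "$cgw_id"
}

main "$@"
```

The on-premises device still needs the private certificate and key installed and must trust the AWS-side certificate chain from the downloaded VPN configuration; the script only covers the AWS side that the question asks about.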

AWS Certified Advanced Networking – Specialty ANS-C01 certification exam practice question and answer (Q&A) dump with detailed explanation and reference, available free, helpful for passing the AWS Certified Advanced Networking – Specialty ANS-C01 exam and earning the AWS Certified Advanced Networking – Specialty ANS-C01 certification.