Learn how to design a secure VPC networking solution for temporary application capacity scaling to AWS using private subnets and routing traffic through an on-premises firewall via Site-to-Site VPN.
Table of Contents
Question
A company needs to temporarily scale out capacity for an on-premises application and wants to deploy new servers on Amazon EC2 instances. A network engineer must design the networking solution for the connectivity and for the application on AWS.
The EC2 instances need to share data with the existing servers in the on-premises data center. The servers must not be accessible from the internet. All traffic to the internet must route through the firewall in the on-premises data center. The servers must be able to access a third-party web application.
Which configuration will meet these requirements?
A. Create a VPC that has public subnets and private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a NAT gateway in a public subnet. Create a route table, and associate the public subnets with the route table. Add a default route to the internet gateway. Create a route table, and associate the private subnets with the route table. Add a default route to the NAT gateway. Add routes for the data center subnets to the virtual private gateway. Deploy the application to the private subnets.
B. Create a VPC that has private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the private subnets with the route table. Add a default route to the virtual private gateway. Deploy the application to the private subnets.
C. Create a VPC that has public subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the public subnets with the route table. Add a default route to the internet gateway. Add routes for the on-premises data center subnets to the virtual private gateway. Deploy the application to the public subnets.
D. Create a VPC that has public subnets and private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the public subnets with the route table. Add a default route to the internet gateway. Create a route table, and associate the private subnets with the route table. Add routes for the on-premises data center subnets to the virtual private gateway. Deploy the application to the private subnets.
Answer
B. Create a VPC that has private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the private subnets with the route table. Add a default route to the virtual private gateway. Deploy the application to the private subnets.
Explanation
The configuration that will meet all the requirements is B:
- Create a VPC with private subnets only
- Create a AWS Site-to-Site VPN with customer gateway and virtual private gateway
- Create a route table and associate private subnets, adding a default route to the VPN gateway
- Deploy the application to the private subnets
This solution:
- Keeps servers in private subnets, avoiding public Internet access
- Routes all internet traffic through the on-premises firewall via VPN
- Allows access to resources in the data center subnets
The other options do not fully meet all requirements:
A/D – Public subnets are not needed and allow public internet access
C – Deploying to public subnets permits direct internet access
Implementing a VPC with private subnets only, using the VPN gateway as the sole default route properly isolates the servers while providing connectivity.
AWS Certified Advanced Networking – Specialty ANS-C01 certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the AWS Certified Advanced Networking – Specialty ANS-C01 exam and earn AWS Certified Advanced Networking – Specialty ANS-C01 certification.