Exam ANS-C01
Question 86

A company has deployed its AWS environment in a single AWS Region. The environment consists of a few hundred application VPCs, a shared services VPC, and a VPN connection to the company’s on-premises environment. A network engineer needs to implement a transit gateway with the following requirements:

• Application VPCs must be isolated from each other.

• Bidirectional communication must be allowed between the application VPCs and the on-premises network.

• Bidirectional communication must be allowed between the application VPCs and the shared services VPC.

The network engineer creates the transit gateway with options disabled for default route table association and default route table propagation. The network engineer also creates the VPN attachment for the on-premises network and creates the VPC attachments for the application VPCs and the shared services VPC.

The network engineer must meet all the requirements for the transit gateway by designing a solution that needs the least number of transit gateway route tables.

Which combination of actions should the network engineer perform to accomplish this goal? (Choose two.)

    Correct Answer: C, E

    To achieve the isolation of application VPCs while allowing bidirectional communication with the on-premises network and the shared services VPC, the network engineer should create a separate transit gateway route table for all application VPCs. This table will facilitate communication with the shared services VPC and the VPN by propagating the respective routes. Simultaneously, another separate transit gateway route table should be configured for the shared services VPC and the on-premises connectivity. Associating the VPN attachment and the shared services VPC attachment with this table and propagating all application VPC attachments will ensure the required connectivity and isolation using the least number of transit gateway route tables.

Discussion
Kristin01 (Options: CE)

CE is correct

netgeek1991

BE is correct. Option C is wrong because if we "Configure a separate transit gateway route table for all application VPCs. Associate all application VPCs with this transit gateway route table," then all the application VPCs will be able to talk to each other, which breaks the requirement of isolating the communication between application VPCs.

netgeek1991

It's C and E.

albertkr

Yeah, won't putting all application VPCs under the same routing table enable communication among the VPCs? I can't understand why people voted for B.

cerifyme85

It won't. The question says "least amount of TGW RT", so all in the same RT. Connectivity only happens when the routes are propagated to each other.
App VPCs ==> associated to one table
App VPCs ==> propagated to shared + VPN
VPN + shared VPC ==> associated to their RT
VPN + shared VPC ==> propagated to only app VPCs

cerifyme85

It won't. The question says "least amount of TGW RT", so all in the same RT. Connectivity only happens when the routes are propagated to each other.
App VPCs ==> associated to one table (1 RT)
App VPCs ==> propagated to the shared + VPN RT
VPN + shared VPC ==> associated to their RT (1 RT)
VPN + shared VPC ==> propagated to only app VPCs

mrt261 (Options: BE)

Option B allows for isolating each application VPC by creating a separate transit gateway route table for each one. This ensures that communication between application VPCs is isolated. The shared services VPC attachment and the VPN attachment are propagated to each application VPC's transit gateway route table, allowing bidirectional communication with both. Option E creates a separate transit gateway route table for on-premises and the shared services VPC. This allows for efficient routing and isolation. All application VPC attachments are propagated to this transit gateway route table, ensuring bidirectional communication with both the on-premises network and the shared services VPC.

Neo00

B, E is correct. C will make all application VPCs talk to each other.

Neo00

I was wrong, should be CE.

JoellaLi

Why change to CE?

vikasj1in (Options: CE)

C)
- Create a transit gateway route table specifically for all the application VPCs.
- Associate all the application VPC attachments with this transit gateway route table.
- Propagate the shared services VPC attachment and the VPN attachment to this transit gateway route table.

E)
- Create another transit gateway route table for on-premises and the shared services VPC.
- Associate the VPN attachment and the shared services VPC attachment with this transit gateway route table.
- Propagate all application VPC attachments to this transit gateway route table.

This way, you can achieve the required isolation between application VPCs, allow bidirectional communication between application VPCs and the on-premises network, and enable communication between application VPCs and the shared services VPC. Using two separate transit gateway route tables helps organize the routing requirements efficiently.

mrt261

With option C, all application VPCs would share the same transit gateway route table, which means they would not be isolated from each other. This violates the requirement that application VPCs must be isolated from each other. Therefore, option C is not suitable for meeting the specified requirements.

Arad (Options: CE)

CE is the right answer.

Tofu13 (Options: CE)

C: Allows traffic to flow from app VPCs to the shared services VPC and to on-premises. E: Allows traffic to flow from the shared services VPC and on-premises to app VPCs. https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-isolated-shared.html

alejo232425

The link shared says what someone said above: "The first entry is the default entry for local routing in the VPC". You don't want that, so if you include all, all of them will be reachable.

Certified101 (Options: CE)

By implementing the steps in option C, you're providing the necessary isolation between the application VPCs while allowing for communication with the shared services VPC and the on-premises network. Option E then allows bidirectional communication between the on-premises network, the shared services VPC, and all application VPCs. This is achieved by creating a separate transit gateway route table for the shared services VPC and on-premises network, and propagating the routes of all application VPCs to this route table.

[Removed] (Options: BD)

Consider this that the application VPCs must be isolated from each other...

Blitz1 (Options: CE)

CE. BE is an option but with too many routing tables. And it seems that not all the people understood attachment vs. propagation. In a transit gateway route table the routes (an actual field in the AWS console) come from the propagation and not from the attachment. The simple fact that you create an association in the routing table with a transit gateway attachment (VPC) doesn't mean that you have transitivity (unless you also add the propagation).
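The point this comment makes, and the design the official explanation above describes, both hinge on the difference between associating an attachment with a transit gateway route table (which table that attachment's traffic is looked up in) and propagating an attachment into a table (which CIDRs become routes there). The following is an added example, not code from the exam page or from AWS: a small Python model of those two operations, built from the page's description of the C + E design. The attachment names and CIDRs are constructed for the example. It checks the three requirements (isolation, bidirectional reach to shared services, bidirectional reach to on-premises) against the two-table design, and also shows what goes wrong if someone additionally propagates the application VPCs into their own table.

```python
"""Model of transit gateway route-table association vs. propagation (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class RouteTable:
    name: str
    associations: set = field(default_factory=set)  # attachments whose traffic is looked up here
    propagations: set = field(default_factory=set)  # attachments whose CIDRs are installed as routes


class TransitGateway:
    def __init__(self):
        self.attachments = {}     # attachment name -> ip_network
        self.tables = {}          # table name -> RouteTable
        self.association_of = {}  # attachment name -> table name (one association per attachment)

    def add_attachment(self, name, cidr):
        self.attachments[name] = ip_network(cidr)

    def create_route_table(self, name):
        self.tables[name] = RouteTable(name)

    def associate(self, table, attachment):
        # A transit gateway attachment can be associated with exactly one route table.
        if attachment in self.association_of:
            raise ValueError(f"{attachment} is already associated with {self.association_of[attachment]}")
        self.tables[table].associations.add(attachment)
        self.association_of[attachment] = table

    def propagate(self, table, attachment):
        self.tables[table].propagations.add(attachment)

    def routes(self, table):
        # Routes in a table come only from propagations, never from associations.
        return {self.attachments[a]: a for a in self.tables[table].propagations}

    def can_reach(self, src, dst):
        table = self.association_of.get(src)
        return table is not None and self.attachments[dst] in self.routes(table)

    def bidirectional(self, a, b):
        return self.can_reach(a, b) and self.can_reach(b, a)


# Constructed sample topology (CIDRs are assumptions for the example).
APP_VPCS = {"app-1": "10.1.0.0/16", "app-2": "10.2.0.0/16", "app-3": "10.3.0.0/16"}
SHARED = ("shared-services", "10.100.0.0/16")
VPN = ("vpn-onprem", "192.168.0.0/16")


def build_two_table_design(leak_app_routes=False):
    """Option C + E: one table for all app VPCs, one for the VPN and shared services VPC."""
    tgw = TransitGateway()
    for name, cidr in APP_VPCS.items():
        tgw.add_attachment(name, cidr)
    tgw.add_attachment(*SHARED)
    tgw.add_attachment(*VPN)
    tgw.create_route_table("app-rt")
    tgw.create_route_table("shared-rt")
    for app in APP_VPCS:
        tgw.associate("app-rt", app)       # C: all app VPCs share one table ...
        tgw.propagate("shared-rt", app)    # E: ... and their CIDRs are propagated to the shared table
    for name, _ in (SHARED, VPN):
        tgw.associate("shared-rt", name)   # E: VPN and shared services VPC share the second table ...
        tgw.propagate("app-rt", name)      # C: ... and their CIDRs are propagated to the app table
    if leak_app_routes:
        # The mistake the discussion warns about: propagating app VPCs into their own table.
        for app in APP_VPCS:
            tgw.propagate("app-rt", app)
    return tgw


def check_requirements(tgw):
    apps = list(APP_VPCS)
    return {
        "isolated": all(not tgw.can_reach(a, b) for a in apps for b in apps if a != b),
        "shared_bidirectional": all(tgw.bidirectional(a, SHARED[0]) for a in apps),
        "onprem_bidirectional": all(tgw.bidirectional(a, VPN[0]) for a in apps),
        "route_tables": len(tgw.tables),
    }


if __name__ == "__main__":
    print("C + E design:", check_requirements(build_two_table_design()))
    print("with app routes leaked into app-rt:", check_requirements(build_two_table_design(True)))
```

Sharing one table among all application VPCs does not by itself connect them: the app table only ever contains the shared services and VPN prefixes, so an app-to-app lookup finds no route. Isolation only breaks in the leaky variant, where application prefixes are propagated into the table the applications are associated with.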

Raphaello (Options: CE)

Think of it as 2 separate routing domains (VRFs).
Application VPCs routing table >> VPN & shared-services VPC routes
VPN & shared-services VPC routing table >> app VPCs routes
C & E are the correct answers.

JoellaLi (Options: BE)

Each VPC has a route table, and the transit gateway has two route tables—one for the VPCs and one for the VPN connection and shared services VPC.

JoellaLi

Change to CE. If we configure a separate transit gateway route table for each application VPC and there are 3 application VPCs, then there will be 3 transit gateway route tables in total—one for each application VPC.

Marfee400704

I think the correct answer is AE according to SPOTO products.

az2022

DE is correct

Stardec

My mistake. It is C AND E.

Stardec

C and D.

cavuturv

Won't it be B and C?