Exam SAP-C02
Question 470

A company uses AWS Organizations. The company runs two firewall appliances in a centralized networking account. Each firewall appliance runs on a manually configured highly available Amazon EC2 instance. A transit gateway connects the VPC from the centralized networking account to VPCs of member accounts. Each firewall appliance uses a static private IP address that is then used to route traffic from the member accounts to the internet.

During a recent incident, a badly configured script initiated the termination of both firewall appliances. During the rebuild of the firewall appliances, the company wrote a new script to configure the firewall appliances at startup.

The company wants to modernize the deployment of the firewall appliances. The firewall appliances need the ability to scale horizontally to handle increased traffic when the network expands. The company must continue to use the firewall appliances to comply with company policy. The provider of the firewall appliances has confirmed that the latest version of the firewall code will work with all AWS services.

Which combination of steps should the solutions architect recommend to meet these requirements MOST cost-effectively? (Choose three.)

    Correct Answer: A, C, E

    A Gateway Load Balancer (GWLB) deployed in the centralized networking account is the managed way to front a fleet of third-party inspection appliances: it spreads flows across the appliances, keeps both directions of a flow on the same appliance, and hands packets to the appliances encapsulated in GENEVE (UDP 6081). That is why the vendor's confirmation that the current firewall code works with all AWS services matters, and why a Network Load Balancer, which does not speak GENEVE, is not a substitute. An Auto Scaling group with a launch template that passes the new startup script as user data gives the appliances horizontal scaling and self-healing: an instance that fails the GWLB target-group health check, or that is terminated as in the incident, is replaced automatically instead of being rebuilt by hand. Finally, creating Gateway Load Balancer endpoints (PrivateLink endpoints against the GWLB's endpoint service, whose allowed principals should be limited to the member accounts) in each member account and updating the member route tables to point at those endpoints steers member traffic through the appliances, so routing no longer depends on the static private IP of a single appliance and the company policy of inspecting all traffic is maintained.
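As an added illustration, not part of the original exam page or its answer, the A/C/E design expressed in Terraform for the AWS provider. It assumes the default provider is the centralized networking account and a provider alias aws.member is one member account, that the startup script written after the incident is saved as configure-firewall.sh next to the configuration, that the appliance exposes a TCP management port 8443 for health checks, and placeholder variable names for the VPC, subnet, route-table, AMI and security-group IDs; the region and instance size are likewise assumptions, not values from the question.

```hcl
# Added example, not from the exam page. Region, instance size, health-check port and
# every variable name below are assumptions; fill them in from the real accounts.
provider "aws" {
  alias  = "member"                    # one member account; the default provider is the central account
  region = "us-east-1"
}

variable "central_vpc_id" {}
variable "central_fw_subnet_ids" { type = list(string) }   # appliance subnets, one per AZ
variable "firewall_ami_id" {}
variable "firewall_sg_id" {}
variable "member_account_id" {}
variable "member_vpc_id" {}
variable "member_endpoint_subnet_id" {}
variable "member_route_table_id" {}

# A: Gateway Load Balancer in the central account. A GWLB only accepts GENEVE
# target groups and delivers packets to the appliances encapsulated on UDP 6081.
resource "aws_lb" "firewall" {
  load_balancer_type = "gateway"
  subnets            = var.central_fw_subnet_ids
}

resource "aws_lb_target_group" "firewall" {
  port     = 6081
  protocol = "GENEVE"
  vpc_id   = var.central_vpc_id
  health_check {                       # GENEVE itself is not probeable; use a
    protocol = "TCP"                   # management port the appliance exposes (assumed)
    port     = "8443"
  }
}

resource "aws_lb_listener" "firewall" {
  load_balancer_arn = aws_lb.firewall.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.firewall.arn
  }
}

# Publish the GWLB as a PrivateLink endpoint service; allow-list the member account, not "*".
resource "aws_vpc_endpoint_service" "firewall" {
  acceptance_required        = false
  gateway_load_balancer_arns = [aws_lb.firewall.arn]
  allowed_principals         = ["arn:aws:iam::${var.member_account_id}:root"]
}

# C: launch template carrying the post-incident startup script as user data (assumed
# saved as configure-firewall.sh) and an ASG that replaces unhealthy or terminated instances.
resource "aws_launch_template" "firewall" {
  name_prefix   = "firewall-"
  image_id      = var.firewall_ami_id
  instance_type = "c6in.large"
  user_data     = base64encode(file("${path.module}/configure-firewall.sh"))
  network_interfaces {
    security_groups = [var.firewall_sg_id]   # must admit UDP 6081 from the GWLB subnets
  }
}

resource "aws_autoscaling_group" "firewall" {
  min_size            = 2                    # at least one appliance in each of two AZs
  max_size            = 6
  vpc_zone_identifier = var.central_fw_subnet_ids
  target_group_arns   = [aws_lb_target_group.firewall.arn]
  health_check_type   = "ELB"
  launch_template {
    id      = aws_launch_template.firewall.id
    version = "$Latest"
  }
}

resource "aws_autoscaling_policy" "firewall" {   # scale out on sustained appliance load
  name                   = "firewall-cpu-target"
  autoscaling_group_name = aws_autoscaling_group.firewall.name
  policy_type            = "TargetTrackingScaling"
  target_tracking_configuration {
    predefined_metric_specification {
      predefined_metric_type = "ASGAverageCPUUtilization"
    }
    target_value = 60
  }
}

# E: Gateway Load Balancer endpoint in the member VPC (repeat per AZ) and a default
# route to it; member routing no longer references an appliance's static IP.
resource "aws_vpc_endpoint" "firewall" {
  provider          = aws.member
  service_name      = aws_vpc_endpoint_service.firewall.service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  vpc_id            = var.member_vpc_id
  subnet_ids        = [var.member_endpoint_subnet_id]
}

resource "aws_route" "member_default" {
  provider               = aws.member
  route_table_id         = var.member_route_table_id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = aws_vpc_endpoint.firewall.id
}
```

Two checks before relying on this: a Gateway Load Balancer endpoint is a per-subnet resource, so a member VPC that spans several AZs needs one endpoint and one routed subnet per AZ (the snippet shows a single AZ), and the endpoint subnet's own route table must still carry the onward default route for inspected traffic (towards the transit gateway in this company's design), otherwise packets returning from the GWLB have nowhere to go.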

Discussion
yog927 Options: ACF

Refer this https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/ The endpoint is created in the centralized account only.

titi_r

No doubt that "A" and "C" are correct. E is a valid config, but it's against any logic: having a TGW and at the same time paying for GWLBEs in each member account's VPC. F: the answer says "Update the route tables in each member account to point to the VPC endpoints." This is NOT possible. The route tables of the member/spoke accounts point to the TGW's ENI (for 0.0.0.0/0) in their own VPC; they cannot point to the (GWLB) VPC endpoints in another VPC. Check the route table of the Spoke1 VPC in the diagram below: Destination: 0.0.0.0/0, Target: tgw-id (NOT vpce-az-a-id): https://d2908q01vomqb2.cloudfront.net/5b384ce32d8cdef02bc3a139d4cac0a22bb029e8/2022/04/14/GWLB_TGW_FIGURE2.jpg - P.S. Whoever wrote this question is incompetent.

blackname Options: ACF

A - Gateway Load Balancer is the LB type used to redirect traffic to traffic-inspection devices like firewalls; this is done via the GENEVE network protocol. (correct)
B - NLB cannot be used; NLB does not support the GENEVE protocol. (incorrect)
C - ASG is the way to go for this scenario; in addition, Auto Scaling policies could be added to add more instances during traffic spikes and remove them when there are none. (correct)
D - Launch Wizard works directly with EC2 and EBS resources; I didn't see any integration with ASG. (incorrect)
E - Works, but it's not cost-effective: VPCEs cost $0.01/hour/AZ each, so if you have a GWLB in multiple AZs you would pay (1 VPCE * number of AZs * number of member accounts). (incorrect - not cost-effective)
F - Since a transit gateway is used, all traffic could be routed to the centralized networking account, and there the 0.0.0.0/0 traffic would go to the GWLB endpoints, so instead of multiple VPC endpoints you would only have 1 VPCE * number of AZs. (correct)

djangoUnchained Options: ACE

Why would you create the VPC endpoint in the centralized account? The goal is to connect the member accounts to the centralized accounts. F is wrong. https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/getting-started.html

matheusrdo

All the accounts are already connected and forwarding traffic to the centralized account. In that case you only need to create an endpoint in the central VPC.

trungtd Options: ACF

Having multiple VPC endpoints will make the connection unscalable.

7f6aef3 Options: ACE

VPC endpoint service in the central account, VPC endpoint in the member account. F is wrong.

pangchn Options: ACE

ACE. VPC endpoint service in the central account, VPC endpoint in the member account.

AWSPro1234 Options: ACF

I am thinking between E and F; E is not cost-efficient, but F is.

Dgix Options: ACF

For cost efficiency, ACF.

CMMC Options: ACF

aligned

grandcanyon Options: ACE

https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-gateway-load-balancer.html

Zas1 Options: ACE

F is discarded because of the route update. See titi_r's explanation.

2aa610e Options: ACE

The Gateway Load Balancer endpoint needs to be in the spoke VPC. https://aws.amazon.com/blogs/networking-and-content-delivery/scaling-network-traffic-inspection-using-aws-gateway-load-balancer/

leliodesouza Options: BCE

Why B might also be considered: B. Deploy a Network Load Balancer in the centralized networking account: This would distribute incoming traffic across multiple instances of the firewall appliances deployed in the centralized networking account, providing scalability and high availability. Using AWS PrivateLink for endpoint services ensures that communication between member accounts and the centralized networking account remains within the AWS network, enhancing security and performance. However, this option may not be as cost-effective as option C alone because it involves additional costs associated with deploying and managing a Network Load Balancer. But it could be considered if high availability and scalability are prioritized over cost-effectiveness.

vip2 Options: ACE

The main discussion about E and F combines the member VPC, centralized networking, the endpoint service and the VPC endpoint. According to the statement and answers A and C, the transit gateway is attached to the member VPC and the firewall is in the centralized VPC, which already has an endpoint service in PrivateLink. So there MUST be a VPC endpoint in the member account, not in the centralized one. Another important point is "Each firewall appliance uses a static private IP address that is then used to route traffic from the member accounts to the internet", which prevents using one IP from the transit gateway as the endpoint.

Spavanko Options: BCE

More logical

adelynllllllllll

ACE. E pairs up with the endpoint service in A.