
SAP-C02 Exam - Question 470


A company uses AWS Organizations. The company runs two firewall appliances in a centralized networking account. Each firewall appliance runs on a manually configured highly available Amazon EC2 instance. A transit gateway connects the VPC from the centralized networking account to VPCs of member accounts. Each firewall appliance uses a static private IP address that is then used to route traffic from the member accounts to the internet.

During a recent incident, a badly configured script initiated the termination of both firewall appliances. During the rebuild of the firewall appliances, the company wrote a new script to configure the firewall appliances at startup.

The company wants to modernize the deployment of the firewall appliances. The firewall appliances need the ability to scale horizontally to handle increased traffic when the network expands. The company must continue to use the firewall appliances to comply with company policy. The provider of the firewall appliances has confirmed that the latest version of the firewall code will work with all AWS services.

Which combination of steps should the solutions architect recommend to meet these requirements MOST cost-effectively? (Choose three.)

Correct Answer: ACE

To meet the requirements of modernizing the deployment of firewall appliances in a cost-effective manner, first, deploying a Gateway Load Balancer in the centralized networking account is essential. This will provide load balancing and scaling capabilities suitable for handling traffic across the firewall appliances. Second, creating an Auto Scaling group and a launch template that uses the new script as user data will automate the deployment and scaling of the firewall appliances. This approach ensures high availability and horizontal scalability. Finally, creating VPC endpoints in each member account and updating their route tables to point to these VPC endpoints is necessary to ensure that traffic is redirected through the centralized networking account effectively, maintaining compliance with company policy.
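As an added example (not from the exam page or any vendor), the centralized-account pieces of answers A and C as a CloudFormation sketch: the VPC, subnet and AMI IDs, the instance size and the bootstrap script path are placeholders, and the GWLB endpoints themselves are left out because where they go (E or F) is the point the comments dispute.

```yaml
# Added example: A (Gateway Load Balancer) + C (launch template with the startup
# script as user data, plus an Auto Scaling group), centralized networking account.
Parameters:
  VpcId:       { Type: AWS::EC2::VPC::Id }
  SubnetIds:   { Type: List<AWS::EC2::Subnet::Id> }   # one subnet per AZ
  FirewallAmi: { Type: AWS::EC2::Image::Id }
Resources:
  FirewallGwlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties: { Type: gateway, Subnets: !Ref SubnetIds }
  # GWLB target groups must use GENEVE on port 6081; the health check is what
  # lets the ASG replace a dead appliance instead of blackholing traffic
  FirewallTargets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: GENEVE
      Port: 6081
      HealthCheckPort: "22"   # assumption: appliance answers on a TCP port
  GwlbListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref FirewallGwlb
      DefaultActions: [{ Type: forward, TargetGroupArn: !Ref FirewallTargets }]
  # PrivateLink endpoint service that the GWLB endpoints (E or F) attach to
  InspectionService:
    Type: AWS::EC2::VPCEndpointService
    Properties:
      GatewayLoadBalancerArns: [!Ref FirewallGwlb]
      AcceptanceRequired: false
  # C: launch template carrying the startup script, plus the Auto Scaling group
  FirewallTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: !Ref FirewallAmi
        InstanceType: c5n.large        # placeholder size
        UserData:
          Fn::Base64: |
            #!/bin/bash
            # placeholder for the company's own startup configuration script
            /opt/firewall/bootstrap.sh
  FirewallAsg:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      MinSize: "2"
      MaxSize: "6"
      VPCZoneIdentifier: !Ref SubnetIds
      HealthCheckType: ELB
      TargetGroupARNs: [!Ref FirewallTargets]
      LaunchTemplate: { LaunchTemplateId: !Ref FirewallTemplate, Version: !GetAtt FirewallTemplate.LatestVersionNumber }
```

Scaling policies on FirewallAsg (for example on network bytes in) are what give the horizontal scaling the question asks for; a minimum of 2 across AZs is what prevents a repeat of the single-script termination incident taking the whole path down.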

Discussion

17 comments
yog927 (Options: ACF)
Mar 31, 2024

Refer to this: https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/ The endpoint is created in the centralized account only.

titi_r
Apr 25, 2024

No doubt that “A” and “C” are correct. E – it’s a valid config, but it’s against any logic – having a TGW and at the same time paying for GWLBEs in each member account’s VPC. F – The answer says “Update the route tables in each member account to point to the VPC endpoints.” – this is NOT possible. The route tables of the member/spoke accounts point to the TGW’s ENI (for 0.0.0.0/0) in their own VPC; they cannot point to the (GWLB) VPC endpoints in another VPC. Check the route table of the Spoke1 VPC in the diagram below – Destination: 0.0.0.0/0, Target: tgw-id (NOT vpce-az-a-id): https://d2908q01vomqb2.cloudfront.net/5b384ce32d8cdef02bc3a139d4cac0a22bb029e8/2022/04/14/GWLB_TGW_FIGURE2.jpg - P.S. Whoever wrote this question is incompetent.

djangoUnchained (Options: ACE)
Mar 22, 2024

Why would you create the VPC endpoint in the centralized account? The goal is to connect the member accounts to the centralized accounts. F is wrong. https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/getting-started.html

matheusrdo
Apr 8, 2024

All the accounts are already connected and forwarding traffic to the centralized account. In that case you only need to create an endpoint in the central VPC.

blackname (Options: ACF)
May 12, 2024

A - Gateway Load Balancer is the LB type used to redirect traffic to traffic inspection devices like firewalls; this is done via the GENEVE network protocol. (correct)
B - NLB could not be used; NLB does not support the GENEVE protocol. (incorrect)
C - ASG is the way to go for this scenario; in addition, Auto Scaling policies could be added to add more instances during traffic spikes and reduce them when there are no traffic spikes. (correct)
D - Launch Wizard works directly with EC2 and EBS resources; I didn't see any integration with ASG. (incorrect)
E - Works but it's not cost effective; VPCEs have a price of 0.01$/hour/az each, so if you have GWLB in multi-AZ you would pay (1 VPCE * number of AZs * number of member accounts). (incorrect - not cost effective)
F - Since a transit gateway is used, all traffic could be routed to the centralized networking account, and there 0.0.0.0/0 traffic would go to the GWLB endpoints, so instead of multiple VPC endpoints you would only have 1 VPCE * number of AZs. (correct)

CMMC (Options: ACF)
Mar 19, 2024

aligned

Dgix (Options: ACF)
Mar 20, 2024

For cost efficiency, ACF.

AWSPro1234 (Options: ACF)
Mar 23, 2024

I am thinking between E and F. E is not cost efficient, but F is.

pangchn (Options: ACE)
Mar 25, 2024

ACE. VPC endpoint service in the central account, VPC endpoint in the member account.

7f6aef3 (Options: ACE)
May 7, 2024

VPC endpoint service in the central account, VPC endpoint in the member account. F is wrong.

trungtd (Options: ACF)
Jun 4, 2024

Having multiple VPC endpoints will make the connection unscalable.

leliodesouza (Options: BCE)
Apr 7, 2024

Why B might also be considered: B. Deploy a Network Load Balancer in the centralized networking account: This would distribute incoming traffic across multiple instances of the firewall appliances deployed in the centralized networking account, providing scalability and high availability. Using AWS PrivateLink for endpoint services ensures that communication between member accounts and the centralized networking account remains within the AWS network, enhancing security and performance. However, this option may not be as cost-effective as option C alone because it involves additional costs associated with deploying and managing a Network Load Balancer. But it could be considered if high availability and scalability are prioritized over cost-effectiveness.

2aa610e (Options: ACE)
May 10, 2024

The Gateway Load Balancer endpoint needs to be in the spoke VPC. https://aws.amazon.com/blogs/networking-and-content-delivery/scaling-network-traffic-inspection-using-aws-gateway-load-balancer/

Zas1 (Options: ACE)
May 20, 2024

F is discarded because of the route update. See the explanation by "titi_r".

grandcanyon (Options: ACE)
Jul 2, 2024

https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-gateway-load-balancer.html

adelynllllllllll
Mar 28, 2024

ACE. E pairs up with the endpoint service in A.

Spavanko (Options: BCE)
Apr 23, 2024

More logical

vip2 (Options: ACE)
Jul 21, 2024

The main discussion is about E and F; it combines the member VPC, centralized networking, the endpoint service and the VPC endpoint. According to the statement and answers A and C, the Transit Gateway is in the member VPC and the firewall is in the centralized VPC, which already has an endpoint service in PrivateLink. So there MUST be a VPC endpoint in the member account, not the centralized one. Another important point is 'Each firewall appliance uses a static private IP address that is then used to route traffic from the member accounts to the internet', which prevents using one IP from the Transit Gateway as the endpoint.