AWS Certified Advanced Networking - Specialty ANS-C01 Exam Questions

AWS Certified Advanced Networking - Specialty ANS-C01 Exam - Question 173


A network engineer needs to improve the network security of an existing AWS environment by adding an AWS Network Firewall firewall to control internet-bound traffic. The AWS environment consists of five VPCs. Each VPC has an internet gateway, NAT gateways, public Application Load Balancers (ALBs), and Amazon EC2 instances. The EC2 instances are deployed in private subnets. The architecture is deployed across two Availability Zones.

The network engineer must be able to configure rules for the public IP addresses in the environment, regardless of the direction of traffic. The network engineer must add the firewall by implementing a solution that minimizes changes to the existing production environment. The solution also must ensure high availability.

Which combination of steps should the network engineer take to meet these requirements? (Choose two.)

Correct Answer: AE

To meet the requirements, the solution must minimize changes to the existing environment and must be highly available. Creating a centralized inspection VPC with subnets in two Availability Zones, and deploying Network Firewall in that inspection VPC with a firewall endpoint in each Availability Zone, gives a highly available design and centralizes management, which reduces complexity and avoids changes inside the existing VPCs. Updating the route tables associated with the public subnets that host the NAT gateways and ALBs ensures that internet-bound traffic flows through the Network Firewall, so the network engineer can configure rules for the public IP addresses regardless of the direction of traffic. Together these two steps put inspection in the traffic path without significant alterations to the current setup.
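The route-table step is where high availability is won or lost: each route table must point at the firewall endpoint in its own Availability Zone, otherwise an AZ outage silently pulls the other AZ's egress through a dead endpoint. The following is an added example (not part of the exam page or any AWS sample) that plans those default routes from the SyncStates structure returned by describe_firewall; the subnet, route table and endpoint IDs are constructed placeholders, and the optional apply step assumes a boto3 EC2 client whose replace_route accepts VpcEndpointId.

```python
"""Pin each route table's default route to the Network Firewall endpoint
in the same Availability Zone, refusing any cross-AZ fallback."""
from typing import Dict, List, Tuple

# Constructed sample in the shape of
# network-firewall describe_firewall()["FirewallStatus"]["SyncStates"].
SAMPLE_SYNC_STATES = {
    "us-east-1a": {"Attachment": {"SubnetId": "subnet-fw-a",
                                  "EndpointId": "vpce-placeholder-a",
                                  "Status": "READY"}},
    "us-east-1b": {"Attachment": {"SubnetId": "subnet-fw-b",
                                  "EndpointId": "vpce-placeholder-b",
                                  "Status": "READY"}},
}

# Constructed sample: the route tables to update, tagged with the AZ of the
# subnet each one serves (public subnets holding the NAT gateways / ALBs).
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public-a", "AvailabilityZone": "us-east-1a"},
    {"RouteTableId": "rtb-public-b", "AvailabilityZone": "us-east-1b"},
]


def ready_endpoints(sync_states: dict) -> Dict[str, str]:
    """Map AZ -> firewall endpoint id, keeping only endpoints whose
    attachment status is READY (anything else is not safe to route to)."""
    return {az: s["Attachment"]["EndpointId"]
            for az, s in sync_states.items()
            if s.get("Attachment", {}).get("Status") == "READY"}


def plan_default_routes(route_tables: list, sync_states: dict) -> List[Tuple[str, str]]:
    """Return (route_table_id, endpoint_id) pairs, one per route table,
    always matched by AZ. Raise instead of planning a cross-AZ route."""
    endpoints = ready_endpoints(sync_states)
    plan = []
    for rt in route_tables:
        az = rt["AvailabilityZone"]
        if az not in endpoints:
            raise RuntimeError(f"no READY firewall endpoint in {az}; "
                               f"refusing cross-AZ route for {rt['RouteTableId']}")
        plan.append((rt["RouteTableId"], endpoints[az]))
    return plan


def apply_plan(ec2, plan: List[Tuple[str, str]], cidr: str = "0.0.0.0/0") -> None:
    """Optional apply step for a boto3 EC2 client (assumed API; not run offline)."""
    for rtb, vpce in plan:
        ec2.replace_route(RouteTableId=rtb, DestinationCidrBlock=cidr, VpcEndpointId=vpce)
```

In the centralized model the same per-AZ pinning applies to the inspection VPC's own route tables, while the spoke VPCs' public route tables point at whatever carries traffic to the inspection VPC.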

Discussion

11 comments
backspace0900 (Options: BE)
Mar 20, 2024

BE: new firewall subnet, public subnet route table change.

daemon101
Mar 28, 2024

B would create 10 subnets with 10 network firewall and wouldn’t meet the requirement of minimizing changes to the existing production. I would go for A and E instead.

JoellaLi
Mar 29, 2024

But there is no Transit Gateway now. For the centralized deployment model, AWS Transit Gateway is a prerequisite. AWS Transit Gateway acts as a network hub and simplifies the connectivity between VPCs as well as on-premises networks. AWS Transit Gateway also provides inter-region peering capabilities to other Transit Gateways to establish a global network using the AWS backbone. Another key characteristic of the centralized deployment is a dedicated inspection VPC. The inspection VPC consists of two subnets in each AZ. One subnet is a dedicated firewall endpoint subnet and the second is dedicated to the AWS Transit Gateway attachment.

JoellaLi
Mar 29, 2024

I choose C and E.

JoellaLi
Mar 30, 2024

Change to A D

JoellaLi
Mar 30, 2024

Change to A D

xTrayusx (Options: AE)
Apr 1, 2024

'The network engineer must add the firewall by implementing a solution that minimizes changes to the existing production environment'

cerifyme85 (Options: BE)
Apr 25, 2024

It is not a centralised setup. It is a distributed setup. Five separate VPCs, each VPC: ALB + NAT + EC2. The question says the architecture should not be changed. So just deploy ANF endpoints in a separate subnet in each AZ. https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/#:~:text=AWS%C2%A0Network%C2%A0Firewall%20is%20deployed%20to%20protect%20traffic%20between%20a%20workload%20public%20subnet%20and%20IGW Also the question is concerned about inbound traffic, so E. To use centralised we need a TGW.

Spaurito
Nov 2, 2024

The question states minimal changes. The central may seem to be out of line, but it meets the minimal changes to the existing environments and ensures high availability.

Blitz1 (Options: BE)
Jul 16, 2024

It took me some time to understand the infra and what is requested. It's indeed about a decentralized env, because you need a transit gateway for a centralized one. Plus it is saying that each VPC is completely independent and we need to provide a "solution that minimizes changes". OK, so we have B until now. But where do we put the routes: in the private subnet or in the public subnet? Here comes the trick, saying that we have an ALB. So we will put the route in the public subnet to protect the ALB as well. So we have E. Please read carefully: https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/

hughnguyen (Options: AE)
Feb 1, 2025

It's easier to create a single VPC than it is to add 2 subnets to five VPCs.

JoellaLi (Options: AD)
Mar 30, 2024

The Network Firewall acts as a "filter" for traffic between the subnets and locations outside the VPC. To enable this filtering, route tables need to be modified so traffic passes through the firewall endpoints. Private subnets contain the EC2 instances, so their route tables should be updated to send outbound traffic to the firewall. The firewall then allows or denies the traffic before sending it to its final destination like internet gateway or NAT gateway. Route tables for public subnets hosting NAT/ALB do not need changes as instances are not present there. Traffic originating from private subnets is what needs inspection.

JoellaLi
Apr 7, 2024

Filter traffic going to and from the EC2 instances in the private subnets. This will ensure traffic from the instances is directed through the Network Firewall endpoints before reaching its destination (such as the internet gateway or NAT gateway).

cerifyme85 (Options: AD)
Apr 15, 2024

Ans is AD

Sailor
Apr 24, 2024

D talks about private subnets, and the question says: "The network engineer must be able to configure rules for the public IP addresses in the environment, regardless of the direction of traffic." So it is A, E.

[Removed]
Apr 16, 2024

I believe AE is correct, because: E is correct as we need to inspect internet-bound traffic. E already includes that we need to update route tables. With this given, A, a centralized approach, would make more sense than (again) updating the production environment by adding new subnets there (option B). So AE for me.

acloudguru (Options: AE)
Apr 30, 2024

The combination of these two steps meets the requirements of adding an AWS Network Firewall firewall to control internet-bound traffic, minimizing changes to the existing production environment, ensuring high availability, and allowing the configuration of rules for public IP addresses in both directions. Options B and C involve deploying Network Firewall in each VPC, which may not be necessary and could lead to increased complexity and management overhead. Option D alone is not sufficient, as it only covers traffic from the private EC2 instances but not the public ALBs.

Sailor
May 4, 2024

To choose A, you need connectivity between the new inspection VPC and the VPCs, either by VPC peering or transit gateway (neither is mentioned), so the only way to direct traffic to the network firewall is a new subnet.

Spaurito
Nov 2, 2024

Great point on the VPC connectivity. It does not mention if the 5 VPCs are all connected. If they were, "A" would be a definite.

MO_SAM (Options: BE)
Oct 8, 2024

ALL options are valid, BUT you need to look at the requirements, aka the criteria! Which means min changes/interruption to the existing PROD env, so definitely BE.

percolate792 (Options: AE)
Mar 21, 2025

Comparing this to Option A (centralized inspection VPC), which creates a single new VPC without touching the existing VPCs' structure, Option B introduces more changes to the production environment by adding new subnets to each VPC. In terms of "minimizing changes to the existing production environment," Option A (centralized model) would generally be considered less intrusive than Option B (distributed model) because it leaves the structure of the existing VPCs unchanged, it requires only one Network Firewall deployment instead of five, and it centralizes security management rather than distributing it.