Examice

Exam ANS-C01 All QuestionsBrowse all questions from this exam

Question 173

A network engineer needs to improve the network security of an existing AWS environment by adding an AWS Network Firewall firewall to control internet-bound traffic. The AWS environment consists of five VPCs. Each VPC has an internet gateway, NAT gateways, public Application Load Balancers (ALBs), and Amazon EC2 instances. The EC2 instances are deployed in private subnets. The architecture is deployed across two Availability Zones.

The network engineer must be able to configure rules for the public IP addresses in the environment, regardless of the direction of traffic. The network engineer must add the firewall by implementing a solution that minimizes changes to the existing production environment. The solution also must ensure high availability.

Which combination of steps should the network engineer take to meet these requirements? (Choose two.)

Create a centralized inspection VPC with subnets in two Availability Zones. Deploy Network Firewall in this inspection VPC with an endpoint in each Availability Zone.

Configure new subnets in two Availability Zones in each VPC. Deploy Network Firewall in each VPC with an endpoint in each Availability Zone.

Deploy Network Firewall in each VPUse existing subnets in each of the two Availability Zones to deploy Network Firewall endpoints.

Update the route tables that are associated with the private subnets that host the EC2 instances. Add routes to the Network Firewall endpoints.

Update the route tables that are associated with the public subnets that host the NAT gateways and the ALBs. Add routes to the Network Firewall endpoints.

Correct Answer: A, E

To fulfill the requirements, we should implement a solution that minimizes changes to the existing environment and ensures high availability. Creating a centralized inspection VPC with subnets in two Availability Zones and deploying Network Firewall in this inspection VPC with an endpoint in each Availability Zone provides a high-availability solution and centralizes management, reducing complexity and changes in existing VPCs. Updating the route tables associated with the public subnets that host the NAT gateways and ALBs will ensure that internet-bound traffic flows through the Network Firewall, allowing the network engineer to configure rules for the public IP addresses regardless of the traffic direction. This setup covers inspection of traffic contributing to robust security without significant alterations to the current setup.

Discussion

backspace0900Options: BE

BE New Firewall subnet Public subnet Routetable change

daemon101

B would create 10 subnets with 10 network firewall and wouldn’t meet the requirement of minimizing changes to the existing production. I would go for A and E instead.

JoellaLi

But there is no Transit Gateway now. For centralized deployment model, AWS Transit Gateway is a prerequisite. AWS Transit Gateway acts as a network hub and simplifies the connectivity between VPCs as well as on-premises networks. AWS Transit Gateway also provides inter-region peering capabilities to other Transit Gateways to establish a global network using AWS backbone. Another key characteristic of the centralized deployment is a dedicated inspection VPC. Inspection VPC consists of two subnets in each AZs. One subnet is a dedicated firewall endpoint subnet and second is dedicated to AWS Transit Gateway attachment.

JoellaLi

I choose C and E.

JoellaLi

Change to A D

cerifyme85Options: BE

It is not a centralised setup. It is a distributed setup. Five seperate VPCs Each VPC : ALB + NAT + EC2 Question says architecture should not be changed. So just deploy ANF endpoints in a sep subnet in each AZ. https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/#:~:text=AWS%C2%A0Network%C2%A0Firewall%20is%20deployed%20to%20protect%20traffic%20between%20a%20workload%20public%20subnet%20and%20IGW Also question is concenred about about inbound traffic so E To use centralised we need a TGW

xTrayusxOptions: AE

'The network engineer must add the firewall by implementing a solution that minimizes changes to the existing production environment'

Blitz1Options: BE

It took me some time to understand the infra and what is requested. It's indeed about decentralized env because you need transit gateway for centralized one. Plus it is saying that each vpc is completely independent and we need to provide a " solution that minimizes changes". OK , so we have B until now. But were we put the routes: in private subnet or in public subnet. Here is comes the trick saying that we have ALB. So we will put route in public subnet to protect also ALB. So we have E. please read carefully: https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/

acloudguruOptions: AE

The combination of these two steps meets the requirements of adding an AWS Network Firewall firewall to control internet-bound traffic, minimizing changes to the existing production environment, ensuring high availability, and allowing the configuration of rules for public IP addresses in both directions. Options B and C involve deploying Network Firewall in each VPC, which may not be necessary and could lead to increased complexity and management overhead. Option D alone is not sufficient, as it only covers traffic from the private EC2 instances but not the public ALBs.

Sailor

to choose A, you need connectivity between the new inspection VPC and the VPC either by VPC peering or transit gateway (both are not mentioned ) , so the only way to direct traffic to the network firewall is new subnet

[Removed]

I believe AE is correct, because: E is correct as we need to inspect internet-bound traffic. E already includes that we need to update route tables. With this given, A a centralized approach would make more sense than (again) updating the production environment by adding new subnets there (option B). So AE for me

cerifyme85Options: AD

Ans is AD

Sailor

D talks about private subnets and the question says: The network engineer must be able to configure rules for the public IP addresses in the environment, regardless of the direction of traffic., so it is A, E

JoellaLiOptions: AD

The Network Firewall acts as a "filter" for traffic between the subnets and locations outside the VPC. To enable this filtering, route tables need to be modified so traffic passes through the firewall endpoints. Private subnets contain the EC2 instances, so their route tables should be updated to send outbound traffic to the firewall. The firewall then allows or denies the traffic before sending it to its final destination like internet gateway or NAT gateway. Route tables for public subnets hosting NAT/ALB do not need changes as instances are not present there. Traffic originating from private subnets is what needs inspection.

JoellaLi

Filter traffic going to and from the EC2 instances in the private subnets. This will ensure traffic from the instances is directed through the Network Firewall endpoints before reaching its destination (such as the internet gateway or NAT gateway).]