ANS-C01 Exam - Question 28


A software company offers a software-as-a-service (SaaS) accounting application that is hosted in the AWS Cloud. The application requires connectivity to the company's on-premises network. The company has two redundant 10 GB AWS Direct Connect connections between AWS and its on-premises network to accommodate the growing demand for the application.

The company already has encryption between its on-premises network and the colocation. The company needs to encrypt traffic between AWS and the edge routers in the colocation within the next few months. The company must maintain its current bandwidth.

What should a network engineer do to meet these requirements with the LEAST operational overhead?

Correct Answer: C

To encrypt the traffic between AWS and the edge routers in the colocation while maintaining the current bandwidth and minimizing operational overhead, deploying a new pair of 10 GB Direct Connect connections with MACsec is the most effective solution. MACsec provides the required encryption for the data traffic and works at the link layer, which ensures high-speed encryption without introducing significant latency or bandwidth limitations associated with other solutions such as VPNs. Once the new connections are in place and configured, traffic can be rerouted, and the old Direct Connect connections can be decommissioned, streamlining the process.

Discussion

15 comments
linuxek21
Apr 2, 2023

Correct answer is C. B - you need a public VIF for VPN to VGW, only TGW VPNs can be used with a private VIF. Also, they are supposed to maintain current bandwidth. VPN limits their connection to 1.25Gbps. Additional Notes: I am not a big fan of answer C as it assumes the edge router supports MACsec.

kaush4u
Jul 11, 2023

MACsec does not encrypt AWS to colocation, hence B

Josh1217
Jul 12, 2023

Site-to-Site VPN will not satisfy 'Maintain current Bandwidth'. Hence B is incorrect.

A_A_AB
Jul 20, 2023

You mean C, right? B talks about VPC which doesn't satisfy the bandwidth requirement.

AWS_Exam_Enjoyer
Oct 7, 2023

B states that it will create the vif on-premise not colloc so B is incorrect. C on the other hand says "edge router" and edge router is on the Colloc as well. It's tricky but if you read thru you'll understand more

Akshay0403
Jul 1, 2024

We are talking about LEAST operational overhead so we cannot use Site to Site VPN here.

flowers00
Mar 19, 2023

C - correct.

ITgeek
Mar 29, 2023

Why do you think deploying new direct connections would be easier, given the time constraint? The connections are already in place.

ITgeek (Option: B)
Mar 29, 2023

This option suggests creating a virtual private gateway and deploying new AWS Site-to-Site VPN connections from on premises to the virtual private gateway. Then, rerouting traffic from the Direct Connect private VIF to the new VPNs. This option requires less operational overhead than option A because it does not require creating a new VIF, but it does require configuring a new VPN connection. This option would also meet the requirement of maintaining the current bandwidth. Please explain your answer of why C?

zaazanuna
Mar 30, 2023

Q: What throughput can I get with Private IP VPN? A: Just like regular Site-to-site VPN connections, each private IP VPN connection supports 1.25Gbps of bandwidth. You can use ECMP (Equal Cost Multi-path) across multiple private IP VPN connections to increase effective bandwidth. As an example, to send 10Gbps of DX traffic over a private IP VPN, you can use 4 private IP VPN connections (4 connections x 2 tunnels x 1.25Gbps bandwidth) with ECMP between a pair of Transit gateway and Customer gateway.

albertkr
May 9, 2023

B only says create "a" VPN tunnel, which means the max bw is only 1.25Gbps

zaazanuna
Mar 18, 2023

C - correct.

Untamables (Option: C)
Apr 5, 2023

C https://docs.aws.amazon.com/directconnect/latest/UserGuide/MACsec.html

sen460
Jul 16, 2023

Correct Answer is C - Refer to extracted piece of text from the link shared - "You can use AWS Direct Connect connections that support MACsec to encrypt your data from your on-premises network or collocated device to your chosen AWS Direct Connect point of presence". Link for Reference - https://aws.amazon.com/directconnect/faqs/

Cheam (Option: C)
Jul 30, 2023

Another tricky question. 1) You cannot create a VPN tunnel via Private VIFs. 2) The company must maintain its current bandwidth. VPN tunnels max throughput is up to 1.25Gbps. Answer is C. All the best.

Mishranihal737
Aug 7, 2023

C is correct, VPN connection will limit the BW to 1.25 GBps

vikasj1in (Option: C)
Feb 15, 2024

MACsec (Media Access Control Security) is a standard for securing Ethernet connections at the link layer. It provides encryption for data traffic between the AWS Direct Connect routers and the edge routers in the colocation facility. In this scenario, deploying a new pair of 10 GB Direct Connect connections with MACsec provides encryption for the traffic between AWS and the colocation without changing the existing bandwidth. Configuring MACsec on the edge routers ensures that the traffic is encrypted over the new Direct Connect connections. Option C is the most appropriate solution as it introduces MACsec on dedicated high-speed Direct Connect connections, ensuring security without the need for additional VPNs or significant operational overhead.

vikasj1in
Feb 18, 2024

Assuming the edge router supports MACsec (which is not mentioned in the question clearly).

Certified101 (Option: C)
Jul 27, 2023

C is correct

habros (Option: C)
Oct 17, 2023

C. Two pairs of DX is solid enough, S2SVPN adds even more redundancy, at 1.25Gbps max per line (way lesser than 10Gbps needed)

marfee
Feb 8, 2024

I think that its correct answer is B.

Marfee400704
Feb 14, 2024

I think that it's correct answer is C according to SPOTO products.

tromyunpak
Mar 24, 2024

C is the correct answer because you need new DX connections to enable MACsec. With MACsec you will have the throughput required. A is wrong since you cannot have a public VIF with encryption. D is wrong since it doesn't make sense to have MACsec and IPsec; also, IPsec throughput is 1.25Gb/s, not 10Gb/s. B is wrong because the throughput is limited by the VPNs, and with VPG, ECMP is not supported, unlike TGW.

Raphaello (Option: C)
Apr 3, 2024

C is the correct answer. MACSec is a L2 encryption, and best solution to maintain the current bandwidth.