Exam ANS-C01 All QuestionsBrowse all questions from this exam
Go to Exam
Question 181

A company has started using AWS Cloud WAN with one edge location in the us-east-1 Region. The company has a production segment and a security segment in AWS Cloud WAN. The company also has a default core network policy.

The company has created a production VPC for the production workload. The company has created an outbound inspection VPC to inspect internet-bound traffic from the production VPC. The company has attached the production VPC to the production segment and has attached the outbound inspection VPC to the security segment. The company has also created an AWS Network Firewall firewall in the outbound inspection VPC to inspect internet-based traffic.

The company has updated a route table for the production VPC to send all internet-bound traffic to the AWS Cloud WAN core network. The company has updated a route table for the outbound inspection VPC to ensure that Network Firewall inspects any outgoing traffic and incoming traffic.

During testing, an Amazon EC2 instance in the production VPC cannot reach the internet. The company checks the Network Firewall rules and confirms that the rules are not blocking the traffic.

Which combination of steps will meet these requirements? (Choose two.)

    Correct Answer: A, C

    To enable the inspection of internet-bound traffic from the production VPC, updating the core network policy to configure segment sharing and sharing the production segment with the security segment is essential. This action allows the inspected traffic to be appropriately routed between these segments. Additionally, creating a static route for the production segment that specifies 0.0.0.0/0 as the destination CIDR block and the outbound inspection VPC as an attachment ensures all internet-bound traffic is directed to the Network Firewall in the outbound inspection VPC for inspection.

Discussion
973b658Options: AC

A&C is OK.

Blitz1Options: AC

A. When traffic is returning from internet to inspection segment a route is needed to pass the traffic to correct segment. https://docs.aws.amazon.com/network-manager/latest/cloudwan/cloudwan-policy-network-actions-routes.html C. is pushing all the traffic (internet) to outbound inspection

Stants

Option C: Update the core network policy to create a static route for the production segment. Specify 0.0.0.0/0 as the destination CIDR block. Specify the outbound inspection VPC as an attachment. Explanation: By creating a static route for the production segment with a destination of 0.0.0.0/0 (which covers all internet-bound traffic), and attaching it to the outbound inspection VPC, you ensure that traffic from the production VPC is directed to the Network Firewall in the outbound inspection VPC. Option D: Update the core network policy to create a static route for the production segment. Specify 10.2.0.0/16 as the destination CIDR block. Specify the outbound inspection VPC as an attachment. Explanation: Creating a static route for the production segment with a specific destination CIDR block (10.2.0.0/16) ensures that traffic from the production VPC is routed to the outbound inspection VPC.