Exam SAP-C01
Question 906

A company wants to use a hybrid cloud architecture between an on-premises data center and AWS. The company already has deployed a multi-account structure in AWS Organizations while following the AWS Well-Architected Framework.

Due to strict security requirements, connectivity between the data center and AWS must be encrypted in transit. Only a single entry point into AWS is permitted from the data center. The data center must be able to access all the AWS accounts.

Which solution meets these requirements?

    Correct Answer: A

    To meet the company's strict security requirements for encrypted connectivity between the data center and AWS, an AWS Site-to-Site VPN connection should be used, because it uses IPsec to provide encryption in transit. AWS Transit Gateway provides the single entry point into AWS and routes traffic from the data center to all AWS accounts. VPC peering does not support transitive routing, and AWS Direct Connect alone does not encrypt traffic by default; doing so requires additional configuration, which the option does not mention. Therefore, the appropriate solution is to connect the AWS accounts with AWS Transit Gateway and establish a Site-to-Site VPN connection from the data center.
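    The answer's architecture as an added CloudFormation example (not from the original page or the exam): one Transit Gateway as the single entry point, a Site-to-Site VPN from the data center terminated on it (IPsec, so encrypted in transit), and the gateway shared with the whole organization through AWS RAM so every account can attach its VPCs. The customer gateway IP, the ASNs and the organization ARN are placeholder assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Single encrypted entry point (Transit Gateway plus IPsec VPN) shared org-wide
Parameters:
  OnPremPublicIp:
    Type: String
    Default: 203.0.113.10   # placeholder: public IP of the data center VPN device
  OnPremBgpAsn:
    Type: Number
    Default: 65000          # placeholder: data center BGP ASN
  OrganizationArn:
    Type: String
    Default: "arn:aws:organizations::111122223333:organization/o-EXAMPLE"   # placeholder

Resources:
  # The one Transit Gateway every account attaches to: the single entry point.
  HubTransitGateway:
    Type: AWS::EC2::TransitGateway
    Properties:
      AmazonSideAsn: 64512
      AutoAcceptSharedAttachments: disable   # member-account attachments are accepted explicitly
      DefaultRouteTableAssociation: enable
      DefaultRouteTablePropagation: enable
      VpnEcmpSupport: enable
  # The on-premises VPN device; ipsec.1 is the only supported type.
  DataCenterGateway:
    Type: AWS::EC2::CustomerGateway
    Properties:
      Type: ipsec.1
      BgpAsn: !Ref OnPremBgpAsn
      IpAddress: !Ref OnPremPublicIp
  # Site-to-Site VPN terminated on the TGW (not a per-VPC virtual private gateway),
  # so on-prem traffic to every account rides the same IPsec tunnel pair.
  DataCenterVpn:
    Type: AWS::EC2::VPNConnection
    Properties:
      Type: ipsec.1
      CustomerGatewayId: !Ref DataCenterGateway
      TransitGatewayId: !Ref HubTransitGateway
      StaticRoutesOnly: false   # dynamic routing over BGP
  # Share the TGW with the whole organization so member accounts can create
  # VPC attachments (sharing with AWS Organizations must be enabled in RAM first).
  TransitGatewayShare:
    Type: AWS::RAM::ResourceShare
    Properties:
      Name: org-hub-transit-gateway
      AllowExternalPrincipals: false
      Principals:
        - !Ref OrganizationArn
      ResourceArns:
        - !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:transit-gateway/${HubTransitGateway}"
```

Each member account then creates its own AWS::EC2::TransitGatewayAttachment against the shared gateway and routes its on-premises prefixes to it, while the hub account accepts each attachment.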

Discussion
AwsBRFan

Option: A

A. https://docs.aws.amazon.com/directconnect/latest/UserGuide/encryption-in-transit.html

RVD

Option: A

Encryption in transit is possible with IPsec, not DX.

ToanVN1988

Option: A

A or D, but need to encrypt in transit. Direct Connect not correct. Answer is A.

rajvee

A. 1. For the transit to be encrypted, Site to Site VPN is required i.e. IPSec. 2. For the single point of entry from DC, only Transit GW will work. Because VPC Peering does not allow traffic to transit i.e. https://docs.aws.amazon.com/vpc/latest/peering/invalid-peering-configurations.html

pixepe

Answer - A. Requirement - "connectivity between the data center and AWS must be encrypted in transit" means it's VPN. VPN: "VPN connections use IPsec to establish encrypted network connectivity between your intranet and an Amazon VPC over the public internet." Direct connect: By DEFAULT traffic is unencrypted. Of course, we can encrypt by additional step, but it's NOT mentioned in answer-D. Hence, correct answer is A.

WhyIronMan

Option: A

A) as it needs encryption, and it is not mentioned in D), as Direct Connect uses no encryption by default.

zdlt

Selected Answer: A

Because of transit encryption, a Site-to-Site VPN (using IPsec) should be created instead of Direct Connect, mentioned in D.

Rocketeer

VPN goes through the internet and hence needs encryption. DX is a direct connection from on-prem to AWS. Using HTTPS provided the needed encryption. My answer is D.