AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 164
You are configuring a VPN to AWS for your company. You have configured the VGW and CGW. You have created the VPN. You have also run the necessary commands on your router. You allowed all TCP and UDP traffic between your datacenter and your VPC. The tunnel still doesn't come up. What is the most likely reason?
Answer options
- A. You forgot to turn on route propagation in the route table.
- B. You do not have a public ASN.
- C. Your advertised subnet is too large.
- D. You haven't added protocol 50 to your firewall.
Correct answer: D
Explanation
The correct answer is D. IPsec negotiation (IKE) runs over UDP, but the encrypted tunnel traffic itself is ESP, which is IP protocol 50, neither TCP nor UDP. A firewall rule that permits all TCP and UDP therefore still drops ESP, and the tunnel never comes up. Options A, B, and C concern route propagation, ASN choice, and advertised prefix size; they can affect routing once the tunnel is up, but they do not prevent the tunnel from being established the way a blocked protocol does.
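To make the point concrete, here is an added example (not part of the exam page) that evaluates a simplified, constructed stateless firewall policy against the flows an IPsec tunnel needs; the rule and flow types are assumptions for illustration, while the protocol numbers are the IANA values.

```python
from dataclasses import dataclass
from typing import List, Optional

# IANA-assigned IP protocol numbers.
TCP, UDP, ESP = 6, 17, 50


@dataclass(frozen=True)
class Rule:
    proto: Optional[int]   # None = any IP protocol
    port: Optional[int]    # None = any port (ESP has no ports at all)
    action: str            # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    name: str
    proto: int
    port: Optional[int]


# Flows the CGW needs toward the VGW endpoints. IKE and NAT-T ride on UDP,
# but ESP is its own IP protocol, so "all TCP and UDP" says nothing about it.
IPSEC_FLOWS = (
    Flow("IKE", UDP, 500),
    Flow("IKE NAT-T", UDP, 4500),
    Flow("ESP", ESP, None),
)


def first_match(rules: List[Rule], flow: Flow) -> str:
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if r.proto is not None and r.proto != flow.proto:
            continue
        if r.port is not None and r.port != flow.port:
            continue
        return r.action
    return "deny"


def missing_ipsec_flows(rules: List[Rule]) -> List[str]:
    """Names of the required flows this policy would drop."""
    return [f.name for f in IPSEC_FLOWS if first_match(rules, f) != "allow"]


# Constructed policy from the question: all TCP and all UDP allowed.
TCP_UDP_ONLY = [Rule(TCP, None, "allow"), Rule(UDP, None, "allow")]
# Corrected policy: an explicit rule for IP protocol 50 (ESP).
WITH_ESP = TCP_UDP_ONLY + [Rule(ESP, None, "allow")]

if __name__ == "__main__":
    print("missing:", missing_ipsec_flows(TCP_UDP_ONLY))  # ['ESP']
    print("missing:", missing_ipsec_flows(WITH_ESP))      # []
```

The same check applies to a VPC network ACL or an on-premises filter: the protocol field must be 50, not a TCP/UDP port.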