AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 211

Your company has installed an AWS Direct Connect connection in an ap-southeast-1 Direct Connect location. A public virtual interface is configured through a router to a dedicated firewall. You advertise your company's public /24 CIDR block to AWS with AS 65500. The company maintains a separate, corporate Internet firewall to map all outbound traffic to a single IP. This firewall maintains a BGP relationship with an upstream Internet provider that has delegated the public IP block your company uses. When the BGP session for the public virtual interface is up, corporate network users cannot access Amazon S3 resources in the ap-southeast-1 region.
Which step should you take to provide concurrent AWS and Internet access?

Answer options

Correct answer: D

Explanation

The correct answer is D. The failure is an asymmetric-routing problem. Once the public virtual interface is up, AWS learns the company's /24 over Direct Connect as well as from the Internet, and for the same prefix AWS prefers the Direct Connect path. Corporate users still leave through the corporate Internet firewall, which translates their traffic to its single public address inside that /24; S3's replies to that address are therefore sent back over Direct Connect to the dedicated firewall, which holds no NAT state for the flow and drops it, while the corporate firewall never sees the return packets. NATing the AWS-bound traffic on the Direct Connect side fixes this: traffic destined for AWS is translated to the public address used on the virtual interface, so both directions of each flow traverse the Direct Connect firewall, and ordinary Internet traffic keeps flowing through the corporate Internet firewall as before. The other options either do not provide concurrent AWS and Internet access or advertise routes that do not address the mismatch between the path the traffic leaves on and the path AWS uses to return it.
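The following model, added here as an illustration and not part of the original question or of AWS documentation, reproduces the three states described above: Direct Connect down, the public VIF up with no change (S3 unreachable), and the VIF up with AWS-bound traffic NATed to the VIF address. All addresses are constructed RFC 5737 documentation values, and the route-selection rule (longest prefix, then Direct Connect preferred over Internet for the same prefix) is simplified to the part that matters for this question.

```python
"""Toy model of the asymmetric-routing failure behind ANS-C00 question 211.

Constructed example: addresses, prefixes and firewall names are assumptions,
not values from the question or from any real network.
"""
import ipaddress

COMPANY_BLOCK = ipaddress.ip_network("203.0.113.0/24")  # the advertised public /24
CORP_FW_NAT_IP = ipaddress.ip_address("203.0.113.10")   # corporate Internet firewall's single outbound NAT address
DX_FW_VIF_IP = ipaddress.ip_address("203.0.113.250")    # address the Direct Connect firewall uses on the public VIF
S3_PREFIX = ipaddress.ip_network("198.51.100.0/24")     # stand-in for an Amazon S3 prefix in ap-southeast-1
S3_HOST = ipaddress.ip_address("198.51.100.7")
OTHER_SITE = ipaddress.ip_address("192.0.2.44")         # an ordinary Internet host, not in AWS
CLIENT = ipaddress.ip_address("10.1.2.3")               # a corporate user behind the firewalls

DX, INTERNET = "direct_connect", "internet"
CORP_FW, DX_FW = "corp_internet_fw", "dx_fw"


class Firewall:
    """A stateful NAT device: it only accepts replies for translations it created."""

    def __init__(self, name, nat_ip):
        self.name = name
        self.nat_ip = nat_ip
        self.state = set()

    def egress(self, dst):
        """SNAT an outbound flow to this firewall's public address and remember it."""
        self.state.add((self.nat_ip, dst))
        return self.nat_ip

    def accepts_reply(self, reply_dst, reply_src):
        """A reply is delivered only if this firewall holds the matching NAT state."""
        return (reply_dst, reply_src) in self.state


def aws_return_path(rib, dst):
    """AWS picks the longest matching prefix; on a tie a Direct Connect route beats an Internet route.

    rib entries are (prefix, how_learned, firewall_at_far_end).
    """
    matches = [r for r in rib if dst in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, r[1] == DX))[2]


def simulate(dst, vif_up, nat_aws_bound_on_dx_fw):
    """Return True if a corporate user's flow to dst completes, False if the reply is lost."""
    firewalls = {CORP_FW: Firewall(CORP_FW, CORP_FW_NAT_IP), DX_FW: Firewall(DX_FW, DX_FW_VIF_IP)}

    # What AWS knows about the company's /24: always the Internet route via the upstream provider,
    # plus the Direct Connect route once the public VIF's BGP session is up.
    rib = [(COMPANY_BLOCK, INTERNET, CORP_FW)]
    if vif_up:
        rib.append((COMPANY_BLOCK, DX, DX_FW))

    # Egress choice: with the fix, only AWS-bound traffic is steered to the DX firewall and
    # NATed to the VIF address; everything else keeps using the corporate Internet firewall.
    egress = firewalls[DX_FW] if (nat_aws_bound_on_dx_fw and dst in S3_PREFIX) else firewalls[CORP_FW]
    public_src = egress.egress(dst)

    # Return path: AWS destinations consult the AWS RIB; a non-AWS host's reply simply follows
    # the upstream provider's route for the /24, which lands on the corporate Internet firewall.
    reply_fw = aws_return_path(rib, public_src) if dst in S3_PREFIX else CORP_FW
    return firewalls[reply_fw].accepts_reply(public_src, dst)


def scenarios():
    """The three states from the question plus a check that Internet access survives the fix."""
    return {
        "vif down, S3": simulate(S3_HOST, vif_up=False, nat_aws_bound_on_dx_fw=False),
        "vif up, no NAT change, S3": simulate(S3_HOST, vif_up=True, nat_aws_bound_on_dx_fw=False),
        "vif up, NAT AWS-bound on DX fw, S3": simulate(S3_HOST, vif_up=True, nat_aws_bound_on_dx_fw=True),
        "vif up, NAT AWS-bound on DX fw, Internet": simulate(OTHER_SITE, vif_up=True, nat_aws_bound_on_dx_fw=True),
    }


if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{label:45s} {'reachable' if ok else 'FAILS (reply lands on the wrong firewall)'}")
```

The second scenario is the one in the question: the flow leaves via the corporate Internet firewall, but AWS returns it over Direct Connect to a firewall with no state for it. The third scenario is option D; the fourth shows that non-AWS traffic is unaffected by the change, which is what "concurrent AWS and Internet access" requires.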