AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 332
A company needs to set up a VPN between AWS VPC and its on-premises network. A team creates a VPN connection in the AWS Management Console, downloads the configuration file, and installs it on the on-premises router. The tunnel is not coming up because of firewall restrictions on the router. Which two network traffic options should you allow through the firewall? (Choose two.)
Answer options
- A. UDP port 500
- B. IP protocol 50
- C. IP protocol 5
- D. TCP port 50
- E. TCP port 500
Correct answer: A, B
Explanation
To establish an IPsec VPN tunnel, UDP port 500 must be allowed so that Internet Key Exchange (IKE) can negotiate the security associations. Additionally, Encapsulating Security Payload (ESP) traffic, which is IP protocol 50, must be permitted through the firewall to carry the encrypted payload. The other options are incorrect: IP protocol 5 is not used by IPsec, and standard IPsec does not use TCP for either key exchange or data encapsulation, so TCP ports 50 and 500 are irrelevant.