AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 377
A company has an AWS Direct Connect connection between its on-premises data center and Amazon VPC. An application running on an Amazon EC2 instance in the VPC needs to access confidential data stored in the on-premises data center with consistent performance. For compliance purposes, data encryption is required.
What should the network engineer do to meet these requirements?
Answer options
- A. Configure a public virtual interface on the Direct Connect connection. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.
- B. Configure a private virtual interface on the Direct Connect connection. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.
- C. Configure an internet gateway in the VPC. Set up a software VPN between the customer gateway and an EC2 instance in the VPC.
- D. Configure an internet gateway in the VPC. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.
Correct answer: A
Explanation
To achieve both consistent performance and data encryption, an IPsec VPN must be established over the AWS Direct Connect connection. A Site-to-Site VPN terminates on the virtual private gateway's public VPN endpoints, so configuring a public virtual interface (VIF) lets the tunnel reach those endpoints over the dedicated Direct Connect path rather than the public internet. Options C and D are incorrect because they route traffic over the public internet via an internet gateway, which cannot guarantee consistent performance. Option B is incorrect because a standard Site-to-Site VPN cannot terminate on a VGW over a private VIF, since the VGW's VPN endpoints are not reachable through a private VIF.