AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 78
A company has recently established an AWS Direct Connect connection from its on-premises data center to AWS. A Network Engineer has blocked all traffic destined for Amazon S3 over the company's gateway to the internet from its on-premises firewall. S3 traffic should only traverse the Direct Connect connection.
Currently, no one in the on-premises data center can access Amazon S3.
Which solution will resolve this connectivity issue?
Answer options
- A. Configure a private virtual interface on the Direct Connect connection. Update the on-premises routing tables to choose Direct Connect as the preferred next hop for traffic destined for Amazon S3.
- B. Establish an S3 VPC endpoint for the company's Amazon VPC. Configure a private virtual interface on the Direct Connect connection. Update the on-premises routing tables to choose Direct Connect as the preferred next hop.
- C. Configure a public virtual interface on the Direct Connect connection. Update the on-premises routing tables to choose Direct Connect as the preferred next hop for traffic destined for Amazon S3.
- D. Configure a public virtual interface on the Direct Connect connection. Establish an AWS managed VPN over the connection. Update the on-premises routing tables to choose the VPN connection as the preferred next hop.
Correct answer: C
Explanation
The correct answer is C. Amazon S3 is reached through its public endpoints, and the only Direct Connect virtual interface that carries traffic to AWS public IP addresses is a public virtual interface: over its BGP session AWS advertises its public prefixes, including the S3 ranges, so once the on-premises routers prefer those routes via Direct Connect, S3 traffic leaves the internet path entirely, which is exactly the policy the firewall now enforces.

Option A is wrong because a private virtual interface reaches only the VPC(s) behind the virtual private gateway or Direct Connect gateway; it neither receives nor can route to S3's public prefixes. Option B adds a gateway VPC endpoint for S3, but a gateway endpoint is a route-table target for resources inside the VPC and is not reachable from on-premises networks over Direct Connect or VPN, so it changes nothing for the data center. (An interface endpoint for S3, powered by AWS PrivateLink, can be reached from on-premises over a private virtual interface, but that is a different design with its own DNS requirements and is not what option B describes.) Option D terminates an AWS managed VPN on the virtual private gateway, which again only provides access to the VPC; the public virtual interface it would run over already solves the problem on its own, so the VPN adds overhead without adding reachability.

One caveat for the practitioner: with the internet path blocked, S3 availability from the data center now depends entirely on the Direct Connect connection, so the routers should be verified to have learned every S3 prefix for the regions in use before the firewall rule goes live, and a second connection (or a backup VPN for the VPC, not for S3) should be considered for resilience.
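The check described above, as an added example that is not part of the exam question or of any AWS tooling: it compares the S3 prefixes AWS publishes for a region in ip-ranges.json against the routes the on-premises edge router has learned from the AWS peer on the public virtual interface, and reports any S3 prefix that no learned route covers. Both inputs are constructed for the example: the JSON is a trimmed document in the same shape as the real https://ip-ranges.amazonaws.com/ip-ranges.json with placeholder prefixes, and the received-routes table is a hypothetical router output with a TEST-NET peer address.

```python
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The prefixes are placeholders for this example, not current AWS ranges.
IP_RANGES_JSON = """
{
  "syncToken": "0",
  "createDate": "2024-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "52.216.0.0/15", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
    {"ip_prefix": "3.5.0.0/19", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
    {"ip_prefix": "18.34.0.0/19", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
    {"ip_prefix": "52.92.16.0/20", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2"},
    {"ip_prefix": "54.230.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"}
  ]
}
"""

# Constructed: routes the on-premises edge router learned from the AWS peer
# on the public VIF BGP session (hypothetical peer address and output format).
DX_RECEIVED_ROUTES = """
   Network          Next Hop       Path
*> 52.216.0.0/15    203.0.113.1    7224 i
*> 3.5.0.0/16       203.0.113.1    7224 i
*> 52.92.16.0/20    203.0.113.1    7224 i
"""


def s3_prefixes(ip_ranges_json, region):
    """Return the IPv4 S3 prefixes ip-ranges.json lists for one region."""
    doc = json.loads(ip_ranges_json)
    return [
        ipaddress.ip_network(p["ip_prefix"])
        for p in doc["prefixes"]
        if p["service"] == "S3" and p["region"] == region
    ]


def learned_routes(table):
    """Pull the prefixes out of a received-routes table, ignoring decoration.

    Only tokens that contain '/' and parse as a network are kept, so the
    header line, best-path markers and next-hop addresses are skipped.
    """
    routes = []
    for line in table.splitlines():
        for token in line.split():
            if "/" not in token:
                continue
            try:
                routes.append(ipaddress.ip_network(token, strict=False))
            except ValueError:
                continue
    return routes


def uncovered_s3_prefixes(ip_ranges_json, table, region):
    """S3 prefixes for `region` that no route learned over the public VIF covers.

    A learned route covers a published prefix when the prefix is equal to or
    more specific than the route. Anything returned here would still follow
    the default route to the internet gateway, where the firewall drops it.
    """
    routes = learned_routes(table)
    missing = []
    for prefix in s3_prefixes(ip_ranges_json, region):
        covered = any(
            r.version == prefix.version and prefix.subnet_of(r) for r in routes
        )
        if not covered:
            missing.append(str(prefix))
    return missing


if __name__ == "__main__":
    for region in ("us-east-1", "us-west-2"):
        gaps = uncovered_s3_prefixes(IP_RANGES_JSON, DX_RECEIVED_ROUTES, region)
        print(f"{region}: {'OK' if not gaps else 'MISSING ' + ', '.join(gaps)}")
```

In the constructed data the AWS peer advertises 3.5.0.0/16, which covers the published 3.5.0.0/19, but nothing covers 18.34.0.0/19, so us-east-1 is reported as incomplete while us-west-2 passes. Against a real router, paste the output of the platform's received-routes command for the public VIF neighbour; the parser keys only on tokens containing a slash, so column layout differences do not matter. The same published prefix list is also what the on-premises firewall's S3 block rule should be built from, so the two stay consistent.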