AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 111
A company has an AWS environment that includes multiple VPCs that are connected by a transit gateway. The company has decided to use AWS Site-to-Site VPN to establish connectivity between its on-premises network and its AWS environment.
The company does not have a static public IP address for its on-premises network. A network engineer must implement a solution to initiate the VPN connection on the AWS side of the connection for traffic from the AWS environment to the on-premises network.
Which combination of steps should the network engineer take to establish VPN connectivity between the transit gateway and the on-premises network? (Choose three.)
Answer options
- A. Configure the Site-to-Site VPN tunnel options to use Internet Key Exchange version 1 (IKEv1).
- B. Configure the Site-to-Site VPN tunnel options to use Internet Key Exchange version 2 (IKEv2).
- C. Use a private certificate authority (CA) from AWS Private Certificate Authority to create a certificate.
- D. Use a public certificate authority (CA) from AWS Private Certificate Authority to create a certificate.
- E. Create a customer gateway. Specify the current dynamic IP address of the customer gateway device’s external interface.
- F. Create a customer gateway without specifying the IP address of the customer gateway device.
Correct answer: B, C, F
Explanation
Because the on-premises device has no static public IP address, the customer gateway must be created without an IP address (F), and a customer gateway created without an IP address has to authenticate with a certificate rather than a pre-shared key, so a private certificate is issued from AWS Private Certificate Authority (C). That service issues only private certificates, which rules out D. The tunnel options should permit IKEv2 (B): it is the version AWS targets for its newer tunnel options, including AWS-initiated IKE negotiation, and IKEv1 was deprecated by RFC 9395. Option A would leave the tunnel on the deprecated protocol, and E ties the customer gateway to an address that will change the next time the ISP reassigns it. Two practical checks before relying on this design: AWS can only send the first IKE message to an address it knows, so confirm in the current Site-to-Site VPN tunnel-option documentation how the startup action behaves against a customer gateway with no configured IP address; and the on-premises device must hold the issued certificate, its private key, and the private CA chain, or the IKEv2 authentication exchange will fail.
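The three answer steps as AWS CLI calls, written here as an added example that is not part of the exam page or of AWS documentation. Every ARN, ID, ASN and hostname below is a hypothetical placeholder; with DRY_RUN=1 (the default) the script prints the commands instead of calling AWS, so it runs without credentials and shows exactly which arguments each step uses and which it deliberately omits.

```shell
#!/usr/bin/env bash
# Added example (not from the exam page or AWS): private-CA certificate (step C),
# customer gateway without an IP address (step F), IKEv2-only tunnel options with
# AWS-side initiation (step B). All identifiers are hypothetical placeholders.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them with the AWS CLI.
set -eu

DRY_RUN="${DRY_RUN:-1}"
PRIVATE_CA_ARN="${PRIVATE_CA_ARN:-arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/11111111-2222-3333-4444-555555555555}"
TRANSIT_GATEWAY_ID="${TRANSIT_GATEWAY_ID:-tgw-0123456789abcdef0}"
CGW_BGP_ASN="${CGW_BGP_ASN:-65000}"
CGW_CERT_CN="${CGW_CERT_CN:-cgw.vpn.example.internal}"

# Run an AWS CLI command, or just show it (and return a placeholder ID) when DRY_RUN=1.
run_aws() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY RUN: aws %s\n' "$*" >&2
    printf 'placeholder-id\n'
  else
    aws "$@"
  fi
}

# Tunnel options applied to both tunnels: IKEv2 only (no ikev1 entry), AWS starts
# the IKE negotiation (StartupAction=start) and re-dials after a DPD timeout.
tunnel_options_json() {
  t='{"IKEVersions":[{"Value":"ikev2"}],"StartupAction":"start","DPDTimeoutAction":"restart"}'
  printf '{"TunnelOptions":[%s,%s]}\n' "$t" "$t"
}

# Returns 0 only if the options allow IKEv2 and never IKEv1 (guards against distractor A).
options_are_ikev2_only() {
  case "$1" in
    *ikev1*) return 1 ;;
  esac
  case "$1" in
    *'"Value":"ikev2"'*) return 0 ;;
  esac
  return 1
}

# Step C: request a private certificate for the customer gateway device from the
# AWS Private CA through ACM. The device must present this certificate and trust the CA chain.
request_cgw_certificate() {
  run_aws acm request-certificate \
    --domain-name "$CGW_CERT_CN" \
    --certificate-authority-arn "$PRIVATE_CA_ARN" \
    --query CertificateArn --output text
}

# Step F: create the customer gateway with the certificate and WITHOUT --ip-address,
# which is what allows the on-premises endpoint to sit behind a dynamic public IP.
create_customer_gateway() {
  run_aws ec2 create-customer-gateway \
    --type ipsec.1 \
    --bgp-asn "$CGW_BGP_ASN" \
    --certificate-arn "$1" \
    --query CustomerGateway.CustomerGatewayId --output text
}

# Step B: attach the VPN to the transit gateway with the IKEv2-only tunnel options.
create_vpn_connection() {
  run_aws ec2 create-vpn-connection \
    --type ipsec.1 \
    --customer-gateway-id "$1" \
    --transit-gateway-id "$TRANSIT_GATEWAY_ID" \
    --options "$(tunnel_options_json)" \
    --query VpnConnection.VpnConnectionId --output text
}

main() {
  opts="$(tunnel_options_json)"
  options_are_ikev2_only "$opts" || { echo "refusing to create a tunnel that allows IKEv1" >&2; return 1; }
  cert_arn="$(request_cgw_certificate)"
  cgw_id="$(create_customer_gateway "$cert_arn")"
  vpn_id="$(create_vpn_connection "$cgw_id")"
  echo "VPN connection: $vpn_id (customer gateway $cgw_id, certificate $cert_arn)"
}

main
```

Run it with `DRY_RUN=0` and valid credentials to create the resources for real; afterwards, `aws ec2 describe-vpn-connections` on the returned connection ID shows the tunnel options AWS actually applied, and the on-premises device still has to be configured with the certificate, its key and the CA chain before either side can complete IKEv2 authentication.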