AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 137

A company has an AWS account with four VPCs in the us-east-1 Region. The VPCs consist of a development VPC and three production VPCs that host various workloads.

The company has extended its on-premises data center to AWS with AWS Direct Connect by using a Direct Connect gateway. The company now wants to establish connectivity to its production VPCs and development VPC from on premises. The production VPCs are allowed to route data to each other. However, the development VPC must be isolated from the production VPCs. No data can flow between the development VPC and the production VPCs.

In preparation to implement this solution, a network engineer creates a transit gateway with a single transit gateway route table. Default route table association and default route table propagation are turned off. The network engineer attaches the production VPCs, the development VPC, and the Direct Connect gateway to the transit gateway. For each VPC route table, the network engineer adds a route to 0.0.0.0/0 with the transit gateway as the next destination.

Which combination of steps should the network engineer take next to complete this solution? (Choose three.)

Answer options

• A. Associate the production VPC attachments with the existing transit gateway route table. Propagate the routes from these attachments.
• B. Associate all the attachments with the existing transit gateway route table. Propagate the routes from these attachments.
• C. Associate the Direct Connect gateway attachment with the existing transit gateway route table. Propagate the Direct Connect gateway attachment to this route table.
• D. Change the security group inbound rules on the existing transit gateway network interfaces in the development VPC to allow connections to and from the on-premises CIDR range only.
• E. Create a new transit gateway route table. Associate the new route table with the development VPC attachment. Propagate the Direct Connect gateway and development VPC attachment to the new route table.
• F. Create a new transit gateway with default route table association and default route table propagation turned on. Attach the Direct Connect gateway and development VPC to the new transit gateway.

Correct answer: A, C, E

Explanation

Option A is correct because it allows the production VPCs to route traffic through the transit gateway. Option C is also necessary to ensure that the Direct Connect gateway can route traffic correctly. Option E is required to maintain the isolation of the development VPC while allowing it to connect to on-premises resources. Options B, D, and F do not correctly align with the requirements of isolating the development VPC or managing the routing appropriately.