AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 145

A network engineer needs to deploy an AWS Network Firewall firewall into an existing AWS environment. The environment consists of the following:

• A transit gateway with all VPCs attached to it
• Several hundred application VPCs
• A centralized egress internet VPC with a NAT gateway and an internet gateway
• A centralized ingress internet VPC that hosts public Application Load Balancers
• On-premises connectivity through an AWS Direct Connect gateway attachment

The application VPCs have workloads deployed across multiple Availability Zones in private subnets with the VPC route table s default route (0.0.0.0/0) pointing to the transit gateway. The Network Firewall firewall needs to inspect east-west (VPC-to-VPC) traffic and north-south (internet-bound and on-premises network) traffic by using Suricata compatible rules.

The network engineer must deploy the firewall by using a solution that requires the least possible architectural changes to the existing production environment.

Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

Answer options

• A. Deploy Network Firewall in all Availability Zones in each application VPC.
• B. Deploy Network Firewall in all Availability Zones in a centralized inspection VPC.
• C. Update the HOME_NET rule group variable to include all CIDR ranges of the VPCs and on-premises networks.
• D. Update the EXTERNAL_NET rule group variable to include all CIDR ranges of the VPCs and on-premises networks.
• E. Configure a single transit gateway route table. Associate all application VPCs and the centralized inspection VPC with this route table.
• F. Configure two transit gateway route tables. Associate all application VPCs with one transit gateway route table. Associate the centralized inspection VPC with the other transit gateway route table.

Correct answer: B, C, F

Explanation

The correct answer includes deploying the firewall in a centralized inspection VPC (B), which reduces architectural changes, updating the HOME_NET variable (C) to ensure traffic from all relevant sources is inspected, and using two route tables (F) to isolate traffic management efficiently. The other options either complicate the architecture or do not meet the requirements effectively.