AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 261
A company has an AWS environment that includes multiple VPCs that are connected by a transit gateway. The company wants to use a certificate-based AWS Site-to-Site VPN connection to establish connectivity between an on-premises environment and the AWS environment. The company does not have a static public IP address for the on-premises environment.
Which combination of steps should the company take to establish VPN connectivity between the transit gateway and the on-premises environment? (Choose two.)
Answer options
- A. Create a public certificate in AWS Certificate Manager (ACM).
- B. Create a private certificate in AWS Certificate Manager (ACM).
- C. Configure the Site-to-Site VPN tunnels to use the pre-shared key (PSK).
- D. Create a customer gateway. Specify the current dynamic IP address of the customer gateway device's external interface.
- E. Create a customer gateway. Do not specify the IP address of the customer gateway device.
Correct answer: B, E
Explanation
A certificate-based Site-to-Site VPN authenticates the tunnel endpoints with a private certificate issued through AWS Certificate Manager (ACM) rather than with a pre-shared key, so creating a private certificate in ACM is required (B); a public certificate (A) is not used for this purpose, and selecting the pre-shared key (C) would make the connection PSK-based instead of certificate-based. Because the on-premises device does not have a static public IP address, the customer gateway must be created without specifying an IP address (E); entering the current dynamic address (D) would break the connection as soon as that address changes.