AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 27
A software company offers a software-as-a-service (SaaS) accounting application that is hosted in the AWS Cloud The application requires connectivity to the company's on-premises network. The company has two redundant 10 GB AWS Direct Connect connections between AWS and its on-premises network to accommodate the growing demand for the application.
The company already has encryption between its on-premises network and the colocation. The company needs to encrypt traffic between AWS and the edge routers in the colocation within the next few months. The company must maintain its current bandwidth.
What should a network engineer do to meet these requirements with the LEAST operational overhead?
Answer options
- A. Deploy a new public VIF with encryption on the existing Direct Connect connections. Reroute traffic through the new public VIF.
- B. Create a virtual private gateway Deploy new AWS Site-to-Site VPN connections from on premises to the virtual private gateway Reroute traffic from the Direct Connect private VIF to the new VPNs.
- C. Deploy a new pair of 10 GB Direct Connect connections with MACsec. Configure MACsec on the edge routers. Reroute traffic to the new Direct Connect connections. Decommission the original Direct Connect connections
- D. Deploy a new pair of 10 GB Direct Connect connections with MACsec. Deploy a new public VIF on the new Direct Connect connections. Deploy two AWS Site-to-Site VPN connections on top of the new public VIF. Reroute traffic from the existing private VIF to the new Site-to-Site connections. Decommission the original Direct Connect connections.
Correct answer: C
Explanation
Option C is the best choice as it directly addresses the need for encryption with the least complexity by utilizing MACsec on new Direct Connect connections. Options A and B introduce additional infrastructure and VPN configurations, which increase operational overhead. Option D, while also valid, adds unnecessary complexity by creating both a public VIF and additional VPN connections.