AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 271

A company uses an AWS Direct Connect private VIF with a link aggregation group (LAG) that consists of two 10 Gbps connections. The company's security team has implemented a new requirement for external network connections to provide layer 2 encryption. The company's network team plans to use MACsec support for Direct Connect to meet the new requirement.

Which combination of steps should the network team take to implement this functionality? (Choose three.)

Answer options

• A. Create a new Direct Connect LAG with new circuits and ports that support MACsec.
• B. Associate the MACsec Connectivity Association Key (CAK) and the Connection Key Name (CKN) with the new LAG.
• C. Associate the Internet Key Exchange (IKE) with the existing LAG.
• D. Configure the MACsec encryption mode on the existing LAG.
• E. Configure the MACsec encryption mode on the new LAG.
• F. Configure the MACsec encryption mode on each Direct Connect connection that makes up the existing LAG.

Correct answer: A, B, E

Explanation

To implement MACsec on AWS Direct Connect, the connections must be deployed on dedicated, MACsec-compatible hardware, which requires provisioning a new LAG with new circuits and ports. Once the new LAG is established, administrators must associate the MACsec secret keys—the Connectivity Association Key (CAK) and the Connection Key Name (CKN)—with this new LAG, and then configure the MACsec encryption mode on it. Existing LAGs or connections cannot be upgraded in-place to support MACsec if they do not already reside on MACsec-capable ports.