AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 41

A company has stateful security appliances that are deployed to multiple Availability Zones in a centralized shared services VPC. The AWS environment includes a transit gateway that is attached to application VPCs and the shared services VPC. The application VPCs have workloads that are deployed in private subnets across multiple Availability Zones. The stateful appliances in the shared services VPC inspect all east-west (VPC-to-VPC) traffic.
Users report that inter-VPC traffic between different Availability Zones is dropping. A network engineer verified this claim by issuing Internet Control Message Protocol (ICMP) pings between workloads in different Availability Zones across the application VPCs. The network engineer has ruled out security groups, stateful device configurations, and network ACLs as the cause of the dropped traffic.
What is causing the traffic to drop?

Answer options

Correct answer: B

Explanation

The correct answer is B: appliance mode is not enabled on the transit gateway attachment for the shared services VPC. Without appliance mode, the transit gateway keeps traffic in the Availability Zone in which it entered the transit gateway and hands it to the appliance attachment's network interface in that same Availability Zone. For a flow between a workload in one Availability Zone and a workload in another, the forward packets therefore reach the appliance in the first Availability Zone while the return packets reach the appliance in the second. Each appliance sees only one direction of the flow, the appliance that receives the return traffic has no session state for it, and the stateful inspection drops the packets. Traffic between workloads in the same Availability Zone is unaffected, which matches the reported symptoms and explains why security groups, network ACLs, and the appliance configuration itself all check out. Enabling appliance mode on the shared services VPC attachment makes the transit gateway select a single network interface in the appliance VPC for the life of a flow and use that same interface for the return traffic, so both directions are inspected by the same stateful appliance. The other options do not address this asymmetric-routing behaviour of the attachment.
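The following is an added example, not part of the original question page or of any AWS code. It models the transit gateway's choice of appliance Availability Zone with and without appliance mode, together with a per-AZ stateful appliance that only passes packets matching a session it has already seen. All names, addresses, and the hash-based AZ selection under appliance mode are constructed assumptions for the model; AWS documents only that one interface is used for the life of the flow, not how it is chosen.

```python
"""Model of transit gateway AZ selection toward an appliance VPC.

Constructed example: addresses, AZ names and the flow-hash selection are
assumptions used to illustrate the asymmetric-routing failure, not AWS code.
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def key(self):
        """Direction-independent 5-tuple so both directions map to one session."""
        return tuple(sorted([(self.src, self.sport), (self.dst, self.dport)])) + (self.proto,)


class StatefulAppliance:
    """One stateful firewall per AZ; it only knows sessions it saw the start of."""

    def __init__(self, az):
        self.az = az
        self.sessions = set()

    def inspect(self, flow, is_session_start):
        if is_session_start:
            self.sessions.add(flow.key())
            return True
        # Mid-session packet: drop unless this appliance holds the state.
        return flow.key() in self.sessions


class TransitGateway:
    def __init__(self, appliance_azs, appliance_mode):
        self.appliances = {az: StatefulAppliance(az) for az in appliance_azs}
        self.appliance_mode = appliance_mode
        self.flow_affinity = {}  # flow key -> AZ chosen for the life of the flow

    def pick_appliance_az(self, flow, ingress_az):
        if not self.appliance_mode:
            # Default behaviour: stay in the AZ the packet entered the TGW.
            return ingress_az
        key = flow.key()
        if key not in self.flow_affinity:
            # Assumption for the model: pick an AZ from a hash of the
            # symmetric flow key, so both directions land on the same AZ.
            digest = hashlib.sha256(repr(key).encode()).digest()
            azs = sorted(self.appliances)
            self.flow_affinity[key] = azs[digest[0] % len(azs)]
        return self.flow_affinity[key]

    def forward(self, flow, ingress_az, is_session_start):
        az = self.pick_appliance_az(flow, ingress_az)
        passed = self.appliances[az].inspect(flow, is_session_start)
        return az, passed


def simulate(appliance_mode, src_az="us-east-1a", dst_az="us-east-1b"):
    """Send one request from src_az and its reply from dst_az through the TGW."""
    tgw = TransitGateway(["us-east-1a", "us-east-1b"], appliance_mode)
    request = Flow("10.1.0.10", "10.2.0.20", "tcp", 40000, 443)
    reply = Flow("10.2.0.20", "10.1.0.10", "tcp", 443, 40000)
    fwd_az, fwd_ok = tgw.forward(request, src_az, is_session_start=True)
    ret_az, ret_ok = tgw.forward(reply, dst_az, is_session_start=False)
    return {"forward_az": fwd_az, "forward_ok": fwd_ok,
            "return_az": ret_az, "return_ok": ret_ok}


if __name__ == "__main__":
    for mode in (False, True):
        print("appliance_mode", mode, simulate(mode))
    print("same AZ, no appliance mode", simulate(False, "us-east-1a", "us-east-1a"))
```

Running the module shows the symptom from the question: with appliance mode off, a cross-AZ flow's return packet is handed to the other AZ's appliance and dropped, while a same-AZ flow passes; with appliance mode on, both directions go to one appliance. On a real transit gateway the state of the shared services VPC attachment can be read with `aws ec2 describe-transit-gateway-vpc-attachments --transit-gateway-attachment-ids <attachment-id> --query 'TransitGatewayVpcAttachments[].Options.ApplianceModeSupport'` and enabled with `aws ec2 modify-transit-gateway-vpc-attachment --transit-gateway-attachment-id <attachment-id> --options ApplianceModeSupport=enable`; the setting belongs on the appliance VPC's attachment, not on the application VPC attachments.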