AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 98

A consulting company manages AWS accounts for its customers. One of the company's customers needs to add intrusion prevention for its environment without having to re-architect the environment. The customer's environment includes five VPCs in two AWS Regions in the United States. VPC-to-VPC connectivity is achieved through VPC peering. The customer does not plan to increase the number of VPCs within the next 2 years. The solution must accommodate unencrypted traffic.

Which solution will meet these requirements?

Answer options

• A. Configure VPC security groups and network ACLs.
• B. Use an AWS Network Firewall centralized deployment model in each VPC.
• C. Use an AWS Network Firewall distributed deployment model in each VPC.
• D. Deploy AWS Shield in each VPC.

Correct answer: C

Explanation

The correct answer is C, as a distributed deployment model of AWS Network Firewall allows for effective intrusion prevention across multiple VPCs without re-architecting the environment. Option A does not provide comprehensive intrusion prevention, while B's centralized model may not be suitable for the existing VPC peering setup, and D addresses DDoS protection rather than intrusion prevention.