AWS Certified Security – Specialty — Question 322
A company is migrating one of its legacy systems from an on-premises data center to AWS. The application server will run on AWS, but the database must remain in the on-premises data center for compliance reasons. The database is sensitive to network latency. Additionally, the data that travels between the on-premises data center and AWS must have IPsec encryption.
Which combination of AWS solutions will meet these requirements? (Choose two.)
Answer options
- A. AWS Site-to-Site VPN
- B. AWS Direct Connect
- C. AWS VPN CloudHub
- D. VPC peering
- E. NAT gateway
Correct answer: A, B
Explanation
AWS Direct Connect provides the dedicated, low-latency physical connection required for the latency-sensitive database traffic, but it does not natively encrypt traffic. By establishing an AWS Site-to-Site VPN over the AWS Direct Connect connection, the organization satisfies the requirement for IPsec encryption. Other options like VPC peering and NAT gateways do not connect on-premises environments to AWS, while AWS VPN CloudHub is designed for hub-and-spoke VPN topologies rather than dedicated low-latency links.