AWS Certified Security – Specialty — Question 382

A company has a VPC that contains a publicly accessible subnet and a privately accessible subnet. Both subnets send network traffic that is destined for the company's data center through the public internet.

The public subnet uses Route Table A, which has a default route for network traffic to travel through the internet gateway of the VPC. The private subnet uses Route Table B, which has a default route for network traffic to travel through a NAT gateway within the VPC. Recently, the company created an AWS Site-to-Site VPN connection to the VPC from one of its data centers. The tunnel is active and is working properly between the customer gateway and the virtual private gateway. The CIDR blocks of the VPC and the data center do not overlap.

According to a new security policy, all network traffic that originates from the VPC and travels to the data center must not travel across the public internet. A security engineer determines that resources in the public subnet and private subnet are still sending traffic across the public internet to the data center.

Which combination of steps will ensure that all network traffic that originates from the VPC will not use the public internet to communicate with the data center? (Choose two.)

Answer options

Correct answer: C, E

Explanation

To direct traffic through the AWS Site-to-Site VPN instead of the public internet, specific routes for the data center's CIDR block must be added to the route tables of both the public and private subnets. These routes must target the virtual private gateway (VGW), which acts as the AWS-side anchor for the VPN connection. Because a VPC route table always selects the most specific route that matches the destination, the data-center route takes precedence over the 0.0.0.0/0 default route in each table, so traffic to the data center is steered to the VGW while all other traffic keeps using the internet gateway or NAT gateway. Targeting the customer gateway (CGW) is incorrect because the CGW represents the on-premises side of the VPN connection and is not a valid target for VPC route tables.
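The following added example (not part of the original question or of AWS's own tooling) simulates the longest-prefix-match route selection described above for Route Table A and Route Table B, before and after the data-center route is added; the VPC CIDR, data-center CIDR and gateway IDs are constructed placeholders.

```python
import ipaddress

# Constructed sample values (not from the question): VPC CIDR, data-center
# CIDR, and placeholder gateway IDs standing in for real AWS resource IDs.
VPC_CIDR = "10.0.0.0/16"
DATA_CENTER_CIDR = "10.50.0.0/16"
VGW = "vgw-EXAMPLE"   # virtual private gateway (AWS side of the VPN)
IGW = "igw-EXAMPLE"   # internet gateway
NAT = "nat-EXAMPLE"   # NAT gateway

# Route Table A (public subnet) and Route Table B (private subnet) as the
# question describes them: a local route plus a default route only.
ROUTE_TABLE_A = {VPC_CIDR: "local", "0.0.0.0/0": IGW}
ROUTE_TABLE_B = {VPC_CIDR: "local", "0.0.0.0/0": NAT}


def resolve(route_table, dst_ip):
    """Pick the target the way a VPC route table does: the most specific
    (longest prefix) route containing the destination wins."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def add_vpn_route(route_table):
    """Return a copy of the table with the data-center CIDR pointed at the VGW
    (the fix the explanation calls for, applied to both tables)."""
    fixed = dict(route_table)
    fixed[DATA_CENTER_CIDR] = VGW
    return fixed


def uses_public_internet(route_table, dst_ip):
    """Traffic traverses the public internet if it exits via IGW or NAT gateway."""
    return resolve(route_table, dst_ip) in (IGW, NAT)


if __name__ == "__main__":
    dc_host = "10.50.1.10"  # constructed data-center host address
    for name, table in (("A", ROUTE_TABLE_A), ("B", ROUTE_TABLE_B)):
        print(f"Route Table {name} before fix: {resolve(table, dc_host)}")
        print(f"Route Table {name} after fix:  {resolve(add_vpn_route(table), dc_host)}")
```

Running it shows both tables sending the data-center host out via the IGW or NAT gateway before the fix and via the VGW afterwards, while an arbitrary public address still resolves to the default route.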