AWS Certified Solutions Architect – Professional (SAP-C02) — Question 442

A company is designing an AWS environment for a manufacturing application. The application has been successful with customers, and the application's user base has increased. The company has connected the AWS environment to the company's on-premises data center through a 1 Gbps AWS Direct Connect connection. The company has configured BGP for the connection.

The company must update the existing network connectivity solution to ensure that the solution is highly available, fault tolerant, and secure.

Which solution will meet these requirements MOST cost-effectively?

Answer options

• A. Add a dynamic private IP AWS Site-to-Site VPN as a secondary path to secure data in transit and provide resilience for the Direct Connect connection. Configure MACsec to encrypt traffic inside the Direct Connect connection.
• B. Provision another Direct Connect connection between the company's on-premises data center and AWS to increase the transfer speed and provide resilience. Configure MACsec to encrypt traffic inside the Direct Connect connection.
• C. Configure multiple private VIFs. Load balance data across the VIFs between the on-premises data center and AWS to provide resilience.
• D. Add a static AWS Site-to-Site VPN as a secondary path to secure data in transit and to provide resilience for the Direct Connect connection.

Correct answer: D

Explanation

Adding an AWS Site-to-Site VPN over the public internet as a backup path is the most cost-effective way to achieve high availability and secure data in transit for an existing Direct Connect connection. Setting up a second Direct Connect connection is highly resilient but much more expensive, while multiple virtual interfaces (VIFs) on a single physical connection do not protect against physical line or device failures. Therefore, a static Site-to-Site VPN provides the required fault tolerance and security at a minimal cost.