AWS Certified Solutions Architect – Professional (SAP-C02) — Question 460
A company wants to establish a dedicated connection between its on-premises infrastructure and AWS. The company is setting up a 1 Gbps AWS Direct Connect connection to its account VPC. The architecture includes a transit gateway and a Direct Connect gateway to connect multiple VPCs and the on-premises infrastructure.
The company must connect to VPC resources over a transit VIF by using the Direct Connect connection.
Which combination of steps will meet these requirements? (Choose two.)
Answer options
- A. Update the 1 Gbps Direct Connect connection to 10 Gbps.
- B. Advertise the on-premises network prefixes over the transit VIF.
- C. Advertise the VPC prefixes from the Direct Connect gateway to the on-premises network over the transit VIF.
- D. Update the Direct Connect connection's MACsec encryption mode attribute to must_encrypt.
- E. Associate a MACsec Connection Key Name/Connectivity Association Key (CKN/CAK) pair with the Direct Connect connection.
Correct answer: B, C
Explanation
To establish routing between on-premises resources and AWS VPCs over a transit VIF, BGP must be configured to exchange network prefixes in both directions. Specifically, the on-premises network prefixes must be advertised to AWS over the transit VIF, and the VPC prefixes must be advertised from the Direct Connect gateway back to the on-premises router. Neither upgrading the connection speed to 10 Gbps nor configuring MACsec encryption is required to establish basic transit VIF routing.