AWS Certified Solutions Architect – Professional — Question 308

A company hosts a legacy application that runs on an Amazon EC2 instance inside a VPC without internet access. Users access the application with a desktop program installed on their corporate laptops. Communication between the laptops and the VPC flows through AWS Direct Connect (DX). A new requirement states that all data in transit must be encrypted between users and the VPC.
Which strategy should a solutions architect use to maintain consistent network performance while meeting this new requirement?

Answer options

• A. Create a client VPN endpoint and configure the laptops to use an AWS client VPN to connect to the VPC over the internet.
• B. Create a new public virtual interface for the existing DX connection, and create a new VPN that connects to the VPC over the DX public virtual interface.
• C. Create a new Site-to-Site VPN that connects to the VPC over the internet.
• D. Create a new private virtual interface for the existing DX connection, and create a new VPN that connects to the VPC over the DX private virtual interface.

Correct answer: B

Explanation

Establishing an IPsec VPN over an AWS Direct Connect public virtual interface (VIF) ensures that all traffic is encrypted in transit while still leveraging the dedicated, consistent network performance of the DX link. Options A and C route traffic over the public internet, which cannot guarantee consistent network performance. Option D is incorrect because a private VIF cannot be used to establish an AWS Site-to-Site VPN connection, as the VPN endpoints require public IP addresses routed via a public VIF.