AWS Certified Solutions Architect – Professional — Question 548
You want to establish redundant VPN connections and customer gateways on your network by setting up a second VPN connection.
Which of the following will ensure that this functions correctly?
Answer options
- A. The customer gateway IP address for the second VPN connection must be publicly accessible.
- B. The virtual gateway IP address for the second VPN connection must be publicly accessible.
- C. The customer gateway IP address for the second VPN connection must use dynamic routes.
- D. The customer gateway IP address for the second VPN connection must be privately accessible and be the same public IP address that you are using for the first VPN connection.
Correct answer: A
Explanation
To establish a redundant VPN tunnel, the second customer gateway must have a unique, publicly accessible IP address so that AWS can establish the IPsec connection. Option D is incorrect because using a private IP or reusing the first gateway's IP address would prevent proper tunnel routing. Options B and C are incorrect because AWS automatically provisions the virtual private gateway endpoint, and dynamic routing is not a strict requirement for the connection to function.