AWS Certified Solutions Architect – Professional — Question 776
A company wants to establish a dedicated connection between its on-premises infrastructure and AWS. The company is setting up a 1 Gbps AWS Direct Connect connection to its account VPC. The architecture includes a transit gateway and a Direct Connect gateway to connect multiple VPCs and the on-premises infrastructure.
The company must connect to VPC resources over a transit VIF by using the Direct Connect connection.
Which combination of steps will meet these requirements? (Choose two.)
Answer options
- A. Update the 1 Gbps Direct Connect connection to 10 Gbps.
- B. Advertise the on-premises network prefixes over the transit VIF.
- C. Advertise the VPC prefixes from the Direct Connect gateway to the on-premises network over the transit VIF.
- D. Update the Direct Connect connection's MACsec encryption mode attribute to must_encrypt.
- E. Associate a MACsec Connection Key Name/Connectivity Association Key (CKN/CAK) pair with the Direct Connect connection.
Correct answer: B, C
Explanation
To enable end-to-end routing between the on-premises network and the AWS VPCs over a transit VIF, BGP routes must be exchanged in both directions. This requires advertising the on-premises IP ranges to AWS over the transit VIF and, conversely, advertising the VPC CIDR blocks from the Direct Connect gateway back to the on-premises router. The other options, upgrading the connection speed or configuring MACsec encryption, are not prerequisites for establishing basic routing over a transit VIF.