AWS Certified Solutions Architect – Professional — Question 862
A company currently uses a single 1 Gbps AWS Direct Connect connection to establish connectivity between an AWS Region and its data center. The company has five Amazon VPCs, all of which are connected to the data center using the same Direct Connect connection. The Network team is worried about the single point of failure and is interested in improving the redundancy of the connections to AWS while keeping costs to a minimum.
Which solution would improve the redundancy of the connection to AWS while meeting the cost requirements?
Answer options
- A. Provision another 1 Gbps Direct Connect connection and create new VIFs to each of the VPCs. Configure the VIFs in a load balancing fashion using BGP.
- B. Set up VPN tunnels from the data center to each VPC. Terminate each VPN tunnel at the virtual private gateway (VGW) of the respective VPC and set up BGP for route management.
- C. Set up a new point-to-point Multiprotocol Label Switching (MPLS) connection to the AWS Region that's being used. Configure BGP to use this new circuit as passive, so that no traffic flows through this unless the AWS Direct Connect fails.
- D. Create a public VIF on the Direct Connect connection and set up a VPN tunnel which will terminate on the virtual private gateway (VGW) of the respective VPC using the public VIF. Use BGP to handle the failover to the VPN connection.
Correct answer: B
Explanation
Option B is correct: an IPsec VPN over the public internet to each VPC's virtual private gateway (VGW), with BGP managing the routes, provides a cost-effective backup path that does not share the Direct Connect circuit's physical path, and it avoids the recurring cost of a second dedicated circuit. Options A and C are incorrect because provisioning a second Direct Connect connection or an MPLS circuit adds significant recurring expense. Option D is incorrect because a VPN carried over a public VIF on the existing Direct Connect does not add physical path redundancy; a failure of that fiber would take down both the private VIFs and the VPN.