AWS Certified SysOps Administrator – Associate — Question 276

A company has set up an IPsec tunnel between its AWS environment and its on-premises data center. The tunnel is reporting as UP, but the Amazon EC2 instances are not able to ping any on-premises resources.

What should a SysOps administrator do to resolve this issue?

Answer options

• A. Create a new inbound rule on the EC2 instances’ security groups to allow ICMP traffic from the on-premises CIDR.
• B. Create a peering connection between the IPsec tunnel and the subnet of the EC2 instances.
• C. Enable route propagation for the virtual private gateway in the route table that is assigned to the subnet of the EC2 instances.
• D. Modify the VPC’s DHCP options set. Add the IPsec tunnel to the VPN section.

Correct answer: C

Explanation

For traffic to flow between AWS and an on-premises network over an established VPN, the VPC route tables must have routes directing traffic to the virtual private gateway (VGW). Enabling route propagation automatically distributes these on-premises network routes into the subnet's route table. Other options, such as security group rules or DHCP options, do not solve the fundamental routing issue, and VPC peering cannot be established with an IPsec tunnel.