AWS Certified SysOps Administrator – Associate — Question 294
A company currently runs its infrastructure within a VPC in a single Availability Zone. The VPC is connected to the company’s on-premises data center through an AWS Site-to-Site VPN connection attached to a virtual private gateway. The on-premises route tables route all VPC networks to the VPN connection. Communication between the two environments is working correctly. A SysOps administrator created new VPC subnets within a new Availability Zone, and deployed new resources within the subnets. However, communication cannot be established between the new resources and the on-premises environment.
Which steps should the SysOps administrator take to resolve the issue?
Answer options
- A. Add a route to the route tables of the new subnets that sends on-premises traffic to the virtual private gateway.
- B. Create a ticket with AWS Support to request adding Availability Zones to the Site-to-Site VPN route configuration.
- C. Establish a new Site-to-Site VPN connection between a virtual private gateway attached to the new Availability Zone and the on-premises data center.
- D. Replace the Site-to-Site VPN connection with an AWS Direct Connect connection.
Correct answer: A
Explanation
A virtual private gateway is attached to the VPC as a whole, not to an Availability Zone, so the existing Site-to-Site VPN already covers subnets in the new AZ. The fault is in routing inside the VPC: a newly created subnet that is not explicitly associated with a route table falls back to the VPC's main route table, and a new custom table starts with only the local route. Neither carries a route for the on-premises CIDR, so the VPC router drops the traffic before it ever reaches the VGW. The return path is already fine, because the on-premises side routes the whole VPC CIDR toward the VPN.

The fix is on the route table actually used by the new subnets: either add a static route for the on-premises CIDR with the virtual private gateway as the target, or enable route propagation from the VGW on that table so it learns the on-premises prefixes the VPN advertises. Before changing anything, confirm the diagnosis by looking up which route table each new subnet resolves to and whether it contains an active route for the on-premises prefix.

Option B is wrong because a Site-to-Site VPN has no Availability Zone configuration to add to. Option C is wrong because a VGW cannot be attached to an AZ, and a VPC can have only one VGW attached, so a second VPN would not help. Option D is wrong because a Direct Connect connection also relies on VPC route tables pointing at the gateway; replacing the VPN would leave the same routing gap in place.
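The check a practitioner would run before touching the VPN is to find out which route table the new subnets actually use and whether it has a route for the on-premises prefix. The following Python is an added example, not part of the original question or any AWS tooling; it walks a constructed, hypothetical copy of `aws ec2 describe-route-tables` output (all IDs and CIDRs are made up), resolves each subnet to its effective table, reproduces the VPC router's longest-prefix match, and reports whether an on-premises address is reached through the VGW. For a table that lacks the route it produces the two CLI fixes: a static route to the VGW, or VGW route propagation.

```python
import ipaddress

# Constructed sample modelled on `aws ec2 describe-route-tables` output.
# All IDs and CIDRs are hypothetical; this is not data from a real account.
SAMPLE_ROUTE_TABLES = [
    {
        # Main route table: subnets with no explicit association fall back to it.
        "RouteTableId": "rtb-main0001",
        "VpcId": "vpc-0001",
        "Associations": [{"Main": True, "RouteTableId": "rtb-main0001"}],
        "PropagatingVgws": [],
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
    {
        # Custom table used by the original AZ; it learns the on-prem prefix from the VGW.
        "RouteTableId": "rtb-az1a0002",
        "VpcId": "vpc-0001",
        "Associations": [
            {"Main": False, "RouteTableId": "rtb-az1a0002", "SubnetId": "subnet-az1a0003"}
        ],
        "PropagatingVgws": [{"GatewayId": "vgw-0004"}],
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "vgw-0004",
             "Origin": "EnableVgwRoutePropagation", "State": "active"},
        ],
    },
]

ON_PREM_CIDR = "10.10.0.0/16"   # hypothetical on-premises network
VGW_ID = "vgw-0004"             # hypothetical virtual private gateway


def effective_route_table(route_tables, subnet_id):
    """Return the table a subnet actually uses: an explicit association wins,
    otherwise the VPC main table (the usual trap for freshly created subnets)."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def route_target(route):
    """Pick whichever target field a describe-route-tables entry carries."""
    for key in ("GatewayId", "TransitGatewayId", "NatGatewayId",
                "NetworkInterfaceId", "VpcPeeringConnectionId", "InstanceId"):
        if route.get(key):
            return route[key]
    return None


def best_route(rt, dest_ip):
    """Longest-prefix match over active IPv4 routes, as the VPC router does."""
    ip = ipaddress.ip_address(dest_ip)
    best_net, best_entry = None, None
    for route in rt.get("Routes", []):
        cidr = route.get("DestinationCidrBlock")
        if not cidr or route.get("State") != "active":
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_entry = net, route
    return best_entry


def onprem_path(route_tables, subnet_id, onprem_ip):
    """Report how a subnet reaches an on-premises address: which table applies,
    which target wins, and whether that target is a virtual private gateway."""
    rt = effective_route_table(route_tables, subnet_id)
    route = best_route(rt, onprem_ip) if rt else None
    target = route_target(route) if route else None
    return {
        "route_table": rt["RouteTableId"] if rt else None,
        "target": target,  # None means no route matched: the VPC drops the packet
        "via_vgw": bool(target and target.startswith("vgw-")),
        "propagation_enabled": any(
            v.get("GatewayId") == VGW_ID for v in (rt or {}).get("PropagatingVgws", [])),
    }


def fix_commands(route_table_id, onprem_cidr=ON_PREM_CIDR, vgw_id=VGW_ID):
    """The two ways to repair a table that lacks the on-prem route: a static
    route to the VGW, or propagation of the VGW's routes into the table."""
    return [
        f"aws ec2 create-route --route-table-id {route_table_id} "
        f"--destination-cidr-block {onprem_cidr} --gateway-id {vgw_id}",
        f"aws ec2 enable-vgw-route-propagation --route-table-id {route_table_id} "
        f"--gateway-id {vgw_id}",
    ]


if __name__ == "__main__":
    # subnet-az1b0005 is the new-AZ subnet with no explicit association.
    for subnet in ("subnet-az1a0003", "subnet-az1b0005"):
        result = onprem_path(SAMPLE_ROUTE_TABLES, subnet, "10.10.20.30")
        print(subnet, result)
        if not result["via_vgw"]:
            print("  fix with one of:")
            for cmd in fix_commands(result["route_table"]):
                print("   ", cmd)
```

Run against real output, the same logic applies: fetch the tables with `aws ec2 describe-route-tables` for the VPC, then check the subnet in the new AZ. If it resolves to the main table with only the local route, that is the gap the question describes, and either command in `fix_commands` closes it without touching the VPN.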