AWS Certified SysOps Administrator – Associate (legacy) — Question 289
A user has created a VPC with CIDR 20.0.0.0/16. The user has created public and VPN-only subnets, along with hardware VPN access to connect to the user's datacenter. The user wants to ensure that all traffic reaching the public subnet follows the organization's proxy policy. How can the user make this happen?
Answer options
- A. Setting up a NAT with the proxy protocol and configure that the public subnet receives traffic from NAT
- B. Setting up a proxy policy in the internet gateway connected with the public subnet
- C. It is not possible to setup the proxy policy for a public subnet
- D. Setting the route table and security group of the public subnet which receives traffic from a virtual private gateway
Correct answer: D
Explanation
To enforce the organization's proxy policy, traffic reaching the public subnet must first pass through the on-premises network, because that is where the proxy runs. The VPC can only make that happen with the two controls it actually has: the subnet's route table and the instances' security groups. The route table needs a route for the datacenter address range that targets the virtual private gateway (VGW) attached to the hardware VPN (either a static route or one propagated from the VPN connection), and the security groups on the public-subnet instances should accept traffic only from datacenter addresses, so that the only path into the subnet is across the VPN and therefore through the proxy. That is option D. An internet gateway (option B) is a plain, stateless routing target with no policy engine, a NAT device (option A) handles outbound traffic from private subnets and cannot enforce a corporate proxy on traffic arriving at a public subnet, and option C is wrong because the route table and security group combination above is a supported configuration.
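The following script is an added example, not part of the exam page, that models how the VPC router and a security group together decide what reaches a public-subnet instance under option D. It uses the question's VPC CIDR, an assumed datacenter CIDR of 10.10.0.0/16 behind the VPN, and hypothetical gateway IDs (igw-example, vgw-example); the route selection is longest-prefix match, as the VPC router performs it, and the security group is an allow-list.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example data (not from the exam page): the VPC from the
# question plus an ASSUMED on-premises datacenter CIDR behind the hardware VPN.
VPC_CIDR = ipaddress.ip_network("20.0.0.0/16")
DATACENTER_CIDR = ipaddress.ip_network("10.10.0.0/16")   # assumption


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    target: str   # "local", or a hypothetical igw-/vgw- ID


# Public subnet route table. The 0.0.0.0/0 -> IGW route is what makes the
# subnet "public"; the datacenter route via the VGW is the path the proxy
# policy relies on (in a real VPC it would usually be propagated from the VPN).
PUBLIC_ROUTE_TABLE = [
    Route(VPC_CIDR, "local"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "igw-example"),
    Route(DATACENTER_CIDR, "vgw-example"),
]


@dataclass(frozen=True)
class IngressRule:
    protocol: str
    port: int
    source: ipaddress.IPv4Network


# Security group on the public-subnet instances: only datacenter addresses,
# i.e. traffic that crossed the VPN and the proxy, may reach port 443.
PUBLIC_SG_INGRESS = [IngressRule("tcp", 443, DATACENTER_CIDR)]


def select_route(table, dst):
    """Longest-prefix match over the route table, as the VPC router does."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r.destination]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.destination.prefixlen)


def ingress_allowed(rules, src, protocol, port):
    """Security groups are allow-lists: no matching rule means the packet is dropped."""
    src = ipaddress.ip_address(src)
    return any(
        r.protocol == protocol and r.port == port and src in r.source
        for r in rules
    )


def evaluate_flow(src, dst, protocol, port):
    """Evaluate a new inbound connection to an instance in the public subnet.

    Returns (allowed, reply_target). Security groups are stateful, so once the
    inbound packet is accepted the reply only needs a route back to the source.
    """
    if ipaddress.ip_address(dst) not in VPC_CIDR:
        return False, None
    if not ingress_allowed(PUBLIC_SG_INGRESS, src, protocol, port):
        return False, None
    route = select_route(PUBLIC_ROUTE_TABLE, src)
    return True, (route.target if route else None)


if __name__ == "__main__":
    # Datacenter host: accepted by the SG, reply routed back through the VGW.
    print(evaluate_flow("10.10.5.7", "20.0.1.10", "tcp", 443))
    # Arbitrary internet host: reaches the subnet via the IGW but the SG drops it.
    print(evaluate_flow("198.51.100.9", "20.0.1.10", "tcp", 443))
```

Two points the model makes visible: the datacenter route wins over the 0.0.0.0/0 route only because it is more specific, and the security group, not the route table, is what stops internet sources from bypassing the proxy. Replacing the default route's target with the VGW would force all traffic through the datacenter, but the subnet would then no longer be a public subnet at all.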