AWS Certified Advanced Networking - Specialty


A company is deploying a computationally intensive data processing application on AWS that handles highly sensitive data. The VPC is configured without direct internet access, and strict network security controls are in place. Data scientists need to transfer data from the on-premises data center (network range 172.31.0.0/20) to the application VPC (network range 172.31.16.0/20) over an AWS Site-to-Site VPN connection. They can launch application instances, but they cannot transfer data to them. A network engineer enabled VPC flow logs, tested reachability by pinging an instance, and observed the resulting flow log records.

What solution should the network engineer recommend to enable data transfer from the on-premises data center while meeting the requirements?




Explanation:

The issue described is the inability to transfer data from the on-premises data center to the instances within the VPC, even though the instances are reachable via ping. This indicates that ICMP traffic (used by ping) is allowed while the traffic needed for data transfer is being blocked. Because the ICMP echo requests reach the instance and appear in the flow logs, the VPN tunnel and the routing between the two ranges are working; the problem lies in the traffic filtering applied to the instances.

Security groups act as a stateful virtual firewall for an instance and control its inbound and outbound traffic. Since the data scientists can start new instances but cannot transfer data to them, the security group associated with the application instances is most likely blocking the inbound data-transfer traffic (the relevant protocol and ports) from the on-premises network range 172.31.0.0/20. Modifying that security group to allow inbound traffic from the on-premises range to the application resolves the issue.

Network ACLs are stateless and control traffic at the subnet level. Because the problem is specifically with traffic reaching the instances, adjusting the security group is the more direct and appropriate solution. Option A is the correct choice because it directly addresses the need to allow inbound traffic from the on-premises data center to the application instances.
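As an added example (not part of the exam item), the following Python script triages VPC flow log records the way the engineer in the scenario would: for flows from the on-premises range into the application VPC, it counts accepted and rejected flows per protocol and destination port, so a protocol that is only ever rejected stands out as the candidate for a missing security group inbound rule. The log lines are constructed samples in the default version-2 flow log format, and the ENI and account IDs in them are placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample VPC flow log records (default version-2 field order):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
# The account ID and ENI ID are placeholders, not values from the page.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 172.31.3.10 172.31.17.25 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 172.31.3.10 172.31.17.25 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 172.31.3.10 172.31.17.25 51240 443 6 5 300 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.5.7 172.31.17.25 40000 443 6 2 120 1700000000 1700000060 REJECT OK
"""

ONPREM = ipaddress.ip_network("172.31.0.0/20")     # on-premises range from the scenario
APP_VPC = ipaddress.ip_network("172.31.16.0/20")   # application VPC range from the scenario
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def summarize_flows(text, src_net=ONPREM, dst_net=APP_VPC):
    """Return {(proto, dstport): {"ACCEPT": n, "REJECT": n}} for flows from
    src_net into dst_net. Records whose log-status is not OK are skipped."""
    summary = defaultdict(lambda: {"ACCEPT": 0, "REJECT": 0})
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 14 or fields[13] != "OK":
            continue
        src = ipaddress.ip_address(fields[3])
        dst = ipaddress.ip_address(fields[4])
        if src not in src_net or dst not in dst_net:
            continue  # traffic from other sources is not part of this question
        proto = PROTO_NAMES.get(int(fields[7]), fields[7])
        dstport = int(fields[6])
        summary[(proto, dstport)][fields[12]] += 1
    return dict(summary)


def blocked_services(summary):
    """Protocol/port pairs that were only rejected, never accepted: the
    likely gaps in the instance security group's inbound rules."""
    return sorted(k for k, v in summary.items() if v["REJECT"] and not v["ACCEPT"])


if __name__ == "__main__":
    s = summarize_flows(SAMPLE_FLOW_LOGS)
    for key, counts in sorted(s.items()):
        print(key, counts)
    print("rejected only:", blocked_services(s))
```

With the sample records, ICMP from 172.31.3.10 is accepted while TCP 22 and TCP 443 from the same host are rejected, which is the pattern the explanation attributes to a security group that permits ping but lacks an inbound rule for the data-transfer traffic.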