AWS Certified Advanced Networking - Specialty


A company operates an AWS environment with multiple VPCs interconnected via a transit gateway. They plan to use AWS Site-to-Site VPN to connect their on-premises network to the AWS environment. However, the on-premises network lacks a static public IP address. A network engineer needs to configure the VPN connection to be initiated from the AWS side to enable traffic from the AWS environment to the on-premises network.

Which three steps should the network engineer perform to establish VPN connectivity between the transit gateway and the on-premises network?

Explanation:

To establish VPN connectivity between the transit gateway and the on-premises network when the on-premises side has no static public IP address, the network engineer should take the following steps. First, configure the Site-to-Site VPN tunnel options to use Internet Key Exchange version 2 (IKEv2) for enhanced security and performance (Option B). Second, create a customer gateway and specify the current dynamic IP address of the customer gateway device's external interface so that AWS can initiate the VPN connection (Option E). Third, because the on-premises network has no static public IP address, a certificate from a public or private CA is not required for the VPN connection, so Options C and D do not apply.

Option A is not recommended because IKEv1 is less secure and less efficient than IKEv2. Option F is incorrect because the IP address of the customer gateway device must be specified for AWS to initiate the VPN connection.