
Answer-first summary for fast verification
Answer: Create a central network VPC that includes an attachment to the transit gateway. Update the VPC and transit gateway route tables to support the new attachment. Deploy an AWS Gateway Load Balancer that is backed by third-party, next-generation firewall appliances to the central network VPC. Create a policy that contains the rules for deep packet inspection. Attach the policy to the firewall appliances. Create an Amazon S3 bucket in the central log account. Configure the firewall appliances to capture and save the network flow logs to the S3 bucket.
The question requires a solution that performs deep packet inspection for traffic leaving a VPC network boundary and logs all inspected traffic and actions in a central log account with the least administrative overhead. Option A suggests using an AWS Gateway Load Balancer backed by third-party, next-generation firewall appliances in a central network VPC. This setup allows for deep packet inspection by the firewall appliances, and the traffic and actions can be logged in an Amazon S3 bucket in the central log account. This solution centralizes the inspection and logging processes, reducing administrative overhead by leveraging AWS managed services and third-party appliances for deep packet inspection. Options B, C, and D either do not provide deep packet inspection (C), do not centralize logging effectively (B), or do not use the most efficient AWS service for the task (D). Therefore, Option A is the most suitable solution.
Author: LeetQuiz Editorial Team
A company is moving critical applications to AWS, with multiple accounts and VPCs interconnected via a transit gateway. A network engineer needs to design a solution that conducts deep packet inspection for all traffic exiting a VPC boundary, ensuring that all inspected traffic and corresponding actions are logged in a central log account. What solution meets these requirements with minimal administrative effort?
A
Create a central network VPC that includes an attachment to the transit gateway. Update the VPC and transit gateway route tables to support the new attachment. Deploy an AWS Gateway Load Balancer that is backed by third-party, next-generation firewall appliances to the central network VPC. Create a policy that contains the rules for deep packet inspection. Attach the policy to the firewall appliances. Create an Amazon S3 bucket in the central log account. Configure the firewall appliances to capture and save the network flow logs to the S3 bucket.
B
Create a central network VPC that includes an attachment to the transit gateway. Update the VPC and transit gateway route tables to support the new attachment. Deploy an AWS Application Load Balancer that is backed by third-party, next-generation firewall appliances to the central network VPC. Create a policy that contains the rules for deep packet inspection. Attach the policy to the firewall appliances. Create a syslog server in the central log account. Configure the firewall appliances to capture and save the network flow logs to the syslog server.
C
Deploy network ACLs and security groups to each VPC. Attach the security groups to active network interfaces. Associate the network ACLs with VPC subnets. Create rules for the network ACLs and security groups to allow only the required traffic flows between subnets and network interfaces. Create an Amazon S3 bucket in the central log account. Configure a VPC flow log that captures and saves all traffic flows to the S3 bucket.
D
Create a central log VPC and an attachment to the transit gateway. Update the VPC and transit gateway route tables to support the new attachment. Deploy an AWS Network Load Balancer (NLB) that is backed by third-party, next-generation intrusion detection system (IDS) security appliances to the central VPC. Activate rules on the security appliances to monitor for intrusion signatures. For each network interface, create a VPC Traffic Mirroring session that sends the traffic to the central VPC's NLB.