
Answer-first summary for fast verification
Answer: Deploy two clusters that consist of multiple appliances across multiple Availability Zones in a designated inspection VPC. Connect the inspection VPC to the transit gateway by using a VPC attachment. Create a target group, and register the appliances with the target group. Create a Gateway Load Balancer, and set it up to forward to the newly created target group. Configure a default route in the inspection VPC’s transit gateway subnet toward the Gateway Load Balancer endpoint. Configure two route tables on the transit gateway. Associate one route table with all the attachments of the application VPCs. Associate the other route table with the inspection VPC’s attachment. Propagate all VPC attachments into the inspection route table. Define a static default route in the application route table. Enable appliance mode on the attachment that connects the inspection VPC.
The question requires a solution that ensures all traffic between any two VPCs is transparently inspected by a third-party appliance, using AWS Transit Gateway, with high availability across multiple Availability Zones, support for automated failover, and without asymmetric routing. Option A suggests using a Network Load Balancer (NLB), which, while it provides high availability and automated failover, does not inherently prevent asymmetric routing. Option B proposes using a Gateway Load Balancer, which is specifically designed for deploying, scaling, and managing third-party virtual appliances and ensures traffic symmetry, thus preventing asymmetric routing. This makes B a correct choice. Options C and D describe configuring route tables on the transit gateway and enabling appliance mode, which is crucial for ensuring that traffic flows through the inspection appliances correctly. However, only option C correctly propagates all VPC attachments into the inspection route table and defines a static default route in the application route table, ensuring that traffic is routed through the inspection VPC. Therefore, C is also a correct choice. Option E is incorrect because it does not differentiate between application and inspection VPCs, failing to ensure that traffic is inspected.
Author: LeetQuiz Editorial Team
Which two steps should be included in a solution that uses AWS Transit Gateway to meet the requirements of a highly available, multi-AZ setup with automated failover, ensuring all inter-VPC traffic is transparently inspected by a third-party appliance without allowing asymmetric routing?
A
Deploy two clusters that consist of multiple appliances across multiple Availability Zones in a designated inspection VPC. Connect the inspection VPC to the transit gateway by using a VPC attachment. Create a target group, and register the appliances with the target group. Create a Network Load Balancer (NLB), and set it up to forward to the newly created target group. Configure a default route in the inspection VPC’s transit gateway subnet toward the NLB.
B
Deploy two clusters that consist of multiple appliances across multiple Availability Zones in a designated inspection VPC. Connect the inspection VPC to the transit gateway by using a VPC attachment. Create a target group, and register the appliances with the target group. Create a Gateway Load Balancer, and set it up to forward to the newly created target group. Configure a default route in the inspection VPC’s transit gateway subnet toward the Gateway Load Balancer endpoint.
C
Configure two route tables on the transit gateway. Associate one route table with all the attachments of the application VPCs. Associate the other route table with the inspection VPC’s attachment. Propagate all VPC attachments into the inspection route table. Define a static default route in the application route table. Enable appliance mode on the attachment that connects the inspection VPC.
D
Configure two route tables on the transit gateway. Associate one route table with all the attachments of the application VPCs. Associate the other route table with the inspection VPC’s attachment. Propagate all VPC attachments into the application route table. Define a static default route in the inspection route table. Enable appliance mode on the attachment that connects the inspection VPC.
E
Configure one route table on the transit gateway. Associate the route table with all the VPCs. Propagate all VPC attachments into the route table. Define a static default route in the route table.