
Answer-first summary for fast verification
Answer: Configure IPsec VPNs on the company edge routers for each MPLS VPN for each of the company's development environments. Attach each IPsec VPN tunnel to a discrete MPLS VPN. Configure AWS Site-to-Site VPN connections that terminate at a transit gateway for each MPLS VPN. Configure a transit gateway route table that matches the MPLS VPN for each Transit Gateway VPN attachment.
The question is about implementing network segmentation in AWS that mirrors the existing on-premises MPLS VPN segmentation, while accommodating overlapping address spaces and future growth in the number of MPLS VPNs, all with minimum operational overhead. Option B is the most suitable because it directly addresses the segmentation requirement: an IPsec VPN is configured for each MPLS VPN, each tunnel is attached to a discrete MPLS VPN, and each AWS Site-to-Site VPN connection terminates at the transit gateway. Because every Transit Gateway VPN attachment is matched with its own transit gateway route table, routes learned from one MPLS VPN are never placed in another VPN's table, which gives the logical separation the development environments require and is what allows overlapping address spaces to coexist. The pattern also scales with the anticipated increase in the number of MPLS VPNs, since adding a VPN means adding one more attachment and route table. Option A introduces unnecessary complexity with SD-WAN, which the scenario does not require. Option C suggests creating a transit VPC, which adds operational overhead and does not directly address the need for VRF-aware segmentation. Option D mentions Transit Gateway Connect attachments but does not clearly outline how it handles overlapping address spaces or the specific configuration needed for each MPLS VPN, making it less optimal than Option B.
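As an added illustration of option B (this is example Terraform, not code from the question or from LeetQuiz), the configuration below builds one transit gateway with a per-MPLS-VPN Site-to-Site VPN attachment, route table, association and propagation; the environment names, peer addresses and ASNs are constructed assumptions.

```hcl
locals {
  # One entry per on-premises MPLS VPN (constructed values). Both sides may
  # advertise the same prefixes: each attachment propagates only into its own table.
  mpls_vpns = {
    dev  = { peer_ip = "203.0.113.10", bgp_asn = 65010 }
    test = { peer_ip = "203.0.113.20", bgp_asn = 65020 }
  }
}

resource "aws_ec2_transit_gateway" "hub" {
  amazon_side_asn                 = 64512
  # Disable the defaults so a new attachment never silently joins a shared table.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

# One customer gateway per edge-router VRF: the router presents a distinct peer per MPLS VPN.
resource "aws_customer_gateway" "edge" {
  for_each   = local.mpls_vpns
  bgp_asn    = each.value.bgp_asn
  ip_address = each.value.peer_ip
  type       = "ipsec.1"
}

# Site-to-Site VPN terminating on the transit gateway, one per MPLS VPN (BGP, not static routes).
resource "aws_vpn_connection" "mpls" {
  for_each            = local.mpls_vpns
  customer_gateway_id = aws_customer_gateway.edge[each.key].id
  transit_gateway_id  = aws_ec2_transit_gateway.hub.id
  type                = "ipsec.1"
}

# Dedicated transit gateway route table per MPLS VPN: this is the segmentation boundary.
resource "aws_ec2_transit_gateway_route_table" "vrf" {
  for_each           = local.mpls_vpns
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

# Associate each VPN attachment with its own table and propagate its BGP routes only there.
resource "aws_ec2_transit_gateway_route_table_association" "vrf" {
  for_each                       = local.mpls_vpns
  transit_gateway_attachment_id  = aws_vpn_connection.mpls[each.key].transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.vrf[each.key].id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "vrf" {
  for_each                       = local.mpls_vpns
  transit_gateway_attachment_id  = aws_vpn_connection.mpls[each.key].transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.vrf[each.key].id
}
```

VPC attachments for each environment would be associated with the matching `vrf` table in the same way, so a VPC in one environment can only reach the MPLS VPN whose routes were propagated into its table.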
Author: LeetQuiz Editorial Team
A company is implementing an AWS Transit Gateway hub-and-spoke architecture for migration to AWS. Their existing on-premises MPLS network enforces network segmentation using MPLS VPNs with strict controls. They have established two 10 Gbps AWS Direct Connect connections for resilient, high-speed, low-latency connectivity to AWS.
A security engineer must implement network segmentation in the AWS environment to ensure logical separation of virtual routing and forwarding (VRF) for each software development environment. The number of MPLS VPNs is expected to grow, and on-premises MPLS VPNs use overlapping address spaces. The AWS network design must accommodate overlapping address spaces for these VPNs.
Which solution meets these requirements with the MINIMUM operational overhead?
A. Deploy a software-defined WAN (SD-WAN) head-end virtual appliance and an SD-WAN controller into a Transit Gateway Connect VPC. Configure the company's edge routers to be managed by the new SD-WAN controller and to use SD-WAN to segment the traffic into the defined segments for each of the company's development environments.
B. Configure IPsec VPNs on the company edge routers for each MPLS VPN for each of the company's development environments. Attach each IPsec VPN tunnel to a discrete MPLS VPN. Configure AWS Site-to-Site VPN connections that terminate at a transit gateway for each MPLS VPN. Configure a transit gateway route table that matches the MPLS VPN for each Transit Gateway VPN attachment.
C. Create a transit VPC that terminates at the AWS Site-to-Site VRF-aware IPsec VPN. Configure IPsec VPN connections to each VPC for each of the company's development environment VRFs.
D. Configure a Transit Gateway Connect attachment for each MPLS VPN between the company's edge routers and Transit Gateway. Configure a transit gateway route table that matches the MPLS VPN for each of the company's development environments.