
A company is implementing an AWS Transit Gateway hub-and-spoke architecture for its migration to AWS. The company's existing on-premises MPLS network enforces network segmentation using MPLS VPNs with strict controls. The company has established two 10 Gbps AWS Direct Connect connections for resilient, high-speed, low-latency connectivity to AWS.
A security engineer must implement network segmentation in the AWS environment to ensure logical separation of virtual routing and forwarding (VRF) for each software development environment. The number of MPLS VPNs is expected to grow, and on-premises MPLS VPNs use overlapping address spaces. The AWS network design must accommodate overlapping address spaces for these VPNs.
Which solution meets these requirements with the MINIMUM operational overhead?
A. Deploy a software-defined WAN (SD-WAN) head-end virtual appliance and an SD-WAN controller into a Transit Gateway Connect VPC. Configure the company's edge routers to be managed by the new SD-WAN controller and to use SD-WAN to segment the traffic into the defined segments for each of the company's development environments.
B. Configure IPsec VPNs on the company edge routers for each MPLS VPN for each of the company's development environments. Attach each IPsec VPN tunnel to a discrete MPLS VPN. Configure AWS Site-to-Site VPN connections that terminate at a transit gateway for each MPLS VPN. Configure a transit gateway route table that matches the MPLS VPN for each Transit Gateway VPN attachment.
C. Create a transit VPC that terminates at the AWS Site-to-Site VRF-aware IPsec VPN. Configure IPsec VPN connections to each VPC for each of the company's development environment VRFs.
D. Configure a Transit Gateway Connect attachment for each MPLS VPN between the company's edge routers and Transit Gateway. Configure a transit gateway route table that matches the MPLS VPN for each of the company's development environments.