
Answer-first summary for fast verification
Answer: Deploy two clusters that consist of multiple appliances across multiple Availability Zones in a designated inspection VPC. Connect the inspection VPC to the transit gateway by using a VPC attachment. Create a target group, and register the appliances with the target group. Create a Gateway Load Balancer, and set it up to forward to the newly created target group. Configure a default route in the inspection VPC’s transit gateway subnet toward the Gateway Load Balancer endpoint. Configure two route tables on the transit gateway. Associate one route table with all the attachments of the application VPCs. Associate the other route table with the inspection VPC’s attachment. Propagate all VPC attachments into the inspection route table. Define a static default route in the application route table. Enable appliance mode on the attachment that connects the inspection VPC.
To meet the requirements (transparent inspection of all traffic between any two VPCs by a third-party appliance, high availability across multiple Availability Zones, automated failover, and no asymmetric routing), the solution must use AWS Transit Gateway with specific configurations. Option A suggests a Network Load Balancer (NLB) to forward traffic to the inspection appliances, but an NLB does not support the GENEVE encapsulation that transparent inspection with a Gateway Load Balancer relies on. Option B correctly suggests deploying a Gateway Load Balancer, which is designed for transparent inspection, supports high availability, and avoids asymmetric routing by using GENEVE encapsulation. Options C and D both describe route table configurations on the transit gateway. Option C correctly enables appliance mode on the inspection VPC's attachment, which is crucial for keeping traffic flowing symmetrically through the inspection appliances. Option D incorrectly propagates all VPC attachments into the application route table, which would give the application VPCs direct routes to each other and let traffic bypass inspection. Option E is incorrect because it uses a single route table for all VPCs, which does not meet the requirement for traffic inspection. Therefore, the correct combination of steps is deploying a Gateway Load Balancer (B) and configuring the transit gateway with two route tables, with appliance mode enabled on the inspection VPC's attachment (C).
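The routing argument for option C over option D, as an added Python model that is not part of the original page: two transit gateway route tables are simulated with longest-prefix lookup, and a packet is traced between two application VPCs under each option. The VPC names and CIDRs are constructed sample values, and the model does not represent Availability Zone selection, which is what appliance mode controls.

```python
import ipaddress

# Constructed sample CIDRs for the model; they are not values from the question.
VPC_CIDRS = {"app-a": "10.1.0.0/16", "app-b": "10.2.0.0/16", "inspection": "10.100.0.0/16"}

def lookup(table, dst_ip):
    """Longest-prefix match over (cidr, attachment) routes, as a TGW route table does."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, attachment in table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, attachment)
    return best[1] if best else None

def build_tables(option):
    """Two TGW route tables as described by option C or option D of the question."""
    propagated = [(cidr, name) for name, cidr in VPC_CIDRS.items()]
    if option == "C":    # static default -> inspection; inspection table learns every VPC
        tables = {"app": [("0.0.0.0/0", "inspection")], "inspection": propagated}
    elif option == "D":  # every VPC propagated into the app table: direct VPC-to-VPC routes
        # placeholder next hop for D's static default; VPC-to-VPC flows never reach it
        tables = {"app": propagated, "inspection": [("0.0.0.0/0", "app-a")]}
    else:
        raise ValueError(option)
    associations = {"app-a": "app", "app-b": "app", "inspection": "inspection"}
    return tables, associations

def owner_of(dst_ip):
    """Name of the VPC whose CIDR contains dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    return next(n for n, c in VPC_CIDRS.items() if ip in ipaddress.ip_network(c))

def trace(option, src_vpc, dst_ip):
    """List the attachments a packet crosses. Arriving at the inspection VPC means the
    appliance hands the packet back to the TGW, where the inspection table is consulted."""
    tables, associations = build_tables(option)
    hops, current, target = [src_vpc], src_vpc, owner_of(dst_ip)
    while current != target and len(hops) < 5:
        nxt = lookup(tables[associations[current]], dst_ip)
        if nxt is None:
            return hops + ["DROP"]
        hops.append(nxt)
        current = nxt
    return hops

def inspected(option, src_vpc, dst_ip):
    """True only if the flow transits the inspection VPC before delivery."""
    return "inspection" in trace(option, src_vpc, dst_ip)[1:-1]

if __name__ == "__main__":
    for opt in ("C", "D"):
        print(opt, trace(opt, "app-a", "10.2.0.10"), trace(opt, "app-b", "10.1.0.10"))
```

Under option C both directions of the flow hairpin through the inspection VPC; under option D the propagated routes let app-a reach app-b directly, so nothing is inspected.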
Author: LeetQuiz Editorial Team
A government contractor is creating a multi-account environment with multiple VPCs for a customer. The network security policy mandates that all traffic between any two VPCs must undergo transparent inspection by a third-party appliance.
The customer requires a solution utilizing AWS Transit Gateway, ensuring high availability across multiple Availability Zones and support for automated failover. Additionally, the inspection appliances do not support asymmetric routing.
Which two steps are essential in designing a solution that fulfills these requirements?
A
Deploy two clusters that consist of multiple appliances across multiple Availability Zones in a designated inspection VPC. Connect the inspection VPC to the transit gateway by using a VPC attachment. Create a target group, and register the appliances with the target group. Create a Network Load Balancer (NLB), and set it up to forward to the newly created target group. Configure a default route in the inspection VPC’s transit gateway subnet toward the NLB.
B
Deploy two clusters that consist of multiple appliances across multiple Availability Zones in a designated inspection VPC. Connect the inspection VPC to the transit gateway by using a VPC attachment. Create a target group, and register the appliances with the target group. Create a Gateway Load Balancer, and set it up to forward to the newly created target group. Configure a default route in the inspection VPC’s transit gateway subnet toward the Gateway Load Balancer endpoint.
C
Configure two route tables on the transit gateway. Associate one route table with all the attachments of the application VPCs. Associate the other route table with the inspection VPC’s attachment. Propagate all VPC attachments into the inspection route table. Define a static default route in the application route table. Enable appliance mode on the attachment that connects the inspection VPC.
D
Configure two route tables on the transit gateway. Associate one route table with all the attachments of the application VPCs. Associate the other route table with the inspection VPC’s attachment. Propagate all VPC attachments into the application route table. Define a static default route in the inspection route table. Enable appliance mode on the attachment that connects the inspection VPC.
E
Configure one route table on the transit gateway. Associate the route table with all the VPCs. Propagate all VPC attachments into the route table. Define a static default route in the route table.