PrepAway - Latest Free Exam Questions & Answers

Which of the following options provide a viable solution to remedy this situation?

A customer has established an AWS Direct Connect connection to AWS. The link is up and routes are being
advertised from the customer’s end, however the customer is unable to connect from EC2 instances inside its
VPC to servers residing in its datacenter.
Which of the following options provide a viable solution to remedy this situation? (Choose 2 answers)

A.
Add a route to the route table with an IPsec VPN connection as the target.

B.
Enable route propagation to the virtual private gateway (VGW).

C.
Enable route propagation to the customer gateway (CGW).

D.
Modify the route table of all instances using the ‘route’ command.

E.
Modify the instances' VPC subnet route table by adding a route back to the customer’s on-premises
environment.

13 Comments on “Which of the following options provide a viable solution to remedy this situation?”

  1. Zane says:

    The technical requirements for virtual interfaces to VPCs are described below.

    This connection requires the use of Border Gateway Protocol (BGP). You will need the following information to complete the connection:

    A public or private ASN. If you are using a public ASN you must own it. If you are using a private ASN, it must be in the 64512 to 65535 range.

    A new unused VLAN tag that you select

    The VPC Virtual Private Gateway (VGW) ID. This is why B is correct.

    AWS will allocate private IPs (/30) in the 169.x.x.x range for the BGP session and will advertise the VPC CIDR block over BGP. You can advertise the default route via BGP.

    1. mutiger91 says:

      A is wrong because an IPSEC VPN is a different type of connection than DirectConnect (which uses an MPLS circuit rather than IPSEC over the internet).

      B is correct. DirectConnect uses the same virtual interface (the virtual gateway) that VPN would use. Enabling the route propagation to this device allows the VPC virtual router to see what networks are available in the data center and do dynamic routing to them.

      C is incorrect. The customer gateway is part of VPN setup, not DirectConnect.

      D is incorrect. The only time you do routing from an instance in AWS is when that instance is a networking appliance (e.g. Cisco Cloud Services Router).

      E is correct. This sends traffic bound for the data center to the interface that connects to the data center.

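Options B and E, as discussed in the comments above, both leave the subnet's route table with a route for the data-center prefix that targets the virtual private gateway. The following Python sketch is an added example, not part of the original page or its comments: it checks that condition on route-table data in the shape EC2 `DescribeRouteTables` returns. The gateway IDs, CIDR blocks and function names are constructed for illustration.

```python
import ipaddress

PROPAGATED = "EnableVgwRoutePropagation"  # Origin value EC2 reports for propagated routes

def best_route(table, dest_ip):
    """Pick the route a VPC route table would use for dest_ip (IPv4 only)."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = []
    for route in table.get("Routes", []):
        cidr = route.get("DestinationCidrBlock")
        if cidr and route.get("State") == "active" and ip in ipaddress.ip_network(cidr):
            # Longest prefix wins; on a tie a static route beats a propagated one.
            rank = (ipaddress.ip_network(cidr).prefixlen, route.get("Origin") != PROPAGATED)
            candidates.append((rank, route))
    return max(candidates, key=lambda c: c[0])[1] if candidates else None

def check_onprem_path(table, dest_ip, vgw_id):
    """Return (reachable_via_vgw, explanation) for one on-premises address."""
    propagating = any(g.get("GatewayId") == vgw_id for g in table.get("PropagatingVgws", []))
    route = best_route(table, dest_ip)
    if route and route.get("GatewayId") == vgw_id:
        kind = "propagated" if route.get("Origin") == PROPAGATED else "static"
        return True, f"{kind} route {route['DestinationCidrBlock']} -> {vgw_id}"
    target = route.get("GatewayId", "non-gateway target") if route else "no matching route"
    state = "on" if propagating else "off"
    return False, f"traffic goes to {target}; VGW propagation is {state}"

# Constructed sample data (placeholder IDs and CIDRs, not taken from the page).
VGW = "vgw-EXAMPLE"
BASE = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
     "Origin": "CreateRouteTable", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE",
     "Origin": "CreateRoute", "State": "active"},
]
ONPREM = {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": VGW, "State": "active"}
BROKEN = {"PropagatingVgws": [], "Routes": BASE}
FIX_B = {"PropagatingVgws": [{"GatewayId": VGW}],
         "Routes": BASE + [dict(ONPREM, Origin=PROPAGATED)]}
FIX_E = {"PropagatingVgws": [], "Routes": BASE + [dict(ONPREM, Origin="CreateRoute")]}

if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("option B", FIX_B), ("option E", FIX_E)):
        print(name, check_onprem_path(table, "192.168.10.5", VGW))
```
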
