Q38 — AWS ANS-C01 Ch.1
A company has established connectivity between its on-premises data center in Paris, France, and the AWS Cloud by using an AWS Direct Connect connection. The company uses a transit VIF that connects the Direct Connect connection with a transit gateway that is hosted in the Europe (Paris) Region. The company hosts workloads in private subnets in several VPCs that are attached to the transit gateway. The company recently acquired another corporation that hosts workloads on premises in an office building in Tokyo, Japan. The company needs to migrate the workloads from the Tokyo office to AWS. These workloads must have access to the company's existing workloads in Paris. The company also must establish connectivity between the Tokyo office building and the Paris data center. In the Asia Pacific (Tokyo) Region, the company creates a new VPC with private subnets for migration of the workloads. The workload migration must be completed in 5 days. The workloads cannot be directly accessible from the internet. Which set of steps should a network engineer take to meet these requirements?
- A. 1. Create public subnets in the Tokyo VPC to migrate the workloads into. 2. Configure an internet gateway for the Tokyo office to reach the Tokyo VPC. 3. Configure security groups on the Tokyo workloads to only allow traffic from the Tokyo office and the Paris workloads. 4. Create peering connections between the Tokyo VPC and the Paris VPCs. 5. Configure a VPN connection between the Paris data center and the Tokyo office by using existing routers.
- B. 1. Configure a transit gateway in the Asia Pacific (Tokyo) Region. Associate this transit gateway with the Tokyo VPC. 2. Create peering connections between the Tokyo transit gateway and the Paris transit gateway. 3. Set up a new Direct Connect connection from the Tokyo office to the Tokyo transit gateway. 4. Configure routing on both transit gateways to allow data to flow between sites and the VPCs.
- C. 1. Configure a transit gateway in the Asia Pacific (Tokyo) Region. Associate this transit gateway with the Tokyo VPC. 2. Create peering connections between the Tokyo transit gateway and the Paris transit gateway. 3. Configure an AWS Site-to-Site VPN connection from the Tokyo office. Set the Tokyo transit gateway as the target. 4. Configure routing on both transit gateways to allow data to flow between sites and the VPCs. ✓
- D. 1. Configure an AWS Site-to-Site VPN connection from the Tokyo office to the Paris transit gateway. 2. Create an association between the Paris transit gateway and the Tokyo VPC. 3. Configure routing on the Paris transit gateway to allow data to flow between sites and the VPC.
Correct Answer: C. 1. Configure a transit gateway in the Asia Pacific (Tokyo) Region. Associate this transit gateway with the Tokyo VPC. 2. Create peering connections between the Tokyo transit gateway and the Paris transit gateway. 3. Configure an AWS Site-to-Site VPN connection from the Tokyo office. Set the Tokyo transit gateway as the target. 4. Configure routing on both transit gateways to allow data to flow between sites and the VPCs.
Explanation
In AWS network architecture, a transit gateway is used to connect multiple VPCs and on-premises networks, and it supports cross-Region peering. The Tokyo office needs to establish connectivity to Paris quickly, and the migrated workloads must not be directly accessible from the internet. AWS documentation states that transit gateway peering connections allow resources in different Regions to communicate. A Site-to-Site VPN is suited to rapid deployment, whereas Direct Connect typically takes much longer to provision. Option C creates a transit gateway in the Tokyo Region and attaches the Tokyo VPC to it, establishes a peering connection with the Paris transit gateway, connects the Tokyo office to the local (Tokyo) transit gateway over a VPN, and configures routing so that traffic flows across Regions. Option A uses public subnets, which violates the security requirement; option B relies on a Direct Connect connection that cannot be completed within 5 days; option D terminates the VPN directly on the Paris transit gateway, which may introduce latency and routing problems. The correct approach follows AWS hybrid-architecture best practices.