Q83 — AWS ANS-C01 Ch.1
A company has users who work from home. The company wants to move these users to Amazon WorkSpaces for additional security visibility. The company has deployed WorkSpaces in its own AWS account in VPC A. A network engineer decides to provide the security visibility by using two firewall appliances behind a Gateway Load Balancer (GWLB). The network engineer provisions another VPC, VPC B, in a separate account and deploys the two firewall appliances in separate Availability Zones. What should the network engineer do to configure the network connectivity for this solution?
- A. Create a GWLB in VPC A with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the WorkSpaces account to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the default route to the VPC endpoint.
- B. Create a GWLB in VPC B with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the WorkSpaces account to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the default route to the GWLB endpoint. ✓
- C. Create a GWLB in VPC B with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the WorkSpaces account to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the WorkSpaces subnet to the VPC endpoint.
- D. Create a GWLB in VPC B with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the account that contains the firewall appliances to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the default route to the VPC endpoint.
Correct Answer: B. Create a GWLB in VPC B with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the WorkSpaces account to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the default route to the GWLB endpoint.
Explanation
In this scenario, the company wants to move its remote users to Amazon WorkSpaces to gain additional security visibility. To achieve this, the network engineer decides to deploy two firewall appliances in VPC B, in a separate account, and to provide secure access through a Gateway Load Balancer (GWLB).

Option A is wrong because it tries to create the GWLB in VPC A while the firewall appliances are in VPC B; this complicates the network configuration and does not follow the usual practice for cross-account resource access.

Option B is correct because it creates the GWLB in VPC B with the firewall appliances as targets and creates an endpoint from the GWLB. It also adds the AWS principal ARN of the WorkSpaces account to the allow list of the GWLB endpoint so that the WorkSpaces account can access that endpoint. In the WorkSpaces account, a VPC endpoint is created with the service name of the GWLB endpoint, and the route tables of VPC A are then modified to point to the GWLB endpoint, which routes traffic from VPC A to the firewall appliances in VPC B.

Option C is wrong because, although it points to the GWLB endpoint, it incorrectly modifies the route tables of VPC A to point to the WorkSpaces subnet instead of the GWLB endpoint.

Option D is wrong because it incorrectly adds the AWS principal ARN of the account that contains the firewall appliances to the allow list of the GWLB endpoint, when it should be the ARN of the WorkSpaces account.