Q87 — AWS ANS-C01 Ch.1
A company needs to temporarily scale out capacity for an on-premises application and wants to deploy new servers on Amazon EC2 instances. A network engineer must design the networking solution for the connectivity and for the application on AWS. The EC2 instances need to share data with the existing servers in the on-premises data center. The servers must not be accessible from the internet. All traffic to the internet must route through the firewall in the on-premises data center. The servers must be able to access a third-party web application. Which configuration will meet these requirements?
- A. Create a VPC that has public subnets and private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a NAT gateway in a public subnet. Create a route table, and associate the public subnets with the route table. Add a default route to the internet gateway. Create a route table, and associate the private subnets with the route table. Add a default route to the NAT gateway. Add routes for the data center subnets to the virtual private gateway. Deploy the application to the private subnets.
- B. Create a VPC that has private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the private subnets with the route table. Add a default route to the virtual private gateway. Deploy the application to the private subnets. ✓
- C. Create a VPC that has public subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the public subnets with the route table. Add a default route to the internet gateway. Add routes for the on-premises data center subnets to the virtual private gateway. Deploy the application to the public subnets.
- D. Create a VPC that has public subnets and private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the public subnets with the route table. Add a default route to the internet gateway. Create a route table, and associate the private subnets with the route table. Add routes for the on-premises data center subnets to the virtual private gateway. Deploy the application to the private subnets.
Correct Answer: B. Create a VPC that has private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the private subnets with the route table. Add a default route to the virtual private gateway. Deploy the application to the private subnets.
Explanation
To meet the requirements in the question, an AWS VPC (Virtual Private Cloud) environment must be built in which the servers are not directly reachable from the internet but can still access the third-party web application and the on-premises data center. Option B correctly sets up only private subnets and communicates with the on-premises data center over an AWS Site-to-Site VPN connection. This configuration ensures that the EC2 instances can securely access resources in the on-premises data center while routing all internet traffic over the VPN and through the on-premises data center's firewall. Options A and D both include public subnets, which violates the requirement that the servers must be isolated from the internet. Option C uses only public subnets, and deploying the application in public subnets likewise fails to meet the security requirement. Therefore, option B is the correct answer.