Q87 — AWS ANS-C01 Ch.1

Question 87 of 100

A company needs to temporarily scale out capacity for an on-premises application and wants to deploy new servers on Amazon EC2 instances. A network engineer must design the networking solution for the connectivity and for the application on AWS. The EC2 instances need to share data with the existing servers in the on-premises data center. The servers must not be accessible from the internet. All traffic to the internet must route through the firewall in the on-premises data center. The servers must be able to access a third-party web application. Which configuration will meet these requirements?

Correct Answer: B. Create a VPC that has private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the private subnets with the route table. Add a default route to the virtual private gateway. Deploy the application to the private subnets.

Explanation

To meet the requirements in the question, an AWS VPC (Virtual Private Cloud) environment must be built in which the servers are not directly reachable from the internet but can still reach the third-party web application and the on-premises data center. Option B correctly sets up only private subnets and communicates with the on-premises data center over an AWS Site-to-Site VPN connection. This configuration ensures that the EC2 instances can securely access resources in the on-premises data center while routing all internet-bound traffic over the VPN so that it passes through the on-premises data center's firewall. Options A and D both include public subnets, which violates the requirement that the servers must be isolated from the internet. Option C uses only public subnets, and deploying the application in public subnets likewise does not satisfy the security requirement. Therefore, option B is the correct answer.