Q89 — AWS ANS-C01 Ch.1


A company is planning to use an AWS Transit Gateway hub-and-spoke architecture to migrate to AWS. The current on-premises Multiprotocol Label Switching (MPLS) network has strict controls that enforce network segmentation by using MPLS VPNs. The company has provisioned two 10 Gbps AWS Direct Connect connections to provide resilient, high-speed, low-latency connectivity to AWS. A security engineer needs to apply the concept of network segmentation to the AWS environment to ensure that virtual routing and forwarding (VRF) is logically separated for each of the company's software development environments. The number of MPLS VPNs will increase in the future. On-premises MPLS VPNs will have overlapping address space. The company's AWS network design must support overlapping address space for the VPNs. Which solution will meet these requirements with the LEAST operational overhead?

Correct Answer: D. Configure a Transit Gateway Connect attachment for each MPLS VPN between the company's edge routers and Transit Gateway. Configure a transit gateway route table that matches the MPLS VPN for each of the company's development environments.

Explanation

AWS Transit Gateway Connect lets you attach customer edge routers to a Transit Gateway by creating dedicated Connect attachments, with each attachment associated with a separate MPLS VPN. Combined with a custom transit gateway route table for each VPN, this logically isolates the traffic of the different environments and handles the overlapping address space. Option D uses an AWS-native service to simplify the architecture and avoids the complexity of maintaining multiple IPsec VPNs or an SD-WAN solution; scaling out only requires adding another attachment and route table, which meets the low-operational-overhead requirement. The [AWS Transit Gateway Connect documentation] notes that the feature integrates with MPLS VPNs through BGP dynamic routing and supports multiple route tables for traffic isolation, which suits the growing number of VPNs. The other options are less suitable: IPsec VPNs must be configured one at a time, SD-WAN introduces third-party components, and the Transit VPC architecture is outdated, so all carry higher operational cost.