Examtopics

AWS Certified Advanced Networking - Specialty
  • Topic 1 Question 150

    A network engineer needs to deploy an AWS Network Firewall firewall into an existing AWS environment. The environment consists of the following:

    • A transit gateway with all VPCs attached to it
    • Several hundred application VPCs
    • A centralized egress internet VPC with a NAT gateway and an internet gateway
    • A centralized ingress internet VPC that hosts public Application Load Balancers
    • On-premises connectivity through an AWS Direct Connect gateway attachment

    The application VPCs have workloads deployed across multiple Availability Zones in private subnets, with the VPC route table's default route (0.0.0.0/0) pointing to the transit gateway. The Network Firewall firewall needs to inspect east-west (VPC-to-VPC) traffic and north-south (internet-bound and on-premises network) traffic by using Suricata-compatible rules.

    The network engineer must deploy the firewall by using a solution that requires the least possible architectural changes to the existing production environment.

    Which combination of steps should the network engineer take to meet these requirements?

    Choose 3
    • Deploy Network Firewall in all Availability Zones in each application VPC.

    • Deploy Network Firewall in all Availability Zones in a centralized inspection VPC.

    • Update the HOME_NET rule group variable to include all CIDR ranges of the VPCs and on-premises networks.

    • Update the EXTERNAL_NET rule group variable to include all CIDR ranges of the VPCs and on-premises networks.

    • Configure a single transit gateway route table. Associate all application VPCs and the centralized inspection VPC with this route table.

    • Configure two transit gateway route tables. Associate all application VPCs with one transit gateway route table. Associate the centralized inspection VPC with the other transit gateway route table.
