A user has created a VPC with CIDR 20.0.0.0/16. The user has created public and VPN-only subnets along with
hardware VPN access to connect to the user's datacenter. The user wants to make it so that all traffic coming to
the public subnet follows the organization's proxy policy. How can the user make this happen?
A. Setting up a NAT with the proxy protocol and configuring the public subnet to receive traffic from the NAT
B. Setting up a proxy policy in the internet gateway connected with the public subnet
C. It is not possible to set up the proxy policy for a public subnet
D. Setting the route table and security group of the public subnet so that it receives traffic from a virtual private gateway
Explanation:
The user can create subnets within a VPC. If the user wants to connect to the VPC from his own data centre, he can
set up public and VPN-only subnets that use hardware VPN access to connect with his data centre. When the
user has configured this setup, it updates the main route table used with the VPN-only subnet, creates a
custom route table and associates it with the public subnet. It also creates an internet gateway for the public
subnet. By default, the internet traffic of the VPN-only subnet is routed to a virtual private gateway, while the
internet traffic of the public subnet is routed through the internet gateway. The user can set up route and
security group rules. These rules enable traffic to come from the organization's network over the virtual
private gateway to the public subnet, which allows the proxy settings to apply to that public subnet.
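The route-table change the explanation describes, as an added Python example that is not part of the page or of AWS documentation: it models longest-prefix matching over the two route tables of scenario 3 and shows that adding a route for the datacenter range via the virtual private gateway sends that traffic over the VPN while the 0.0.0.0/0 route via the internet gateway keeps the subnet public. The datacenter CIDR 10.0.0.0/8 and the proxy port 3128 are assumptions; the page does not give them.

```python
import ipaddress

# Constructed model of the route tables AWS creates for VPC scenario 3
# (VPC 20.0.0.0/16 with a public subnet and a VPN-only subnet).
VPC_CIDR = "20.0.0.0/16"
ONPREM_CIDR = "10.0.0.0/8"  # assumed corporate network behind the hardware VPN


def resolve(route_table, dst_ip):
    """Return the target for dst_ip using longest-prefix match, as a VPC
    route table does. Routes are (cidr, target) pairs."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else "blackhole"


def is_public(route_table):
    """A subnet is public only if its default route points at an internet gateway."""
    return any(c == "0.0.0.0/0" and t == "igw" for c, t in route_table)


def sg_allows(rules, proto, port, src_ip):
    """Security group ingress check: rules are (proto, port, source_cidr) tuples."""
    src = ipaddress.ip_address(src_ip)
    return any(p == proto and pt == port and src in ipaddress.ip_network(c)
               for p, pt, c in rules)


# Default public-subnet route table: local route plus default route via the IGW.
public_rt = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw")]
# VPN-only subnet (main route table): default route via the virtual private gateway.
vpn_only_rt = [(VPC_CIDR, "local"), ("0.0.0.0/0", "vgw")]
# Option D: add a more specific route so datacenter traffic uses the VGW,
# keeping the IGW default route so the subnet stays public.
public_rt_with_vgw = public_rt + [(ONPREM_CIDR, "vgw")]
# Ingress rule letting the datacenter's proxied traffic reach the public-subnet
# instances (assumed proxy port 3128).
proxy_sg = [("tcp", 3128, ONPREM_CIDR)]


def public_subnet_path_to_onprem(with_vgw_route):
    """Which gateway a public-subnet instance uses to reach a datacenter host."""
    rt = public_rt_with_vgw if with_vgw_route else public_rt
    return resolve(rt, "10.1.2.3")


if __name__ == "__main__":
    print("before:", public_subnet_path_to_onprem(False))  # igw (over the internet)
    print("after:", public_subnet_path_to_onprem(True))    # vgw
    print("still public:", is_public(public_rt_with_vgw))  # True
    print("vpn-only subnet public:", is_public(vpn_only_rt))  # False
```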
Does anyone understand what they are asking about? I don’t.
I had to read this page several times:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario3.html
The key part (I hope) is this:
Any traffic from your network going to an Elastic IP address for an instance in the public subnet goes over the Internet, and not over the virtual private gateway. You could instead set up a route and security group rules that enable the traffic to come from your network over the virtual private gateway to the public subnet.
The answer is D
D is correct
C is the answer
You cannot reach the public IP of the instance via the VGW; only the IGW keeps track of the public IP to private IP mapping.
You can only reach the private addresses of the instances using the VGW, and moreover, it is no longer a public subnet if you associate the default route with the VGW.
D
d
Option D
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario3.html
Dog
DOG, LOL
d
D