Which two methods increase the fault tolerance of the connection to VPC-1?

A company has configured and peered two VPCs: VPC-1 and VPC-2. VPC-1 contains only private subnets, and
VPC-2 contains only public subnets. The company uses a single AWS Direct Connect connection and private
virtual interface to connect their on-premises network with VPC-1. Which two methods increase the fault
tolerance of the connection to VPC-1? Choose 2 answers

A.
Establish a hardware VPN over the internet between VPC-2 and the on-premises network.

B.
Establish a hardware VPN over the internet between VPC-1 and the on-premises network.

C.
Establish a new AWS Direct Connect connection and private virtual interface in the same region as VPC-2.

D.
Establish a new AWS Direct Connect connection and private virtual interface in a different AWS region than
VPC-1.

E.
Establish a new AWS Direct Connect connection and private virtual interface in the same AWS region as
VPC-1





networkmanagers


I agree with the answer. BC

gopa


Since edge-to-edge routing is not allowed, how can VPC1 use the direct connection of VPC2?

Tuan


We can set up a VPC peering/VPN connection between VPC1 and VPC2 to make the connection, but in this question there is no information about this setting. But in my thinking, BC may be correct.

mutiger91


I’m not sure you understood @gopa’s response.

Each VPC has its own virtual router. Each router has interfaces to internal traffic (within the VPC) and to external traffic (outside of the VPC). For EC2 instances or other services launched in the VPC, you can create routes to anything that your VPC router can see. However, a VPC router will never take traffic that originates outside of the VPC and pass it through to another destination outside of the VPC.

That means that even if you do create a 0/0 route to the peering interface from VPC2, VPC1 virtual router will simply drop all packets not destined for the IP range in VPC1. It will not forward.

Also, another clue that BC is wrong is because @networkmanagers says it is correct.
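The forwarding rule described in the comment above, as an added example that is not part of any commenter's post: a small path search that counts the usable routes from on-premises to VPC-1 when a VPC may start or end a path but never relay one. The link names are constructed labels, and the model covers only this no-transit rule (no regions, BGP or route tables).

```python
# Added illustration: counts usable on-prem -> VPC-1 paths under the
# no-transit rule. Link names below are constructed, not from the page.
VPCS = {"VPC-1", "VPC-2"}

def usable_paths(links, src, dst):
    """Return every loop-free path from src to dst as a list of link names.

    links: iterable of (name, end_a, end_b), treated as bidirectional.
    A VPC may be the source or destination of a path but never an
    intermediate hop: its router drops traffic that neither starts nor
    ends inside the VPC.
    """
    found = []

    def walk(node, seen, used):
        if node == dst:
            found.append(used)
            return
        if node != src and node in VPCS:
            return  # would require the VPC to forward transit traffic
        for name, a, b in links:
            if node not in (a, b):
                continue
            nxt = b if node == a else a
            if nxt not in seen:
                walk(nxt, seen | {nxt}, used + [name])

    walk(src, {src}, [])
    return found

BASE = [
    ("dx-1", "on-prem", "VPC-1"),     # existing Direct Connect private VIF
    ("peering", "VPC-1", "VPC-2"),    # VPC peering connection
]
# A second link that terminates on VPC-2 adds no path to VPC-1 ...
VIA_VPC2 = BASE + [("vpn-to-vpc2", "on-prem", "VPC-2")]
# ... while a second link that terminates on VPC-1 does.
TO_VPC1 = BASE + [("vpn-to-vpc1", "on-prem", "VPC-1")]

if __name__ == "__main__":
    for label, topo in (("via VPC-2", VIA_VPC2), ("to VPC-1", TO_VPC1)):
        print(label, usable_paths(topo, "on-prem", "VPC-1"))
```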

Nitin Thakur


gopa, I agree. A & C.

Vlad


BE
“Establish a new AWS Direct Connect connection and private virtual interface in the same region as VPC-2” – Different VPC and Transitive Peering does not work

Ega


When we talk about fault tolerance, why can’t we go for D?

shaam


D can’t be correct, it talks about a new AWS direct connect in a different AWS region than VPC-1. VPC peering works only where both VPCs are in the same region.

fun4two


BE is correct

austin


B&E, either method adds one additional connection to VPC-1. One is VPN, and another is Direct Connection.

thinker


B C

We are talking about fault tolerance. In the case of a Direct Connect line failure between on-premises and VPC1, we need other ways to connect on-premises with VPC1:
VPN uses the internet connection; we can set up a VPN between on-premises and VPC1
or
DC between on-premises and VPC2. Since there is a peering connection between VPC2 and VPC1, we are still able to connect to VPC1.

shaam


B and C are correct. Technically A should also be true since a hardware VPN between on-premises and VPC2 can also help, but that’s very indirect. B and C are closer.

rangeshpvenkatesan@gmail.com


Thanks mate. You made it simple without complicated terms!!

mutiger91


Except he has the wrong answer because peering doesn’t work the way he described.

Manoj Maurya


B and E only