Demo Amazon ANS-C00 Exam Questions

Section: Practice Mode 2 Questions
Question 1

Your company decides to use Amazon S3 to augment its on-premises data store. Instead of using the company's highly controlled, on-premises Internet gateway, a Direct Connect connection is ordered to provide high-bandwidth, low-latency access to S3. Since the company does not own a publicly routable IPv4 address block, a request was made to AWS for an AWS-owned address for a Public Virtual Interface (VIF). The security team is calling this new connection a "backdoor", and you have been asked to clarify the risk to the company. Which concern from the security team is valid and should be addressed?

Correct Answer: B
Explanation:

The valid security concern is that when using a Public Virtual Interface (Public VIF) over AWS Direct Connect, the customer router advertises the publicly routable, AWS-assigned IP address via BGP. Although this address is not exposed to the Internet, it is reachable by other Direct Connect customers connected to the same AWS public network through their own Public VIFs. Another Direct Connect customer could therefore send traffic directly to the company's router unless appropriate route filters, firewall rules, and access controls are in place.

Option A is incorrect because AWS does not advertise customer router routes to the public Internet. Option C is incorrect because Internet-connected EC2 instances cannot directly reach the customer router over Direct Connect. Option D is incorrect because S3 and VPC endpoints provide access to AWS services, not direct connectivity back to the customer's router. The primary risk to address is therefore connectivity from other Direct Connect customers sharing the AWS public routing domain.
Question 2

You are designing the network infrastructure for an application server in Amazon VPC. Users will access all the application instances from the Internet and from an on-premises network. The on-premises network is connected to your VPC over an AWS Direct Connect link. How should you design routing to meet these requirements?

Correct Answer: D
Explanation:
A VPC route table can have only one active route for a given destination prefix. Since the application must be reachable from both the Internet and the on-premises network via AWS Direct Connect, the best practice is:
  • Configure a default route (0.0.0.0/0) to the Internet Gateway (IGW) for Internet-bound traffic.
  • Advertise specific on-premises network prefixes (for example, 10.0.0.0/8, 172.16.0.0/12, etc.) through BGP over Direct Connect to the Virtual Private Gateway (VGW).
  • The VPC routing table will then send Internet traffic to the IGW and on-premises traffic to the VGW based on the more specific route match.
Why the other options are wrong:
  • A: Two default routes (0.0.0.0/0) in the same route table pointing to different targets would create ambiguity and is not a valid design.
  • B: A subnet can be associated with only one route table at a time, so associating both route tables with every subnet is impossible.
  • C: Advertising a default route from on-premises would cause all outbound traffic (including Internet traffic) to prefer the Direct Connect/VGW path, defeating the requirement to use the IGW for Internet access.
In summary: Use a route table with 0.0.0.0/0 → IGW and advertise specific on-premises routes via Direct Connect/VGW. AWS routing uses longest prefix match, so on-premises traffic follows the specific routes while all other traffic uses the Internet Gateway. Therefore, D is the correct answer.
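As an added illustration (not part of the exam material), the following Python model shows the longest-prefix-match behaviour the explanation relies on, and why two routes for the same prefix (option A) cannot coexist. The route table entries and target IDs are constructed placeholders, not real AWS resources.

```python
import ipaddress

# Constructed route table modelled on the design above (placeholder target IDs).
ROUTE_TABLE = [
    ("10.20.0.0/16", "local"),          # the VPC's own CIDR block
    ("0.0.0.0/0", "igw-PLACEHOLDER"),    # default route to the Internet Gateway
    ("10.0.0.0/8", "vgw-PLACEHOLDER"),   # on-premises prefix learned via BGP over Direct Connect
    ("172.16.0.0/12", "vgw-PLACEHOLDER"),
]


def validate_route_table(routes):
    """Reject a table that lists the same destination prefix twice.

    A VPC route table holds one route per destination prefix, so two
    0.0.0.0/0 entries pointing at different targets are not a valid design.
    """
    seen = set()
    for prefix, _target in routes:
        net = ipaddress.ip_network(prefix)
        if net in seen:
            raise ValueError(f"duplicate route for destination {net}")
        seen.add(net)


def lookup(routes, dst):
    """Return the target for dst chosen by longest-prefix match, or None."""
    validate_route_table(routes)
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for prefix, target in routes:
        net = ipaddress.ip_network(prefix)
        # Prefer the matching route with the longest prefix (most specific).
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


if __name__ == "__main__":
    for dst in ("10.20.3.4", "10.0.5.9", "172.20.1.1", "93.184.216.34"):
        print(f"{dst:>15} -> {lookup(ROUTE_TABLE, dst)}")
    try:
        lookup(ROUTE_TABLE + [("0.0.0.0/0", "vgw-PLACEHOLDER")], "8.8.8.8")
    except ValueError as err:
        print("rejected:", err)
```

Traffic to 10.x and 172.16/12 addresses follows the specific on-premises routes to the VGW, traffic inside the VPC CIDR stays local, and everything else falls through to the IGW.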
