AWS Certified Solutions Architect - Professional / Question #998 of 529

Question #998

A company is configuring a dedicated AWS Direct Connect connection to link its on-premises network with multiple VPCs using a transit gateway and a Direct Connect gateway. The connection uses a 1 Gbps transit virtual interface (VIF) and must support bidirectional communication between on-premises resources and the VPCs.

Which two steps are required to achieve this setup? (Choose two.)

A

Upgrade the Direct Connect connection from 1 Gbps to 10 Gbps.

B

Advertise the on-premises CIDR blocks to AWS via BGP over the transit VIF.

C

Ensure the Direct Connect gateway advertises the VPC CIDR blocks to the on-premises network over the transit VIF.

D

Enable MACsec encryption with a 'must_encrypt' policy on the Direct Connect connection.

E

Associate a MACsec CKN/CAK key pair with the Direct Connect connection.

Explanation

The correct answers are B and C.

- B: Advertising the on-premises CIDR blocks to AWS via BGP over the transit VIF ensures that the VPCs (through the transit gateway) know how to route return traffic to the on-premises network.
- C: The Direct Connect gateway must advertise the VPC CIDR blocks to the on-premises network over the transit VIF so that on-premises resources can route traffic to the VPCs.

Other options are incorrect because:
- A: The existing 1 Gbps connection is sufficient; a bandwidth upgrade would only be needed if the question stated a bandwidth requirement, which it does not.
- D and E: MACsec encryption is optional and would only be required by an explicit security or compliance requirement, which the question does not state.

Key Points:
1. BGP route exchange in both directions is essential for bidirectional routing.
2. The Direct Connect gateway propagates VPC routes to the on-premises network over the transit VIF.
3. Bandwidth upgrades and MACsec encryption are not required unless the requirements call for them.

Answer

The correct answer is: BC