AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A financial-services company must migrate a 50-TB on-premises Oracle database to an Amazon RDS for Oracle instance in its primary AWS Region. The company already has one dedicated 10 Gbps AWS Direct Connect connection that terminates at a single colocation facility and uses a private virtual interface (VIF) to the company's VPC.
To meet a strict migration deadline and ensure long-term operational resilience, the solutions architect must design connectivity that:
increases total bandwidth,
survives the loss of an entire Direct Connect location, and
provides link-level encryption without adding significant throughput overhead.
Which networking solution best meets these requirements?
Upgrade the current Direct Connect port to 100 Gbps at the same location and create both public and private VIFs. Rely on application-layer encryption for data in transit.
Add a second 10 Gbps Direct Connect connection in a new facility. Create an AWS Transit Gateway, attach the VPC, and build IPsec Site-to-Site VPN tunnels over each Direct Connect to encrypt traffic.
Order a second 10 Gbps cross-connect at the existing facility and create a Link Aggregation Group (LAG) with the two ports. Configure a Site-to-Site VPN over the internet as a backup path.
Provision a second 10 Gbps dedicated Direct Connect connection at a different colocation facility. Configure a private VIF on each connection and attach them directly to the VPC's virtual private gateway. Enable MACsec on both connections for Layer-2 encryption.
Provisioning a second dedicated 10 Gbps Direct Connect connection in a different colocation facility and attaching private VIFs from both connections directly to the VPC's virtual private gateway meets all three requirements:
Two geographically diverse connections protect against a complete location failure and allow active/active traffic flow for 20 Gbps aggregate bandwidth.
MACsec can be enabled on each dedicated link to deliver Layer-2, near line-rate encryption between the customer router and the AWS Direct Connect device, eliminating the performance penalties of overlay IPsec tunnels.
Direct Connect traffic is not encrypted by default, so MACsec satisfies the company's link-level encryption requirement.
Other choices are less suitable:
Creating a Link Aggregation Group (LAG) in the same facility doubles bandwidth but still fails if the location goes offline.
Adding IPsec VPN over Direct Connect provides encryption but lowers effective throughput and adds operational complexity.
Upgrading to a single 100 Gbps port at the existing site increases bandwidth but does not address location-level availability or encryption.
Accelerate Workload Migration and Modernization