AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct answer is to use MACsec (Media Access Control Security). MACsec is an IEEE 802.1AE standard that provides Layer 2 encryption for Direct Connect dedicated connections at 10 Gbps and 100 Gbps speeds. It offers line-rate encryption with minimal performance impact because it is implemented in hardware, making it the ideal solution for high-throughput, latency-sensitive workloads that require encryption over a Direct Connect link.

An AWS Site-to-Site VPN over a public VIF is a valid method to encrypt traffic over Direct Connect, but it is not the most performant solution for a 10 Gbps link. IPsec VPNs introduce significant overhead due to packet encapsulation and encryption processes, and a single VPN tunnel is limited to a maximum throughput of 1.25 Gbps. While multiple tunnels can be aggregated, achieving full 10 Gbps line-rate performance is difficult and complex.

Enforcing application-level encryption with TLS is a good security practice but does not meet the requirement of encrypting all traffic traversing the link, as it only protects traffic from applications configured to use it. It introduces considerable operational overhead to implement and manage universally across all applications and services. This approach does not encrypt the link itself.

AWS Network Firewall is a managed service used to filter and inspect network traffic. While it can enforce policies on encrypted traffic (like allowing only TLS 1.3), its function is not to provide end-to-end encryption for the Direct Connect link itself. It acts as a firewall, not a link encryption mechanism.