Question 12 - Amazon ANS-C01 Real Exam Questions [Jan 2026 Update]

Q: 12

A financial company that is located in the us-east-1 Region needs to establish secure connectivity to AWS. The company has two on-premises data centers, each located within the same Region. The company's network team needs to establish hybrid connectivity to its AWS environment with reliable and consistent connectivity. The connection must provide access to the company's private resources inside its AWS environment. The resources are located in the us-east-1 and us-west-2 Regions. The connection must allow resources from the corporate networks to send large amounts of data to Amazon S3 over the same connection. To meet compliance requirements, the connection must be highly available and must provide encryption for all packets that are sent between the on-premises location and any services on AWS. Which combination of steps should the network team take to meet these requirements? (Choose two.)

Options

Correct Answer:

B, D

Explanation

This solution meets all requirements for high availability, multi-region connectivity, and encrypted access to both private (VPC) and public (Amazon S3) resources.

Option B addresses the high availability requirement by establishing redundant AWS Direct Connect (DX) connections, one from each of the two on-premises data centers. This eliminates the DX connection as a single point of failure.

Option D correctly configures the logical connectivity. A public virtual interface (VIF) is required to access public AWS service endpoints like Amazon S3 over a DX connection. To meet the encryption requirement for traffic to the VPCs, an AWS Site-to-Site VPN is established over the public VIF. This creates an encrypted tunnel from the on-premises data centers to the Virtual Private Gateways (VGWs) or Transit Gateways (TGWs) in the AWS Regions.

Why Incorrect

A. A private VIF is used to access private IP addresses within a VPC and cannot be used to directly access public AWS service endpoints like Amazon S3.

C. A single Direct Connect connection from only one data center does not satisfy the high availability requirement, as it creates a single point of failure.

E. A transit VIF is used exclusively to connect a Direct Connect Gateway to a Transit Gateway for VPC access; it cannot be used to access public services like Amazon S3.

References

1. AWS Direct Connect User Guide, Resiliency Recommendations: "For critical workloads, we recommend that you have connections at more than one location. [...] You can achieve high availability by using separate connections that terminate on separate devices in more than one location." This supports establishing a DX connection from each data center (Option B).

2. AWS Direct Connect User Guide, Virtual interface types: "Public virtual interface: Access all AWS public services using public IP addresses." This documentation confirms that a public VIF is the correct choice for accessing Amazon S3 (supporting Option D).

3. AWS Direct Connect User Guide, AWS Direct Connect and VPN: "You can configure an AWS Site-to-Site VPN connection to use a public virtual interface to establish a secure, private session. This combination offers the benefits of a connection with higher bandwidth and a more consistent network experience than an internet-based VPN connection." This directly validates the pattern of using a Site-to-Site VPN over a public VIF for encrypted communication (supporting Option D).

4. AWS Direct Connect User Guide, Direct Connect gateways: "You can use a Direct Connect gateway to connect your AWS Direct Connect connection over a private virtual interface to one or more VPCs in your account that are located in the same or different Regions." While not an answer choice, this concept is relevant to how the multi-region VPC access would be implemented underneath the VPN layer. The VPN itself can terminate in any region over the public VIF.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE