Enhancing Security for Financial Transactions in AWS VPCs

Implementing Least Administrative Overhead for Traffic Routing between VPCs A, B, and C


Question

A financial organization is deploying a 3-tier application in VPCs created across multiple Availability Zones in the us-east-1 region.

All external-facing application servers are created in VPC A and access database servers in VPC C.

To enhance security for these financial transactions between the application and database servers, the organization has launched servers in VPC B which will perform threat assessment on all traffic.

The IT team needs all traffic between VPC A and VPC C to pass through VPC B.

As an AWS consultant, which of the following solutions will meet this requirement with the least administrative overhead?

Answers

A. Create a VPN connection from the VGW in VPC A to an EC2 instance in VPC B (the VPN tunnel is initiated by the instance in VPC B towards VPC A), which analyzes all packets before forwarding traffic to the VGW in VPC C over a second VPN connection.

B. Create a VPN connection from an EC2 instance in VPC A to an EC2 instance in VPC B, which analyzes all packets before tunneling traffic to an EC2 instance in VPC C over a VPN connection.

C. Create VPC peering between VPC A and VPC B and another between VPC B and VPC C.

D. Make routing changes to pass all traffic from VPC A to VPC C via VPC B.

E. Create a VPN connection from VPC A to the VGW in VPC B.

F. Create a separate VGW for a VPN connection between VPC B and VPC C. Create routing entries in each VGW which will pass traffic from VPC A to VPC C via VPC B.

Explanations

Correct Answer - A.

A VPN endpoint is deployed on an EC2 instance in VPC B, the VPC where all traffic analysis and threat assessment is done.

The VGWs in VPC A and VPC C are each used to create a VPN connection (one per VPC) with that EC2 instance in VPC B, which acts as the customer gateway for both connections.

Application servers in VPC A send their database traffic over the first VPN connection to the instance in VPC B for threat analysis; after inspection the instance forwards it over the second VPN connection to the database servers in VPC C, and return traffic takes the same path in reverse.

Two practical points for whoever builds this: the instance must have source/destination checking disabled, because it forwards packets that are neither from nor to its own addresses, and it is both a single point of failure and a throughput ceiling for all traffic between VPC A and VPC C unless a second appliance with its own tunnel pair is added.

Option B is incorrect because it requires a software VPN on every EC2 instance in VPC A and VPC C, each of which must be individually configured, keyed, patched and monitored, which is difficult to manage.

Option C is incorrect because VPC peering does not support transitive routing: a peering connection only forwards traffic addressed to the peer VPC's own CIDR, so traffic from VPC A for VPC C is dropped at the A-B peering and never reaches VPC C through VPC B.

Option D is incorrect for the same reason: with no transitive path there is no route table target in VPC A that delivers traffic to VPC C via VPC B, so routing changes alone cannot enforce the required path.

For more information on transit routing with VPN connections, refer to the following URL:

https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharing/
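As an added example that is not part of the original page or of any AWS material, here is option A expressed as Terraform for the hashicorp/aws provider: a VGW in VPC A and one in VPC C, each with a Site-to-Site VPN connection to a single customer gateway that represents the threat-assessment EC2 instance in VPC B. The variable names, the VPC and route table IDs, the CIDRs and the appliance's Elastic IP are assumptions, and the appliance itself (its AMI, IPsec daemon and inspection stack) is assumed to exist already.

```hcl
# Added example, not from the original page or from AWS: option A as Terraform
# (hashicorp/aws provider). VPC A and VPC C each get a VGW and a Site-to-Site
# VPN connection to one customer gateway, which is the EC2 VPN/inspection
# appliance already running in VPC B. All variable values are assumptions.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "vpc_a_id"             { type = string }
variable "vpc_c_id"             { type = string }
variable "vpc_a_cidr"           { type = string } # assumed, e.g. 10.1.0.0/16
variable "vpc_c_cidr"           { type = string } # assumed, e.g. 10.3.0.0/16
variable "vpc_a_route_table_id" { type = string } # route table of the app subnets
variable "vpc_c_route_table_id" { type = string } # route table of the DB subnets
variable "appliance_public_ip"  { type = string } # Elastic IP of the VPC B appliance

# One VGW per VPC: a VPC can have at most one VGW attached at a time.
resource "aws_vpn_gateway" "vpc_a" {
  vpc_id = var.vpc_a_id
}

resource "aws_vpn_gateway" "vpc_c" {
  vpc_id = var.vpc_c_id
}

# From each VGW's point of view the appliance in VPC B is the "customer
# gateway"; one customer gateway object is shared by both VPN connections.
# The appliance initiates the IKE/IPsec tunnels towards the VGW endpoints.
resource "aws_customer_gateway" "vpc_b_appliance" {
  bgp_asn    = 65000 # required by the API even with static routing
  ip_address = var.appliance_public_ip
  type       = "ipsec.1"
}

# Tunnel 1: VPC A <-> appliance. The only prefix behind this tunnel is VPC C,
# so VPC A reaches VPC C through the appliance and nothing else.
resource "aws_vpn_connection" "a_to_b" {
  vpn_gateway_id      = aws_vpn_gateway.vpc_a.id
  customer_gateway_id = aws_customer_gateway.vpc_b_appliance.id
  type                = "ipsec.1"
  static_routes_only  = true
}

resource "aws_vpn_connection_route" "a_to_b_vpc_c" {
  vpn_connection_id      = aws_vpn_connection.a_to_b.id
  destination_cidr_block = var.vpc_c_cidr
}

# Tunnel 2: VPC C <-> appliance; the only prefix behind it is VPC A.
resource "aws_vpn_connection" "c_to_b" {
  vpn_gateway_id      = aws_vpn_gateway.vpc_c.id
  customer_gateway_id = aws_customer_gateway.vpc_b_appliance.id
  type                = "ipsec.1"
  static_routes_only  = true
}

resource "aws_vpn_connection_route" "c_to_b_vpc_a" {
  vpn_connection_id      = aws_vpn_connection.c_to_b.id
  destination_cidr_block = var.vpc_a_cidr
}

# Propagate the static VPN routes into the subnet route tables: in VPC A the
# VPC C prefix now points at the VGW, and vice versa. This is the entire
# "routing change" needed in VPC A and VPC C; neither VPC needs a peering.
resource "aws_vpn_gateway_route_propagation" "vpc_a" {
  vpn_gateway_id = aws_vpn_gateway.vpc_a.id
  route_table_id = var.vpc_a_route_table_id
}

resource "aws_vpn_gateway_route_propagation" "vpc_c" {
  vpn_gateway_id = aws_vpn_gateway.vpc_c.id
  route_table_id = var.vpc_c_route_table_id
}

# What the appliance needs to build its side of the two tunnels. The
# pre-shared keys are sensitive and belong in the appliance's secret store.
output "tunnel_endpoints" {
  value = {
    a_outside = aws_vpn_connection.a_to_b.tunnel1_address
    a_inside  = aws_vpn_connection.a_to_b.tunnel1_vgw_inside_address
    c_outside = aws_vpn_connection.c_to_b.tunnel1_address
    c_inside  = aws_vpn_connection.c_to_b.tunnel1_vgw_inside_address
  }
}

output "tunnel_psks" {
  sensitive = true
  value = {
    a = aws_vpn_connection.a_to_b.tunnel1_preshared_key
    c = aws_vpn_connection.c_to_b.tunnel1_preshared_key
  }
}
```

Before applying, disable source/destination checking on the appliance (`aws ec2 modify-instance-attribute --instance-id <id> --no-source-dest-check`), since it forwards packets that are neither from nor to its own addresses, then configure its IPsec daemon from the two outputs. Each AWS VPN connection actually provides two tunnels; only tunnel 1 is shown here, and a production build would use both tunnels and a second appliance, because this single instance is a point of failure and a throughput ceiling for every packet between the two VPCs. The security groups in VPC A and VPC C still have to admit traffic from the remote VPC's CIDR, and because the VGW side of each tunnel terminates on a public endpoint, the A-to-B and B-to-C legs leave their VPCs encrypted rather than over a private link.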

The requirement is to have all traffic between VPC A and VPC C pass through VPC B for threat assessment. There are several possible solutions to achieve this, but the one with the least administrative overhead is the best.

Let's review the answer options:

A. Create a VPN connection from the VGW in VPC A to an EC2 instance in VPC B (the VPN tunnel is initiated by the instance in VPC B towards VPC A), which analyzes all packets before forwarding traffic to the VGW in VPC C over a second VPN connection. This is the transit-VPC pattern. VPC A and VPC C each need only a VGW, one Site-to-Site VPN connection and a route for the remote CIDR; AWS operates the VGW end of both tunnels, and the only self-managed component is the single appliance in VPC B, which already exists because that is where the threat-assessment servers run. Every packet between VPC A and VPC C must traverse that appliance. This meets the requirement with the least administrative overhead.

B. Create a VPN connection from an EC2 instance in VPC A to an EC2 instance in VPC B, which analyzes all packets before tunneling traffic to an EC2 instance in VPC C over a VPN connection. This replaces the managed VGWs with software VPN endpoints on instances in VPC A and VPC C, each of which must be built, patched, keyed and monitored, with routes maintained by hand. It can be made to work, but not with the least overhead.

C. Create VPC peering between VPC A and VPC B and another between VPC B and VPC C. VPC peering is not transitive: a peering connection only forwards packets addressed to the peer VPC's own CIDR, so traffic from VPC A for VPC C is dropped at the A-B peering and never reaches the B-C peering. It would not even reach VPC B for assessment, let alone VPC C.

D. Make routing changes to pass all traffic from VPC A to VPC C via VPC B. A route table entry needs a target that actually carries the traffic. Without a VPN or similar attachment there is no target in VPC A's route table that leads to VPC C through VPC B, and a peering target would again drop anything not addressed to the peer's CIDR. Routing changes alone do not meet the requirement.

E. Create a VPN connection from VPC A to the VGW in VPC B. This connects VPC A to VPC B only; nothing carries the inspected traffic on to VPC C, and a VGW does not forward packets between the VPN connections attached to it. This is an incomplete solution.

F. Create a separate VGW for a VPN connection between VPC B and VPC C, and create routing entries in each VGW which pass traffic from VPC A to VPC C via VPC B. If "separate" means a second VGW on VPC B, that is not possible: a VPC can have only one VGW attached at a time. In any case a VGW never relays traffic from one VPN connection into another (the edge-to-edge routing that AWS documents as unsupported), so there is no VGW routing entry that can send VPC A's traffic through VPC B to VPC C. This option does not work at all, regardless of overhead.

Therefore the correct answer is A.