AWS Site-to-Site VPN Setup | Default Option to Bring VPN Tunnels UP

Default Option to Bring VPN Tunnels UP

Question

A start-up firm is planning to set up new hybrid connectivity using AWS Site-to-Site VPN.

The Project Team working on setting up this connectivity has configured a Customer Gateway device with a public IP address.

It is looking for a default option to bring up VPN tunnels for this new connectivity. Which is the default option to bring VPN tunnels UP?

Answers

Explanations



Correct Answer: D.

For AWS Site-to-Site VPN, by default, Customer gateway devices initiate IKE negotiations to bring VPN Tunnels UP.

Option A is incorrect as an additional networking tool is not required to bring the VPN tunnel UP.

Option B is incorrect as VPN Tunnels are not automatically UP when the Customer gateway is assigned an IP address. Tunnels come UP when IKE negotiations are initiated from the customer gateway.

Option C is incorrect as AWS can initiate IKE negotiations, but this is not the default option.

For more information on initiating VPN Tunnels, refer to the following URL:

https://docs.aws.amazon.com/vpn/latest/s2svpn/initiate-vpn-tunnels.html

The correct answer is D: the Customer Gateway should initiate IKE negotiations to bring the tunnel UP.

When setting up a Site-to-Site VPN connection between an on-premises network and a VPC in AWS, the VPN connection consists of two endpoints: a virtual private gateway on the AWS side, and a customer gateway on the customer side.

IKE (Internet Key Exchange) is the protocol used to establish a secure, encrypted tunnel between the two endpoints. To establish a VPN tunnel, IKE negotiations must be initiated by one of the endpoints.

In this case, the Customer Gateway device has been configured with a public IP address, which means it is ready to initiate IKE negotiations with the virtual private gateway in AWS to bring up the VPN tunnel. Therefore, option D is the correct answer.

Option A is incorrect because a network tool on the on-premises Customer Gateway device cannot bring up the VPN tunnel by itself. It may be used to troubleshoot and diagnose connectivity issues, but it cannot initiate IKE negotiations.

Option B is incorrect because simply configuring a Customer Gateway device with a public IP address does not automatically bring up the VPN tunnel. IKE negotiations must still be initiated by one of the endpoints.

Option C is incorrect because IKE negotiations cannot be initiated by AWS. They must be initiated by one of the endpoints, in this case the Customer Gateway device.
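The behaviour discussed above is visible in the EC2 API: each tunnel of a Site-to-Site VPN connection carries a `StartupAction` in its tunnel options (`add`, the default, means AWS waits for the customer gateway to initiate IKE; `start` means AWS initiates, which requires IKEv2), and `VgwTelemetry` reports the live tunnel status. The following is an added example, not code from the page or from AWS: it reads a `DescribeVpnConnections`-shaped response and reports, for each tunnel, who is expected to initiate and why a DOWN tunnel may still be waiting. The sample response, connection ID and IP addresses are constructed placeholders; `fetch_live` is a hypothetical helper that is only called if you supply credentials and boto3.

```python
"""Report the expected IKE initiator and status of each Site-to-Site VPN tunnel.

Added example (not from the page or from AWS). Field names follow the EC2
DescribeVpnConnections response; the sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample response: one connection, two tunnels. The first tunnel uses
# the default startup action ("add") and is DOWN because nothing on the customer
# side has initiated IKE yet; the second is configured for AWS-initiated IKEv2.
SAMPLE_RESPONSE = {
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-0123456789abcdef0",  # placeholder ID
            "State": "available",
            "Options": {
                "TunnelOptions": [
                    {"OutsideIpAddress": "198.51.100.10", "StartupAction": "add",
                     "IkeVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}]},
                    {"OutsideIpAddress": "198.51.100.11", "StartupAction": "start",
                     "IkeVersions": [{"Value": "ikev2"}]},
                ]
            },
            "VgwTelemetry": [
                {"OutsideIpAddress": "198.51.100.10", "Status": "DOWN",
                 "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
                {"OutsideIpAddress": "198.51.100.11", "Status": "UP",
                 "StatusMessage": "", "AcceptedRouteCount": 3},
            ],
        }
    ]
}


@dataclass
class TunnelReport:
    connection_id: str
    outside_ip: str
    initiator: str  # "customer gateway" (default) or "AWS"
    status: str     # "UP" or "DOWN" as reported by VgwTelemetry
    finding: str


def expected_initiator(tunnel_options: dict) -> str:
    """Default (no StartupAction, or 'add'): the customer gateway must initiate IKE."""
    return "AWS" if tunnel_options.get("StartupAction") == "start" else "customer gateway"


def config_warnings(tunnel_options: dict) -> list[str]:
    """AWS-initiated tunnels require IKEv2; flag a tunnel that asks for 'start' without it."""
    warnings = []
    if tunnel_options.get("StartupAction") == "start":
        versions = {v["Value"] for v in tunnel_options.get("IkeVersions", [])}
        if versions and "ikev2" not in versions:
            warnings.append("StartupAction=start requires IKEv2, but the tunnel only allows "
                            + ", ".join(sorted(versions)))
    return warnings


def analyse(response: dict) -> list[TunnelReport]:
    """Join tunnel options with telemetry by outside IP and explain each tunnel's state."""
    reports: list[TunnelReport] = []
    for conn in response.get("VpnConnections", []):
        cid = conn["VpnConnectionId"]
        opts = {t["OutsideIpAddress"]: t
                for t in conn.get("Options", {}).get("TunnelOptions", [])}
        for tel in conn.get("VgwTelemetry", []):
            ip = tel["OutsideIpAddress"]
            who = expected_initiator(opts.get(ip, {}))
            status = tel.get("Status", "DOWN")
            if status == "UP":
                finding = "tunnel established"
            elif who == "AWS":
                finding = "AWS-initiated tunnel is DOWN: verify the customer gateway accepts IKEv2"
            else:
                finding = "waiting for the customer gateway to initiate IKE (default startup action)"
            reports.append(TunnelReport(cid, ip, who, status, finding))
    return reports


def down_tunnels(reports: list[TunnelReport]) -> list[TunnelReport]:
    return [r for r in reports if r.status != "UP"]


def fetch_live(connection_id: str) -> dict:
    """Hypothetical helper: pull the real response. Needs boto3 and AWS credentials."""
    import boto3  # imported lazily so the rest of the example runs offline
    return boto3.client("ec2").describe_vpn_connections(VpnConnectionIds=[connection_id])


if __name__ == "__main__":
    for r in analyse(SAMPLE_RESPONSE):
        print(f"{r.connection_id} {r.outside_ip}: {r.status:4} initiator={r.initiator}; {r.finding}")
```

Run it as-is to see the constructed case; to inspect a real connection, replace `SAMPLE_RESPONSE` with `fetch_live("<your-vpn-connection-id>")`. A tunnel reported DOWN with initiator "customer gateway" is the default situation the question describes: nothing is wrong on the AWS side, the on-premises device simply has not started IKE yet.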