Creating a VPN Connection between AWS and On-Premise Infrastructure: Options for Compliance Management


Question

You are the network administrator for a company.

Your company currently has resources on-premise and in AWS.

There is a requirement to create a VPN connection between AWS and the on-premise infrastructure.

But there is also a compliance requirement that the connections should be managed by the company on both sides of the connection.

Which two of the options below would satisfy this requirement?


Answer - A and C.

The AWS documentation mentions the following.

Amazon VPC offers you the flexibility to fully manage both sides of your Amazon VPC connectivity by creating a VPN connection between your remote network and a software VPN appliance running in your Amazon VPC network.

This option is recommended if you must manage both ends of the VPN connection, either for compliance purposes or for leveraging gateway devices that are not currently supported by Amazon VPC.

For more information on these networking options, see the URL below:

https://media.amazonwebservices.com/AWS_Amazon_VPC_Connectivity_Options.pdf

The requirement is to create a VPN connection between AWS and the on-premise infrastructure that is managed by the company on both sides of the connection. Let's look at each option and see which one would satisfy this requirement:

A. Create a customer gateway at AWS VPC end

A customer gateway is a logical representation of an on-premise VPN device that is used to connect to AWS. By creating a customer gateway at the AWS VPC end, the on-premise VPN device would connect to it, and a VPN connection would be established between the on-premise infrastructure and the VPC. However, creating a customer gateway at AWS does not give the company the ability to manage the VPN connection on both sides. Therefore, option A does not satisfy this requirement.

B. Use Direct Connect as the connectivity option

Direct Connect provides a dedicated, private connection between the on-premise infrastructure and the VPC over a dedicated network connection. This option gives the company the ability to manage the connection on both sides, as they have full control over the on-premise infrastructure and the VPC. Therefore, option B would satisfy this requirement.

C. Use a software VPN appliance in your VPC

A software VPN appliance is a virtual machine that provides VPN connectivity. By using a software VPN appliance in the VPC, the on-premise VPN device would connect to it, and a VPN connection would be established between the on-premise infrastructure and the VPC. However, this option does not give the company the ability to manage the VPN connection on the on-premise side, which is a requirement. Therefore, option C does not satisfy this requirement.

D. Use the Amazon virtual private interface

The Amazon virtual private interface (VPI) is a virtual network interface that enables the on-premise infrastructure to access AWS services over a private network connection. This option does not provide VPN connectivity between the on-premise infrastructure and the VPC, which is a requirement. Therefore, option D does not satisfy this requirement.

In conclusion, option B (Use Direct Connect as the connectivity option) would satisfy the requirement to create a VPN connection between AWS and the on-premise infrastructure that is managed by the company on both sides of the connection.
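The distinction the AWS documentation draws (a VPN terminated on an AWS-managed virtual private gateway versus one terminated on a software appliance the company runs inside the VPC) is something an auditor can check from the account's own route tables. The following is an added example, not part of the original question or of AWS's documentation. It uses stdlib Python only and works over constructed records shaped like the EC2 describe-vpn-connections, describe-route-tables and describe-instances responses, trimmed to the fields the check reads; the resource IDs are placeholders. It assumes that a route to an RFC 1918 destination whose target is a virtual private gateway with a Site-to-Site VPN attached means the VPC end is AWS-managed, and that a route whose target is an EC2 instance means a software VPN appliance the company operates. Routes to a virtual private gateway with no VPN attached (for example a Direct Connect virtual interface) are deliberately left out, as the check does not assess Direct Connect.

```python
"""Flag on-premises routes in a VPC whose AWS-side VPN endpoint is AWS-managed.

Added example (not the page's or AWS's code). Records below are constructed
and mimic the field names of the EC2 API; the IDs are placeholders.
"""
import ipaddress

# Constructed sample data (not from a real account).
VPN_CONNECTIONS = [
    {"VpnConnectionId": "vpn-0aaa", "Type": "ipsec.1", "State": "available",
     "CustomerGatewayId": "cgw-0111", "VpnGatewayId": "vgw-0222"},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0333", "VpcId": "vpc-0444", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        # On-prem prefix reached through an AWS-managed virtual private gateway
        {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0222"},
        # On-prem prefix reached through a company-run software VPN appliance
        {"DestinationCidrBlock": "172.16.0.0/12", "InstanceId": "i-0555",
         "NetworkInterfaceId": "eni-0666"},
        # Appliance route whose instance still has source/dest check enabled
        {"DestinationCidrBlock": "10.10.0.0/16", "InstanceId": "i-0999",
         "NetworkInterfaceId": "eni-0888"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0777"},
    ]},
]
INSTANCES = [
    {"InstanceId": "i-0555", "SourceDestCheck": False,
     "Tags": [{"Key": "Role", "Value": "vpn-appliance"}]},
    {"InstanceId": "i-0999", "SourceDestCheck": True,
     "Tags": [{"Key": "Role", "Value": "vpn-appliance"}]},
]

PRIVATE_NETS = [ipaddress.ip_network(c)
                for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(cidr: str) -> bool:
    """True when the CIDR lies inside an RFC 1918 block (our on-prem proxy)."""
    net = ipaddress.ip_network(cidr)
    return net.version == 4 and any(net.subnet_of(p) for p in PRIVATE_NETS)


def classify_onprem_paths(vpn_connections, route_tables, instances):
    """Return one finding per on-prem route, saying who manages the VPC end."""
    vpn_vgws = {v["VpnGatewayId"] for v in vpn_connections
                if v.get("VpnGatewayId")}
    by_id = {i["InstanceId"]: i for i in instances}
    findings = []
    for rtb in route_tables:
        for route in rtb["Routes"]:
            dest = route.get("DestinationCidrBlock")
            if not dest or not is_private(dest) or route.get("GatewayId") == "local":
                continue
            if route.get("InstanceId"):
                inst = by_id.get(route["InstanceId"])
                if inst is None:
                    path, ok, note = "software-appliance", False, \
                        "route targets an instance that no longer exists"
                elif inst.get("SourceDestCheck", True):
                    # An appliance must forward packets not addressed to it;
                    # with the check still on, forwarded traffic is dropped.
                    path, ok, note = "software-appliance", False, \
                        "appliance has source/destination check enabled"
                else:
                    path, ok, note = "software-appliance", True, \
                        "VPN terminates on a company-run appliance in the VPC"
            elif route.get("GatewayId") in vpn_vgws:
                path, ok, note = "virtual-private-gateway", False, \
                    "AWS-managed Site-to-Site VPN endpoint on the VPC side"
            else:
                # vgw without a VPN (e.g. Direct Connect), igw, etc.: not assessed
                continue
            findings.append({"route_table": rtb["RouteTableId"],
                             "destination": dest, "path": path,
                             "vpc_end_company_managed": ok, "note": note})
    return findings


def both_ends_company_managed(findings) -> bool:
    """Compliance verdict for the VPC side: every on-prem path must be company-run."""
    return bool(findings) and all(f["vpc_end_company_managed"] for f in findings)


if __name__ == "__main__":
    for f in classify_onprem_paths(VPN_CONNECTIONS, ROUTE_TABLES, INSTANCES):
        print(f"{f['route_table']} {f['destination']:<16} {f['path']:<24} "
              f"{'OK ' if f['vpc_end_company_managed'] else 'FAIL'} {f['note']}")
```

The check only speaks to the AWS side: the on-premise end is outside the account and has to be verified separately. Against real data you would feed it the `VpnConnections`, `RouteTables` and flattened `Instances` lists returned by the EC2 API instead of the constructed records.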