Troubleshooting AWS to On-Premises Connection via VPN | Exam Question


Question

A VPN has been set up between AWS and the on-premises network.

An EC2 Instance is launched in the VPC to test the connection via the ping command from on-premises.

Which of the below must be done to ensure the test works as desired?

Choose 3 answers from the options given below.

Explanations


Answer - A, C and D.

After you create the VPN connection and configure the customer gateway, you can launch an instance and test the connection by pinging the instance.

You need to use an AMI that responds to ping requests, and you need to ensure that your instance's security group is configured to enable inbound ICMP.

Remember that Security Groups are stateful in nature, so you don't need to ensure that Outbound traffic is allowed.

For more information on testing VPN connections, please refer to the URL below:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/HowToTestEndToEnd_Linux.html

When a VPN connection is established between AWS and an on-premises network, it allows communication between the two networks. In this scenario, an EC2 instance is launched in the VPC, and we want to test the connectivity between the on-premises network and the EC2 instance using the ping command.

To ensure that the test works as desired, we need to consider the following:

  1. Security Groups
  2. Network ACLs (NACLs)

A Security Group acts as a virtual firewall that controls the inbound and outbound traffic for an EC2 instance. Similarly, a Network ACL is a network-level firewall that controls the inbound and outbound traffic for an entire subnet.
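To make the request and reply paths concrete, here is a small added Python model (not from the exam page or from AWS) that evaluates the ping test against a security group and a NACL; the on-premises range 10.10.0.0/16, the peer address and the rule numbers are constructed. It applies the security group statefully, as the explanation above says, and the NACL statelessly, so the echo reply is checked against the NACL's outbound entries as well as the request against its inbound entries.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    protocol: str          # "icmp", "tcp", "udp" or "-1" (all protocols)
    cidr: str              # source (inbound) or destination (outbound) range
    action: str = "allow"  # NACL entries may also be "deny"; SG rules only allow
    number: int = 0        # NACL rule number; lowest is evaluated first

@dataclass
class RuleSet:             # used for both a security group and a network ACL
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

def _matches(rule, protocol, peer):
    return rule.protocol in (protocol, "-1") and ip_address(peer) in ip_network(rule.cidr)

def sg_permits(rules, protocol, peer):
    # Security group rules are allow-only: any matching rule permits the packet.
    return any(_matches(r, protocol, peer) for r in rules)

def nacl_permits(rules, protocol, peer):
    # NACL entries are evaluated in ascending rule number; the first match wins
    # and the implicit final "*" entry denies anything left unmatched.
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, protocol, peer):
            return r.action == "allow"
    return False

def ping_round_trip(sg, nacl, on_prem_ip):
    # Request direction: subnet NACL inbound, then the instance's SG inbound.
    if not nacl_permits(nacl.inbound, "icmp", on_prem_ip):
        return False, "NACL inbound blocks the echo request"
    if not sg_permits(sg.inbound, "icmp", on_prem_ip):
        return False, "security group inbound blocks the echo request"
    # Reply direction: the SG is stateful, so the reply to an allowed request
    # passes with no outbound rule; the NACL is stateless and needs its own allow.
    if not nacl_permits(nacl.outbound, "icmp", on_prem_ip):
        return False, "NACL outbound blocks the echo reply"
    return True, "ping succeeds"

# Constructed scenario (hypothetical addresses): on-premises 10.10.0.0/16 pings
# the instance; the SG only has an inbound ICMP rule, the NACL varies below.
ICMP_RULE = Rule("icmp", "10.10.0.0/16", number=100)
ON_PREM = "10.10.5.20"
SG = RuleSet(inbound=[ICMP_RULE])
NACL_IN_ONLY = RuleSet(inbound=[ICMP_RULE])
NACL_BOTH = RuleSet(inbound=[ICMP_RULE], outbound=[ICMP_RULE])
```

Calling `ping_round_trip(SG, NACL_IN_ONLY, ON_PREM)` reports that the NACL outbound entry blocks the reply, while `NACL_BOTH` lets the ping succeed.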

Now, let's consider the given options:

A. Ensure the Security Groups allow Inbound ICMP traffic

This option ensures that the EC2 instance's Security Group allows incoming ICMP traffic. ICMP (Internet Control Message Protocol) is used by the ping command to test connectivity. Hence, this option is required to allow ping traffic from the on-premises network to the EC2 instance.

B. Ensure the Security Groups allow Outbound ICMP traffic

This option ensures that the EC2 instance's Security Group allows outgoing ICMP traffic. Outgoing ICMP traffic is required for the EC2 instance to respond to the ping command from the on-premises network.

C. Ensure that the NACL allows Inbound ICMP traffic

This option ensures that the NACL allows incoming ICMP traffic to the VPC subnet in which the EC2 instance is launched. If the NACL blocks incoming ICMP traffic, the ping command from the on-premises network to the EC2 instance will fail.

D. Ensure that the NACL allows Outbound ICMP traffic

This option is not necessary for the ping command to work as desired. Outgoing ICMP traffic from the VPC subnet is not required for the ping command to function correctly.

In conclusion, to ensure that the test works as desired, we must ensure that the Security Groups allow both inbound and outbound ICMP traffic, and the NACL allows inbound ICMP traffic. Hence, the correct answers are A, B, and C.