AWS Hybrid Network Architecture: Cost-effective Solution for Global Bank | Exam Answer

Cost-effective Solution for Global Bank's Hybrid Network Architecture


Question

A global bank has a hybrid network architecture for its banking applications.

Clients are authenticated by servers deployed in the bank's data centre and, once authenticated, access banking application servers hosted in an AWS VPC.

As per security norms, client credit card transaction traffic must travel over an encrypted link.

All other traffic between servers in the data centre and AWS needs high bandwidth for quick responses to client queries.

In the AWS VPC, a single server processes the minimal credit card transaction traffic, while multiple application servers handle a huge volume of client transactions.

Separate CIDR ranges are configured for these two sets of servers.

As a Solution Architect, which of the following solutions can be deployed to meet this requirement in the most cost-effective way?

Answers

Explanations


Correct Answer - B.

Since the client requires an encrypted link, a VPN link can be used for that traffic, while an AWS Direct Connect link meets the high-bandwidth requirement.

When both an AWS Direct Connect link and a VPN link exist, traffic to a prefix learned over both will prefer the AWS Direct Connect link.

To route specific traffic over the VPN link, we need to advertise specific prefixes over the VPN link and summarised prefixes over the AWS Direct Connect link; longest-prefix matching then steers only the traffic for those specific prefixes onto the VPN.

Option A is incorrect as it will prefer the AWS Direct Connect link for both kinds of traffic, sending credit card traffic unencrypted over this link.

Option C is incorrect because only low bandwidth is required for credit card transactions, so creating a VPN over a Direct Connect link will incur additional cost.

Option D is incorrect as sending application traffic over a VPN link will impact application performance, since that traffic requires high bandwidth.
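The route selection that the explanation relies on, modelled as an added Python example (not part of the original page); the prefixes 10.20.0.0/16 and 10.20.200.0/24 are constructed assumptions standing in for the VPC CIDR and the credit card server CIDR.

```python
from ipaddress import ip_address, ip_network

# Constructed sample prefixes (assumptions, not values from the question).
VPC_CIDR = ip_network("10.20.0.0/16")      # summarised VPC range
CARD_CIDR = ip_network("10.20.200.0/24")   # credit card server subnet inside the VPC

# Same prefix learned over both links: Direct Connect is preferred over VPN.
LINK_PRIORITY = {"direct_connect": 0, "vpn": 1}
ENCRYPTED = {"direct_connect": False, "vpn": True}


def select_link(dst, routes):
    """Longest-prefix match first; on an equal prefix length the
    preferred link (Direct Connect) wins. Returns the link name or None."""
    dst = ip_address(dst)
    candidates = [(net, link) for net, link in routes if dst in net]
    if not candidates:
        return None
    net, link = max(candidates,
                    key=lambda r: (r[0].prefixlen, -LINK_PRIORITY[r[1]]))
    return link


def policy_violations(destinations, routes):
    """Report flows to credit card servers that would leave the data centre
    over an unencrypted link under the given route advertisements."""
    violations = []
    for dst in destinations:
        link = select_link(dst, routes)
        if ip_address(dst) in CARD_CIDR and not ENCRYPTED.get(link, False):
            violations.append((dst, link))
    return violations


# Option A style: the whole VPC CIDR advertised over both links.
ROUTES_A = [(VPC_CIDR, "direct_connect"), (VPC_CIDR, "vpn")]
# Option B style: summarised VPC CIDR over Direct Connect, specific
# credit card prefix over the VPN.
ROUTES_B = [(VPC_CIDR, "direct_connect"), (CARD_CIDR, "vpn")]

# Constructed destinations: one credit card server, one application server.
FLOWS = ["10.20.200.10", "10.20.5.7"]

if __name__ == "__main__":
    for name, routes in (("A", ROUTES_A), ("B", ROUTES_B)):
        print(name, [(d, select_link(d, routes)) for d in FLOWS],
              "violations:", policy_violations(FLOWS, routes))
```

Under the option A advertisements the card server traffic lands on Direct Connect because the equal-length prefix is preferred there; under option B the more specific /24 pulls only that traffic onto the VPN while the rest stays on the high-bandwidth link.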

For more information on using VPN links along with AWS Direct Connect links, refer to the following URL:

https://aws.amazon.com/answers/networking/aws-multiple-data-center-ha-network-connectivity/

The most cost-effective solution for the given scenario is option B: create an AWS Direct Connect link and a VPN link, route the VPC CIDR range over AWS Direct Connect for all other traffic, and route a specific prefix for the credit card servers over the VPN for credit card transaction traffic.

Here's a detailed explanation of why this option is the most suitable for the given scenario:

  • The requirement is an encrypted link for credit card transaction traffic and a high-bandwidth link for all other traffic.
  • AWS Direct Connect provides a high-bandwidth, dedicated network connection between AWS and an on-premises data centre. By routing the VPC CIDR range over AWS Direct Connect, we ensure high bandwidth for all other traffic between servers in the data centre and the AWS VPC.
  • A VPN can be used to establish an encrypted link between the data centre and the AWS VPC. By advertising the specific prefix of the credit card servers over the VPN and only the summarised VPC CIDR range over AWS Direct Connect, longest-prefix matching ensures that only credit card transaction traffic is routed over the VPN, which meets the security requirement.
  • Having a separate CIDR range for the credit card servers and routing it with a specific route over the VPN also keeps credit card transaction traffic isolated from other traffic, providing an additional layer of security.
  • Option B only requires one AWS Direct Connect link and one VPN link, which makes it the most cost-effective solution compared to options C and D, which require multiple Direct Connect links or VPN links.

In summary, option B provides a cost-effective solution that meets the security requirements and ensures high bandwidth for all other traffic.