ANS-C01 Exam Dumps : Amazon AWS Certified Advanced Networking - Specialty

An IPsec VPN connection over the transit VIF can encrypt traffic between the on-premises network and AWS without using public IP addresses or the internet2. A VPC endpoint for Amazon S3 can enable private access to S3 buckets within the same region. HTTPS can provide additional encryption for communication.

The most operationally efficient way to restrict inbound traffic to the ALB to come from CloudFront is to use the AWS managed prefix list for CloudFront. A prefix list is a collection of CIDR blocks that can be used to configure security groups and network ACLs. AWS provides a managed prefix list for CloudFront that is automatically updated when CloudFront IP ranges change. By adding an inbound rule to the ALB’s security group to allow the AWS managed prefix list for CloudFront, the network engineer can ensure that only CloudFront can access the ALB at the network layer. This solution does not require any additional configuration or maintenance. Option B is less efficient because network ACLs are stateless and require rules for both inbound and outbound traffic. Option C is not a network layer solution, but an application layer solution that requires the ALB to inspect the HTTP headers and reject requests that do not have the custom header. Option D is also not a network layer solution, but a web layer solution that requires AWS WAF to filter the traffic based on the CloudFront IP set. This solution also requires an AWS Lambda function to update the CloudFront IP set, which adds complexity and cost

Setting up a new 1 Gbps Direct Connect dedicated connection to accommodate the additional traffic load from remote employees and the additional application would provide more bandwidth and lower latency than a VPN connection over the public internet1. Creating a link aggregation group (LAG) with the existing and new Direct Connect connections would provide resiliency and redundancy for the AWS connectivity2.