You have been asked to virtually extend two existing data centres into AWS to support a highly available application that depends on existing, on-premises resources located in multiple data centres and static content that is served from an Amazon Simple Storage Service (S3) bucket. Your design currently includes a dual-tunnel VPN connection between your CGW and VGW. Which component of your architecture represents a potential single point of failure that you should consider changing to make the solution more highly available? (Choose 1)
a. No changes are necessary: the network architecture is currently highly available.
b. Add another CGW in a different data centre and create another dual-tunnel VPN connection.
c. Add another VGW in a different availability zone and create another dual-tunnel VPN connection.
d. Add a second VGW in a different availability zone, and a CGW in a different data centre, and create another dual-tunnel VPN connection.
This question tests your understanding of VPNs and the elements involved in establishing a VPN connection with AWS.
There are a few elements that you need to understand:
Virtual Private Gateway (VGW)
A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection.
Customer Gateway (CGW)
A customer gateway is a physical device or software application on your side of the VPN connection. For a list of customer gateway devices known to work with Amazon VPC, review the Frequently Asked Questions.
Virtual Private Network (VPN)
A virtual private network extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
To set up a VPN Connection within AWS you do the following:
- Create a Customer Gateway
- Create a Virtual Private Gateway
- Enable Route Propagation in your Route Table
- Update your Security Group to allow the appropriate access
- Create a VPN Connection and configure the Customer Gateway
When the VPN connection is created it actually establishes two VPN tunnels: the VGW is highly available on the AWS side, so it has two public IP addresses associated with it, one per tunnel.
I'd recommend watching the following AWS re:Invent videos for additional knowledge:
Now that I've covered that off, let's walk through ruling out the incorrect answers.
“Answer C” is incorrect. Availability Zones form part of a VPC, and whilst you would typically use multiple Availability Zones for high availability, you can only attach one Virtual Private Gateway (VGW) to a VPC. Therefore this is actually impossible to do.
“Answer A” is also incorrect because the network architecture is not highly available. Whilst there are two VPN tunnels and the VGW is highly available, the CGW is a single point of failure: if that device were to fail, both VPN tunnels would fail with it. Likewise, if there were an issue with the data centre where the CGW is located, e.g. a power failure or fire, the connections would fail; therefore it is not a highly available solution.
“Answer D” is partially correct: you do need to create another Customer Gateway in another data centre, because both the data centre and the CGW itself are single points of failure. However, as you can only attach one Virtual Private Gateway (VGW) to a VPC, this answer is also incorrect.
“Answer B” is the correct answer. All you need to do is add another Customer Gateway in another data centre and then create another VPN connection to the same VGW, which makes the solution highly available.
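To make the single-point-of-failure reasoning above concrete, here is a small failure-domain check written for this post (added example, not the author's code): it models the question's design (one CGW, one dual-tunnel VPN) beside the answer B design (a second CGW in a second data centre with its own VPN connection to the same VGW) and reports which single component, if lost, would drop every tunnel. All ids and addresses are constructed, and the mapping of each CGW to a data centre is an assumption the script supplies itself.

```python
# Failure-domain check for the VPN design discussed above (added example, not
# from the original post). Connections are modelled the way `aws ec2
# describe-vpn-connections` reports them; the CGW-to-data-centre mapping is an
# assumption of this script, since AWS does not know where a CGW physically lives.

def tunnel(outside_ip, status="UP"):
    return {"OutsideIpAddress": outside_ip, "Status": status}

def vpn(conn_id, cgw, tunnels):
    return {"VpnConnectionId": conn_id, "CustomerGatewayId": cgw,
            "VpnGatewayId": "vgw-main", "VgwTelemetry": tunnels}

# Constructed sample data: every id and address below is made up.
# Design A is the architecture in the question: one CGW, one dual-tunnel VPN.
DESIGN_A = {
    "vpn_connections": [vpn("vpn-0a", "cgw-dc1",
                            [tunnel("203.0.113.10"), tunnel("203.0.113.11")])],
    "cgw_site": {"cgw-dc1": "datacentre-1"},
}
# Design B is answer B: a second CGW in the other data centre with its own
# dual-tunnel VPN connection to the same VGW (a VPC can only have one VGW).
DESIGN_B = {
    "vpn_connections": DESIGN_A["vpn_connections"] + [
        vpn("vpn-0b", "cgw-dc2", [tunnel("203.0.113.12"), tunnel("203.0.113.13")])],
    "cgw_site": {"cgw-dc1": "datacentre-1", "cgw-dc2": "datacentre-2"},
}

def up_tunnels(design, failed=frozenset()):
    """Tunnels still UP once every component in `failed` is lost. A tunnel needs
    its CGW, the data centre hosting that CGW and its own AWS-side endpoint; the
    VGW itself is not a candidate because AWS runs it redundantly."""
    count = 0
    for c in design["vpn_connections"]:
        cgw = c["CustomerGatewayId"]
        if cgw in failed or design["cgw_site"][cgw] in failed:
            continue
        count += sum(1 for t in c["VgwTelemetry"]
                     if t["Status"] == "UP" and t["OutsideIpAddress"] not in failed)
    return count

def single_points_of_failure(design):
    """Every single component whose loss leaves no tunnel UP."""
    parts = set()
    for c in design["vpn_connections"]:
        parts.update({c["CustomerGatewayId"], design["cgw_site"][c["CustomerGatewayId"]]})
        parts.update(t["OutsideIpAddress"] for t in c["VgwTelemetry"])
    return {p for p in parts if up_tunnels(design, {p}) == 0}

if __name__ == "__main__":  # prints {'A': ['cgw-dc1', 'datacentre-1'], 'B': []}
    print({n: sorted(single_points_of_failure(d)) for n, d in (("A", DESIGN_A), ("B", DESIGN_B))})
```

Losing one AWS-side endpoint address in either design still leaves a tunnel up, which is the VGW redundancy the post describes; only the CGW and its data centre show up as single points of failure, and only in design A.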
That’s all for now.