AWS Advanced Networking Specialty: Troubleshooting Connectivity Issues in Multi-Location Deployment

Resolving Connectivity Issues in AWS VPC Deployment


Question

An IT firm is deploying new application servers in AWS VPC created at the ap-south-1 region for its new client.

These servers will be accessed by the development teams based at the Bengaluru & Pune locations.

For the POC phase, to keep cost to a minimum & speed up deployment, an AWS VPN with static routes will be set up from the firm's Mumbai office CGW to the VGW.

Initially, when the development team at Pune checked reachability to the application servers in Mumbai, it worked fine.

Last week, connectivity for the Bengaluru office was established via the Bengaluru-Mumbai internal WAN link & onward over the VPN link to the application servers.

Since then, the development teams at both the Pune & Bengaluru locations have been facing issues establishing connectivity to the servers.

Further checks showed intermittent packet drops on the VPN link, while no issues were observed on the client's internal WAN links between the Mumbai, Pune & Bengaluru locations.

Which of the following cost-effective actions can resolve this issue?

Answers

A. Create 2 VPN connections from the VGW to 2 separate CGWs at Mumbai & create a policy to allow each of the Pune & Bengaluru subnets to pass only through a specific tunnel & deny it from the other tunnel.

B. Create a separate VPN connection from each of the Bengaluru & Pune offices to the AWS VPC in the ap-south-1 region, bypassing the internal WAN links to Mumbai, & have a policy allowing only specific subnets at each location to pass through the VPN tunnel.

C. Create a VPN connection with a single security association by allowing a policy to pass any network (0.0.0.0/0) through the tunnel.

D. Create a VPN connection with a single security association by allowing a policy for only the specific networks at the Pune & Bengaluru locations & denying all other traffic through the tunnel.

Explanations

Correct Answer - C.

A static AWS VPN tunnel supports one security association (SA) in each direction, that is, one SA pair per tunnel.

There is exactly one inbound SA & one outbound SA for each tunnel.

When an additional subnet is added to the policy of an existing VPN tunnel, that subnet negotiates an additional SA pair, which the tunnel does not support.

To pass all traffic over the VPN tunnel with a single SA pair, a pass-all policy (0.0.0.0/0) with a default route can be implemented so that traffic from every location can reach the servers in the VPC over the VPN.
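As an added illustration that is not part of the original page, the two customer-gateway policies described above written as strongSwan swanctl.conf fragments: the first creates one child SA per office subnet (two SA pairs on one tunnel), the second is the single pass-all SA. All IP addresses, subnets and the pre-shared key are assumed placeholders, and only one of the two fragments would be present in a real configuration.

```conf
# Added example (not from the original page). Placeholders throughout:
# 203.0.113.10 = CGW public IP, 198.51.100.20 = VGW tunnel 1 outside IP,
# 10.10.0.0/16 = Pune, 10.20.0.0/16 = Bengaluru, 172.31.0.0/16 = VPC CIDR.

# --- BEFORE: one tunnel, two traffic-selector pairs, i.e. two SA pairs ---
# AWS negotiates only one SA pair per tunnel, so the second child SA
# competes with the first and traffic is dropped intermittently.
connections {
    aws-tunnel1 {
        version = 1                        # IKEv1: one selector pair per child SA
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        local  { auth = psk }
        remote { auth = psk }
        children {
            pune {
                local_ts  = 10.10.0.0/16   # Pune office subnet
                remote_ts = 172.31.0.0/16  # VPC CIDR
                start_action = start
            }
            bengaluru {
                local_ts  = 10.20.0.0/16   # Bengaluru office subnet -> 2nd SA pair
                remote_ts = 172.31.0.0/16
                start_action = start
            }
        }
    }
}

# --- AFTER (Option C): a single pass-all child SA on the same tunnel ---
# Both offices reach the VPC through the one SA pair; a default route on the
# CGW sends their traffic into the tunnel.
connections {
    aws-tunnel1 {
        version = 1
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        local  { auth = psk }
        remote { auth = psk }
        children {
            pass-all {
                local_ts  = 0.0.0.0/0      # any source, any destination
                remote_ts = 0.0.0.0/0
                start_action = start
            }
        }
    }
}
secrets {
    ike-aws { id-1 = 198.51.100.20  secret = "PLACEHOLDER_PSK" }
}
```

Because the selector is 0.0.0.0/0, the policy matches all traffic leaving the CGW, so the device's own routing must keep non-VPC traffic off the tunnel.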

Option A is incorrect: although it would work, it incurs additional cost.

Option B is incorrect, as creating a new VPN connection from each location leads to additional cost.

Option D is incorrect, as each subnet at the Pune & Bengaluru locations would create a separate security association, which does not resolve the issue.

For more information on setting up a static VPN, refer to the following URL.

https://www.youtube.com/watch?v=SMvom9QjkPk

The issue with establishing connectivity to the application servers in the AWS VPC from the development teams at the Pune and Bengaluru locations is likely due to the intermittent packet drops on the VPN link. Such drops can be caused by a number of factors, including network congestion, misconfigured routing policies, or insufficient VPN bandwidth.

To resolve the issue, the IT firm can take one of the following cost-effective actions:

Option A: Create 2 VPN connections from the VGW to 2 separate CGWs at Mumbai & create a policy to allow each of the Pune & Bengaluru subnets to pass only through a specific tunnel & deny it from the other tunnel.

This option involves creating two VPN connections from the VGW (Virtual Private Gateway) in the AWS VPC to two separate CGWs (Customer Gateway) located at the Mumbai office. A policy will be created to allow each of the Pune and Bengaluru subnets to pass only through a specific tunnel and deny traffic from the other tunnel. This approach ensures that traffic from each location is routed through a specific tunnel and avoids any conflicts or congestion that might arise from sharing a single VPN connection.

Option B: Create a separate VPN connection from each of the Bengaluru & Pune offices to the AWS VPC in the ap-south-1 region, bypassing the internal WAN links to Mumbai, & have a policy allowing only specific subnets at each location to pass through the VPN tunnel.

This option involves creating separate VPN connections from the Bengaluru and Pune offices directly to the AWS VPC in the ap-south-1 region, bypassing the internal WAN links to Mumbai. A policy would be created to allow only specific subnets at each location to pass through the VPN tunnel. This approach can reduce latency and avoid any issues with the internal WAN links, but it requires additional VPN connections and could increase costs.

Option C: Create a VPN connection with a single security association by allowing a policy to pass any network (0.0.0.0/0) through a tunnel.

This option involves creating a VPN connection with a single security association and allowing a policy to pass any network (0.0.0.0/0) through the tunnel. While this approach is simple and straightforward, it could lead to congestion and packet drops due to the large amount of traffic that would be routed through the VPN connection.

Option D: Create a VPN connection with a single security association by allowing a policy for only the specific networks at the Pune & Bengaluru locations & denying all other traffic through the tunnel.

This option involves creating a VPN connection with a single security association and allowing a policy for only specific networks at the Pune and Bengaluru locations to pass through the tunnel. All other traffic would be denied. This approach can help to reduce congestion and avoid packet drops by limiting the amount of traffic that is routed through the VPN connection.

Based on the information provided, Option A would be the best solution to resolve the connectivity issue while keeping costs to a minimum. This approach would ensure that traffic from each location is routed through a specific tunnel and avoids any conflicts or congestion that might arise from sharing a single VPN connection.