79. VPN CloudHub

i. If you have multiple sites, each with its own Site-to-Site VPN connection to the same virtual private gateway, AWS VPN CloudHub lets those sites communicate with each other, not only with the VPC.
ii. Hub-and-spoke model: the virtual private gateway is the hub, each customer gateway is a spoke, and the gateway re-advertises each site's routes to the other sites over BGP. Each customer gateway must use a unique BGP ASN and advertise non-overlapping prefixes.
iii. Low cost and easy to manage. It can be used with or without a VPC, and sites attached to the same virtual private gateway over Direct Connect can join the hub as well.
iv. It operates over the public internet, but all traffic between each customer gateway and the virtual private gateway is carried in an IPsec-encrypted tunnel. Traffic between two spokes is therefore encrypted hop by hop (spoke to hub, hub to spoke), not end to end between the two sites.

Question 1:
Your company has decided to move from an on-premises environment to AWS. It’s Tuesday now, and the data migration should be completed in 72 hours, starting from Friday night and finishing by Monday morning. This is done so that the migration doesn’t affect business operations. The data capacity for migration is 10TB, and it is necessary to protect the migration data with secure communication.
Select a migration method that meets this condition.
A. Data migration with Snowball
B. Data transfer via Direct Connect connection
C. Data transfer via VPN connection using AWS site-to-site VPN
D. Data transfer by Storage Gateway
Answer: C
Option C is the correct answer. Instances launched in an Amazon VPC cannot communicate with your on-premises network by default, so you connect your data center or office network to AWS through an AWS Site-to-Site VPN connection. The connection uses IPsec to create an encrypted tunnel between the two points, which satisfies the requirement for secure communication in transit.
In this scenario, you need to choose a migration method based on the amount of data and the schedule. It is Tuesday and the transfer must run over the coming weekend, so there is no time to order Direct Connect or Snowball: both involve lead time (physical provisioning or shipping) that the scenario does not allow. The only method that can be set up immediately is a Site-to-Site VPN. The throughput also works out: 10 TB in 72 hours is roughly 310 Mbps sustained, well under the 1.25 Gbps limit of a single VPN tunnel, provided the on-premises internet link can sustain that rate for the whole window.
Option A is incorrect. Snowball uses physical devices shipped by AWS. It is convenient when the amount of data is very large, but the shipping round trip and ingestion make it unsuitable on short notice and unnecessary for only 10 TB.
Option B is incorrect. Direct Connect requires a physical cross-connect at a Direct Connect location (and usually a carrier circuit to reach it), which must be requested from AWS and provisioned. That takes far longer than the few days available here.
Option D is incorrect. Storage Gateway integrates on-premises storage with S3 for hybrid storage and backup. It can move storage data into AWS, but it is a hybrid storage service rather than a migration method for a whole environment, and the scenario migrates more than just storage.

Question 2:
A media company has its corporate headquarters in Los Angeles with an on-premises data center using an AWS Direct Connect connection to the AWS VPC. The branch offices in San Francisco and Miami use Site-to-Site VPN connections to connect to the AWS VPC. The company is looking for a solution to have the branch offices send and receive data with each other as well as with their corporate headquarters.
As a solutions architect, which of the following AWS services would you recommend addressing this use-case?
• Software VPN
• VPC Endpoint
• VPN CloudHub (Correct)
• VPC Peering
Correct option:
VPN CloudHub
If you have multiple AWS Site-to-Site VPN connections, you can provide secure communication between sites using the AWS VPN CloudHub. This enables your remote sites to communicate with each other, and not just with the VPC. Sites that use AWS Direct Connect connections to the virtual private gateway can also be part of the AWS VPN CloudHub. The VPN CloudHub operates on a simple hub-and-spoke model that you can use with or without a VPC. This design is suitable if you have multiple branch offices and existing internet connections and would like to implement a convenient, potentially low-cost hub-and-spoke model for primary or backup connectivity between these remote offices.
Per the given use-case, the corporate headquarters has an AWS Direct Connect connection to the VPC and the branch offices have Site-to-Site VPN connections to the VPC. Therefore using the AWS VPN CloudHub, branch offices can send and receive data with each other as well as with their corporate headquarters.
VPN CloudHub via – https://docs.aws.amazon.com/vpn/latest/s2svpn/VPN_CloudHub.html
Incorrect options:
VPC Endpoint – A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. AWS PrivateLink simplifies the security of data shared with cloud-based applications by eliminating the exposure of data to the public internet. When you use a VPC endpoint, the traffic between your VPC and the other AWS service does not leave the Amazon network, so this option cannot be used to send and receive data between the remote branch offices of the company.
VPC Peering – A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. VPC peering facilitates a connection between two VPCs within the AWS network, therefore this option cannot be used to send and receive data between the remote branch offices of the company.
Software VPN – Amazon VPC offers you the flexibility to fully manage both sides of your Amazon VPC connectivity by creating a VPN connection between your remote network and a software VPN appliance running in your Amazon VPC network. Since a software VPN only handles connectivity between one remote network and the Amazon VPC, it cannot by itself provide the hub for sending and receiving data between the remote branch offices of the company.

Question 3:
A company runs an application on Amazon EC2 instances which requires access to sensitive data in an Amazon S3 bucket. All traffic between the EC2 instances and the S3 bucket must not traverse the internet and must use private IP addresses. Additionally, the bucket must only allow access from services in the VPC.
Which combination of actions should a Solutions Architect take to meet these requirements? (Select TWO.)
A• Apply an IAM policy to a VPC peering connection.
B• Create a peering connection to the S3 bucket VPC.
C• Apply a bucket policy to restrict access to the S3 endpoint.
D• Enable default encryption on the bucket.
E• Create a VPC endpoint for Amazon S3.
Answer: C & E
Private access to public services such as Amazon S3 can be achieved by creating a VPC endpoint in the VPC. For S3 this is a gateway endpoint, which adds a route for the S3 prefix list to the subnet route tables so that traffic to S3 stays on the AWS network. The bucket policy can then use the aws:SourceVpce condition key to deny any request that does not arrive through that endpoint, which ensures that only requests originating from the VPC are granted access.
CORRECT: “Create a VPC endpoint for Amazon S3” is a correct answer.
CORRECT: “Apply a bucket policy to restrict access to the S3 endpoint” is also a correct answer.
INCORRECT: “Enable default encryption on the bucket” is incorrect. This will encrypt data at rest but does not restrict access.
INCORRECT: “Create a peering connection to the S3 bucket VPC” is incorrect. You cannot create a peering connection to S3 as it is a public service and does not run in a VPC.
INCORRECT: “Apply an IAM policy to a VPC peering connection” is incorrect. You cannot apply an IAM policy to a peering connection.
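As an added worked example (not part of the original question or its explanation), the following Python builds the two policy documents that implement answers C and E for Question 3: a bucket policy that denies every request not arriving through a specific S3 gateway endpoint, and the endpoint policy that restricts the endpoint to that one bucket. It also includes a small model of how the Deny statement's conditions evaluate, so the lockout pitfall can be checked before deploying. The bucket name, endpoint id and role ARN are made-up placeholders.

```python
"""Added example, not code from the original page: an S3 bucket policy that
only admits requests arriving through one gateway VPC endpoint, the matching
endpoint policy, and a small model of how the Deny statement's conditions
evaluate.  Bucket name, endpoint id and role ARN are made-up placeholders."""
import json
from typing import Optional

BUCKET = "example-sensitive-data"                            # assumed bucket name
VPCE_ID = "vpce-0123456789abcdef0"                           # assumed gateway endpoint id
BREAK_GLASS_ROLE = "arn:aws:iam::111122223333:role/S3Admin"  # assumed admin role


def build_bucket_policy(bucket: str, vpce_id: str, break_glass_arn: str) -> dict:
    """Explicit Deny overrides every Allow, so this one statement locks the
    bucket to the endpoint no matter what IAM identity policies grant.
    The two condition blocks are ANDed: a request is denied only if it did
    NOT come through vpce_id AND is NOT made by the break-glass role.
    Without that second leg the policy also locks out the console and
    whoever deployed it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessFromVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {
                    "StringNotEquals": {"aws:SourceVpce": vpce_id},
                    "ArnNotEquals": {"aws:PrincipalArn": break_glass_arn},
                },
            }
        ],
    }


def build_endpoint_policy(bucket: str) -> dict:
    """Policy attached to the gateway endpoint itself: instances behind it can
    reach only this bucket, so the endpoint cannot be used to copy data out
    to some other account's bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
            }
        ],
    }


def deny_applies(policy: dict, principal_arn: str, source_vpce: Optional[str]) -> bool:
    """Evaluate the Deny statement's conditions for one request.  Models two
    IAM rules for this policy shape only (it is not a general evaluator):
    every condition operator block must match, and a *NotEquals operator
    matches when the key is absent, which is the case for any request that
    did not traverse a VPC endpoint (source_vpce is None)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt["Condition"]
        vpce_mismatch = source_vpce != cond["StringNotEquals"]["aws:SourceVpce"]
        principal_mismatch = principal_arn != cond["ArnNotEquals"]["aws:PrincipalArn"]
        if vpce_mismatch and principal_mismatch:
            return True
    return False


if __name__ == "__main__":
    # Print both documents ready for put-bucket-policy / modify-vpc-endpoint.
    print(json.dumps(build_bucket_policy(BUCKET, VPCE_ID, BREAK_GLASS_ROLE), indent=2))
    print(json.dumps(build_endpoint_policy(BUCKET), indent=2))
```

Two caveats when applying this for real: the Deny with Principal "*" also blocks AWS service principals that write into the bucket from outside the VPC (log delivery, for example), so any such principal needs the same kind of exception as the break-glass role; and a gateway endpoint only carries traffic to buckets in its own Region and only from subnets whose route table has the endpoint route. Verify from an instance in the VPC and again from outside it; the outside request should fail with AccessDenied.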