AWS Certified Advanced Networking – Specialty ANS-C00 – Question 243

In your current role as the corporate network architect, you have decided to replace your existing hardware firewall appliances with a pair of Juniper SRX-Series Services Gateways. You have chosen these because AWS lists them as supportable devices for establishing IPsec connections. With this in mind, select the minimum set of options to ensure that you can establish IPsec connectivity between your on-premises private corporate network and your AWS-hosted VPC.
Select which option is NOT required.

A. Initiate network connections from somewhere within your corporate network; this is required to bring the tunnels UP
B. Deploy a Customer Gateway within your corporate network
C. Deploy a Customer Gateway within your VPC
D. Deploy a Virtual Private Gateway within your VPC

Correct Answer: B

Explanation:

A customer gateway within the corporate network is NOT required. The Customer Gateway (CGW) is a component that you deploy within your VPC that logically represents your physical VPN hardware's perimeter public IP; therefore Answer C is required. A Virtual Private Gateway (VPG) is the AWS VPN concentrator endpoint and must always be deployed in your VPC; therefore Answer D is required.
AWS only supports IPsec in Tunnel mode; therefore Answer A is required.
Reference: https://aws.amazon.com/vpc/faqs/