
ANS-C01 Question #180: Real Exam Question with Answer & Explanation


Submitted by emma.c · Mar 6, 2026

Question

A network engineer needs to deploy an AWS Network Firewall firewall into an existing AWS environment. The environment consists of the following:

  • A transit gateway with all VPCs attached to it
  • Several hundred application VPCs
  • A centralized egress internet VPC with a NAT gateway and an internet gateway
  • A centralized ingress internet VPC that hosts public Application Load Balancers
  • On-premises connectivity through an AWS Direct Connect gateway attachment

The application VPCs have workloads deployed across multiple Availability Zones in private subnets, with the VPC route table's default route (0.0.0.0/0) pointing to the transit gateway. The Network Firewall firewall needs to inspect east-west (VPC-to-VPC) traffic and north-south (internet-bound and on-premises network) traffic by using Suricata-compatible rules. The network engineer must deploy the firewall by using a solution that requires the least possible architectural changes to the existing production environment. Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

Options

  • A. Deploy Network Firewall in all Availability Zones in each application VPC.
  • B. Deploy Network Firewall in all Availability Zones in a centralized inspection VPC.
  • C. Update the HOME_NET rule group variable to include all CIDR ranges of the VPCs and on-
  • D. Update the EXTERNAL_NET rule group variable to include all CIDR ranges of the VPCs and on-
  • E. Configure a single transit gateway route table. Associate all application VPCs and the centralized
  • F. Configure two transit gateway route tables. Associate all application VPCs with one transit


Topics

#AWS Network Firewall deployment · #AWS Transit Gateway routing · #Traffic Inspection Architecture · #Suricata rule configuration