A company has a hybrid architecture with a 10 Gbps AWS Direct Connect connection. They need to encrypt all traffic in transit over the Direct Connect link between their on-premises routers and AWS. Which solution meets this requirement with the LEAST operational overhead?

Answer options:

Establish an AWS Site-to-Site VPN over the Direct Connect connection.

Enable MACsec on the Direct Connect connection.

Deploy third-party virtual firewall appliances in AWS to terminate IPsec tunnels.

Use AWS PrivateLink for all traffic.

How to approach this question

Identify the native layer 2 encryption option for Direct Connect.

Full Answer

B.Enable MACsec on the Direct Connect connection.✓ Correct

Enable MACsec on the Direct Connect connection.

MACsec (IEEE 802.1AE) provides point-to-point Layer 2 encryption over Direct Connect, supporting full line rate (10 Gbps or 100 Gbps) without the IPsec tunnel overhead.

Common mistakes

Choosing VPN, which limits bandwidth per tunnel and requires complex ECMP setups for 10 Gbps.

Question 06 All questions Question 08

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 2

75 questions · hints · full answers · grading

More questions from this exam

Q01A company is setting up a multi-account AWS environment using AWS Organizations. They need to ens...Easy Q02An enterprise needs to connect its on-premises data center to AWS. They require a dedicated, priv...Easy Q03A company wants to share a single AWS Transit Gateway across multiple AWS accounts within their A...Easy Q04An architect needs to design a highly available database architecture that spans multiple AWS Reg...Easy Q05A global financial institution is migrating its core banking application to AWS. The application ...Medium

View all 75 questions →