SAP-C02 Study Assistant

SAP-C02 Question 216

Transit Gateway VPC EC2 Organizations Config Auto Scaling

Question

A solutions architect at a large company needs to set up network security for outbound traffic to the internet from all AWS accounts within an organization in AWS Organizations. The organization has more than 100 AWS accounts, and the accounts route to each other by using a centralized AWS Transit Gateway. Each account has both an internet gateway and a NAT gateway for outbound traffic to the internet. The company deploys resources only into a single AWS Region. The company needs the ability to add centrally managed rule-based filtering on all outbound traffic to the internet for all AWS accounts in the organization. The peak load of outbound traffic will not exceed 25 Gbps in each Availability Zone. Which solution meets these requirements?

Translation:
A solutions architect at a large company needs to set up network security for outbound traffic to the Internet from all AWS accounts in an organization in AWS Organizations. The organization has more than 100 AWS accounts, and these accounts route to each other through a centralized AWS Transit Gateway. Each account has an Internet gateway and a NAT gateway for outbound traffic to the Internet. The company deploys resources only into a single AWS Region. The company needs the ability to add centrally managed rule-based filtering on all Internet-bound traffic for all AWS accounts in the organization. Peak outbound traffic in each Availability Zone will not exceed 25 Gbps. Which solution meets these requirements?

Options

A. Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Create an Auto Scaling group of Amazon EC2 instances that run an open-source internet proxy for rule-based filtering across all Availability Zones in the Region. Modify all default routes to point to the proxy's Auto Scaling group.

Translation:
Create a new VPC for outbound traffic to the Internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Create an Auto Scaling group of Amazon EC2 instances that run an open-source Internet proxy for rule-based filtering across all Availability Zones in the Region. Modify all default routes to point to the proxy's Auto Scaling group.

B. Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Use an AWS Network Firewall firewall for rule-based filtering. Create Network Firewall endpoints in each Availability Zone. Modify all default routes to point to the Network Firewall endpoints.

Translation:
Create a new VPC for outbound traffic to the Internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Use an AWS Network Firewall firewall for rule-based filtering. Create Network Firewall endpoints in each Availability Zone. Modify all default routes to point to the Network Firewall endpoints.

C. Create an AWS Network Firewall firewall for rule-based filtering in each AWS account. Modify all default routes to point to the Network Firewall firewalls in each account.

Translation:
Create an AWS Network Firewall firewall for rule-based filtering in each AWS account. Modify all default routes to point to the Network Firewall firewalls in each account.

D. In each AWS account, create an Auto Scaling group of network-optimized Amazon EC2 instances that run an open-source internet proxy for rule-based filtering. Modify all default routes to point to the proxy's Auto Scaling group.

Translation:
In each AWS account, create an Auto Scaling group of network-optimized Amazon EC2 instances that run an open-source Internet proxy for rule-based filtering. Modify all default routes to point to the proxy's Auto Scaling group.

Answer

B

Explanation

Correct answer: B

Explanation: B should be selected for this question.

Correct option: B. Create a new VPC for outbound traffic to the Internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Use an AWS Network Firewall firewall for rule-based filtering. Create Network Firewall endpoints in each Availability Zone. Modify all default routes to point to the Network Firewall endpoints.

Reason for selection: This option most directly satisfies the key constraints in the question stem. When working through SAP-C02 questions, you also need to check the qualifiers in the stem, such as highest performance, lowest operational ...
