An architecture requires connecting a VPC to an on-premises data center via AWS VPN. The on-premises firewall only supports policy-based VPNs. Which TWO limitations must the architect consider? (Select TWO)

Answer options:

Policy-based VPNs limit the connection to a single IPsec security association (SA) pair.

Policy-based VPNs support BGP dynamic routing.

Policy-based VPNs can utilize AWS Transit Gateway ECMP for higher bandwidth.

Only one CIDR block from the VPC can be routed to one CIDR block on-premises over the VPN.

Policy-based VPNs do not support AES-256 encryption.

AWS does not support policy-based VPNs.

How to approach this question

Recall the specific limitations of policy-based vs route-based VPNs in AWS.

Full Answer

AWS Site-to-Site VPN supports policy-based VPNs, but restricts them to a single Security Association (SA). This means you can only define one pair of local and remote CIDR blocks.

Common mistakes

Assuming policy-based VPNs support dynamic routing or multiple subnets easily.

Question 17 All questions Question 19

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 2

75 questions · hints · full answers · grading

More questions from this exam

Q01A company is setting up a multi-account AWS environment using AWS Organizations. They need to ens...Easy Q02An enterprise needs to connect its on-premises data center to AWS. They require a dedicated, priv...Easy Q03A company wants to share a single AWS Transit Gateway across multiple AWS accounts within their A...Easy Q04An architect needs to design a highly available database architecture that spans multiple AWS Reg...Easy Q05A global financial institution is migrating its core banking application to AWS. The application ...Medium

View all 75 questions →