Question 890 of 1,705
Network DesigneasyMultiple SelectObjective-mapped

Quick Answer

The answer is the customer gateway and the virtual private gateway. These two components are required to establish an AWS Site-to-Site VPN connection because they form the logical endpoints of the encrypted IPsec tunnel: the virtual private gateway anchors the AWS side of the VPN, routing traffic from your VPC to your on-premises network, while the customer gateway represents your on-premises VPN device in AWS, providing the necessary public IP address and BGP ASN or static route configuration. On the AWS Certified Advanced Networking Specialty ANS-C01 exam, this concept tests your understanding of the fundamental building blocks of hybrid networking, often appearing in scenario-based questions where you must identify mandatory versus optional components like transit gateways or VPN CloudHub. A common trap is confusing the VPN connection itself with the gateway objects—remember, you cannot establish a tunnel without both a VGW and a CGW defined. Memory tip: think of the VGW as the “door” on the AWS side and the CGW as the “key” from your data center; both are needed to open the tunnel.

ANS-C01 Network Design Practice Question

This ANS-C01 practice question tests your understanding of network design. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Which TWO of the following are required to establish an AWS Site-to-Site VPN connection? (Select TWO.)

Question 1easymulti select
Read the full VPN explanation →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Virtual private gateway

A virtual private gateway (VGW) is required as the AWS-side endpoint for the VPN tunnel; it anchors the encrypted IPsec session and routes traffic from the VPC to the on-premises network. The customer gateway (CGW) represents the on-premises VPN device in AWS, providing the public IP and BGP ASN (for dynamic routing) or static route configuration needed to establish the tunnel. Both are mandatory components of an AWS Site-to-Site VPN connection.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Direct Connect gateway

    Why it's wrong here

    Used with Direct Connect.

  • Virtual private gateway

    Why this is correct

    AWS-side endpoint for the VPN.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Customer gateway

    Why this is correct

    Represents the on-premises device.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Transit gateway

    Why it's wrong here

    Optional, not required.

  • VPN connection

    Why it's wrong here

    This is the connection itself, not a component.

Common exam traps

Common exam trap: answer the scenario, not the keyword

AWS often tests the misconception that a transit gateway is required for Site-to-Site VPN, but it is only needed when connecting multiple VPCs or using advanced routing features; a simple VPN to a single VPC only needs a VGW and CGW.

Detailed technical explanation

How to think about this question

The VPN tunnel uses IPsec with IKEv1 or IKEv2 to negotiate security associations (SAs) and encrypt traffic; the VGW and CGW must match pre-shared keys and encryption parameters. For dynamic routing, BGP (RFC 4271) is used over the tunnel to exchange routes, requiring the CGW to have a BGP ASN and the VGW to use a private ASN (default 64512). In a real-world scenario, if the CGW is misconfigured with an incorrect public IP or BGP ASN, the IKE phase 1 handshake will fail, and the VPN will never come up.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related ANS-C01 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free ANS-C01 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this ANS-C01 question test?

Network Design — This question tests Network Design — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Virtual private gateway — A virtual private gateway (VGW) is required as the AWS-side endpoint for the VPN tunnel; it anchors the encrypted IPsec session and routes traffic from the VPC to the on-premises network. The customer gateway (CGW) represents the on-premises VPN device in AWS, providing the public IP and BGP ASN (for dynamic routing) or static route configuration needed to establish the tunnel. Both are mandatory components of an AWS Site-to-Site VPN connection.

What should I do if I get this ANS-C01 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 30, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This ANS-C01 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the ANS-C01 exam.