A security architect is designing a hybrid cloud environment where a web application hosted in AWS needs to securely access an on-premises database. The architect wants to minimize exposure to the internet and ensure encryption in transit. Which TWO techniques should the architect consider? (Choose two.)
Why this answer
Option A is correct because an IPsec VPN tunnel creates an encrypted, site-to-site connection between the AWS VPC and the on-premises network, ensuring encryption in transit and minimizing internet exposure by using the VPN gateway as the endpoint. Option B is correct because AWS Direct Connect provides a dedicated, private network connection that bypasses the internet entirely, reducing exposure and supporting encryption via optional MACsec or IPsec, while maintaining low latency and consistent bandwidth.
Exam trap
The trap here is that candidates often confuse VPC peering with hybrid connectivity, not realizing it only works between VPCs within the same AWS region, or they assume TLS alone is sufficient for network-level security without addressing the underlying internet exposure.