Your company currently has data in an on-premises location. They want to create an AWS Direct Connect connection to move this data to their AWS VPC securely. You also need to access other AWS services and ensure the confidentiality and integrity of the data in transit to your VPC. (Select THREE)

Answer options:

A.Set up a VPN over private VIF using the AWS Direct Connect connection.
B.Set up a VPN over public VIF using the AWS Direct Connect connection.
C.Attach a virtual private gateway to the VPC.D.Create an IPSec tunnel between the customer gateway and the virtual private gateway.

Answer – B, C, and D
This is also given in the AWS Documentation.
Short Description
A VPN that connects your office to your Amazon VPC over an AWS Direct Connect connection is likely to be faster and more secure than a VPN that connects to your VPC over the internet. 
Resolution
Create an AWS Direct Connect connection.
Configure a public virtual interface for the Direct Connect connection.
In the Prefixes that you want to advertise, in the field for the virtual interface, enter the IPv4 CIDR destination addresses (separated by commas) where traffic should be routed to you over the virtual interface. In this case, add the public IP and any network prefixes that you want to advertise.
Your public virtual interface receives all the public IP addresses from AWS regions (except the AWS China region), including the public IP addresses of the VPN. To get the current list of prefixes advertised by AWS, download the JSON file containing AWS IP address ranges. For more information, see AWS IP Address Ranges.
Option A is incorrect because a public VIF would handle this on AWS Direct Connect.
Option D is CORRECT since you need an IPsec tunnel over the private connection.
For more information on VPN over Direct Connect, one can visit the below URL 
https://aws.amazon.com/premiumsupport/knowledge-center/create-vpn-direct-connect/
https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-vpc-connectivity-options.pdf#welcome