An architecture team is designing a hybrid network. They have two on-premises data centers and three AWS Regions. They need encrypted, high-throughput connectivity between all on-premises locations and all AWS Regions. The solution must support dynamic routing and minimize the number of point-to-point VPN connections to manage. Which architecture is BEST?

Deploy AWS Cloud WAN. Create a global core network. Attach AWS Site-to-Site VPN connections from the data centers to the closest Cloud WAN edge locations. Attach regional VPCs to the core network.

Deploy a Transit Gateway in each Region. Peer all Transit Gateways. Create Site-to-Site VPNs from each data center to every Transit Gateway.

Use AWS Direct Connect with MACsec encryption. Connect each data center to a Direct Connect Gateway. Associate the Direct Connect Gateway with Virtual Private Gateways in each Region.

Deploy software SD-WAN appliances on EC2 instances in a central transit VPC. Route all global traffic through this VPC using VPC peering.