© 2026 TinyHive Labs. Company number 16262776.

    AWS Solutions Architect Professional (SAP-C02) · Practice Exam 5 · Question 72
    Hard · 1 mark · Multiple Choice
    Domain 1.1: Network Connectivity · Topics: Networking, Transit Gateway, Security

    A company has a multi-account environment managed by AWS Control Tower. They want to implement a centralized egress architecture. All outbound internet traffic from the private subnets of 50 member accounts must be routed through a central 'Network' account. The Network account will inspect the traffic using AWS Network Firewall before allowing it to the internet. Which architecture provides the MOST scalable solution?

    Answer options:

    A. Deploy an AWS Transit Gateway in the Network account and share it via AWS RAM. Attach the member VPCs. Route default traffic (0.0.0.0/0) from member VPCs to the Transit Gateway. In the Network account, route traffic from the TGW to the Network Firewall, then to a NAT Gateway.

    B. Set up VPC Peering between all 50 member VPCs and the central Network VPC. Route default traffic over the peering connections to the Network Firewall.

    C. Deploy a NAT Gateway in every member VPC. Route traffic from the NAT Gateways to the central Network Firewall using AWS PrivateLink.

    D. Use AWS Cloud WAN to create a core network. Attach the member VPCs. Configure the core network to route all traffic directly to the internet, bypassing the Network account.

    How to approach this question

    Identify the service that enables transitive routing across multiple accounts (Transit Gateway).

    Full Answer

    A. Deploy an AWS Transit Gateway in the Network account and share it via AWS RAM. Attach the member VPCs. Route default traffic (0.0.0.0/0) from member VPCs to the Transit Gateway. In the Network account, route traffic from the TGW to the Network Firewall, then to a NAT Gateway. (✓ Correct)

    To implement centralized egress and inspection across multiple accounts, you use AWS Transit Gateway. You deploy the TGW in a central Network account and share it with member accounts using AWS Resource Access Manager (RAM). Member accounts attach their VPCs to the TGW and set their default route (0.0.0.0/0) to the TGW. The TGW routes the traffic to an Inspection VPC in the Network account, where AWS Network Firewall inspects it before sending it to a NAT Gateway and out to the internet.

    Common mistakes

    Believing VPC peering can be used for centralized internet access (it cannot, due to lack of transitive routing).