A global enterprise requires highly available hybrid connectivity between its on-premises data centers in New York and London to AWS VPCs in us-east-1 and eu-west-2. The solution must provide line-rate encryption and protect against a single AWS Direct Connect location failure. Which architecture meets these requirements with the LEAST operational overhead?

Provision one DX connection per region. Establish IPsec VPNs over the DX connections to Transit Gateways.

Provision two DX connections in each region at different DX locations. Enable MACsec on the connections. Use Direct Connect gateways associated with Transit Gateways in each region.

Provision two DX connections per region. Use AWS VPN CloudHub for encryption and routing between regions.

Provision one DX connection and one Site-to-Site VPN per region. Enable MACsec on the VPN.