A global enterprise is designing a multi-region network architecture connecting 50 AWS accounts across 3 AWS Regions and 4 on-premises data centers. The company requires transitive routing between all VPCs and on-premises networks. Traffic between AWS Regions must be encrypted and traverse the AWS global network. The solution must minimize operational overhead and support up to 50 Gbps of bandwidth per region. Which architecture meets these requirements MOST cost-effectively?

Identify the requirement for transitive routing and inter-region connectivity over the AWS backbone.

What mistakes do candidates make on this AWS SAP-C02 question?

Selecting VPC peering, which lacks transitive routing capabilities.

A.

Deploy AWS Transit Gateway in each Region. Peer the Transit Gateways. Connect on-premises data centers using AWS Direct Connect with MACsec.

B.

Create a full mesh of VPC peering connections across all 50 accounts and 3 Regions. Use AWS VPN CloudHub for on-premises connectivity.

C.

Deploy a third-party SD-WAN virtual appliance in a transit VPC in each Region. Establish IPsec VPNs between all VPCs and the transit VPCs.

D.

Use AWS Direct Connect Gateway to connect all VPCs directly to the on-premises networks. Enable SiteLink for VPC-to-VPC routing.