An enterprise is implementing a centralized egress architecture using AWS Network Firewall. They have a Transit Gateway connecting multiple spoke VPCs to a central Security VPC. Which TWO routing configurations are required to ensure all internet-bound traffic from spoke VPCs is inspected by the Network Firewall? (Select TWO)

Trace the packet path from Spoke -> TGW -> Security VPC.

What mistakes do candidates make on this AWS SAP-C02 question?

Misconfiguring the TGW route tables.

A.

In the spoke VPCs, set the default route (0.0.0.0/0) to point to the Internet Gateway.

B.

In the spoke VPCs, set the default route (0.0.0.0/0) to point to the Transit Gateway attachment.

C.

In the Transit Gateway route table, set the default route to point to the spoke VPC attachments.

D.

In the Security VPC, set the default route in the public subnet to point to the Transit Gateway.

E.

In the Transit Gateway route table associated with the spoke VPCs, set the default route (0.0.0.0/0) to point to the Security VPC attachment.

F.

Configure VPC Peering between all spoke VPCs and the Security VPC.