Hard · 1 mark · Multiple Choice
Domain 1.1: Network Connectivity · Tags: Transit Gateway, Network Firewall, Routing

AWS SAP-C02 · Question 12 · Domain 1.1: Network Connectivity

An enterprise is implementing a centralized egress architecture using AWS Network Firewall. It has a Transit Gateway connecting multiple spoke VPCs to a central Security VPC. Which TWO routing configurations are required to ensure that all internet-bound traffic from the spoke VPCs is inspected by the Network Firewall? (Select TWO)

Answer options:

A. In the spoke VPCs, set the default route (0.0.0.0/0) to point to the Internet Gateway.

B. In the spoke VPCs, set the default route (0.0.0.0/0) to point to the Transit Gateway attachment.

C. In the Transit Gateway route table, set the default route to point to the spoke VPC attachments.

D. In the Security VPC, set the default route in the public subnet to point to the Transit Gateway.

E. In the Transit Gateway route table associated with the spoke VPCs, set the default route (0.0.0.0/0) to point to the Security VPC attachment.

F. Configure VPC Peering between all spoke VPCs and the Security VPC.

How to approach this question

Trace the packet path from Spoke -> TGW -> Security VPC.

Full Answer

B, E

To centralize egress, each spoke VPC must route 0.0.0.0/0 to its Transit Gateway attachment (B). The TGW route table associated with the spoke attachments must then route 0.0.0.0/0 to the Security VPC attachment (E), so that every internet-bound packet is delivered to the Security VPC, where the Network Firewall inspects it before it leaves.

Common mistakes

Misconfiguring the TGW route tables, for example leaving the default route in the spokes' TGW route table pointing at the spoke attachments (option C) instead of the Security VPC attachment, or giving the spoke VPCs a direct Internet Gateway default route (option A), which lets traffic bypass the firewall.

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 2
