Hard · 1 mark · Multiple Choice
Domain 1.1: Network Connectivity · Networking · Transit Gateway · Security

AWS SAP-C02 · Question 72 · Domain 1.1: Network Connectivity

A company has a multi-account environment managed by AWS Control Tower. They want to implement a centralized egress architecture. All outbound internet traffic from the private subnets of 50 member accounts must be routed through a central 'Network' account. The Network account will inspect the traffic using AWS Network Firewall before allowing it to the internet. Which architecture provides the MOST scalable solution?

Answer options:

A.

Deploy an AWS Transit Gateway in the Network account and share it via AWS RAM. Attach the member VPCs. Route default traffic (0.0.0.0/0) from member VPCs to the Transit Gateway. In the Network account, route traffic from the TGW to the Network Firewall, then to a NAT Gateway.

B.

Set up VPC Peering between all 50 member VPCs and the central Network VPC. Route default traffic over the peering connections to the Network Firewall.

C.

Deploy a NAT Gateway in every member VPC. Route traffic from the NAT Gateways to the central Network Firewall using AWS PrivateLink.

D.

Use AWS Cloud WAN to create a core network. Attach the member VPCs. Configure the core network to route all traffic directly to the internet, bypassing the Network account.

How to approach this question

Identify the service that enables transitive routing across multiple accounts (Transit Gateway).

Full Answer

A. Deploy an AWS Transit Gateway in the Network account and share it via AWS RAM. Attach the member VPCs. Route default traffic (0.0.0.0/0) from member VPCs to the Transit Gateway. In the Network account, route traffic from the TGW to the Network Firewall, then to a NAT Gateway. ✓ Correct
To implement centralized egress and inspection across multiple accounts, you use AWS Transit Gateway. You deploy the TGW in a central Network account and share it with member accounts using AWS Resource Access Manager (RAM). Member accounts attach their VPCs to the TGW and set their default route (0.0.0.0/0) to the TGW. The TGW routes the traffic to an Inspection VPC in the Network account, where AWS Network Firewall inspects it before sending it to a NAT Gateway and out to the internet.

Common mistakes

Believing VPC peering can be used for centralized internet access (it cannot, due to lack of transitive routing).

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 5
