AWS SAP-C02 · Question 56 · Domain 1.1: Network Connectivity
An enterprise is building a centralized network inspection architecture using AWS Transit Gateway. They have a dedicated Inspection VPC containing AWS Network Firewall. They want to ensure that traffic between any two application VPCs is routed through the Inspection VPC. How should the Transit Gateway route tables be configured?
Answer options:
Use a single TGW route table and enable appliance mode on all VPC attachments.
Create two TGW route tables. Associate application VPCs with a route table that routes all traffic to the Inspection VPC. Associate the Inspection VPC with a route table that has routes to all application VPCs.
Configure VPC peering between all application VPCs and the Inspection VPC.
Enable AWS Shield Advanced on the Transit Gateway.