Q62 — AWS SAP-C02 Ch.1
Question 62 of 75 | ← Chapter 1
Q137. A company is designing its network configuration in the AWS Cloud. The company uses AWS Organizations to manage a multi-account setup. The company has three OUs.Each OU contains more than 100 AWS accounts. Each account has a single VPC, and all the VPCs in each OU are in the same AWS Region.The CIDR ranges for all the AWS accounts do not overlap. The company needs to implement a solution in which VPCs in the same OU can communicate with each other but cannot communicate with VPCs in other OUsWhich solution will meet these requirements with the LEAST operational overhead?
- A. Create an AWS CloudFormation stack set that establishes VPC peering between accounts in each OU.Provision the stack set in each OU
- B. In each OU, create a dedicated networking account that has a single VPC. Share this VPC with all the other accounts in the OU by using AWS Resource Access Manager (AWS RAM). Create a VPC peering connection between the networking account and each account in the OU
- C. Provision a transit gateway in an account in each OU. Share the transit gateway across the organization by using AWS Resource Access Manager (AWS RAM). Create transit gateway VPC attachments for each VPC ✓
- D. In each OU, create a dedicated networking account that has a single VPC. Establish a VPN connection between the networking account and the other accounts in the OU. Use third-party routing software to route transitive traffic between the VPCs
Correct Answer: C. Provision a transit gateway in an account in each OU. Share the transit gateway across the organization by using AWS Resource Access Manager (AWS RAM). Create transit gateway VPC attachments for each VPC
Explanation
Option C is the solution that will meet the requirements with the least operational overhead.Option A requires creating a VPC peering between all pairs of VPCs in each OU, which could be time-consuming and difficult to manage as the number of accounts grows.Option B requires setup of a dedicated networking account for each OU, which adds complexity and increases maintenance costs.Option D requires manual configuration and management of VPN connections, which is not scalable and can increase operational overhead.On the other hand, option C provision a transit gateway in an account in each OU, which is shared across the organization using AWS Resource Access Manager (AWS RAM). This approach provides centralized management and simplifies connectivity between all VPCs in the same OU. It also avoids the need to manually configure and manage VPC peering or VPN connections, reducing the operational overhead.