Q41 — AWS SAP-C02 Ch.3
Q266. A large company runs workloads in VPCs that are deployed across multiple AWS accounts. Each VPC consists of public subnets and private subnets that span multiple Availability Zones. NAT gateways are deployed in the public subnets and allow outbound connectivity to the internet from the private subnets. A solutions architect is working on a hub-and-spoke design. All private subnets in the spoke VPCs must route traffic to the internet through an egress VPC. The solutions architect has already deployed a NAT gateway in an egress VPC in a central AWS account. Which set of additional steps should the solutions architect take to meet these requirements?
- A. Create peering connections between the egress VPC and the spoke VPCs. Configure the required routing to allow access to the internet.
- B. Create a transit gateway and share it with the existing AWS accounts. Attach existing VPCs to the transit gateway. Configure routing to allow access to the internet. ✓
- C. Create a transit gateway in every account. Attach the NAT gateway to the transit gateway. Configure the required routing to allow access to the internet.
- D. Create an AWS PrivateLink connection between the egress VPC and the spoke VPCs. Configure the required routing to allow access to the internet.
Correct Answer: B. Create a transit gateway and share it with the existing AWS accounts. Attach existing VPCs to the transit gateway. Configure routing to allow access to the internet.
Explanation
Option B recommends creating a transit gateway, sharing it with the existing AWS accounts, and attaching the existing VPCs to the transit gateway. This approach provides a centralized hub for all communication between VPCs and ensures that all traffic flows through a single location. Additionally, by attaching the egress VPC containing the NAT gateway to the transit gateway, outbound traffic will automatically route to the NAT gateway without any additional routing configuration. Route tables can be configured on the transit gateway to allow or deny access to the internet.

Option A suggests creating peering connections between the egress VPC and the spoke VPCs. While peering connections are a viable option for connecting VPCs, they do not provide a centralized hub for traffic flow and can become difficult to manage as the number of VPCs increases. Additionally, configuring routing to allow access to the internet in each spoke VPC would result in more operational overhead.

Option C proposes creating a transit gateway in every account and attaching the NAT gateway to it. While this solution would work, it would result in increased operational overhead and higher costs, since each transit gateway incurs an hourly charge plus data processing fees.

Option D recommends creating an AWS PrivateLink connection between the egress VPC and the spoke VPCs. While AWS PrivateLink offers private connectivity between VPCs, it is designed for accessing services within a VPC rather than providing access to the internet. Additionally, configuring routing to allow access to the internet in each spoke VPC would still result in more operational overhead.