Q49 — AWS SAP-C02 Ch.3


Q274. A solutions architect at a large company needs to set up network security for outbound traffic to the internet from all AWS accounts within an organization in AWS Organizations. The organization has more than 100 AWS accounts, and the accounts route to each other by using a centralized AWS Transit Gateway. Each account has both an internet gateway and a NAT gateway for outbound traffic to the internet. The company deploys resources only into a single AWS Region. The company needs the ability to add centrally managed rule-based filtering on all outbound traffic to the internet for all AWS accounts in the organization. The peak load of outbound traffic will not exceed 25 Gbps in each Availability Zone. Which solution meets these requirements?

Correct Answer: B. Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Use an AWS Network Firewall firewall for rule-based filtering. Create Network Firewall endpoints in each Availability Zone. Modify all default routes to point to the Network Firewall endpoints.

Explanation

B. Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Use an AWS Network Firewall firewall for rule-based filtering. Create Network Firewall endpoints in each Availability Zone. Modify all default routes to point to the Network Firewall endpoints.

This solution involves creating a new VPC with a NAT gateway for outbound traffic to the internet. A new AWS Network Firewall firewall can be deployed to provide centralized rule-based filtering for all outbound traffic. The firewall can be configured with rules to block or allow specific outbound traffic, and logging can be enabled to provide visibility into the network traffic. Network Firewall endpoints can be created in each Availability Zone, which allows for high availability and load balancing of outbound traffic across all endpoints. Finally, all default routes can be modified to point to the Network Firewall endpoints, ensuring that all outbound traffic from all AWS accounts within the organization is filtered by the centrally managed firewall.

A, C, and D are not valid solutions:

A. Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Create an Auto Scaling group of Amazon EC2 instances that run an open-source internet proxy for rule-based filtering across all Availability Zones in the Region. Modify all default routes to point to the proxy's Auto Scaling group.

This solution involves deploying and managing an open-source internet proxy on an Auto Scaling group of Amazon EC2 instances in each Availability Zone. This approach can be complex and time-consuming to set up and maintain, and it may not provide the required level of scalability and availability to handle peak loads of outbound traffic without significant manual intervention.

C. Create an AWS Network Firewall firewall for rule-based filtering in each AWS account. Modify all default routes to point to the Network Firewall firewalls in each account.

This solution requires deploying and managing a Network Firewall firewall in each AWS account, which would not provide centralized management and does not meet the requirement to add rule-based filtering on all outbound traffic for all AWS accounts within the organization.

D. In each AWS account, create an Auto Scaling group of network-optimized Amazon EC2 instances that run an open-source internet proxy for rule-based filtering. Modify all default routes to point to the proxy's Auto Scaling group.

This solution requires deploying and managing an open-source internet proxy on an Auto Scaling group of Amazon EC2 instances in each AWS account, which would not provide centralized management and does not meet the requirement to add rule-based filtering on all outbound traffic for all AWS accounts within the organization.