AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A company is migrating several on-premises workloads to AWS. It operates two physically separate data centers (DC1 and DC2) that must stay reachable over private IP connectivity. Each site already has a dedicated 10-Gbps AWS Direct Connect connection that terminates in a different Direct Connect location. The migration will create 15 VPCs that live in different AWS accounts across three Regions. The VPCs belong to three business units that must be isolated from one another, but every VPC needs low-latency, high-bandwidth (up to 20 Gbps) access to the on-premises networks in both data centers.
Network engineering has set the following goals:
- Provide transitive routing between the on-premises networks and the VPCs without building a full mesh of VPN or VPC-peering connections.
- Enforce business-unit isolation inside AWS by using virtual routing segmentation.
- Maintain private connectivity if an entire Direct Connect location becomes unavailable.
- Minimize the operational effort required to onboard additional VPCs in the future.
Which architecture meets all of these requirements?
Enable AWS Direct Connect SiteLink between the two Direct Connect locations and create full-mesh VPC peering between all VPCs. Use security groups to restrict inter-VPC traffic for each business unit.
Create an AWS Direct Connect gateway and associate it with a centrally managed AWS Transit Gateway in each Region. Attach each 10-Gbps Direct Connect circuit to the Direct Connect gateway by using a transit virtual interface at each Direct Connect location. Attach every VPC to the Transit Gateway and place the attachments in separate Transit Gateway route tables (one per business unit) to enforce isolation.
Attach a virtual private gateway (VGW) to every VPC and associate each VGW with the existing Direct Connect gateway. Use individual VPC route tables to block traffic between business units.
Terminate IPSec Site-to-Site VPN tunnels from each data center on a firewall appliance behind a Gateway Load Balancer in a shared-services VPC. Connect the remaining VPCs to that VPC by using VPC peering and use network ACLs to isolate traffic.
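The isolation requirement in this question hinges on how Transit Gateway route tables are associated and what they propagate: with the default single route table, every attachment can reach every other attachment, and business-unit isolation only exists once each unit's VPC attachments are associated with their own table that carries routes to that unit's VPCs and to the on-premises prefixes via the Direct Connect gateway attachment. The following script is an added example (not part of the practice question, and not AWS code); it models a Transit Gateway as route tables plus attachments and checks two things an architect would verify before sign-off: that no VPC of one business unit has a route to a VPC of another, and that every VPC still has routes to both data-center ranges. All attachment IDs, CIDRs and business-unit names are constructed for the example.

```python
"""Offline check of Transit Gateway route-table segmentation (added example).

The model mirrors what you would export with
`aws ec2 get-transit-gateway-route-table-associations` and
`aws ec2 search-transit-gateway-routes`, but every value below is constructed
for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    att_id: str
    owner: str               # business unit, or "on-prem" for the DX gateway attachment
    cidrs: tuple[str, ...]   # prefixes reachable through this attachment


@dataclass
class RouteTable:
    name: str
    associations: frozenset[str]   # attachments whose traffic is looked up in this table
    routes: dict[str, str]         # destination CIDR -> next-hop attachment ID or "blackhole"


def next_hop(table: RouteTable, dst: str) -> str | None:
    """Longest-prefix match, which is how the Transit Gateway selects a route."""
    target = ipaddress.ip_network(dst)
    best, best_len = None, -1
    for cidr, hop in table.routes.items():
        net = ipaddress.ip_network(cidr)
        if target.subnet_of(net) and net.prefixlen > best_len:
            best, best_len = hop, net.prefixlen
    return best


def check_segmentation(tables: list[RouteTable], attachments: tuple[Attachment, ...],
                       onprem_cidrs: tuple[str, ...]) -> dict[str, list]:
    """Return cross-business-unit reachability violations and VPCs lacking on-prem routes."""
    by_id = {a.att_id: a for a in attachments}
    table_of: dict[str, RouteTable] = {}
    for t in tables:
        for att_id in t.associations:      # an attachment is associated with at most one table
            table_of[att_id] = t
    violations, missing_onprem = [], []
    for src in attachments:
        if src.owner == "on-prem":
            continue                        # on-prem is meant to reach every VPC
        table = table_of.get(src.att_id)
        if table is None:                   # no association: the VPC reaches nothing
            missing_onprem.append(src.att_id)
            continue
        for dst in attachments:
            if dst.owner in ("on-prem", src.owner):
                continue                    # same unit or on-prem is allowed
            if any(next_hop(table, c) == dst.att_id for c in dst.cidrs):
                violations.append((src.att_id, dst.att_id))
        for cidr in onprem_cidrs:           # must reach both data centers
            hop = next_hop(table, cidr)
            if hop is None or hop == "blackhole" or by_id[hop].owner != "on-prem":
                missing_onprem.append(src.att_id)
                break
    return {"violations": sorted(violations), "missing_onprem": sorted(missing_onprem)}


# Constructed topology: two data centers behind one DX gateway attachment, four VPCs.
ONPREM = ("10.1.0.0/16", "10.2.0.0/16")          # DC1, DC2
DXGW = Attachment("tgw-attach-dxgw", "on-prem", ONPREM)
VPCS = (
    Attachment("tgw-attach-bu-a-1", "bu-a", ("10.10.0.0/16",)),
    Attachment("tgw-attach-bu-a-2", "bu-a", ("10.11.0.0/16",)),
    Attachment("tgw-attach-bu-b-1", "bu-b", ("10.20.0.0/16",)),
    Attachment("tgw-attach-bu-c-1", "bu-c", ("10.30.0.0/16",)),
)
ALL = (DXGW,) + VPCS


def flat_model() -> list[RouteTable]:
    """Default TGW behaviour: one table, every attachment associated and propagated."""
    routes = {c: a.att_id for a in ALL for c in a.cidrs}
    return [RouteTable("default", frozenset(a.att_id for a in ALL), routes)]


def segmented_model() -> list[RouteTable]:
    """One table per business unit plus one for the on-prem side (the answer's design)."""
    tables = []
    for bu in sorted({v.owner for v in VPCS}):
        members = [v for v in VPCS if v.owner == bu]
        routes = {c: DXGW.att_id for c in ONPREM}             # on-prem via the DX gateway
        routes.update({c: v.att_id for v in members for c in v.cidrs})
        tables.append(RouteTable(f"rt-{bu}", frozenset(v.att_id for v in members), routes))
    # The DX gateway attachment's table propagates every VPC so both data centers reach them all.
    tables.append(RouteTable("rt-onprem", frozenset({DXGW.att_id}),
                             {c: v.att_id for v in VPCS for c in v.cidrs}))
    return tables


if __name__ == "__main__":
    for name, model in (("flat", flat_model()), ("segmented", segmented_model())):
        print(name, check_segmentation(model, ALL, ONPREM))
```

The flat model reports a violation for every cross-unit VPC pair while still reaching on-prem, which is exactly the state an account lands in when attachments are left on the default route table; the segmented model reports none. The same check is worth running after each new VPC is onboarded, since a single attachment associated with the wrong table silently reopens the path.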