AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct answer describes the necessary route table configurations to establish a centralized egress inspection architecture using a Transit Gateway and a Gateway Load Balancer. The traffic flow is as follows: Application VPC -> Transit Gateway -> Inspection VPC -> GWLBE -> Firewall -> GWLBE -> NAT Gateway -> Internet Gateway.

To achieve this, the default route (0.0.0.0/0) in the application VPC's private subnets must point to the Transit Gateway. This sends all outbound traffic to the central hub. Next, the Transit Gateway route table associated with the application VPC attachments must have a default route pointing to the inspection VPC attachment. This directs the traffic to the inspection VPC for processing. Finally, within the inspection VPC, the route table for the subnets that contain the Transit Gateway attachments must have a default route with the Gateway Load Balancer Endpoints (GWLBE) as the target. This critical step forwards the traffic to the firewalls for inspection. The return traffic from the firewalls is routed via a NAT Gateway to the Internet Gateway.

Routing directly from the application VPC to an Internet Gateway bypasses the required inspection, violating the security requirement. Routing traffic from the Transit Gateway directly to a NAT Gateway in the inspection VPC would also bypass the firewall appliances. Directly targeting a GWLBE in another VPC from an application VPC's route table is not a valid configuration, as VPC Endpoints are local to their VPC and cannot be a direct route target from a different VPC.