AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A financial services company is designing a global, multi-account AWS environment to host a critical three-tier application. The architecture requires separate AWS accounts for development, staging, and production to ensure strict workload isolation. Each account will have its own VPC and connect to a central Transit Gateway for shared services and to an on-premises network via AWS Direct Connect. The on-premises network uses the 10.0.0.0/8 address space. The architects have allocated the 172.16.0.0/16 block for all AWS VPCs. A primary requirement is to maintain clear network segmentation between application tiers (web, application, database) within each VPC, while ensuring that routing between the VPCs and the on-premises network is scalable and avoids IP address conflicts. Which network segmentation strategy is the MOST effective and scalable for this scenario?
A. Assign a unique, non-overlapping CIDR block to each account's VPC (e.g., 172.16.10.0/24 for dev, 172.16.20.0/24 for staging, 172.16.30.0/24 for prod). Within each VPC, create separate subnets for the web, application, and database tiers across multiple Availability Zones.
B. Assign the primary CIDR block 172.16.0.0/16 to the production VPC. For the development and staging VPCs, use the same primary CIDR and then add unique secondary CIDR blocks to each to differentiate them for routing purposes.
C. Use the same 172.16.0.0/16 CIDR block for the VPC in each of the development, staging, and production accounts. Rely on the Transit Gateway to manage routing between the identical address spaces.
D. Create a single, large VPC in a shared services account with the 172.16.0.0/16 CIDR. Create separate sets of subnets within this single VPC for the development, staging, and production environments, using security groups to enforce isolation.
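As an added illustration (not part of the question or any AWS material), the following Python planner checks a candidate VPC allocation for overlap with the 10.0.0.0/8 on-premises range, for overlap between VPCs that a Transit Gateway would have to route between, and for staying inside the allocated 172.16.0.0/16; it then carves one subnet per tier and Availability Zone out of a VPC CIDR. The two AZs and the resulting /27 split are assumptions chosen for the example.

```python
"""Constructed CIDR-plan validator for a multi-account VPC design."""
import ipaddress
from itertools import combinations

ON_PREM = ipaddress.ip_network("10.0.0.0/8")        # on-premises range from the scenario
AWS_SUPERNET = ipaddress.ip_network("172.16.0.0/16")  # block allocated for all VPCs
TIERS = ("web", "app", "db")
AZS = ("a", "b")  # assumption: two Availability Zones per region


def check_plan(vpcs):
    """vpcs: {account: cidr}. Returns a list of conflicts; empty means the plan routes cleanly."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vpcs.items()}
    problems = []
    for name, net in nets.items():
        if net.overlaps(ON_PREM):
            problems.append(f"{name} {net} overlaps on-premises {ON_PREM}")
        if not net.subnet_of(AWS_SUPERNET):
            problems.append(f"{name} {net} lies outside allocated {AWS_SUPERNET}")
    # Any two VPCs attached to the same Transit Gateway must not share address space.
    for (n1, a), (n2, b) in combinations(nets.items(), 2):
        if a.overlaps(b):
            problems.append(f"{n1} {a} overlaps {n2} {b}: no unambiguous TGW route")
    return problems


def tier_subnets(vpc_cidr, tiers=TIERS, azs=AZS):
    """Carve one subnet per (tier, AZ) from the VPC CIDR; returns {(tier, az): network}."""
    vpc = ipaddress.ip_network(vpc_cidr)
    needed = len(tiers) * len(azs)
    extra_bits = (needed - 1).bit_length()  # smallest split that yields >= needed subnets
    pieces = list(vpc.subnets(prefixlen_diff=extra_bits))
    return {(t, z): pieces[i * len(azs) + j]
            for i, t in enumerate(tiers) for j, z in enumerate(azs)}


if __name__ == "__main__":
    candidate = {"dev": "172.16.10.0/24", "staging": "172.16.20.0/24", "prod": "172.16.30.0/24"}
    print("conflicts:", check_plan(candidate) or "none")
    for key, net in tier_subnets(candidate["prod"]).items():
        print(key, net)
```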