AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A financial services company is designing a global, multi-account AWS environment to host a critical three-tier application. The architecture requires separate AWS accounts for development, staging, and production to ensure strict workload isolation. Each account will have its own VPC and connect to a central Transit Gateway for shared services and to an on-premises network via AWS Direct Connect. The on-premises network uses the 10.0.0.0/8 address space. The architects have allocated the 172.16.0.0/16 block for all AWS VPCs. A primary requirement is to maintain clear network segmentation between application tiers (web, application, database) within each VPC, while ensuring that routing between the VPCs and the on-premises network is scalable and avoids IP address conflicts. Which network segmentation strategy is the MOST effective and scalable for this scenario?
Use the same 172.16.0.0/16 CIDR block for the VPC in each of the development, staging, and production accounts. Rely on the Transit Gateway to manage routing between the identical address spaces.
Assign a unique, non-overlapping CIDR block to each account's VPC (e.g., 172.16.10.0/24 for dev, 172.16.20.0/24 for staging, 172.16.30.0/24 for prod). Within each VPC, create separate subnets for the web, application, and database tiers across multiple Availability Zones.
Create a single, large VPC in a shared services account with the 172.16.0.0/16 CIDR. Create separate sets of subnets within this single VPC for the development, staging, and production environments, using security groups to enforce isolation.
Assign the primary CIDR block 172.16.0.0/16 to the production VPC. For the development and staging VPCs, use the same primary CIDR and then add unique secondary CIDR blocks to each to differentiate them for routing purposes.
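As an added example that is not part of the original question, the Python below checks a candidate allocation plan for the two conflicts the scenario warns about (overlap with the on-premises 10.0.0.0/8 space and overlap between VPCs that must route to one another through a Transit Gateway), then carves per-tier subnets across Availability Zones inside a VPC; the CIDR values are the ones quoted in the options, the AZ names are assumed.

```python
import ipaddress
from itertools import product

# Address blocks quoted in the question; AZ names are an assumption for illustration.
ON_PREM = ipaddress.ip_network("10.0.0.0/8")
AWS_SUPERNET = ipaddress.ip_network("172.16.0.0/16")
AZS = ["us-east-1a", "us-east-1b"]
TIERS = ["web", "app", "db"]


def find_overlaps(vpcs):
    """Return conflicts for a {name: cidr} plan.

    Each conflict is a pair: (name, "on-prem") if the VPC collides with the
    on-premises range, (name, "outside-supernet") if it falls outside the block
    allocated to AWS, or (name_a, name_b) if two VPCs overlap each other.
    An empty list means every VPC can be routed unambiguously."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vpcs.items()}
    names = sorted(nets)
    conflicts = []
    for i, a in enumerate(names):
        if nets[a].overlaps(ON_PREM):
            conflicts.append((a, "on-prem"))
        if not nets[a].subnet_of(AWS_SUPERNET):
            conflicts.append((a, "outside-supernet"))
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                conflicts.append((a, b))
    return conflicts


def carve_tier_subnets(vpc_cidr, tiers=TIERS, azs=AZS):
    """Split a VPC CIDR evenly into one subnet per (tier, AZ) pair.

    Returns {(tier, az): IPv4Network}; the prefix is lengthened by just enough
    bits to hold all pairs (6 pairs -> 8 slices, so a /24 becomes /27s)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    needed = len(tiers) * len(azs)
    extra_bits = (needed - 1).bit_length()
    slices = list(vpc.subnets(prefixlen_diff=extra_bits))
    return {pair: slices[i] for i, pair in enumerate(product(tiers, azs))}


if __name__ == "__main__":
    plan = {"dev": "172.16.10.0/24", "staging": "172.16.20.0/24", "prod": "172.16.30.0/24"}
    print("conflicts:", find_overlaps(plan))
    for pair, net in carve_tier_subnets(plan["dev"]).items():
        print(pair, net)
```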