AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A global enterprise has a hybrid network architecture in the us-east-1 Region. The current setup is as follows:
Two on-premises data centers each use AWS Site-to-Site VPN to connect to a central "network-services" VPC.
A third corporate office connects to the same VPC by using an AWS Direct Connect private virtual interface that terminates on the VPC's virtual private gateway (VGW).
Several application VPCs are peered with the network-services VPC.
Network administrators report that the VPN-connected data centers cannot communicate with the Direct Connect-connected corporate office, and none of the on-premises locations can reach the application VPCs through the network-services VPC. The enterprise wants full, transitive connectivity among all on-premises networks and all VPCs, using a solution that is centrally managed and can scale to dozens of additional VPCs and connections in the future.
Which solution should a solutions architect recommend?
Create an AWS Transit Gateway and attach the network-services VPC, each application VPC, a Direct Connect gateway, and both Site-to-Site VPN connections. Use Transit Gateway route tables to allow traffic between all attachments.
Deploy redundant third-party virtual router appliances in the network-services VPC, terminate the VPN and Direct Connect links on them, and configure the appliances for transitive routing.
Configure AWS VPN CloudHub on the existing virtual private gateway, advertising BGP routes between the VPN connections and the Direct Connect private virtual interface.
Enable VGW route propagation for all connections and add static routes in every VPC route table to send traffic between the VPN prefixes and the Direct Connect gateway.
Deploying an AWS Transit Gateway (TGW) solves the problem. A TGW acts as a highly available cloud router that natively supports attachments for VPCs, Site-to-Site VPNs, and Direct Connect gateways. By attaching the network-services VPC, the application VPCs, the two VPN connections, and a Direct Connect gateway (for the existing Direct Connect circuit) to the TGW, all networks can communicate through TGW route tables while avoiding the edge-to-edge and transitive-routing limitations of VPC peering.
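The design described above, expressed as an added Terraform sketch (this is not code from the question page or from AWS; VPC, subnet and customer-gateway values, ASNs and CIDRs are assumed placeholders). It shows the point the explanation makes: once every attachment associates with and propagates into one TGW route table, the two VPN data centers, the Direct Connect office and every VPC reach each other through the TGW, with no VPC-peering edge-to-edge restriction in the path. One practical detail the question glosses over is also reflected: a Direct Connect gateway attaches to a TGW through a transit virtual interface, so the existing private VIF on the VGW would be replaced by a transit VIF on the new DX gateway (the VIF itself is not shown).

```hcl
# Added example, not from the question page. All IDs, IPs, ASNs and CIDRs are
# assumed placeholders for an existing us-east-1 estate.
provider "aws" {
  region = "us-east-1"
}

# Central hub router. Default association/propagation are disabled so every
# attachment is placed explicitly in the single "flat" table below.
resource "aws_ec2_transit_gateway" "hub" {
  description                     = "network-services hub"
  amazon_side_asn                 = 64512 # assumed private ASN
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

# One route table shared by all attachments gives full transitive reachability.
# Splitting it into several tables is how you would segment traffic later.
resource "aws_ec2_transit_gateway_route_table" "flat" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

# VPC attachments: the network-services VPC plus each application VPC.
locals {
  vpcs = {
    "network-services" = { vpc_id = "vpc-0aaaa", subnet_ids = ["subnet-0aaa1"] } # assumed
    "app-a"            = { vpc_id = "vpc-0bbbb", subnet_ids = ["subnet-0bbb1"] } # assumed
    "app-b"            = { vpc_id = "vpc-0cccc", subnet_ids = ["subnet-0ccc1"] } # assumed
  }
}

resource "aws_ec2_transit_gateway_vpc_attachment" "vpc" {
  for_each                                        = local.vpcs
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = each.value.vpc_id
  subnet_ids                                      = each.value.subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

# Site-to-Site VPNs for the two data centers, terminated on the TGW rather
# than on the VGW. Customer gateway addresses and ASN are assumed.
resource "aws_customer_gateway" "dc" {
  for_each   = { dc1 = "198.51.100.10", dc2 = "198.51.100.20" } # assumed
  bgp_asn    = 65000
  ip_address = each.value
  type       = "ipsec.1"
}

resource "aws_vpn_connection" "dc" {
  for_each            = aws_customer_gateway.dc
  customer_gateway_id = each.value.id
  transit_gateway_id  = aws_ec2_transit_gateway.hub.id
  type                = "ipsec.1"
}

# The TGW creates the VPN attachment itself; look its ID up for the route table.
data "aws_ec2_transit_gateway_vpn_attachment" "dc" {
  for_each           = aws_vpn_connection.dc
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpn_connection_id  = each.value.id
}

# Direct Connect gateway for the corporate office, associated with the TGW.
# The circuit's transit VIF would be created on this DX gateway (not shown).
resource "aws_dx_gateway" "office" {
  name            = "corporate-office"
  amazon_side_asn = "64513" # assumed
}

resource "aws_dx_gateway_association" "office" {
  dx_gateway_id         = aws_dx_gateway.office.id
  associated_gateway_id = aws_ec2_transit_gateway.hub.id
  allowed_prefixes      = ["10.0.0.0/8"] # assumed summary of all VPC CIDRs advertised to the office
}

data "aws_ec2_transit_gateway_dx_gateway_attachment" "office" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  dx_gateway_id      = aws_dx_gateway.office.id
  depends_on         = [aws_dx_gateway_association.office]
}

# Every attachment (VPCs, both VPNs, the DX gateway) goes into the flat table:
# association decides which table an attachment consults, propagation puts its
# prefixes into that table. Both together yield transitive connectivity.
locals {
  attachment_ids = merge(
    { for k, a in aws_ec2_transit_gateway_vpc_attachment.vpc : k => a.id },
    { for k, v in data.aws_ec2_transit_gateway_vpn_attachment.dc : k => v.id },
    { office = data.aws_ec2_transit_gateway_dx_gateway_attachment.office.id },
  )
}

resource "aws_ec2_transit_gateway_route_table_association" "all" {
  for_each                       = local.attachment_ids
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.flat.id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "all" {
  for_each                       = local.attachment_ids
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.flat.id
}
```

Two things still have to happen outside this sketch for traffic to flow: each VPC's subnet route tables need a route for the on-premises and other-VPC prefixes pointing at the TGW (an `aws_route` with `transit_gateway_id`), and the on-premises routers must accept the VPC prefixes the TGW advertises over BGP. The VGW, its private VIF and the VPC peering connections can be retired once the TGW paths are verified; until then the two paths should not advertise overlapping prefixes, or the more specific peering routes in the VPC route tables will keep winning.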
Incorrect options:
AWS VPN CloudHub - CloudHub running on a VGW can exchange routes between VPNs and even a Direct Connect private VIF on the same VGW, but it would still be blocked by the "edge-to-edge routing" limitation of VPC peering, so on-premises networks could not reach the application VPCs. CloudHub also scales only to 50 VPNs and lacks the centralized controls and visibility that TGW provides.
Enable route propagation on the VGW and add static routes - This does not overcome the peering edge-to-edge restriction and provides no central hub for additional VPCs or future connections.
Third-party virtual router appliances - While technically feasible, this approach adds operational overhead for HA, patching, licensing, and scaling, whereas TGW is a fully managed service purpose-built for this use case.
Design Solutions for Organizational Complexity