AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 4

A global delivery company is modernizing its fleet management system. The company has several business units. Each business unit designs and maintains applications that are hosted in its own AWS account in separate application VPCs in the same AWS Region. Each business unit's applications are designed to get data from a central shared services VPC.
The company wants the network connectivity architecture to provide granular security controls. The architecture also must be able to scale as more business units consume data from the central shared services VPC in the future.
Which solution will meet these requirements in the MOST secure manner?

Answer options

• A. Create a central transit gateway. Create a VPC attachment to each application VPC. Provide full mesh connectivity between all the VPCs by using the transit gateway.
• B. Create VPC peering connections between the central shared services VPC and each application VPC in each business unit's AWS account.
• C. Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPCreate VPC endpoints in each application VPC.
• D. Create a central transit VPC with a VPN appliance from AWS Marketplace. Create a VPN attachment from each VPC to the transit VPC. Provide full mesh connectivity among all the VPCs.

Correct answer: C

Explanation

Option C is correct because using VPC endpoint services with AWS PrivateLink allows for secure and scalable access to the central shared services VPC without exposing the services to the public internet. The other options either do not provide the same level of security or would be less efficient and harder to manage as the number of business units increases.