AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 42
A company has hundreds of Amazon EC2 instances that are running in two production VPCs across all Availability Zones in the us-east-1 Region. The production VPCs are named VPC A and VPC B.
A new security regulation requires all traffic between production VPCs to be inspected before the traffic is routed to its final destination. The company deploys a new shared VPC that contains a stateful firewall appliance and a transit gateway with a VPC attachment across all VPCs to route traffic between VPC A and VPC B through the firewall appliance for inspection. During testing, the company notices that the transit gateway is dropping the traffic whenever the traffic is between two Availability Zones.
What should a network engineer do to fix this issue with the LEAST management overhead?
Answer options
- A. In the shared VPC, replace the VPC attachment with a VPN attachment. Create a VPN tunnel between the transit gateway and the firewall appliance. Configure BGP.
- B. Enable transit gateway appliance mode on the VPC attachment in VPC A and VPC B.
- C. Enable transit gateway appliance mode on the VPC attachment in the shared VPC.
- D. In the shared VPC, configure one VPC peering connection to VPC A and another VPC peering connection to VPC B.
Correct answer: C
Explanation
C is correct. By default, a transit gateway keeps traffic in the Availability Zone in which it entered the transit gateway: a request from an instance in VPC A in us-east-1a is handed to the shared VPC attachment's network interface in us-east-1a, while the reply from VPC B in us-east-1b is handed to the interface in us-east-1b. The firewall that receives the reply has no session state for that connection, because it never saw the request, so the stateful firewall drops the flow. This only happens for flows whose two endpoints sit in different Availability Zones, which matches the symptom in the question. Enabling appliance mode on the shared (inspection) VPC attachment makes the transit gateway choose a single network interface in that VPC, selected by a flow hash, for the life of each flow, so both directions of a connection traverse the same Availability Zone and the same firewall state table. It is a single attachment option change with no routing, BGP or appliance changes, which is the least management overhead.

B is wrong because appliance mode is a property of the attachment in the VPC that hosts the appliance; setting it on the VPC A and VPC B attachments does not change which interface the transit gateway selects in the shared VPC. A could force symmetric flows, but it means building and operating a VPN tunnel and a BGP session to the firewall, far more overhead than one attachment setting. D does not meet the requirement: VPC peering is not transitive, so traffic from VPC A cannot be forwarded through the shared VPC's firewall to VPC B over peering connections, and the inspection path would be bypassed.
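The following is an added worked example, not part of the original question or of any AWS tooling. It models the documented Availability Zone selection for the appliance VPC attachment to show why cross-AZ flows fail without appliance mode (the flow hash AWS uses is not published, so a SHA-256 over the sorted endpoints stands in for it), then audits constructed describe-transit-gateway-vpc-attachments output and builds the boto3 call that enables appliance mode on the inspection VPC attachment only. All VPC IDs, attachment IDs and addresses are constructed.

```python
"""Appliance mode and asymmetric inspection: an added worked example.

Part 1 models the transit gateway's AZ selection for the appliance VPC
attachment (documented behaviour, simplified: the flow hash AWS uses is not
published, so a SHA-256 over the sorted endpoints stands in for it).
Part 2 audits describe-transit-gateway-vpc-attachments output and builds the
boto3 call that enables appliance mode on the inspection VPC attachment only.
All VPC, attachment and address values below are constructed, not from the
original question.
"""
import hashlib

# Constructed: the shared VPC has one firewall interface per AZ and the firewall
# keeps connection state per AZ, as a stateful appliance deployed per AZ does.
FIREWALL_AZS = ["us-east-1a", "us-east-1b"]


def tgw_select_az(ingress_az, flow, appliance_mode):
    """AZ of the shared-VPC interface the TGW hands this packet to.

    Without appliance mode the TGW keeps traffic in the AZ it entered from.
    With appliance mode it picks one AZ per flow by hashing the flow, so the
    reply (same endpoints, reversed) hashes to the same AZ as the request.
    """
    if not appliance_mode:
        return ingress_az
    endpoints = sorted([flow["src"], flow["dst"]])  # direction-independent
    key = "|".join(endpoints + [flow["proto"]]).encode()
    digest = hashlib.sha256(key).digest()  # stand-in for the AWS flow hash
    return FIREWALL_AZS[digest[0] % len(FIREWALL_AZS)]


def inspected_symmetrically(src_az, dst_az, flow, appliance_mode):
    """True if request and reply reach the firewall in the same AZ.

    A stateful firewall only has state for the request in the AZ that saw it;
    a reply arriving in the other AZ matches no session and is dropped.
    """
    reply = {"src": flow["dst"], "dst": flow["src"], "proto": flow["proto"]}
    fwd_az = tgw_select_az(src_az, flow, appliance_mode)
    rev_az = tgw_select_az(dst_az, reply, appliance_mode)
    return fwd_az == rev_az


# Constructed sample in the shape of ec2.describe_transit_gateway_vpc_attachments.
SAMPLE_DESCRIBE = {
    "TransitGatewayVpcAttachments": [
        {"TransitGatewayAttachmentId": "tgw-attach-0a0a0a0a", "VpcId": "vpc-0aaa",  # VPC A
         "Options": {"DnsSupport": "enable", "ApplianceModeSupport": "disable"}},
        {"TransitGatewayAttachmentId": "tgw-attach-0b0b0b0b", "VpcId": "vpc-0bbb",  # VPC B
         "Options": {"DnsSupport": "enable", "ApplianceModeSupport": "disable"}},
        {"TransitGatewayAttachmentId": "tgw-attach-0f0f0f0f", "VpcId": "vpc-0fff",  # shared
         "Options": {"DnsSupport": "enable", "ApplianceModeSupport": "disable"}},
    ]
}


def attachments_missing_appliance_mode(describe_response, inspection_vpc_id):
    """IDs of the inspection VPC's attachments that lack appliance mode.

    Only the attachment in the VPC hosting the firewall is considered: the
    setting has no effect on the production VPC attachments (option B).
    """
    missing = []
    for att in describe_response["TransitGatewayVpcAttachments"]:
        if att["VpcId"] != inspection_vpc_id:
            continue
        if att.get("Options", {}).get("ApplianceModeSupport") != "enable":
            missing.append(att["TransitGatewayAttachmentId"])
    return missing


def enable_appliance_mode_request(attachment_id):
    """Keyword arguments for ec2.modify_transit_gateway_vpc_attachment."""
    return {
        "TransitGatewayAttachmentId": attachment_id,
        "Options": {"ApplianceModeSupport": "enable"},
    }


if __name__ == "__main__":
    flow = {"src": "10.1.0.10:51234", "dst": "10.2.0.20:443", "proto": "tcp"}
    for mode in (False, True):
        ok = inspected_symmetrically("us-east-1a", "us-east-1b", flow, mode)
        print(f"appliance mode {'on ' if mode else 'off'}: "
              f"cross-AZ flow {'inspected' if ok else 'DROPPED (asymmetric)'}")
    for att_id in attachments_missing_appliance_mode(SAMPLE_DESCRIBE, "vpc-0fff"):
        req = enable_appliance_mode_request(att_id)
        print("fix:", req)
        # Real call (needs credentials; kept as a comment so the module runs
        # offline):
        #   import boto3
        #   boto3.client("ec2", region_name="us-east-1") \
        #        .modify_transit_gateway_vpc_attachment(**req)
```

The same change from the CLI is `aws ec2 modify-transit-gateway-vpc-attachment --transit-gateway-attachment-id <id> --options ApplianceModeSupport=enable`, and `aws ec2 describe-transit-gateway-vpc-attachments` shows `Options.ApplianceModeSupport` so the setting can be verified afterwards. Note that in the model, a flow between two instances in the same Availability Zone is inspected correctly even without appliance mode, which is why the problem in the question only surfaces for cross-AZ traffic.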