A company uses AWS CloudFormation to deploy applications within multiple VPCs that are al…

Question

A company uses AWS CloudFormation to deploy applications within multiple VPCs that are all attached to a transit gateway. Each VPC that sends traffic to the public internet must send the traffic through a shared services VPC. Each subnet within a VPC uses the default VPC route table, and the traffic is routed to the transit gateway. The transit gateway uses its default route table for any VPC attachment. A security audit reveals that an Amazon EC2 instance that is deployed within a VPC can communicate with an EC2 instance that is deployed in any of the company's other VPCs. A solutions architect needs to limit the traffic between the VPCs. Each VPC must be able to communicate only with a predefined, limited set of authorized VPCs. What should the solutions architect do to meet these requirements?

Accepted Answer

Correct answer: C. C. Create a dedicated transit gateway route table for each VPC attachment. Route traffic only to the authorized VPCs. — The correct answer is C because creating a dedicated transit gateway route table for each VPC attachment allows the solutions architect to control and restrict traffic to only the authorized VPCs. Option A would not adequately limit communication as it only adjusts network ACLs, which might not enforce strict controls over all traffic. Option B focuses on security groups, which influence instance-level controls rather than VPC-wide traffic management. Option D would also not suffice as it does not utilize the capabilities of a dedicated route table for fine-grained traffic control.

AWS Certified Solutions Architect – Professional (SAP-C02) — Question 248

Answer options

Correct answer: C

Explanation