AWS Certified Solutions Architect – Professional (SAP-C02) — Question 276

A large company runs workloads in VPCs that are deployed across hundreds of AWS accounts. Each VPC consists of public subnets and private subnets that span across multiple Availability Zones. NAT gateways are deployed in the public subnets and allow outbound connectivity to the internet from the private subnets.

A solutions architect is working on a hub-and-spoke design. All private subnets in the spoke VPCs must route traffic to the internet through an egress VPC. The solutions architect already has deployed a NAT gateway in an egress VPC in a central AWS account.

Which set of additional steps should the solutions architect take to meet these requirements?

Answer options

• A. Create peering connections between the egress VPC and the spoke VPCs. Configure the required routing to allow access to the internet.
• B. Create a transit gateway, and share it with the existing AWS accounts. Attach existing VPCs to the transit gateway. Configure the required routing to allow access to the internet.
• C. Create a transit gateway in every account. Attach the NAT gateway to the transit gateways. Configure the required routing to allow access to the internet.
• D. Create an AWS PrivateLink connection between the egress VPC and the spoke VPCs. Configure the required routing to allow access to the internet.

Correct answer: B

Explanation

AWS Transit Gateway acts as a cloud router, making it the ideal service for hub-and-spoke architectures across hundreds of AWS accounts when shared via AWS Resource Access Manager (RAM). VPC Peering does not support transitive routing to a NAT gateway in another VPC, and creating a transit gateway in every account is redundant and incorrect. AWS PrivateLink is designed for private exposure of specific services rather than general outbound internet egress routing.