AWS Certified Solutions Architect – Professional (SAP-C02) — Question 328
A company operates a fleet of servers on premises and operates a fleet of Amazon EC2 instances in its organization in AWS Organizations. The company's AWS accounts contain hundreds of VPCs. The company wants to connect its AWS accounts to its on-premises network. AWS Site-to-Site VPN connections are already established to a single AWS account. The company wants to control which VPCs can communicate with other VPCs.
Which combination of steps will achieve this level of control with the LEAST operational effort? (Choose three.)
Answer options
- A. Create a transit gateway in an AWS account. Share the transit gateway across accounts by using AWS Resource Access Manager (AWS RAM).
- B. Configure attachments to all VPCs and VPNs.
- C. Set up transit gateway route tables. Associate the VPCs and VPNs with the route tables.
- D. Configure VPC peering between the VPCs.
- E. Configure attachments between the VPCs and VPNs.
- F. Set up route tables on the VPCs and VPNs.
Correct answer: A, B, C
Explanation
To connect hundreds of VPCs across multiple accounts with minimal effort, deploy a single AWS Transit Gateway in one account and share it with the other accounts through AWS Resource Access Manager (AWS RAM). Attach every VPC and the existing VPN connections to the transit gateway, then use custom transit gateway route tables: the route table an attachment is associated with, and the attachments that propagate routes into it, determine which VPCs can reach each other and which can reach the on-premises network. Alternatives such as full-mesh VPC peering or per-VPC point-to-point configuration do not scale to hundreds of VPCs and carry high operational overhead.
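The following Terraform configuration is an added illustration of answers A, B and C, not material from the exam or from AWS documentation. It builds the hub in one account: a transit gateway shared with the organization via RAM, attachments for two spoke VPCs and the VPN, and two transit gateway route tables arranged so that every spoke can reach on premises but spokes cannot reach each other. The VPC, subnet and customer gateway IDs, the `org_arn` variable, and the assumption that the VPN uses BGP (so its routes can propagate) are all placeholders and assumptions of this example.

```hcl
# Added example (not from the exam page): hub-account Terraform for a shared
# transit gateway with segmented route tables. All resource IDs are placeholders.

variable "org_arn" {
  description = "ARN of the AWS Organization to share the TGW with (placeholder)"
  type        = string
}

resource "aws_ec2_transit_gateway" "hub" {
  description                    = "shared hub"
  auto_accept_shared_attachments = "enable"
  # Disable the implicit default table so every attachment must be placed
  # explicitly; nothing can talk to anything until a route table says so.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

# Answer A: share the transit gateway with the organization through RAM.
resource "aws_ram_resource_share" "tgw" {
  name                      = "tgw-share"
  allow_external_principals = false
}
resource "aws_ram_resource_association" "tgw" {
  resource_arn       = aws_ec2_transit_gateway.hub.arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}
resource "aws_ram_principal_association" "org" {
  principal          = var.org_arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

# Answer B: attachments for the VPCs and the VPN. In practice each spoke VPC
# attachment is created from the spoke account (provider alias); shown in one
# file here so the whole design is visible.
locals {
  spokes = {
    app = { vpc_id = "vpc-0aaaaaaa", subnet_ids = ["subnet-0aaa1", "subnet-0aaa2"] }
    db  = { vpc_id = "vpc-0bbbbbbb", subnet_ids = ["subnet-0bbb1", "subnet-0bbb2"] }
  }
}
resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  for_each           = local.spokes
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = each.value.vpc_id
  subnet_ids         = each.value.subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}
resource "aws_vpn_connection" "onprem" {
  customer_gateway_id = "cgw-0ccccccc" # placeholder
  transit_gateway_id  = aws_ec2_transit_gateway.hub.id
  type                = "ipsec.1"
}

# Answer C: two route tables. "spokes" is used by VPC attachments and learns
# only the on-premises prefixes, so one spoke has no route to another spoke.
# "onprem" is used by the VPN attachment and learns every spoke CIDR so that
# return traffic from on premises can reach the right VPC.
resource "aws_ec2_transit_gateway_route_table" "spokes" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}
resource "aws_ec2_transit_gateway_route_table" "onprem" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

# Associations: which table an attachment's traffic is looked up in.
resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}
resource "aws_ec2_transit_gateway_route_table_association" "vpn" {
  transit_gateway_attachment_id  = aws_vpn_connection.onprem.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.onprem.id
}

# Propagations: which attachments' prefixes a table learns.
resource "aws_ec2_transit_gateway_route_table_propagation" "vpn_to_spokes" {
  transit_gateway_attachment_id  = aws_vpn_connection.onprem.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "spokes_to_onprem" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.onprem.id
}
```

The segmentation policy lives entirely in the association and propagation resources: allowing two spokes to communicate later means adding a propagation (or a static `aws_ec2_transit_gateway_route`) into the `spokes` table, with no change to the VPCs themselves. Two practical caveats: propagation from the VPN attachment only works when the VPN runs BGP, so a static-route VPN needs explicit static routes in the `spokes` table instead; and each spoke's subnet route tables still need a route for the on-premises prefixes that points at the transit gateway attachment, which is a per-VPC plumbing step rather than where the reachability policy is enforced.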