AWS Certified Solutions Architect – Professional (SAP-C02) — Question 438
A company uses AWS Organizations to manage its development environment. Each development team at the company has its own AWS account. Each account has a single VPC and CIDR blocks that do not overlap.
The company has an Amazon Aurora DB cluster in a shared services account. All the development teams need to work with live data from the DB cluster.
Which solution will provide the required connectivity to the DB cluster with the LEAST operational overhead?
Answer options
- A. Create an AWS Resource Access Manager (AWS RAM) resource share for the DB cluster. Share the DB cluster with all the development accounts.
- B. Create a transit gateway in the shared services account. Create an AWS Resource Access Manager (AWS RAM) resource share for the transit gateway. Share the transit gateway with all the development accounts. Instruct the developers to accept the resource share. Configure networking.
- C. Create an Application Load Balancer (ALB) that points to the IP address of the DB cluster. Create an AWS PrivateLink endpoint service that uses the ALB. Add permissions to allow each development account to connect to the endpoint service.
- D. Create an AWS Site-to-Site VPN connection in the shared services account. Configure networking. Use AWS Marketplace VPN software in each development account to connect to the Site-to-Site VPN connection.
Correct answer: B
Explanation
AWS Transit Gateway shared via AWS Resource Access Manager (AWS RAM) is the most operationally efficient way to interconnect multiple VPCs whose CIDR blocks do not overlap: the shared services account creates and shares the gateway once, each development account attaches its VPC, and routes are added on both sides. Sharing the Aurora DB cluster itself through AWS RAM does not provide network connectivity to it. Options built on AWS PrivateLink or Site-to-Site VPNs can also establish connectivity, but they introduce significantly higher configuration and management overhead.
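As an added illustration (not part of the original question and not code from AWS), the following Terraform configuration shows the whole option B flow in one file: the shared services account creates the transit gateway, shares it through AWS RAM and attaches its own VPC; a development account accepts the share, attaches its VPC; and both sides add routes. Every VPC, subnet, route table and security group ID, CIDR block, account number and role name is an assumed placeholder, and the single development account stands in for the per-team accounts the question describes.

```hcl
# Added example; all IDs, CIDRs and account numbers are placeholders.
variable "shared_vpc_id"         { default = "vpc-SHARED-PLACEHOLDER" }
variable "shared_vpc_cidr"       { default = "10.0.0.0/16" }
variable "shared_subnet_ids"     { default = ["subnet-SHARED-A", "subnet-SHARED-B"] }
variable "shared_route_table_id" { default = "rtb-SHARED-PLACEHOLDER" }
variable "aurora_sg_id"          { default = "sg-AURORA-PLACEHOLDER" }
variable "dev_account_id"        { default = "111111111111" }
variable "dev_vpc_id"            { default = "vpc-DEV-PLACEHOLDER" }
variable "dev_vpc_cidr"          { default = "10.1.0.0/16" }   # must not overlap shared_vpc_cidr
variable "dev_subnet_ids"        { default = ["subnet-DEV-A", "subnet-DEV-B"] }
variable "dev_route_table_id"    { default = "rtb-DEV-PLACEHOLDER" }

provider "aws" {
  alias  = "shared"
  region = "us-east-1"
}

# Assumed cross-account role in the development account.
provider "aws" {
  alias  = "dev"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::${var.dev_account_id}:role/OrganizationAccountAccessRole"
  }
}

# ---- Shared services account ----
resource "aws_ec2_transit_gateway" "hub" {
  provider    = aws.shared
  description = "Hub connecting development VPCs to the shared Aurora cluster"
  # Auto-accept attachments from accounts that hold the share, so the
  # shared services team does not approve each development VPC by hand.
  auto_accept_shared_attachments  = "enable"
  default_route_table_association = "enable"
  default_route_table_propagation = "enable"
}

resource "aws_ec2_transit_gateway_vpc_attachment" "shared" {
  provider           = aws.shared
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = var.shared_vpc_id
  subnet_ids         = var.shared_subnet_ids
}

resource "aws_ram_resource_share" "tgw" {
  provider                  = aws.shared
  name                      = "dev-transit-gateway"
  allow_external_principals = false   # only principals inside the Organization
}

resource "aws_ram_resource_association" "tgw" {
  provider           = aws.shared
  resource_arn       = aws_ec2_transit_gateway.hub.arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

resource "aws_ram_principal_association" "dev" {
  provider           = aws.shared
  principal          = var.dev_account_id   # an OU ARN would cover every team account
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

# Return path from the shared services VPC to the development VPC.
resource "aws_route" "shared_to_dev" {
  provider               = aws.shared
  route_table_id         = var.shared_route_table_id
  destination_cidr_block = var.dev_vpc_cidr
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.shared]
}

# Least privilege at the database: only the DB port, only from the dev CIDR.
resource "aws_security_group_rule" "aurora_from_dev" {
  provider          = aws.shared
  type              = "ingress"
  security_group_id = var.aurora_sg_id
  from_port         = 3306
  to_port           = 3306
  protocol          = "tcp"
  cidr_blocks       = [var.dev_vpc_cidr]
}

# ---- Development account ----
# Explicit acceptance, matching the "accept the resource share" step. When RAM
# sharing with AWS Organizations is enabled, in-organization shares are
# accepted automatically and this resource can be dropped.
resource "aws_ram_resource_share_accepter" "tgw" {
  provider  = aws.dev
  share_arn = aws_ram_resource_share.tgw.arn
}

resource "aws_ec2_transit_gateway_vpc_attachment" "dev" {
  provider           = aws.dev
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = var.dev_vpc_id
  subnet_ids         = var.dev_subnet_ids
  depends_on         = [aws_ram_resource_share_accepter.tgw]
}

resource "aws_route" "dev_to_shared" {
  provider               = aws.dev
  route_table_id         = var.dev_route_table_id
  destination_cidr_block = var.shared_vpc_cidr
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.dev]
}
```

Because the transit gateway's default route table has association and propagation enabled, the two attachments' CIDRs are learned automatically and no transit gateway route table entries are written by hand; the only per-team work is the attachment, one VPC route and one security group rule. Note that the security group rule, not the routing, is what actually limits which networks can reach the cluster, so it should list only the development CIDRs on the database port rather than the whole transit gateway's reach.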