AWS Certified Solutions Architect – Professional (SAP-C02) — Question 462
A company uses AWS Organizations. The company runs two firewall appliances in a centralized networking account. Each firewall appliance runs on a manually configured highly available Amazon EC2 instance. A transit gateway connects the VPC from the centralized networking account to VPCs of member accounts. Each firewall appliance uses a static private IP address that is then used to route traffic from the member accounts to the internet.
During a recent incident, a badly configured script initiated the termination of both firewall appliances. During the rebuild of the firewall appliances, the company wrote a new script to configure the firewall appliances at startup.
The company wants to modernize the deployment of the firewall appliances. The firewall appliances need the ability to scale horizontally to handle increased traffic when the network expands. The company must continue to use the firewall appliances to comply with company policy. The provider of the firewall appliances has confirmed that the latest version of the firewall code will work with all AWS services.
Which combination of steps should the solutions architect recommend to meet these requirements MOST cost-effectively? (Choose three.)
Answer options
- A. Deploy a Gateway Load Balancer in the centralized networking account. Set up an endpoint service that uses AWS PrivateLink.
- B. Deploy a Network Load Balancer in the centralized networking account. Set up an endpoint service that uses AWS PrivateLink.
- C. Create an Auto Scaling group and a launch template that uses the new script as user data to configure the firewall appliances. Create a target group that uses the instance target type.
- D. Create an Auto Scaling group. Configure an AWS Launch Wizard deployment that uses the new script as user data to configure the firewall appliances. Create a target group that uses the IP target type.
- E. Create VPC endpoints in each member account. Update the route tables to point to the VPC endpoints.
- F. Create VPC endpoints in the centralized networking account. Update the route tables in each member account to point to the VPC endpoints.
Correct answer: A, C, F
Explanation
Option A: a Gateway Load Balancer (GWLB) fronted by a PrivateLink endpoint service is the AWS pattern for inserting third-party inline appliances transparently. The GWLB hands each flow to one appliance encapsulated in GENEVE (UDP 6081), keeps flow stickiness, and the consumer side sees only a VPC endpoint, so the member accounts never depend on the private IP of any single firewall instance, which is the dependency that turned the scripted termination into an outage. A Network Load Balancer (option B) requires a listener per port and protocol and does not provide the bump-in-the-wire inspection of all traffic that a firewall policy requires.

Option C: an Auto Scaling group with a launch template that carries the new bootstrap script as user data gives horizontal scaling and self-configuring replacements for terminated instances. The GWLB target group uses GENEVE on port 6081 and supports the instance target type, so the Auto Scaling group can register instances directly. AWS Launch Wizard (option D) is a guided deployment tool for specific workloads such as SAP and SQL Server, not a way to define a scaling group for arbitrary appliances.

Option F: the GWLB endpoints belong in the centralized networking account, one per Availability Zone, with the route tables of the transit gateway attachment subnets sending traffic to them. Member account traffic still reaches the inspection VPC through the transit gateway, so only the central route tables change. Creating endpoints in every member account (option E) multiplies the hourly endpoint charges per account and per AZ and spreads the routing change across every VPC, which is neither cheaper nor simpler.

A practical caveat: the appliance image must be able to decapsulate and re-encapsulate GENEVE traffic (the vendor's confirmation that the latest code works with all AWS services is what makes this design viable), and the target group health check must exercise the appliance's data path, because an instance that passes a TCP check on a management port but has not finished bootstrapping will black-hole the flows assigned to it.
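As an added example, not part of the exam question or its explanation, the following Python builds the CloudFormation skeleton for the A/C/F design as a plain dict and then checks the invariants that the design depends on: a gateway-type load balancer, a GENEVE/6081 instance target group registered with the Auto Scaling group, and default routes that point at GWLB endpoints rather than at an appliance instance or ENI. Every VPC, subnet, route table and AMI ID is a constructed placeholder, the bootstrap script stands in for the company's own, and the health-check settings are an assumption to be replaced with the vendor's guidance.

```python
"""Build and sanity-check a GWLB inspection stack (A, C, F). Added example; all IDs are placeholders."""
import base64
import json

# Constructed placeholder identifiers for the centralized networking account.
INSPECTION_VPC_ID = "vpc-0inspection00000000"
APPLIANCE_SUBNETS = ["subnet-0appliance0000000a", "subnet-0appliance0000000b"]
ENDPOINT_SUBNETS = ["subnet-0gwlbe00000000000a", "subnet-0gwlbe00000000000b"]
TGW_ATTACH_ROUTE_TABLES = ["rtb-0tgwattach0000000a", "rtb-0tgwattach0000000b"]
FIREWALL_AMI = "ami-0firewall0000000000"  # vendor appliance image (placeholder)

# Hypothetical stand-in for "the new script"; the real one comes from the vendor/company.
BOOTSTRAP = "#!/bin/bash\n/opt/firewall/bin/bootstrap --geneve-port 6081 --config-from-ssm\n"


def build_template():
    """Return the CloudFormation template (as a dict) for options A, C and F."""
    r = {
        # A: Gateway Load Balancer living in the appliance subnets of the inspection VPC.
        "FirewallGwlb": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
                         "Properties": {"Type": "gateway", "Subnets": APPLIANCE_SUBNETS}},
        # C: instance target group. A GWLB only speaks GENEVE on UDP 6081.
        "FirewallTargets": {"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
                            "Properties": {"Protocol": "GENEVE", "Port": 6081, "TargetType": "instance",
                                           "VpcId": INSPECTION_VPC_ID,
                                           # Assumption: appliance exposes an HTTP health endpoint on 8080.
                                           "HealthCheckProtocol": "HTTP", "HealthCheckPort": "8080",
                                           "HealthCheckPath": "/health"}},
        "FirewallListener": {"Type": "AWS::ElasticLoadBalancingV2::Listener",
                             "Properties": {"LoadBalancerArn": {"Ref": "FirewallGwlb"},
                                            "DefaultActions": [{"Type": "forward",
                                                                "TargetGroupArn": {"Ref": "FirewallTargets"}}]}},
        # C: launch template carries the bootstrap script; the ASG registers instances with the GWLB.
        "FirewallLaunchTemplate": {"Type": "AWS::EC2::LaunchTemplate",
                                   "Properties": {"LaunchTemplateData": {
                                       "ImageId": FIREWALL_AMI, "InstanceType": "c6in.xlarge",
                                       "UserData": base64.b64encode(BOOTSTRAP.encode()).decode()}}},
        "FirewallAsg": {"Type": "AWS::AutoScaling::AutoScalingGroup",
                        "Properties": {"MinSize": "2", "MaxSize": "6", "VPCZoneIdentifier": APPLIANCE_SUBNETS,
                                       "LaunchTemplate": {"LaunchTemplateId": {"Ref": "FirewallLaunchTemplate"},
                                                          "Version": {"Fn::GetAtt": ["FirewallLaunchTemplate",
                                                                                     "LatestVersionNumber"]}},
                                       "TargetGroupARNs": [{"Ref": "FirewallTargets"}]}},
        # A: PrivateLink endpoint service fronting the GWLB.
        "FirewallEndpointService": {"Type": "AWS::EC2::VPCEndpointService",
                                    "Properties": {"GatewayLoadBalancerArns": [{"Ref": "FirewallGwlb"}],
                                                   "AcceptanceRequired": False}},
    }
    # F: one GWLB endpoint per AZ in the central account; the TGW attachment subnet's
    # route table sends the default route to the endpoint in the same AZ.
    for i, (subnet, rtb) in enumerate(zip(ENDPOINT_SUBNETS, TGW_ATTACH_ROUTE_TABLES)):
        r[f"GwlbEndpoint{i}"] = {"Type": "AWS::EC2::VPCEndpoint",
                                 "Properties": {"VpcEndpointType": "GatewayLoadBalancer",
                                                "ServiceName": {"Fn::Sub": "com.amazonaws.vpce.${AWS::Region}."
                                                                           "${FirewallEndpointService}"},
                                                "VpcId": INSPECTION_VPC_ID, "SubnetIds": [subnet]}}
        r[f"TgwSubnetDefaultRoute{i}"] = {"Type": "AWS::EC2::Route",
                                          "Properties": {"RouteTableId": rtb, "DestinationCidrBlock": "0.0.0.0/0",
                                                         "VpcEndpointId": {"Ref": f"GwlbEndpoint{i}"}}}
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": r}


def check_inspection_invariants(template):
    """Return a list of problems; an empty list means the template matches the A/C/F design."""
    r, problems = template["Resources"], []
    tg = r["FirewallTargets"]["Properties"]
    if r["FirewallGwlb"]["Properties"]["Type"] != "gateway":
        problems.append("load balancer must be a Gateway Load Balancer (option A, not B)")
    if (tg["Protocol"], tg["Port"]) != ("GENEVE", 6081):
        problems.append("GWLB target group must use GENEVE on port 6081")
    if tg["TargetType"] != "instance":
        problems.append("target group should use the instance target type so the ASG registers targets")
    if {"Ref": "FirewallTargets"} not in r["FirewallAsg"]["Properties"]["TargetGroupARNs"]:
        problems.append("Auto Scaling group is not attached to the GWLB target group")
    endpoints = {k for k, v in r.items() if v["Type"] == "AWS::EC2::VPCEndpoint"
                 and v["Properties"]["VpcEndpointType"] == "GatewayLoadBalancer"}
    if len(endpoints) < len(ENDPOINT_SUBNETS):
        problems.append("need one GWLB endpoint per AZ to avoid cross-AZ black holes")
    for name, v in r.items():
        if v["Type"] != "AWS::EC2::Route":
            continue
        p = v["Properties"]
        if "InstanceId" in p or "NetworkInterfaceId" in p:
            problems.append(f"{name}: route targets a static appliance; it dies with the instance")
        elif p.get("VpcEndpointId", {}).get("Ref") not in endpoints:
            problems.append(f"{name}: default route must point at a GWLB endpoint")
    return problems


def user_data_script(template):
    """Decode the launch template user data so reviewers can diff it against the approved script."""
    data = template["Resources"]["FirewallLaunchTemplate"]["Properties"]["LaunchTemplateData"]["UserData"]
    return base64.b64decode(data).decode()


if __name__ == "__main__":
    tpl = build_template()
    print(json.dumps(tpl, indent=2))
    print("problems:", check_inspection_invariants(tpl) or "none")
```

Run it to emit the template and the invariant report; the check function is the piece worth keeping in CI, since it catches the two regressions that recreate the incident: a route table edited back to an instance or ENI target, and a target group changed off GENEVE/6081, either of which the stack would deploy without complaint.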