AWS Certified Solutions Architect – Professional — Question 1006

A company has introduced a new policy that allows employees to work remotely from their homes if they connect by using a VPN. The company is hosting internal applications with VPCs in multiple AWS accounts. Currently, the applications are accessible from the company's on-premises office network through an AWS Site- to-Site VPN connection. The VPC in the company's main AWS account has peering connections established with VPCs in other AWS accounts.
A solutions architect must design a scalable AWS Client VPN solution for employees to use while they work from home.
What is the MOST cost-effective solution that meets these requirements?

Answer options

• A. Create a Client VPN endpoint in each AWS account. Configure required routing that allows access to internal applications.
• B. Create a Client VPN endpoint in the main AWS account. Configure required routing that allows access to internal applications.
• C. Create a Client VPN endpoint in the main AWS account. Provision a transit gateway that is connected to each AWS account. Configure required routing that allows access to internal applications.
• D. Create a Client VPN endpoint in the main AWS account. Establish connectivity between the Client VPN endpoint and the AWS Site-to-Site VPN.

Correct answer: B

Explanation

AWS Client VPN supports routing traffic over active VPC peering connections. By deploying a single Client VPN endpoint in the primary AWS account and leveraging the existing VPC peering infrastructure, the company avoids the additional deployment and data processing costs associated with multiple endpoints or an AWS Transit Gateway. This makes configuring routing over the existing peering connections the most cost-effective and scalable approach.