AWS Certified Solutions Architect – Professional — Question 285
A solutions architect is designing a network for a new cloud deployment. Each account will need autonomy to modify route tables and make changes. Centralized and controlled egress internet connectivity is also needed. The cloud footprint is expected to grow to thousands of AWS accounts.
Which architecture will meet these requirements?
Answer options
- A. A centralized transit VPC with a VPN connection to a standalone VPC in each account. Outbound internet traffic will be controlled by firewall appliances.
- B. A centralized shared VPC with a subnet for each account. Outbound internet traffic will be controlled through a fleet of proxy servers.
- C. A shared services VPC to host central assets to include a fleet of firewalls with a route to the internet. Each spoke VPC will peer to the central VPC.
- D. A shared transit gateway to which each VPC will be attached. Outbound internet access will route through a fleet of VPN-attached firewalls.
Correct answer: D
Explanation
AWS Transit Gateway scales to thousands of attached VPCs while leaving each AWS account free to manage the route tables of its own VPC. A shared Transit Gateway with centralized egress through a fleet of VPN-attached firewalls therefore meets both the security (controlled outbound internet) and the scalability requirements. The other options fail on one of the two: VPC peering to a central VPC (Option C) and per-account VPN connections to a transit VPC (Option A) do not scale to thousands of VPCs, and a single shared VPC with a subnet per account (Option B) removes each account's autonomy over its route tables.