AWS Certified Solutions Architect – Professional — Question 366
ABC has created a multi-tenant Learning Management System (LMS). The application is hosted for five different tenants (clients) in the VPCs of the respective AWS accounts of the tenants. ABC wants to set up a centralized server that can connect to the LMS of each tenant to upgrade it if required. ABC also wants to ensure that, for security reasons, one tenant VPC cannot connect to another tenant VPC.
How can ABC set up this scenario?
Answer options
- A. ABC has to set up one centralized VPC that peers with all the other VPCs of the tenants.
- B. ABC should set up VPC peering with all the VPCs peering with each other, but block the IPs from the CIDR of the tenant VPCs to deny them.
- C. ABC should set up all the VPCs with the same CIDR but have a centralized VPC. This way only the centralized VPC can talk to the other VPCs using VPC peering.
- D. ABC should set up all the VPCs meshed together with VPC peering for all VPCs.
Correct answer: A
Explanation
AWS VPC peering is non-transitive: traffic cannot transit through a central VPC to reach another VPC that is peered with it. By establishing a hub-and-spoke topology in which only the central VPC is peered with each individual tenant VPC, the central server can communicate with all tenants while the tenant VPCs remain isolated from each other. Option B is incorrect because a full mesh of peerings creates the very tenant-to-tenant connectivity that must be prevented, and relying on blocking rules to undo it is fragile. Option C is incorrect because VPC peering does not support overlapping CIDR blocks. Option D is incorrect because a full mesh connects every tenant VPC to every other tenant VPC.