AWS Certified Solutions Architect – Professional — Question 781

A company operates a fleet of servers on premises and operates a fleet of Amazon EC2 instances in its organization in AWS Organizations. The company's AWS accounts contain hundreds of VPCs. The company wants to connect its AWS accounts to its on-premises network. AWS Site-to-Site VPN connections are already established to a single AWS account. The company wants to control which VPCs can communicate with other VPCs.

Which combination of steps will achieve this level of control with the LEAST operational effort? (Choose three.)

Answer options

• A. Create a transit gateway in an AWS account. Share the transit gateway across accounts by using AWS Resource Access Manager (AWS RAM).
• B. Configure attachments to all VPCs and VPNs.
• C. Set up transit gateway route tables. Associate the VPCs and VPNs with the route tables.
• D. Configure VPC peering between the VPCs.
• E. Configure attachments between the VPCs and VPNs.
• F. Set up route tables on the VPCs and VPNs.

Correct answer: A, B, C

Explanation

AWS Transit Gateway is the ideal solution to connect hundreds of VPCs across multiple AWS accounts and on-premises networks with minimal operational overhead. Sharing the Transit Gateway via AWS RAM (Option A) and attaching all VPCs and VPNs to it (Option B) centralizes the hybrid network architecture. Using Transit Gateway route tables (Option C) allows administrators to precisely control which VPCs can communicate with each other, avoiding the high operational complexity of managing hundreds of individual VPC peering connections or manual routing setups.