AWS Certified Solutions Architect – Professional — Question 916
A company must deploy multiple independent instances of an application. The front-end application is internet accessible. However, corporate policy stipulates that the backends are to be isolated from each other and the internet, yet accessible from a centralized administration server. The application setup should be automated to minimize the opportunity for mistakes as new instances are deployed.
Which option meets the requirements and MINIMIZES costs?
Answer options
- A. Use an AWS CloudFormation template to create identical IAM roles for each region. Use AWS CloudFormation StackSets to deploy each application instance by using parameters to customize for each instance, and use security groups to isolate each instance while permitting access to the central server.
- B. Create each instance of the application IAM roles and resources in separate accounts by using AWS CloudFormation StackSets. Include a VPN connection to the VPN gateway of the central administration server.
- C. Duplicate the application IAM roles and resources in separate accounts by using a single AWS CloudFormation template. Include VPC peering to connect the VPC of each application instance to a central VPC.
- D. Use the parameters of the AWS CloudFormation template to customize the deployment into separate accounts. Include a NAT gateway to allow communication back to the central administration server.
Correct answer: C
Explanation
Deploying each application instance from a single AWS CloudFormation template into its own AWS account gives every instance an account boundary, the strongest isolation AWS offers, and keeps deployments consistent: the template is written once and only its parameters (instance name, CIDR ranges, central VPC details) change per instance, which is exactly what the automation requirement asks for. Connecting each backend VPC to a central administration VPC with VPC peering is also the cheapest way to provide administrative access. A peering connection has no hourly charge (only data transfer across it is billed), and because peering is not transitive, backend VPCs that each peer with the central VPC cannot reach one another through it, which satisfies the requirement that backends be isolated from each other.

Option A keeps every instance in one account and relies on security groups for separation. Security groups are a per-instance packet filter, not an account boundary; one mis-scoped rule exposes a backend to its neighbours. Option B is workable, but a Site-to-Site VPN connection carries an hourly charge that peering avoids. Option D fails the isolation requirement outright: a NAT gateway exists to give private subnets outbound internet access, which the policy forbids, and it is billed per hour and per GB on top of that.
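The template below is an added illustration of option C, not code from the question or from AWS. It defines one backend instance: a VPC with no internet gateway and no NAT gateway, a cross-account peering connection to the central administration VPC, a route to the central VPC only, and a security group whose only ingress is the administration port from the central VPC's CIDR. Every name and parameter value is hypothetical. It assumes the central account has already created a role (passed as PeerAcceptRoleArn) that the backend account may assume to accept the peering request, that the central VPC's own route table gets a return route to each backend CIDR added on the central side, and that backend CIDRs do not overlap with each other or with the central VPC.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Hypothetical example: one isolated backend VPC peered to a central
  administration VPC in another account. Deploy once per instance with
  different parameter values; backend CIDRs must not overlap.

Parameters:
  InstanceName:
    Type: String            # e.g. tenant-a (hypothetical)
  BackendVpcCidr:
    Type: String
    Default: 10.10.0.0/16   # unique per instance
  BackendSubnetCidr:
    Type: String
    Default: 10.10.1.0/24
  CentralAccountId:
    Type: String            # account that owns the admin VPC
  CentralVpcId:
    Type: String            # plain String: the VPC lives in another account
  CentralVpcCidr:
    Type: String
    Default: 10.0.0.0/16
  PeerAcceptRoleArn:
    Type: String            # role in the central account that accepts peering
  AdminPort:
    Type: Number
    Default: 22

Resources:
  # No AWS::EC2::InternetGateway and no AWS::EC2::NatGateway are defined,
  # so nothing in this VPC has a path to the internet.
  BackendVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref BackendVpcCidr
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Sub '${InstanceName}-backend'

  BackendSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref BackendVpc
      CidrBlock: !Ref BackendSubnetCidr
      MapPublicIpOnLaunch: false   # never hand out public IPs here

  BackendRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref BackendVpc

  BackendSubnetRouteAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref BackendSubnet
      RouteTableId: !Ref BackendRouteTable

  # Cross-account peering: PeerRoleArn is required when the peer VPC is
  # owned by another account; CloudFormation assumes it to auto-accept.
  PeeringToCentral:
    Type: AWS::EC2::VPCPeeringConnection
    Properties:
      VpcId: !Ref BackendVpc
      PeerVpcId: !Ref CentralVpcId
      PeerOwnerId: !Ref CentralAccountId
      PeerRoleArn: !Ref PeerAcceptRoleArn

  # The only non-local route: the central admin VPC via the peering link.
  # Peering is not transitive, so other backends peered to the central VPC
  # are still unreachable from here.
  RouteToCentral:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref BackendRouteTable
      DestinationCidrBlock: !Ref CentralVpcCidr
      VpcPeeringConnectionId: !Ref PeeringToCentral

  # Ingress restricted to the admin port from the central VPC's CIDR only.
  BackendAdminSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Administrative access only from the central VPC
      VpcId: !Ref BackendVpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref AdminPort
          ToPort: !Ref AdminPort
          CidrIp: !Ref CentralVpcCidr

Outputs:
  BackendVpcId:
    Value: !Ref BackendVpc
  PeeringConnectionId:
    Value: !Ref PeeringToCentral   # central account adds its return route to BackendVpcCidr
```

Two checks worth running before treating an instance as isolated: confirm the backend route table has no 0.0.0.0/0 entry (there is no target for one here, but a later manual edit could add an internet gateway), and confirm the security group has no 0.0.0.0/0 ingress. Also note that every backend peers with the same central VPC, and a VPC has a default quota of 50 active peering connections (raisable to 125), so a large fleet eventually needs AWS Transit Gateway instead, at a higher cost than peering.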