AWS Certified Solutions Architect – Professional — Question 926
A company wants to use a hybrid cloud architecture between an on-premises data center and AWS. The company already has deployed a multi-account structure in AWS Organizations while following the AWS Well-Architected Framework.
Due to strict security requirements, connectivity between the data center and AWS must be encrypted in transit. Only a single entry point into AWS is permitted from the data center. The data center must be able to access all the AWS accounts.
Which solution meets these requirements?
Answer options
- A. Connect the AWS accounts with AWS Transit Gateway. Establish an AWS Site-to-Site VPN connection with the data center, and attach the connection to the transit gateway. Route traffic from the data center to all AWS accounts.
- B. Connect the AWS accounts with VPC peering. Establish an AWS Site-to-Site VPN connection with the data center. Route traffic from the data center to all AWS accounts.
- C. Connect the AWS accounts with VPC peering. Establish an AWS Direct Connect connection to the closest AWS Region. Route traffic from the data center to all AWS accounts.
- D. Connect the AWS accounts with AWS Transit Gateway. Establish an AWS Direct Connect connection to the closest AWS Region, and attach the connection to the transit gateway. Route traffic from the data center to all AWS accounts.
Correct answer: A
Explanation
AWS Transit Gateway is a regional hub that interconnects many VPCs, and it can be shared with the other accounts in the organization through AWS Resource Access Manager (AWS RAM), so a single transit gateway serves as the one entry point the data center needs to reach every account. An AWS Site-to-Site VPN connection attached to the transit gateway carries the traffic over IPsec tunnels, which satisfies the encryption-in-transit requirement. Options B and C are incorrect because VPC peering is not transitive: traffic arriving from the data center in one VPC cannot be forwarded through it into a peered VPC, so every account would need its own connection rather than a single entry point. Options C and D are also incorrect because a standard AWS Direct Connect connection is a private but unencrypted link and does not provide encryption in transit by default.