AWS Certified Solutions Architect – Professional — Question 942
A company has more than 100 AWS accounts, with one VPC per account, that need outbound HTTPS connectivity to the internet. The current design contains one NAT gateway per Availability Zone (AZ) in each VPC. To reduce costs and obtain information about outbound traffic, management has asked for a new architecture for internet access.
Which solution will meet the current needs, and continue to grow as new accounts are provisioned, while reducing costs?
Answer options
- A. Create a transit VPC across two AZs using a third-party routing appliance. Create a VPN connection to each VPC. Default route internet traffic to the transit VPC.
- B. Create multiple hosted-private AWS Direct Connect VIFs, one per account, each with a Direct Connect gateway. Default route internet traffic back to an on-premises router to route to the internet.
- C. Create a central VPC for outbound internet traffic. Use VPC peering to default route to a set of redundant NAT gateways in the central VPC.
- D. Create a proxy fleet in a central VPC account. Create an AWS PrivateLink endpoint service in the central VPC. Use PrivateLink interface for internet connectivity through the proxy fleet.
Correct answer: D
Explanation
Using a central proxy fleet combined with AWS PrivateLink allows the organization to consolidate internet-bound HTTPS traffic, eliminating the high costs associated with provisioning NAT gateways in every VPC. This architecture provides a highly scalable solution for new accounts while enabling traffic inspection and logging at the central proxy fleet. Other options, such as VPC peering, do not support transitive routing to a NAT gateway, and VPN or Direct Connect solutions introduce unnecessary latency, complexity, and cost.