AWS Certified SysOps Administrator – Associate (legacy) — Question 577
A company is concerned about its ability to recover from a disaster because all of its Amazon EC2 instances are located in a single Amazon VPC in us-east-1. A second Amazon VPC has been configured in eu-west-1 to act as a backup VPC in case of an outage. Data will be replicated from the primary region to the secondary region. The Information Security team's compliance requirements specify that all data must be encrypted and must not traverse the public internet.
How should the SysOps Administrator connect the two VPCs while meeting the compliance requirements?
Answer options
- A. Configure EC2 instances to act as VPN appliances, then configure route tables.
- B. Configure inter-region VPC peering between the two VPCs, then configure route tables.
- C. Configure NAT gateways in both VPCs, then configure route tables.
- D. Configure an internet gateway in each VPC, and use these as the targets for the VPC route tables.
Correct answer: B
Explanation
Inter-region VPC peering routes traffic across the AWS global network backbone without ever traversing the public internet, and all inter-region peering traffic is automatically encrypted at the physical layer. Using NAT gateways or internet gateways would force the replication traffic over the public internet, violating the compliance requirement. While EC2-based VPNs can encrypt traffic, they are more complex to manage and typically route traffic over the public internet unless paired with AWS Direct Connect.
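As an added example (not part of the original question, and not an AWS tool), the following Python audit turns the compliance requirement into a check a SysOps Administrator can run over route-table output: every route that would carry traffic to the peer VPC's CIDR must point at the peering connection (a `pcx-` target) and be in the `active` state. A route table with no peer route falls through to its default route, so replication traffic would leave via an internet gateway or NAT gateway; a `blackhole` peering route means the failover path is silently broken. The input mirrors the shape of `aws ec2 describe-route-tables --output json`, but the route table IDs, VPC IDs and CIDRs are constructed for this example.

```python
"""Audit VPC route tables for a compliant inter-region peering path."""
import ipaddress
import json

# Constructed sample data (shape follows `aws ec2 describe-route-tables`);
# all identifiers and CIDRs below are made up for this example.
PRIMARY_CIDR = "10.0.0.0/16"    # assumed CIDR of the us-east-1 VPC
SECONDARY_CIDR = "10.1.0.0/16"  # assumed CIDR of the eu-west-1 backup VPC

SAMPLE_ROUTE_TABLES = json.loads("""
{
  "RouteTables": [
    {"RouteTableId": "rtb-0aaa", "VpcId": "vpc-0primary", "Routes": [
      {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
      {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-0abc", "State": "active"},
      {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0def", "State": "active"}
    ]},
    {"RouteTableId": "rtb-0bbb", "VpcId": "vpc-0primary", "Routes": [
      {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
      {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123", "State": "active"}
    ]},
    {"RouteTableId": "rtb-0ccc", "VpcId": "vpc-0primary", "Routes": [
      {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
      {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-0abc", "State": "blackhole"}
    ]}
  ]
}
""")

# Keys under which a route's target appears in describe-route-tables output.
TARGET_KEYS = ("VpcPeeringConnectionId", "GatewayId", "NatGatewayId",
               "TransitGatewayId", "NetworkInterfaceId", "InstanceId")


def route_target(route):
    """Return the target identifier of a route (e.g. pcx-..., igw-..., nat-...)."""
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return "unknown"


def effective_routes(routes, peer_net):
    """Return the routes that would carry traffic destined for peer_net.

    VPC routing is longest-prefix match, so every route equal to or more
    specific than the peer CIDR applies. If there is no route for exactly the
    peer CIDR, the remainder of the peer range falls to the most specific
    supernet (usually the 0.0.0.0/0 default route), so that route applies too.
    Only IPv4 CIDR routes are considered; prefix-list and IPv6 routes are skipped.
    """
    specific, supernets = [], []
    for route in routes:
        cidr = route.get("DestinationCidrBlock")
        if not cidr:
            continue
        net = ipaddress.ip_network(cidr)
        if not net.overlaps(peer_net):
            continue
        (specific if net.prefixlen >= peer_net.prefixlen else supernets).append((net, route))
    has_exact = any(net == peer_net for net, _ in specific)
    if not has_exact and supernets:
        specific.append(max(supernets, key=lambda item: item[0].prefixlen))
    return specific


def audit_peer_routes(route_tables, peer_cidr):
    """Return (route_table_id, message) findings for non-compliant peer routing."""
    peer_net = ipaddress.ip_network(peer_cidr)
    findings = []
    for rtb in route_tables["RouteTables"]:
        for net, route in effective_routes(rtb["Routes"], peer_net):
            target = route_target(route)
            state = route.get("State", "unknown")
            if state != "active":
                findings.append((rtb["RouteTableId"],
                                 f"route {net} -> {target} is {state}; peer traffic is blackholed"))
            elif not target.startswith("pcx-"):
                findings.append((rtb["RouteTableId"],
                                 f"traffic for {net} goes to {target} instead of the peering connection"))
    return findings


if __name__ == "__main__":
    for rtb_id, message in audit_peer_routes(SAMPLE_ROUTE_TABLES, SECONDARY_CIDR):
        print(f"{rtb_id}: {message}")
```

In the sample, `rtb-0aaa` passes because the exact peer route points at the peering connection and the default route to the internet gateway is never consulted for that destination; `rtb-0bbb` is flagged because peer-bound traffic would fall through to the NAT gateway, and `rtb-0ccc` is flagged because its peering route is blackholed. The same check should be run in the eu-west-1 VPC with the primary CIDR as the peer, since peering routes must exist on both sides.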