AWS Certified Solutions Architect - Professional

Question #745

A solutions architect at a large enterprise needs to design a centrally managed network security solution for all outbound internet traffic across an AWS Organization with over 200 AWS accounts. The accounts are interconnected via a centralized AWS Transit Gateway, and each account currently uses an internet gateway and a NAT gateway for outbound traffic. The company requires rule-based filtering for all outbound traffic, which must be managed centrally and scale to handle peak traffic of 30 Gbps per Availability Zone in a single AWS Region.

Which solution meets these requirements?

A

Create a centralized VPC for outbound traffic. Attach the Transit Gateway to this VPC. Deploy an Auto Scaling group of Amazon EC2 instances running an open-source proxy for filtering. Modify all default routes to direct traffic through the proxy instances.

B

Create a dedicated VPC for centralized outbound traffic. Connect this VPC to the existing Transit Gateway. Deploy AWS Network Firewall with endpoints in each Availability Zone. Configure a NAT gateway and update all default routes to route traffic through the Network Firewall endpoints.

C

Deploy an AWS Network Firewall within each AWS account. Modify the default routes in each account to direct outbound traffic through the local Network Firewall instance.

D

In each Availability Zone, create a shared NAT gateway and AWS Network Firewall in a centralized VPC. Update all account routes to use the shared NAT gateway and firewall endpoints.

Explanation

Answer B is correct because:
1. Centralized Management: A dedicated VPC connected to the Transit Gateway allows all accounts to route traffic through AWS Network Firewall endpoints, enabling centralized rule-based filtering.
2. Scalability: AWS Network Firewall automatically scales to handle 30 Gbps/AZ, avoiding the manual scaling challenges of EC2-based proxies (Option A).
3. NAT Integration: The solution uses a NAT gateway in the centralized VPC, aligning with the existing architecture while enforcing inspection via Network Firewall.

Why others are incorrect:
- A: EC2 proxies require manual scaling and lack AWS-managed scalability.
- C: Deploying firewalls per account violates the centralized management requirement.
- D: Shared NAT gateways are not natively supported across accounts; centralizing via Transit Gateway (B) is more efficient.

Key Points:
- Use AWS Network Firewall for managed, scalable filtering.
- Centralize traffic via Transit Gateway and a dedicated VPC.
- NAT gateway ensures outbound traffic compatibility after inspection.

Answer

The correct answer is: B