Question #969
A software as a service (SaaS) company hosts a media processing solution across 40 VPCs distributed globally in multiple AWS Regions and accounts. One VPC is designated as a logging VPC, which aggregates audit logs from all other VPCs. The compute resources in the VPCs operate independently.
The company needs to ensure all 40 VPCs can communicate bidirectionally. Additionally, one-way access from each customer's VPC to the logging VPC is required to transmit logs. The logging VPC hosts a centralized logging service that processes and stores audit data.
The number of VPCs will expand as the company onboards new customers.
Which combination of steps will provide the required connectivity with the LEAST operational overhead? (Choose two.)
Establish VPC peering connections between every pair of company VPCs.
Create a transit gateway. Attach all company VPCs and relevant subnets to the transit gateway.
Deploy a Network Load Balancer (NLB) linked to the logging service. Create an AWS PrivateLink endpoint service accessible to customer VPCs and associate it with the NLB.
Configure a VPN gateway in each customer's VPC. Establish AWS Site-to-Site VPN connections between the logging VPC and each customer's VPC.
Create VPC peering connections between the logging VPC and each customer's VPC.
Explanation
Answer A (Transit Gateway) simplifies bidirectional communication across 40+ VPCs by centralizing routing, avoiding the O(n²) complexity of VPC peering (B/E). Answer C (PrivateLink) allows customer VPCs to securely access the logging VPC via endpoints, eliminating the need for per-VPC peering/VPNs (D/E). Together, A and C minimize operational overhead while ensuring scalability. B/D/E are incorrect due to high management costs (B/D) or limited scalability (E). Key points: Use Transit Gateway for large-scale VPC connectivity and PrivateLink for scalable, one-way access to shared services.
Answer
The correct answer is: AC