AWS Certified Solutions Architect - Professional / Question #652 of 529

Question #652

A company is migrating its applications to AWS and anticipates having hundreds of AWS accounts and VPCs. The company requires seamless access from its corporate network to AWS resources and full VPC communication. Additionally, all internet-bound traffic from cloud resources must route through the on-premises data center. The company has established an AWS Direct Connect connection in a central network account.

Which combination of steps will fulfill these requirements? (Choose three.)

A

Create a Direct Connect gateway in the central account. In each account, create a virtual private gateway and associate it with the Direct Connect gateway via an association proposal.

B

Set up a Direct Connect gateway and transit gateway in the central account. Link them using a transit VIF.

C

Deploy an internet gateway in each VPC and update route tables to direct internet traffic through it.

D

Use AWS Resource Access Manager to share the transit gateway with other accounts. Attach all VPCs to the shared transit gateway.

E

Establish VPC peering connections between all VPCs.

F

Configure VPC route tables to send default traffic to the transit gateway. Set up on-premises NAT gateways to handle internet traffic.

Explanation

The solution requires scalable connectivity across hundreds of accounts/VPCs and routing internet traffic through on-premises.

- B: A Direct Connect Gateway and Transit Gateway linked via a Transit VIF enable connectivity between on-premises and AWS. The Transit VIF connects Direct Connect to the Transit Gateway, centralizing traffic.
- D: Sharing the Transit Gateway via AWS RAM allows all accounts to attach their VPCs, enabling seamless VPC-to-VPC communication without complex peering.
- F: Configuring VPC route tables to send default (0.0.0.0/0) traffic to the Transit Gateway means internet-bound traffic leaves each VPC toward the Transit Gateway, which forwards it over Direct Connect to the on-premises data center, where NAT handles internet access.

Why others are incorrect:
- A: Managing an individual virtual private gateway per account isn't scalable for hundreds of accounts, and a virtual private gateway provides no VPC-to-VPC routing.
- C: Internet gateways bypass on-premises routing, violating requirements.
- E: VPC peering isn't scalable for hundreds of VPCs.

Key Points: Use Transit Gateway for scalable VPC connectivity, Direct Connect Gateway for hybrid networking, and route tables to enforce traffic policies.
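The route-table requirement in option F is the one most easily broken later by someone adding an internet gateway in a spoke account, so a practitioner would want a check for it. The following is an added example, not part of the original question or explanation: a small audit over data shaped like `aws ec2 describe-route-tables` output (field names such as `RouteTableId`, `Routes`, `DestinationCidrBlock`, `GatewayId`, `TransitGatewayId` and `NatGatewayId` are real CLI output fields; every ID value below is constructed). It flags any route that points at an internet gateway and any route table whose default route does not target the shared transit gateway.

```python
"""Audit spoke-VPC route tables for the hub-and-spoke design: every route table
must send 0.0.0.0/0 to the shared transit gateway and nothing may use an
internet gateway.  Added example; IDs and sample data are constructed."""
import json

# Hypothetical ID of the transit gateway shared from the central network account via AWS RAM.
SHARED_TGW_ID = "tgw-0123456789abcdef0"

# Constructed sample in the shape of `aws ec2 describe-route-tables` output (IDs are made up).
SAMPLE_ROUTE_TABLES = json.loads("""
[
  {"RouteTableId": "rtb-spoke-ok", "VpcId": "vpc-spoke-a",
   "Routes": [
     {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-0123456789abcdef0", "State": "active"}]},
  {"RouteTableId": "rtb-spoke-igw", "VpcId": "vpc-spoke-b",
   "Routes": [
     {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0fedcba9876543210", "State": "active"}]},
  {"RouteTableId": "rtb-spoke-nodefault", "VpcId": "vpc-spoke-c",
   "Routes": [
     {"DestinationCidrBlock": "10.3.0.0/16", "GatewayId": "local", "State": "active"}]},
  {"RouteTableId": "rtb-spoke-nat", "VpcId": "vpc-spoke-d",
   "Routes": [
     {"DestinationCidrBlock": "10.4.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-00000000000000000", "State": "active"}]}
]
""")


def route_target(route):
    """Return the identifier a route points at, whichever target field is present."""
    for key in ("TransitGatewayId", "NatGatewayId", "VpcPeeringConnectionId", "GatewayId"):
        if route.get(key):
            return route[key]
    return "unknown"


def audit_route_table(route_table, tgw_id):
    """Return a list of findings for one route table; an empty list means compliant."""
    rtb = route_table["RouteTableId"]
    findings = []
    default_route = None
    for route in route_table.get("Routes", []):
        target = route_target(route)
        # Any internet-gateway target bypasses the on-premises egress path (option C).
        if target.startswith("igw-"):
            findings.append(f"{rtb}: {route['DestinationCidrBlock']} goes to internet gateway "
                            f"{target}, bypassing on-premises")
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            default_route = route
    if default_route is None:
        findings.append(f"{rtb}: no 0.0.0.0/0 route; internet-bound traffic is dropped "
                        f"instead of sent to the transit gateway")
    elif route_target(default_route) != tgw_id:
        findings.append(f"{rtb}: 0.0.0.0/0 targets {route_target(default_route)}, "
                        f"not shared transit gateway {tgw_id}")
    return findings


def audit(route_tables, tgw_id=SHARED_TGW_ID):
    """Audit every route table and map its ID to its findings."""
    return {rt["RouteTableId"]: audit_route_table(rt, tgw_id) for rt in route_tables}


if __name__ == "__main__":
    for rtb, findings in audit(SAMPLE_ROUTE_TABLES).items():
        print(rtb, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

In practice the input would be the `RouteTables` array from `aws ec2 describe-route-tables` run in each spoke account. The check covers only the VPC side of option F: the transit gateway's own route table must also send 0.0.0.0/0 toward the Direct Connect gateway attachment, and the on-premises side must offer a default route (advertised over BGP or configured statically), or the traffic stops at the transit gateway.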

Answer

The correct answer is: BDF