AWS Certified Solutions Architect - Professional / Question #628 of 529

Question #628

A company uses a transit gateway in their main AWS account to connect VPCs across multiple AWS accounts. Their on-premises network is connected via an AWS Site-to-Site VPN through the transit gateway. The company wants to implement a scalable AWS Client VPN solution for remote employees. What is the MOST cost-effective solution?

A. Create a Client VPN endpoint in each AWS account and configure routing to allow access.

B. Create a Client VPN endpoint in the main account and configure routing through VPC peering connections.

C. Create a Client VPN endpoint in the main account, attach it to the existing transit gateway, and configure routing.

D. Establish connectivity between a Client VPN endpoint in the main account and the AWS Site-to-Site VPN.

Explanation

Option C is correct because the transit gateway already connects VPCs across accounts and the on-premises network via Site-to-Site VPN. By attaching the Client VPN endpoint to the transit gateway, remote users can access all connected networks through centralized routing, avoiding redundant infrastructure.

- Why not A? Creating endpoints in each account is costly and complex, as it requires managing multiple endpoints and routing configurations.
- Why not B? VPC peering is not scalable for multi-account setups and does not integrate with the transit gateway, leading to fragmented routing.
- Why not D? Connecting Client VPN to Site-to-Site VPN would not inherently provide access to VPCs across accounts, requiring additional routing steps.

Key Points: Transit Gateway centralizes network routing; AWS Client VPN can attach to Transit Gateway for seamless access to all connected resources; reusing existing infrastructure reduces costs and complexity.

Answer

The correct answer is: C