Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 216 discussion

Centrally managed egress, so C/D are out. Both A and B are wrong, because 1. There isn’t internet gateway. 2. “Modify all default routes to point to the …”. A firewall or “proxy's Auto Scaling group” don’t have public IP, the default route must be pointing to the NAT gateway. And NAT gateway has a peer public IP configured on the IGW. The route should be: internet prefix of all the internal subnet-> NAT gateway -> firewall -> internet gateway, and reverse routing rules are also required. . Well, considering the persistent low quality of AWS Exam Questions, I vote B

b-b-b-b-b-b Create a new VPC specifically dedicated to outbound traffic to the internet. This helps isolate and manage the outbound traffic separately from other resources. Connect the existing transit gateway to the new VPC. This ensures that the VPC is connected to the centralized transit gateway that routes traffic between AWS accounts. Configure a new NAT gateway within the new VPC. This NAT gateway provides the necessary outbound connectivity to the internet for resources within the VPC. Use AWS Network Firewall, a managed firewall service, for rule-based filtering on the outbound traffic. Network Firewall allows you to define and enforce custom rules for traffic leaving the VPC. Create Network Firewall endpoints in each Availability Zone. These endpoints serve as the traffic inspection points where Network Firewall applies the filtering rules. Modify all default routes in the VPCs to point to the Network Firewall endpoints. This ensures that all outbound traffic from the VPCs flows through the Network Firewall for rule-based filtering.

c,d in each AWS account. wrong a: use third party solution, not as good as b (use aws service)

Option B

B. https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/using-nat-gateway-with-firewall.html

https://aws.amazon.com/blogs/security/hands-on-walkthrough-of-the-aws-network-firewall-flexible-rules-engine/

Given the available options and the requirements: B. Create an interface VPC endpoint for API Gateway, and set an endpoint policy to only allow access to the specific API. Add a resource policy to API Gateway to only allow access from the VPC endpoint. Change the API Gateway endpoint type to private. is the correct answer.

B for sure

centrally managed outbound traffic: tgw-> centralized VPC with network firewall with rules-> internet

vote for B. The keyword is "centrally managed rule-based filtering on outbound traffic to the internet for all AWS accounts...". Network Firewall can centrally manage network security policies.

B. Answer A is similar, but you have to deal with EC2 instances and dealing with 3rd party FW, not good - management overhead. C is impossible. D is waay to much hard to manage.

Correct answer is B

vote for B