Exam AWS Certified Solutions Architect - Professional All Questions


Exam AWS Certified Solutions Architect - Professional topic 1 question 630 discussion

A solutions architect is designing a network for a new cloud deployment. Each account will need autonomy to modify route tables and make changes. Centralized and controlled egress internet connectivity is also needed. The cloud footprint is expected to grow to thousands of AWS accounts.
Which architecture will meet these requirements?

  • A. A centralized transit VPC with a VPN connection to a standalone VPC in each account. Outbound internet traffic will be controlled by firewall appliances.
  • B. A centralized shared VPC with a subnet for each account. Outbound internet traffic will be controlled through a fleet of proxy servers.
  • C. A shared services VPC to host central assets to include a fleet of firewalls with a route to the internet. Each spoke VPC will peer to the central VPC.
  • D. A shared transit gateway to which each VPC will be attached. Outbound internet access will route through a fleet of VPN-attached firewalls.
Suggested Answer: D

Comments

MarkDillon1075
Highly Voted 3 years, 7 months ago
D - https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-egress-to-internet.html
upvoted 25 times
kirrim
Highly Voted 3 years, 6 months ago
A would not scale beyond 100 VPN connections to a VPC.
B would not scale beyond 200 subnets in a single VPC (you can increase the subnet quota beyond 200, but ultimately this doesn't scale because your CIDR and minimum subnet size would limit you at some point).
C would not scale beyond the VPC peering limit of 50 (you can increase this to 125, but not beyond that).
D would scale the most, but even that is not infinite: you'd have a limit of 5,000 TGW attachments (can be increased), or 10k static routes per TGW (one for each VPC CIDR), or 50 Gbps throughput, or the VPN throughput of your firewalls.
upvoted 14 times
Kopa
3 years, 5 months ago
good explanation
upvoted 2 times
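The transit gateway design behind option D, as an added example that is not part of the thread or of AWS's documentation: a small Python model of the two TGW route tables (spoke and egress) with longest-prefix-match lookup, showing why spokes reach the internet only through the firewall VPC and, with blackhole routes, cannot reach each other no matter how an account edits its own VPC route tables. Attachment ids and CIDRs are constructed values.

```python
import ipaddress

# Constructed topology for option D: three spoke VPCs (one per account) and an
# egress VPC hosting the firewall fleet, all attached to one shared Transit
# Gateway (TGW). Attachment ids and CIDRs are made-up sample values.
SPOKES = {
    "tgw-attach-spoke-a": "10.1.0.0/16",
    "tgw-attach-spoke-b": "10.2.0.0/16",
    "tgw-attach-spoke-c": "10.3.0.0/16",
}
EGRESS_ATTACHMENT = "tgw-attach-egress"
BLACKHOLE = None  # a route whose target is None drops the packet at the TGW

# TGW route table each attachment is associated with; this lives in the
# network account, so spoke accounts cannot change it from their side.
ASSOCIATION = {att: "spoke" for att in SPOKES}
ASSOCIATION[EGRESS_ATTACHMENT] = "egress"

def build_tgw_route_tables():
    """Two TGW route tables, as in the AWS centralized-egress pattern.
    'spoke': default route to the egress VPC, plus blackhole routes for the
    spoke CIDRs that win by longest-prefix match, so spokes cannot reach each
    other via the TGW however an account edits its own VPC route tables.
    'egress': only return routes to each spoke CIDR for firewall replies."""
    spoke = [(ipaddress.ip_network("0.0.0.0/0"), EGRESS_ATTACHMENT)]
    spoke += [(ipaddress.ip_network(c), BLACKHOLE) for c in SPOKES.values()]
    egress = [(ipaddress.ip_network(c), att) for att, c in SPOKES.items()]
    return {"spoke": spoke, "egress": egress}

def next_hop(tables, ingress_attachment, dst_ip):
    """Longest-prefix-match lookup in the TGW route table associated with the
    attachment the packet arrived on. Returns the target attachment id, or
    None when the packet is blackholed or has no matching route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in tables[ASSOCIATION[ingress_attachment]]:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def spokes_are_isolated(tables):
    """True if no spoke can reach a host in any other spoke through the TGW."""
    for src in SPOKES:
        for dst_att, cidr in SPOKES.items():
            host = str(next(ipaddress.ip_network(cidr).hosts()))
            if dst_att != src and next_hop(tables, src, host) is not None:
                return False
    return True
```

Spoke VPCs still own their VPC route tables (their 0.0.0.0/0 points at the TGW attachment), which is the per-account autonomy the question asks for; the egress decision is enforced one layer up.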
Jesuisleon
Most Recent 1 year, 11 months ago
Selected Answer: D
I think D's "VPN-attached firewalls" should be "VPC-attached firewalls"? Otherwise it makes no sense.
upvoted 1 times
evargasbrz
2 years, 4 months ago
Selected Answer: D
D looks better
upvoted 1 times
kangtamo
2 years, 10 months ago
Selected Answer: D
Agree with D.
upvoted 1 times
AzureDP900
3 years, 5 months ago
I will go with D
upvoted 1 times
moon2351
3 years, 6 months ago
Answer is D
upvoted 1 times
andylogan
3 years, 6 months ago
It's D with shared transit gateway
upvoted 1 times
tgv
3 years, 6 months ago
DDD ---
upvoted 1 times
WhyIronMan
3 years, 6 months ago
I'll go with D
upvoted 2 times
student2020
3 years, 6 months ago
D looks good except "VPN-attached firewalls". What is this? Did they mean VPC attached firewalls?
upvoted 5 times
student2020
3 years, 6 months ago
Architecture for D is explained here: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-egress-to-internet.html
upvoted 3 times
ryu10_09
3 years, 5 months ago
Using an EC2 instance for centralized outbound: Using a software-based firewall appliance (on EC2) from AWS Marketplace as an egress point is similar to the NAT gateway setup. This option can be used if you want to leverage the layer 7 firewall/Intrusion Prevention/Detection System (IPS/IDS) capabilities of the various vendor offerings. In Figure 12, we replace NAT Gateway with an EC2 instance (with SNAT enabled on the EC2 instance). There are a few key considerations with this
upvoted 1 times
Waiweng
3 years, 6 months ago
It's D.
upvoted 4 times
certainly
3 years, 7 months ago
I will go with B. https://aws.amazon.com/blogs/networking-and-content-delivery/how-to-use-aws-privatelink-to-secure-and-scale-web-filtering-using-explicit-proxy/. D: how do you route internet traffic through a VPN-connected firewall?
upvoted 2 times
nitinz
3 years, 6 months ago
Seems B to me.
upvoted 1 times
nitinz
3 years, 6 months ago
Changing to D
upvoted 1 times
certainly
3 years, 6 months ago
Changing my answer to D. B says "A centralized shared VPC with a subnet for each account"; this would not allow growing to support 1000s of AWS accounts.
upvoted 1 times
Kian1
3 years, 7 months ago
going with D transit gateway
upvoted 2 times
Trap_D0_r
3 years, 7 months ago
D. This is *THE* use case for a Transit Gateway. All the other information in the answers is a distraction.
upvoted 3 times
Ebi
3 years, 7 months ago
I will go with D
upvoted 5 times
Bulti
3 years, 7 months ago
D is the correct answer as it is the only scalable option listed.
upvoted 1 times