Learn the most efficient combination of steps to automate the deployment of common network components, including VPCs connected to a transit gateway, across new and existing member accounts in an AWS Control Tower based multi-account environment.
Question
A network engineer is working on a large migration effort from an on-premises data center to an AWS Control Tower based multi-account environment. The environment has a transit gateway that is deployed to a central network services account. The transit gateway has been shared with the organization in AWS Organizations through AWS Resource Access Manager (AWS RAM).
A shared services account also exists in the environment. The shared services account hosts workloads that need to be shared with the entire organization.
The network engineer needs to create a solution to automate the deployment of common network components across the environment. The solution must provision a VPC for application workloads to each new and existing member account. The VPCs must be connected to the transit gateway in the central network services account.
Which combination of steps will meet these requirements with the LEAST operational overhead? (Choose three.)
A. Deploy an AWS Lambda function to the shared services account. Program the Lambda function to assume a role in the new and existing member accounts to provision the necessary network infrastructure.
B. Update the existing accounts with an Account Factory Customization (AFC). Select the same AFC when provisioning new accounts.
C. Create an AWS CloudFormation template that describes the infrastructure that needs to be created in each account. Upload the template as an AWS Service Catalog product to the shared services account.
D. Deploy an Amazon EventBridge rule on a default event bus in the shared services account. Configure the EventBridge rule to react to AWS Control Tower CreateManagedAccount lifecycle events and to invoke the AWS Lambda function.
E. Create an AWSControlTowerBlueprintAccess role in the shared services account.
F. Create an AWSControlTowerBlueprintAccess role in each member account.
Answer
B. Update the existing accounts with an Account Factory Customization (AFC). Select the same AFC when provisioning new accounts.
C. Create an AWS CloudFormation template that describes the infrastructure that needs to be created in each account. Upload the template as an AWS Service Catalog product to the shared services account.
E. Create an AWSControlTowerBlueprintAccess role in the shared services account.
Explanation
Account Factory Customization (AFC) is the Control Tower native way to deploy the same infrastructure into every account that Account Factory provisions or updates, so it carries the least operational overhead: there is no custom code to write, host or patch. The three steps are:
1. (C) Describe the per-account infrastructure (the workload VPC, its subnets, the transit gateway attachment and the routes that send traffic to the transit gateway) in a CloudFormation template, and publish that template as an AWS Service Catalog product in the shared services account. In AFC terms the shared services account is the hub account and the product is the blueprint. The transit gateway ID can be an ordinary template parameter, because the transit gateway is shared with the whole organization through AWS RAM and every member account can therefore create an attachment to it.
2. (E) Create an IAM role named AWSControlTowerBlueprintAccess in the shared services (hub) account. AWS Control Tower assumes this role from the management account to read the Service Catalog product and launch it into member accounts. The role is created once, in the hub account only; it is not needed in the member accounts.
3. (B) In Account Factory, select the blueprint when provisioning each new account, and run an account update on each existing account with the same blueprint. Control Tower then deploys the template into every member account in the Region(s) you select, so new and existing accounts end up with an identical VPC attached to the transit gateway.
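The following CloudFormation template is an added example of what the blueprint in step 1 could contain; it is not taken from the page or from the exam. It assumes the VPC CIDR is a /16 (so that two /24 subnets can be carved from it), that the transit gateway ID is passed in as a parameter, and that the transit gateway has already been shared with the organization through AWS RAM. The resource names, the placeholder CIDR 10.42.0.0/16 and the stack outputs are all illustrative choices.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Illustrative AFC blueprint (added example, not from the page): a workload VPC
  with two private subnets, attached to a transit gateway that the central
  network services account shared through AWS RAM, with all non-local traffic
  routed to that transit gateway.

Parameters:
  VpcCidr:
    Type: String
    Default: 10.42.0.0/16          # assumed placeholder; give each account its own /16
    AllowedPattern: ^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$
    Description: CIDR block for the workload VPC (a /16 is assumed by the subnet maths below)
  TransitGatewayId:
    Type: String
    AllowedPattern: ^tgw-[0-9a-f]{8,17}$
    Description: ID of the transit gateway shared from the central network services account

Resources:
  WorkloadVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-workload-vpc

  # Two private subnets in different AZs; a transit gateway attachment uses one
  # subnet per Availability Zone it should serve.
  PrivateSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref WorkloadVpc
      CidrBlock: !Select [0, !Cidr [!Ref VpcCidr, 2, 8]]   # first /24 carved from the /16
      AvailabilityZone: !Select [0, !GetAZs '']
  PrivateSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref WorkloadVpc
      CidrBlock: !Select [1, !Cidr [!Ref VpcCidr, 2, 8]]   # second /24
      AvailabilityZone: !Select [1, !GetAZs '']

  # Attachment to the RAM-shared transit gateway. No internet gateway or NAT
  # gateway is created, so the only path out of this VPC is the transit gateway,
  # which keeps egress under the network services account's control.
  TgwAttachment:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties:
      TransitGatewayId: !Ref TransitGatewayId
      VpcId: !Ref WorkloadVpc
      SubnetIds:
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-tgw-attachment

  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref WorkloadVpc

  # EC2 rejects a route that targets a transit gateway until the VPC is attached
  # to it, so the route is explicitly ordered after the attachment.
  DefaultRouteToTgw:
    Type: AWS::EC2::Route
    DependsOn: TgwAttachment
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayId: !Ref TransitGatewayId

  PrivateSubnetARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetA
      RouteTableId: !Ref PrivateRouteTable
  PrivateSubnetBRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetB
      RouteTableId: !Ref PrivateRouteTable

Outputs:
  VpcId:
    Value: !Ref WorkloadVpc
  TransitGatewayAttachmentId:
    Value: !Ref TgwAttachment
```

Two caveats a practitioner should check before publishing this as a blueprint. First, the member account only creates its side of the attachment: if the shared transit gateway does not auto-accept shared attachments, the attachment stays in the pending-acceptance state until the network services account accepts it, and the transit gateway route table association and propagation for the new VPC are still configured in that account. Second, the template deliberately creates no internet gateway, so any internet egress must be provided centrally behind the transit gateway; if a workload account needs its own egress, that is a different blueprint, not a parameter on this one.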
Options A and D describe the alternative: a custom lifecycle-event pipeline in which a Lambda function assumes a role in every member account and an EventBridge rule invokes it on CreateManagedAccount lifecycle events. That design works, but it is more operational overhead. You own the function, its cross-account roles, its error handling and its updates; Control Tower lifecycle events are emitted in the management account, so a rule on the default event bus in the shared services account would also need cross-account event delivery; and the rule only fires for new accounts, which leaves the existing accounts to a separate backfill. Option F puts the blueprint access role in every member account, but AFC needs it only in the hub account, and Control Tower already uses the AWSControlTowerExecution role that exists in each member account to deploy the blueprint stack there. With AFC, a single Service Catalog product in the shared services account gives consistent VPCs attached to the transit gateway across all new and existing accounts with the least operational overhead.
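The role from step 2 (option E) is the cross-account trust that lets the management account read and launch the blueprint, so its trust policy is worth getting right. The template below is an added example, not the page's or AWS's own template. The role name AWSControlTowerBlueprintAccess and the AWSServiceCatalogAdminFullAccess managed policy are what Control Tower requires; the two parameters, the resource name BlueprintAccessRole and the assumption that a named role in the management account is used to run Account Factory are this example's own choices, and the exact set of principals to trust should be checked against the current Control Tower documentation.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Illustrative hub-account role for Account Factory Customization (added
  example, not from the page). Deploy once, in the shared services (hub)
  account that holds the blueprint product, and never in member accounts.

Parameters:
  ManagementAccountId:
    Type: String
    AllowedPattern: ^\d{12}$
    Description: Account ID of the AWS Control Tower management account
  AccountFactoryUserRoleName:
    Type: String
    Description: >-
      Assumed parameter: name of the role in the management account that your
      administrators use to provision and update accounts in Account Factory

Resources:
  BlueprintAccessRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AWSControlTowerBlueprintAccess   # exact name that Control Tower looks for
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              AWS:
                # Control Tower's own service role in the management account
                - !Sub arn:aws:iam::${ManagementAccountId}:role/service-role/AWSControlTowerAdmin
                # The role that launches Account Factory (assumed; see Description above)
                - !Sub arn:aws:iam::${ManagementAccountId}:role/${AccountFactoryUserRoleName}
      # Lets the assumed role read and launch Service Catalog products in this account
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSServiceCatalogAdminFullAccess

Outputs:
  BlueprintAccessRoleArn:
    Value: !GetAtt BlueprintAccessRole.Arn
```

The trust policy is the security boundary here: it names only principals in the management account. Widening it to member accounts, or to a wildcard, would let anyone who holds such a role read and launch every product in the hub account. AWSServiceCatalogAdminFullAccess is also a broad policy, which is a good reason to keep the hub account dedicated to blueprints rather than co-locating it with other workloads, and to create this role in exactly one account (option E) rather than in every member account (option F).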
This is a practice question and answer for the Amazon AWS Certified Advanced Networking – Specialty (ANS-C01) certification exam.