
Amazon SAP-C02: What should a solutions architect do to meet these requirements to limit the traffic between the VPCs

Question

A company uses AWS CloudFormation to deploy applications within multiple VPCs that are all attached to a transit gateway. Each VPC that sends traffic to the public internet must send the traffic through a shared services VPC. Each subnet within a VPC uses the default VPC route table, and the traffic is routed to the transit gateway. The transit gateway uses its default route table for any VPC attachment.

A security audit reveals that an Amazon EC2 instance that is deployed within a VPC can communicate with an EC2 instance that is deployed in any of the company’s other VPCs. A solutions architect needs to limit the traffic between the VPCs. Each VPC must be able to communicate only with a predefined, limited set of authorized VPCs. What should the solutions architect do to meet these requirements?

A. Update the network ACL of each subnet within a VPC to allow outbound traffic only to the authorized VPCs. Remove all deny rules except the default deny rule.
B. Update all the security groups that are used within a VPC to deny outbound traffic to security groups that are used within the unauthorized VPCs.
C. Create a dedicated transit gateway route table for each VPC attachment. Route traffic only to the authorized VPCs.
D. Update the main route table of each VPC to route traffic only to the authorized VPCs through the transit gateway.

Answer

C. Create a dedicated transit gateway route table for each VPC attachment. Route traffic only to the authorized VPCs.

Explanation

The correct answer is C. Create a dedicated transit gateway route table for each VPC attachment. Route traffic only to the authorized VPCs.

A transit gateway is a network transit hub that allows you to interconnect multiple VPCs and on-premises networks. By default, a transit gateway has a single route table that is associated with every VPC attachment and to which every attachment propagates its routes, which means that any VPC can communicate with any other VPC through the transit gateway. To limit the traffic between the VPCs, you need to create a dedicated transit gateway route table for each VPC attachment and associate that route table with the corresponding attachment. Then, you need to add routes to each transit gateway route table that reach only the VPCs that attachment is authorized to communicate with. This way, you control the traffic flow between the VPCs at the transit gateway, using its route tables as isolated routing domains.
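The following CloudFormation template is an added example, not part of the original question or answer. It shows a dedicated transit gateway route table for one application VPC attachment that reaches only one authorized VPC plus the shared services VPC for internet-bound traffic. The transit gateway, the three attachments, and the CIDRs (10.10.0.0/16 for the authorized VPC, 10.0.0.0/8 for the company's address space) are assumed values supplied as parameters; it also assumes the attachment is not still associated with the transit gateway's default route table, since an attachment can be associated with only one route table.

```yaml
# Added example (not from the page): one isolated TGW route table per VPC attachment.
# Assumes the transit gateway and attachments already exist; CIDRs are constructed samples.
AWSTemplateFormatVersion: '2010-09-09'
Description: Dedicated transit gateway route table for the App A VPC attachment
Parameters:
  TransitGatewayId:
    Type: String
  AppAAttachmentId:
    Type: String
  AuthorizedVpcAttachmentId:
    Type: String
  SharedServicesAttachmentId:
    Type: String
Resources:
  # Replaces the default any-to-any table for this attachment only.
  AppARouteTable:
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties:
      TransitGatewayId: !Ref TransitGatewayId
  # The association decides which table is consulted for traffic *leaving* App A.
  AppAAssociation:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties:
      TransitGatewayAttachmentId: !Ref AppAAttachmentId
      TransitGatewayRouteTableId: !Ref AppARouteTable
  # Static route to the single authorized VPC (longest prefix match wins over 10.0.0.0/8).
  AppAToAuthorizedVpc:
    Type: AWS::EC2::TransitGatewayRoute
    Properties:
      TransitGatewayRouteTableId: !Ref AppARouteTable
      DestinationCidrBlock: 10.10.0.0/16
      TransitGatewayAttachmentId: !Ref AuthorizedVpcAttachmentId
  # Internet-bound traffic still goes through the shared services VPC.
  AppAInternetViaSharedServices:
    Type: AWS::EC2::TransitGatewayRoute
    Properties:
      TransitGatewayRouteTableId: !Ref AppARouteTable
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayAttachmentId: !Ref SharedServicesAttachmentId
  # Blackhole the rest of the company range so that traffic to unauthorized VPCs
  # is dropped at the transit gateway instead of falling through to 0.0.0.0/0.
  AppABlackholeOtherVpcs:
    Type: AWS::EC2::TransitGatewayRoute
    Properties:
      TransitGatewayRouteTableId: !Ref AppARouteTable
      DestinationCidrBlock: 10.0.0.0/8
      Blackhole: true
```

Without the blackhole route, traffic to an unauthorized VPC would match the 0.0.0.0/0 route and be handed to the shared services VPC, whose own route table might forward it back through the transit gateway; return traffic is governed separately by the route table associated with the authorized VPC's attachment, so that table needs a matching route (or propagation) for App A's CIDR.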

Option A is incorrect because network ACLs are stateless and do not allow you to specify the destination VPC as a filter criterion. Network ACLs can only filter traffic based on IP addresses, protocols, and ports. Moreover, network ACLs apply to subnets, not VPCs, so you would need to update the network ACL of every subnet in every VPC, which is not scalable or efficient.

Option B is incorrect because security groups are stateful and do not allow you to deny outbound traffic based on security groups. Security groups contain only allow rules, which match traffic on IP addresses, protocols, ports, and referenced security groups. Moreover, security groups apply to instances or network interfaces, not VPCs, so you would need to update the security group of every instance or network interface in every VPC, which is not scalable or efficient.

Option D is incorrect because updating the main route table of each VPC would not prevent the traffic between the VPCs through the transit gateway. The main route table of each VPC only controls the traffic within the VPC or between the VPC and other networks, such as the internet or a VPN connection. The transit gateway route table controls the traffic between the VPCs that are attached to the transit gateway. Therefore, updating the main route table of each VPC would not affect the transit gateway route table.
