AWS Certified Solutions Architect - Professional

Get started today

Ultimate access to all questions.

Explanation:

The correct answer is C.

Explanation of Requirements

The scenario has these key needs:

Multi-account AWS environment — All application workloads (in different AWS accounts) must communicate with each other.
Connectivity to on-premises legacy system — Deployed across two separate physical locations; highly available connection required.
Minimum 5 Gbps bandwidth to the legacy system.
Workloads serve users in a single geographic region (so intra-Region focus, no multi-Region complexity needed).
High availability and redundancy are critical (avoid single points of failure).

This calls for a hub-and-spoke model using a central network account for shared networking resources.

Why Option C is Correct

Option C combines AWS Transit Gateway (for inter-VPC/multi-account connectivity inside AWS) with AWS Direct Connect Gateway + transit virtual interfaces (for secure, private, high-bandwidth on-premises connectivity):

Multiple 10 Gbps dedicated DX connections from two different DX partners at each of the two on-premises locations → Provides redundancy (diverse partners + locations) and exceeds the 5 Gbps minimum (each connection offers 10 Gbps; total capacity is much higher with HA).
Transit Gateway in a central network account, associated with virtual private gateways (VGWs) attached to each workload VPC → Enables full any-to-any connectivity between all VPCs across accounts (satisfies "All application workloads within AWS must have connectivity with one another").
DX Gateway in the same central network account.
Transit virtual interface (transit VIF) on each DX connection, associated with the DX Gateway, then gateway association between the DX Gateway and the Transit Gateway → This routes on-premises traffic privately into the Transit Gateway (and thus to all attached VPCs) using private IP addressing. Transit VIFs are designed exactly for connecting to Transit Gateways.

This architecture is highly available, scalable, uses private connectivity (no public VIFs), centralizes management, and meets the bandwidth and redundancy needs without operational complexity.

Why Not the Other Options?

Option A: Uses only one DX partner (less redundancy) and transit VIFs attached directly to the Transit Gateway. While transit VIFs can attach to a Transit Gateway, the standard recommended pattern for multi-account + DX is to use a DX Gateway as an intermediary for better management and association flexibility. Single partner reduces HA compared to two partners. No explicit gateway association step.
Option B: Uses a DX Gateway with public virtual interfaces. Public VIFs are for accessing public AWS services (e.g., S3, DynamoDB) over DX, not for private connectivity to VPCs or Transit Gateways. This would not provide secure private IP routing to the legacy system or VPCs. Incorrect for this use case.
Option D: Uses private VIFs directly associated with individual virtual private gateways per VPC/account. This creates a point-to-point model (no central hub). It does not scale well for multi-account environments (management nightmare as accounts grow) and does not easily provide full any-to-any connectivity between all AWS workloads. Redundancy across two locations/partners is also weaker.

Recommended Architecture Summary (SAP Exam Tip)

For hybrid connectivity with multi-account/multi-VPC + on-premises in a single Region:

Central network account:
- One Transit Gateway (attach all workload VPCs via their VGWs or direct attachments).
- One DX Gateway.
At each on-premises site: Redundant 10 Gbps DX connections (diverse partners/locations for HA).
Create transit VIFs → Associate with DX Gateway → Associate DX Gateway with Transit Gateway.

This is the modern, scalable pattern (Transit Gateway + DX Gateway + transit VIF). Direct Connect supports up to 100 Gbps per connection, but 10 Gbps × multiples easily satisfies ≥5 Gbps with headroom.

Key exam concepts tested here:

Difference between private VIF (to VGW), transit VIF (to Transit Gateway), and public VIF.
When to use DX Gateway vs. direct attachment.
High availability for DX (multiple locations/partners + redundant connections).
Centralizing networking with Transit Gateway for multi-account setups.

This solution minimizes operational overhead while meeting all stated requirements for bandwidth, availability, and connectivity.

Explanation:

The correct answer is C.

Explanation of Requirements

The scenario has these key needs:

Multi-account AWS environment — All application workloads (in different AWS accounts) must communicate with each other.
Connectivity to on-premises legacy system — Deployed across two separate physical locations; highly available connection required.
Minimum 5 Gbps bandwidth to the legacy system.
Workloads serve users in a single geographic region (so intra-Region focus, no multi-Region complexity needed).
High availability and redundancy are critical (avoid single points of failure).

This calls for a hub-and-spoke model using a central network account for shared networking resources.

Why Option C is Correct

Multiple 10 Gbps dedicated DX connections from two different DX partners at each of the two on-premises locations → Provides redundancy (diverse partners + locations) and exceeds the 5 Gbps minimum (each connection offers 10 Gbps; total capacity is much higher with HA).
Transit Gateway in a central network account, associated with virtual private gateways (VGWs) attached to each workload VPC → Enables full any-to-any connectivity between all VPCs across accounts (satisfies "All application workloads within AWS must have connectivity with one another").
DX Gateway in the same central network account.
Transit virtual interface (transit VIF) on each DX connection, associated with the DX Gateway, then gateway association between the DX Gateway and the Transit Gateway → This routes on-premises traffic privately into the Transit Gateway (and thus to all attached VPCs) using private IP addressing. Transit VIFs are designed exactly for connecting to Transit Gateways.

This architecture is highly available, scalable, uses private connectivity (no public VIFs), centralizes management, and meets the bandwidth and redundancy needs without operational complexity.

Why Not the Other Options?

Option A: Uses only one DX partner (less redundancy) and transit VIFs attached directly to the Transit Gateway. While transit VIFs can attach to a Transit Gateway, the standard recommended pattern for multi-account + DX is to use a DX Gateway as an intermediary for better management and association flexibility. Single partner reduces HA compared to two partners. No explicit gateway association step.
Option B: Uses a DX Gateway with public virtual interfaces. Public VIFs are for accessing public AWS services (e.g., S3, DynamoDB) over DX, not for private connectivity to VPCs or Transit Gateways. This would not provide secure private IP routing to the legacy system or VPCs. Incorrect for this use case.
Option D: Uses private VIFs directly associated with individual virtual private gateways per VPC/account. This creates a point-to-point model (no central hub). It does not scale well for multi-account environments (management nightmare as accounts grow) and does not easily provide full any-to-any connectivity between all AWS workloads. Redundancy across two locations/partners is also weaker.

Recommended Architecture Summary (SAP Exam Tip)

For hybrid connectivity with multi-account/multi-VPC + on-premises in a single Region:

Central network account:
- One Transit Gateway (attach all workload VPCs via their VGWs or direct attachments).
- One DX Gateway.
At each on-premises site: Redundant 10 Gbps DX connections (diverse partners/locations for HA).
Create transit VIFs → Associate with DX Gateway → Associate DX Gateway with Transit Gateway.

Key exam concepts tested here:

Difference between private VIF (to VGW), transit VIF (to Transit Gateway), and public VIF.
When to use DX Gateway vs. direct attachment.
High availability for DX (multiple locations/partners + redundant connections).
Centralizing networking with Transit Gateway for multi-account setups.

This solution minimizes operational overhead while meeting all stated requirements for bandwidth, availability, and connectivity.

Comments (0)

No comments yet.

A company is configuring connectivity to a multi-account AWS environment to support application workloads fiat serve users in a single geographic region. The workloads depend on a highly available, on premises legacy system deployed across two locations It is critical for the AWS workloads to manias connectivity to the legacy system, and a minimum of 5 Gbps of bandwidth is required All application workloads within AWS must have connectivity with one another. Which solution will meet these requirements?

Exam-Like

Last updated: April 14, 2026 at 13:14

Configure multiple AWS Direct Connect (DX) 10 Gbps dedicated connections from a DX partner for each onpremises location Create and attach a virtual private gateway for each AWS account VPC. Create a transit gateway in a central network account and associate It with the virtual private gateways Create a transit virtual interface on each DX connection and attach the interface to the transit gateway.

7.7%

Configure multiple AWS Direct Connect (DX) 10 Gbps dedicated connections from two DX partners for each onpremises location Create and attach a virtual private gateway for each AWS account VPC. Create a DX gateway m a central network account and associate it with the virtual private gateways Create a public virtual interface on each DX connection and associate the interface with me DX gateway.

53.8%