A solutions architect at a large company is tasked with establishing network security for outbound internet traffic from all AWS accounts within an AWS Organizations setup. The organization comprises over 100 AWS accounts, interconnected via a centralized AWS Transit Gateway. Each account is equipped with both an internet gateway and a NAT gateway for managing outbound internet traffic. The company's operations are confined to a single AWS Region. The requirement is to implement a centralized, rule-based filtering mechanism for all outbound internet traffic across all AWS accounts in the organization, with the constraint that the peak outbound traffic load per Availability Zone does not surpass 25 Gbps. Which solution effectively fulfills these requirements?
Explanation:
The correct answer is B: 'Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Use an AWS Network Firewall for rule-based filtering. Create Network Firewall endpoints in each Availability Zone. Modify all default routes to point to the Network Firewall endpoints.' This is the standard centralized egress inspection pattern: every spoke VPC's default route (0.0.0.0/0) points at the transit gateway, the transit gateway route table sends that traffic to the attachment of the new inspection VPC, and inside that VPC the traffic flows from the transit gateway subnet to the Network Firewall endpoint in the same Availability Zone, then to the NAT gateway, then out through the internet gateway. Filtering rules (stateful Suricata-compatible rules, domain allow/deny lists, stateless 5-tuple rules) are written once in a firewall policy and apply to all 100+ accounts. AWS Network Firewall is a managed service whose endpoints scale automatically, with documented per-endpoint throughput well above the 25 Gbps per Availability Zone required here, so there is no proxy fleet to size, patch or fail over.
Three details decide whether this actually works in practice. First, the existing per-account internet gateways and NAT gateways must be removed, or at least no longer referenced by a default route, otherwise traffic silently bypasses the central firewall; an SCP or config rule that forbids igw attachments in spoke accounts is the usual enforcement. Second, the inspection VPC's transit gateway attachment should run in appliance mode so both directions of a flow stay in one Availability Zone; the stateful engine cannot track a connection it only sees half of. Third, a firewall endpoint belongs to one Availability Zone, so each zone needs its own endpoint and its own route tables pointing at that endpoint; cross-zone hairpinning adds cost and a single point of failure.
Options A and D rely on an open-source proxy running on EC2 instances, which means the company owns capacity planning for 25 Gbps per zone, patching, high availability and client-side proxy configuration in every account. Option C deploys a separate firewall in each account, which duplicates the rule set 100+ times, defeats the centralized-management requirement and multiplies cost.
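The architecture described above, as an added Terraform example (not code from the original page or from AWS): an inspection VPC with three subnet tiers per Availability Zone, a transit gateway attachment in appliance mode, a Network Firewall with a domain allowlist, and the per-zone route tables that send spoke traffic through the local firewall endpoint and NAT gateway. The transit gateway ID, CIDRs, Availability Zone names and allowed domains are placeholders (assumptions), not values from the question.

```hcl
# Added example, not from the original page: centralized egress inspection VPC
# behind an existing transit gateway. TGW ID, CIDRs, AZs and domains are assumed.
locals {
  tgw_id     = "tgw-0123456789abcdef0"   # assumed: the existing central TGW
  spoke_cidr = "10.0.0.0/8"              # assumed: summary route for all spoke VPCs
  azs        = { "us-east-1a" = 0, "us-east-1b" = 1 }
  tiers      = { tgw = 0, firewall = 10, public = 20 }  # /24 offsets per tier
  subnets = { for p in setproduct(keys(local.tiers), keys(local.azs)) :
    "${p[0]}-${p[1]}" => { tier = p[0], az = p[1] } }
}
resource "aws_vpc" "egress" { cidr_block = "100.64.0.0/16" }  # assumed, non-overlapping
resource "aws_internet_gateway" "egress" { vpc_id = aws_vpc.egress.id }
# Three subnet tiers per AZ: TGW attachment -> firewall endpoint -> NAT gateway.
resource "aws_subnet" "egress" {
  for_each          = local.subnets
  vpc_id            = aws_vpc.egress.id
  availability_zone = each.value.az
  cidr_block = cidrsubnet(aws_vpc.egress.cidr_block, 8,
    local.tiers[each.value.tier] + local.azs[each.value.az])
}
resource "aws_eip" "nat" {
  for_each = local.azs
  domain   = "vpc"
}
resource "aws_nat_gateway" "egress" {
  for_each      = local.azs
  subnet_id     = aws_subnet.egress["public-${each.key}"].id
  allocation_id = aws_eip.nat[each.key].id
}
# Appliance mode pins both directions of a flow to one AZ (stateful symmetry).
resource "aws_ec2_transit_gateway_vpc_attachment" "egress" {
  transit_gateway_id     = local.tgw_id
  vpc_id                 = aws_vpc.egress.id
  subnet_ids             = [for az in keys(local.azs) : aws_subnet.egress["tgw-${az}"].id]
  appliance_mode_support = "enable"
}
# Allowlist on HTTP Host / TLS SNI. HOME_NET must cover the spoke CIDRs; the
# default (the inspection VPC's own CIDR) would never match spoke traffic.
resource "aws_networkfirewall_rule_group" "egress_allow" {
  name     = "egress-domain-allowlist"
  type     = "STATEFUL"
  capacity = 100
  rule_group {
    rule_variables {
      ip_sets {
        key = "HOME_NET"
        ip_set { definition = [local.spoke_cidr] }
      }
    }
    rules_source {
      rules_source_list {
        generated_rules_type = "ALLOWLIST"
        target_types         = ["HTTP_HOST", "TLS_SNI"]
        targets              = [".amazonaws.com", "updates.example.com"]  # assumed
      }
    }
  }
}
resource "aws_networkfirewall_firewall_policy" "egress" {
  name = "central-egress"
  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
    stateful_rule_group_reference { resource_arn = aws_networkfirewall_rule_group.egress_allow.arn }
  }
}
resource "aws_networkfirewall_firewall" "egress" {
  name                = "central-egress"
  vpc_id              = aws_vpc.egress.id
  firewall_policy_arn = aws_networkfirewall_firewall_policy.egress.arn
  dynamic "subnet_mapping" {
    for_each = local.azs
    content { subnet_id = aws_subnet.egress["firewall-${subnet_mapping.key}"].id }
  }
}
# One firewall endpoint per AZ; each AZ's route tables use only their own endpoint.
locals {
  fw_endpoint = { for s in aws_networkfirewall_firewall.egress.firewall_status[0].sync_states :
    s.availability_zone => s.attachment[0].endpoint_id }
  rt = { tgw = aws_route_table.tgw, firewall = aws_route_table.firewall, public = aws_route_table.public }
}
resource "aws_route_table" "tgw" {      # spoke traffic arriving from the TGW
  for_each = local.azs
  vpc_id   = aws_vpc.egress.id
  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = local.fw_endpoint[each.key]
  }
}
resource "aws_route_table" "firewall" { # inspected traffic leaving the endpoint
  for_each = local.azs
  vpc_id   = aws_vpc.egress.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.egress[each.key].id
  }
  route {
    cidr_block         = local.spoke_cidr
    transit_gateway_id = local.tgw_id
  }
}
resource "aws_route_table" "public" {   # NAT subnet; replies go back through the endpoint
  for_each = local.azs
  vpc_id   = aws_vpc.egress.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.egress.id
  }
  route {
    cidr_block      = local.spoke_cidr
    vpc_endpoint_id = local.fw_endpoint[each.key]
  }
}
resource "aws_route_table_association" "egress" {
  for_each       = local.subnets
  subnet_id      = aws_subnet.egress[each.key].id
  route_table_id = local.rt[each.value.tier][each.value.az].id
}
```

What this does not include is the spoke side: each spoke VPC's default route must point at the transit gateway, the transit gateway route table used by the spokes must send 0.0.0.0/0 to the inspection VPC attachment, and the route table used by the inspection attachment must carry the spoke CIDRs back to the spoke attachments. Once that is in place, the per-account internet gateways can be detached; until then, a spoke with a local igw route still bypasses the firewall.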