
Answer-first summary for fast verification
Answer: Deploy a transit gateway. Share the transit gateway with each of the other accounts by using AWS Resource Access Manager (AWS RAM). Create VPC attachments to the transit gateway from each service account. Add routes to the on-premises subnet in each of the service VPC route tables by using the attachment as the gateway. Create Site-to-Site VPN tunnel attachments with dynamic routing to the transit gateway. Enable the acceleration feature for the Site-to-Site VPN connection. Configure the VPN tunnels on the on-premises equipment. Configure BGP peering.
The correct solution must provide encrypted transit, route traffic to the nearest AWS edge location, and deliver high availability with automatic failover. Option A is the correct choice because it uses a transit gateway, which is designed to simplify network architecture and scale connectivity across thousands of Amazon VPCs and on-premises networks. Sharing the transit gateway with the other accounts through AWS Resource Access Manager (AWS RAM) provides centralized management. VPC attachments to the transit gateway enable communication between the VPCs and the on-premises networks. Site-to-Site VPN tunnel attachments with dynamic routing (BGP) keep the connections highly available and allow automatic failover. Enabling the acceleration feature for the Site-to-Site VPN connection improves performance by routing traffic through the AWS global network from the closest edge location. Configuring BGP peering on the on-premises equipment provides the dynamic routing that automatic failover and high availability depend on. Options B and D are incorrect because deploying a VPN gateway in each account does not provide the centralized management and simplified network architecture that a transit gateway offers. Option D additionally relies on static routing, which does not support automatic failover. Option C is incorrect because it uses static routing instead of dynamic routing (BGP), which does not support automatic failover.
Author: LeetQuiz Editorial Team
A company has infrastructure services deployed across multiple VPCs in the us-west-2 Region, with non-overlapping CIDR blocks, spanning multiple accounts. They aim to establish encrypted connections between these VPCs and their data centers using AWS Site-to-Site VPN tunnels. The connections must route traffic to the nearest AWS edge location from each data center, ensure high availability, and support automatic failover.
Which solution meets these requirements?
A. Deploy a transit gateway. Share the transit gateway with each of the other accounts by using AWS Resource Access Manager (AWS RAM). Create VPC attachments to the transit gateway from each service account. Add routes to the on-premises subnet in each of the service VPC route tables by using the attachment as the gateway. Create Site-to-Site VPN tunnel attachments with dynamic routing to the transit gateway. Enable the acceleration feature for the Site-to-Site VPN connection. Configure the VPN tunnels on the on-premises equipment. Configure BGP peering.
B. Deploy VPN gateways to each account. Enable the acceleration feature for VPN gateways on each account. Add routes to the on-premises subnet in each of the service VPC route tables. Use the VPNs as the gateway. Configure the VPN tunnels on the on-premises equipment. Configure BGP peering.
C. Deploy a transit gateway. Share the transit gateway with each of the other accounts by using AWS Resource Access Manager (AWS RAM). Create VPC attachments to the transit gateway from each service account. Add routes to the on-premises subnet in each of the service VPC route tables by using the attachment as the gateway. Create Site-to-Site VPN tunnel attachments with dynamic routing to the transit gateway. Enable the acceleration feature for the Site-to-Site VPN connection. Configure the VPN tunnels on the on-premises equipment. Configure static routing.
D. Deploy VPN gateways to each account. Enable the acceleration feature for VPN gateways on each account. Add routes to the on-premises subnet in each of the service VPC route tables. Use the VPNs as the gateway. Configure the VPN tunnels on the on-premises equipment. Configure static routing.