What should the solutions architect do to meet these requirements?
Update the network ACL of each subnet within a VPC to allow outbound traffic only to the authorized VPCs. Remove all deny rules except the default deny rule.
Update all the security groups that are used within a VPC to deny outbound traffic to security groups that are used within the unauthorized VPCs.
Create a dedicated transit gateway route table for each VPC attachment. Route traffic only to the authorized VPCs.
Update the main route table of each VPC to route traffic only to the authorized VPCs through the transit gateway.
Explanations:
Updating the network ACLs can restrict traffic, but network ACLs are stateless and apply per subnet, so every authorized VPC CIDR would need matching inbound and outbound allow entries (including ephemeral-port ranges for return traffic) in the ACL of every subnet of every VPC. The policy is enforced at the edge of each subnet rather than centrally at the transit gateway, and it has to be kept in sync everywhere whenever a VPC is added, removed or re-addressed. Network ACLs are therefore neither an effective nor a scalable way to limit inter-VPC traffic in this scenario.
Security groups cannot be used as described, because they contain allow rules only; there is no deny rule to add, so "deny outbound traffic to the unauthorized security groups" is not something a security group can express. The only way to block a destination with security groups is to not allow it, which means every security group in every VPC would have to enumerate the authorized destinations explicitly and be updated whenever security groups or VPCs change. Security groups are also attached to individual network interfaces, so enforcement is per instance rather than central, and a security group in one VPC does not control what other VPCs can send towards that VPC. Security groups alone do not provide a comprehensive way to restrict inter-VPC communication.
Creating a dedicated transit gateway route table for each VPC attachment gives precise, central control over which VPCs can communicate. Each attachment is associated with exactly one transit gateway route table, and that table decides where traffic arriving from the attachment can be forwarded. If the table for a given attachment contains routes (static or propagated) only for the authorized VPC CIDRs, traffic destined for any other VPC has no route and is dropped at the transit gateway, regardless of what the sending VPC's own route tables say. Two practical caveats: communication is only possible when both sides' tables have a route to each other (the peer's table must carry the return route), and the transit gateway should be created with default route table association and propagation disabled so that a new attachment does not inherit full-mesh reachability by default. This meets the requirements of the security audit.
Updating the main route table of each VPC to route traffic only to authorized VPCs through the transit gateway would not work effectively. A VPC route table only decides which outbound traffic from that VPC's subnets is sent to the transit gateway attachment; it has no say over what the transit gateway forwards into the VPC from other attachments, which is decided by the sending attachment's transit gateway route table. With a single shared transit gateway route table, every VPC's CIDR is propagated into it, so an unauthorized VPC can still send traffic into this VPC. In addition, subnets explicitly associated with a custom route table ignore the main route table, so the change would not even cover all subnets. This would not achieve the goal of limiting traffic between VPCs.
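The following is an added example, not part of the original question or of any AWS code, that models the transit gateway route-table evaluation behind the correct option. It represents each attachment's associated route table as a longest-prefix-match map from VPC CIDR to attachment, builds one dedicated table per attachment from a constructed authorization policy, builds the shared default table for comparison, and audits both against the policy. The VPC names, CIDRs and the authorized pairs are constructed sample data; the evaluation rule (a packet is forwarded according to the table associated with the attachment it arrived on, and dropped if no route matches) is how the transit gateway behaves.

```python
"""Model of AWS Transit Gateway route-table evaluation (added example, not AWS code)."""
import itertools
from ipaddress import ip_address, ip_network

# Constructed sample data: four VPCs attached to one transit gateway.
VPCS = {
    "vpc-prod": "10.0.0.0/16",
    "vpc-shared": "10.1.0.0/16",
    "vpc-dev": "10.2.0.0/16",
    "vpc-audit": "10.3.0.0/16",
}

# Constructed authorization policy: unordered pairs of VPCs allowed to talk.
AUTHORIZED = {
    frozenset({"vpc-prod", "vpc-shared"}),
    frozenset({"vpc-dev", "vpc-shared"}),
    frozenset({"vpc-prod", "vpc-audit"}),
}


def build_dedicated_tables(vpcs, authorized):
    """One TGW route table per attachment, with static routes only to authorized peers.

    Because the policy is a set of unordered pairs, each authorized pair yields a
    route in both tables, so forward and return paths exist.
    """
    tables = {}
    for vpc in vpcs:
        peers = [p for pair in authorized if vpc in pair for p in pair if p != vpc]
        tables[vpc] = {ip_network(vpcs[p]): p for p in peers}
    return tables


def build_shared_default_table(vpcs):
    """Default TGW behaviour: every attachment is associated with, and propagates
    its CIDR into, a single route table, giving full-mesh reachability."""
    table = {ip_network(cidr): vpc for vpc, cidr in vpcs.items()}
    return {vpc: table for vpc in vpcs}


def next_hop(tables, src_vpc, dst_ip):
    """Longest-prefix match in the route table associated with the source attachment.

    Returns the destination attachment, or None when no route matches, which is
    the case in which the transit gateway drops the packet.
    """
    ip = ip_address(dst_ip)
    matches = [(net, att) for net, att in tables[src_vpc].items() if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def can_communicate(tables, vpcs, a, b):
    """True only if the forward path a->b and the return path b->a both resolve."""
    a_host = str(ip_network(vpcs[a])[10])  # an arbitrary host in each VPC
    b_host = str(ip_network(vpcs[b])[10])
    return next_hop(tables, a, b_host) == b and next_hop(tables, b, a_host) == a


def audit(tables, vpcs, authorized):
    """Return the set of VPC pairs whose actual reachability differs from policy."""
    violations = set()
    for a, b in itertools.combinations(vpcs, 2):
        pair = frozenset({a, b})
        if can_communicate(tables, vpcs, a, b) != (pair in authorized):
            violations.add(pair)
    return violations


if __name__ == "__main__":
    dedicated = build_dedicated_tables(VPCS, AUTHORIZED)
    shared = build_shared_default_table(VPCS)
    print("dedicated tables violations:", audit(dedicated, VPCS, AUTHORIZED))
    print("shared default table violations:", audit(shared, VPCS, AUTHORIZED))
```

The audit passes for the dedicated tables and reports every unauthorized pair for the shared default table, which is exactly why a single propagated route table fails the requirement. Removing the return route from one side of an authorized pair makes `can_communicate` false even though `next_hop` still resolves in the forward direction, which is the caveat about needing routes in both attachments' tables.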