How can ABC set up this scenario?
ABC has to set up one centralized VPC that peers with all the other tenant VPCs.
ABC should set up VPC peering between every pair of VPCs, but block the IPs from the tenant VPCs' CIDR ranges to deny them access to each other.
ABC should set up all the VPCs with the same CIDR but have a centralized VPC. This way only the centralized VPC can talk to the other VPCs using VPC peering.
ABC should set up all the VPCs meshed together with VPC peering.
Explanations:
Setting up a centralized VPC that peers with all tenant VPCs allows the centralized server to communicate with each tenant's LMS while maintaining isolation between tenant VPCs. Each tenant VPC can only connect to the centralized VPC, ensuring that tenants cannot communicate with each other.
Establishing VPC peering among all tenant VPCs while blocking IPs from each other's CIDR ranges is not an effective solution. VPC peering establishes a direct network route between peered VPCs, allowing traffic to flow unless it is explicitly denied by security group rules or NACLs. This approach fails to ensure complete isolation because the VPCs remain interconnected and isolation depends on filtering rules rather than on the network topology.
Having all VPCs with the same CIDR would lead to IP address conflicts, as CIDR blocks must be unique within a region. Additionally, this setup does not inherently provide security or isolation; it complicates routing and does not guarantee that only the centralized VPC can communicate with the tenant VPCs.
Meshing all VPCs together with VPC peering would create a fully interconnected network in which each tenant VPC could communicate with every other tenant VPC. This directly contradicts the requirement for security isolation between tenants, making it an unsuitable choice for ABC's scenario.