Which set of steps should a solutions architect take to ensure production traffic and development traffic are completely isolated?
Modify the security groups assigned to development EC2 instances to block traffic from production EC2 instances. Modify the security groups assigned to production EC2 instances to block traffic from development EC2 instances.
Create a tag on each VPC attachment with a value of either production or development, according to the type of account being attached. Using the Network Manager feature of AWS Transit Gateway, create policies that restrict traffic between VPCs based on the value of this tag.
Create separate Transit Gateway route tables for production and development traffic. Remove each account's attachment association and route propagation from the default AWS Transit Gateway route table. Associate development VPC attachments with the development route table and production VPC attachments with the production route table, and enable route propagation for each attachment into its own environment's table.
Create a tag on each VPC attachment with a value of either production or development, according to the type of account being attached. Modify the AWS Transit Gateway routing table to route production tagged attachments to one another and development tagged attachments to one another.
Explanations:
Security groups cannot provide the isolation on their own. They are per-instance allow lists with no deny rules, so "blocking" production traffic really means every team in every development account must keep its rules correct forever; the Transit Gateway still carries a route between the environments, and a single permissive rule (or a new instance launched with a default group) reopens the path. Enforcement must live in the Transit Gateway routing, where the route simply does not exist.
Transit Gateway Network Manager is a visualization and monitoring tool for the global network (topology, events, metrics); it does not apply tag-based traffic policies to Transit Gateway attachments. Tag-driven segment assignment exists in AWS Cloud WAN core network policies, which is a separate construct from Transit Gateway route tables, so this option does not describe a Transit Gateway capability.
Separate route tables are the correct design. An attachment's association determines which route table is consulted for traffic arriving from that attachment, and propagation determines which route tables learn that attachment's VPC CIDRs. With production attachments associated with, and propagating only into, the production table (and likewise for development), the production table holds no route to any development CIDR, so such packets are dropped at the Transit Gateway. Two details make this hold over time: the attachments must be removed from the default route table (otherwise it still contains routes to both environments), and the Transit Gateway should have default route table association and propagation disabled so that a newly attached VPC is never placed into a shared table by accident.
Tags are metadata only. A Transit Gateway route table contains static and propagated routes keyed by destination CIDR and next-hop attachment; it cannot evaluate attachment tags to decide which routes are installed or which attachments may reach one another, so tagging alone changes nothing about forwarding.
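The following Terraform configuration is an added example of the design in the correct answer; it is not part of the original question and not an AWS reference architecture. It assumes (hypothetically) a shared networking account that owns the Transit Gateway, that the production and development VPC attachments have already been created from their own accounts and accepted, and that each attachment carries an `Environment` tag whose value is `production` or `development`. Note that the tag is used here only to select attachment IDs at plan time; the isolation itself comes from the route table association and propagation resources.

```hcl
# Added example, not from the original page. Provider: hashicorp/aws.

resource "aws_ec2_transit_gateway" "shared" {
  description = "Shared TGW for production and development accounts"

  # Without these two settings every new attachment is silently associated
  # with, and propagates into, the default route table, which would put
  # production and development routes back into one table.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"

  tags = { Name = "shared-tgw" }
}

# One route table per environment.
resource "aws_ec2_transit_gateway_route_table" "prod" {
  transit_gateway_id = aws_ec2_transit_gateway.shared.id
  tags               = { Name = "tgw-rt-production", Environment = "production" }
}

resource "aws_ec2_transit_gateway_route_table" "dev" {
  transit_gateway_id = aws_ec2_transit_gateway.shared.id
  tags               = { Name = "tgw-rt-development", Environment = "development" }
}

# Select existing attachments by tag (assumed tagging convention). The tag
# only drives the lookup; it is not evaluated by the Transit Gateway itself.
data "aws_ec2_transit_gateway_vpc_attachments" "prod" {
  filter {
    name   = "transit-gateway-id"
    values = [aws_ec2_transit_gateway.shared.id]
  }
  filter {
    name   = "tag:Environment"
    values = ["production"]
  }
}

data "aws_ec2_transit_gateway_vpc_attachments" "dev" {
  filter {
    name   = "transit-gateway-id"
    values = [aws_ec2_transit_gateway.shared.id]
  }
  filter {
    name   = "tag:Environment"
    values = ["development"]
  }
}

# Association: traffic arriving from a production attachment is looked up
# only in the production table.
resource "aws_ec2_transit_gateway_route_table_association" "prod" {
  for_each                       = toset(data.aws_ec2_transit_gateway_vpc_attachments.prod.ids)
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.prod.id
}

# Propagation: each production VPC's CIDR is learned by the production
# table and by no other table, so the development table has no route to it.
resource "aws_ec2_transit_gateway_route_table_propagation" "prod" {
  for_each                       = toset(data.aws_ec2_transit_gateway_vpc_attachments.prod.ids)
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.prod.id
}

resource "aws_ec2_transit_gateway_route_table_association" "dev" {
  for_each                       = toset(data.aws_ec2_transit_gateway_vpc_attachments.dev.ids)
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.dev.id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "dev" {
  for_each                       = toset(data.aws_ec2_transit_gateway_vpc_attachments.dev.ids)
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.dev.id
}
```

To confirm the result after apply, list the routes in each table with `aws ec2 search-transit-gateway-routes --transit-gateway-route-table-id <table-id> --filters Name=type,Values=propagated`; the production table should contain only production VPC CIDRs and the development table only development CIDRs, and `aws ec2 get-transit-gateway-route-table-associations` on the default route table should return no attachments. An attachment can be associated with exactly one route table at a time, so if an existing attachment is still tied to the default table, that association must be removed before the new one can be created.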