What should a solutions architect do to meet these requirements?
Create an AWS Site-to-Site VPN connection. Configure integration between a VPN and AD DS. Use an Amazon WorkSpaces client with MFA support enabled to establish a VPN connection.
Create an AWS Client VPN endpoint. Create an AD Connector directory for integration with AD DS. Enable MFA for AD Connector. Use AWS Client VPN to establish a VPN connection.
Create multiple AWS Site-to-Site VPN connections by using AWS VPN CloudHub. Configure integration between AWS VPN CloudHub and AD DS. Use AWS Copilot to establish a VPN connection.
Create an Amazon WorkLink endpoint. Configure integration between Amazon WorkLink and AD DS. Enable MFA in Amazon WorkLink. Use AWS Client VPN to establish a VPN connection.
Explanations:
AWS Site-to-Site VPN is primarily for connecting on-premises networks to AWS, not for remote user access. Additionally, using an Amazon WorkSpaces client does not inherently provide VPN functionality.
AWS Client VPN is designed for remote access, allows integration with AD DS via an AD Connector, and supports MFA, which aligns with the company’s security policy for remote access to internal services.
AWS VPN CloudHub is intended for connecting multiple on-premises networks, not remote users. It does not provide the necessary MFA or integration with AD DS for individual user access.
Amazon WorkLink is a service for providing secure access to internal applications through web browsers on mobile devices, not a VPN solution. It does not fulfill the requirement for a VPN access method.