Which network configuration should a solutions architect use to provide connectivity from the client applications in the business unit VPCs to the centralized application in the shared VPC?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A company provides a centralized Amazon EC2 application hosted in a single shared VPC.The centralized application must be accessible from client applications running in the VPCs of other business units.The centralized application front end is configured with a Network Load Balancer (NLB) for scalability.Up to 10 business unit VPCs will need to be connected to the shared VPC.Some of the business unit VPC CIDR blocks overlap with the shared VPC, and some overlap with each other.Network connectivity to the centralized application in the shared VPC should be allowed from authorized business unit VPCs only.

Which network configuration should a solutions architect use to provide connectivity from the client applications in the business unit VPCs to the centralized application in the shared VPC?

Create an AWS Transit Gateway. Attach the shared VPC and the authorized business unit VPCs to the transit gateway. Create a single transit gateway route table and associate it with all of the attached VPCs. Allow automatic propagation of routes from the attachments into the route table. Configure VPC routing tables to send traffic to the transit gateway.

Create a VPC endpoint service using the centralized application NLB and enable the option to require endpoint acceptance. Create a VPC endpoint in each of the business unit VPCs using the service name of the endpoint service. Accept authorized endpoint requests from the endpoint service console.

Create a VPC peering connection from each business unit VPC to the shared VPC. Accept the VPC peering connections from the shared VPC console. Configure VPC routing tables to send traffic to the VPC peering connection.

Configure a virtual private gateway for the shared VPC and create customer gateways for each of the authorized business unit VPCs. Establish a Site-to-Site VPN connection from the business unit VPCs to the shared VPC. Configure VPC routing tables to send traffic to the VPN connection.

Explanations:

AWS Transit Gateway does not support overlapping CIDR blocks between attached VPCs, which is a requirement for this scenario. Therefore, it cannot facilitate connectivity between the shared VPC and overlapping business unit VPCs.

A VPC endpoint service with a Network Load Balancer allows authorized connections from multiple VPCs, including those with overlapping CIDR blocks, by providing access via private endpoints instead of direct IP routing.

VPC peering does not support overlapping CIDR blocks between VPCs, making it unsuitable for this scenario where some business unit VPCs have overlapping IP ranges with the shared VPC and with each other.

Site-to-Site VPN connections do not natively support routing between overlapping CIDR blocks and are not optimal for intra-AWS VPC communication due to added complexity and potential latency.

2025-10-02

1 Comment

  1. William
    Author

    I figure that the answer is:
    Create a VPC endpoint service using the centralized application NLB and enable the option to require endpoint acceptance. Create a VPC endpoint in each of the business unit VPCs using the service name of the endpoint service. Accept authorized endpoint requests from the endpoint service console.

Leave a Reply

Your email address will not be published. Required fields are marked *

four × two =