Which set of additional steps should the solutions architect take to meet these requirements?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A large company runs workloads in VPCs that are deployed across hundreds of AWS accounts.Each VPC consists of public subnets and private subnets that span across multiple Availability Zones.NAT gateways are deployed in the public subnets and allow outbound connectivity to the internet from the private subnets.A solutions architect is working on a hub-and-spoke design.All private subnets in the spoke VPCs must route traffic to the internet through an egress VPC.The solutions architect already has deployed a NAT gateway in an egress VPC in a central AWS account.

Which set of additional steps should the solutions architect take to meet these requirements?

Create peering connections between the egress VPC and the spoke VPCs. Configure the required routing to allow access to the internet.

Create a transit gateway, and share it with the existing AWS accounts. Attach existing VPCs to the transit gateway. Configure the required routing to allow access to the internet.

Create a transit gateway in every account. Attach the NAT gateway to the transit gateways. Configure the required routing to allow access to the internet.

Create an AWS PrivateLink connection between the egress VPC and the spoke VPCs. Configure the required routing to allow access to the internet.

Explanations:

Creating peering connections between the egress VPC and the spoke VPCs would require managing multiple peering connections as the number of spoke VPCs increases, making this approach cumbersome and less scalable. Additionally, peering connections do not automatically enable transit routing or share a single NAT gateway, which is needed for efficient internet access from multiple spokes.

A transit gateway provides a scalable way to connect multiple VPCs across different accounts. By creating a transit gateway and sharing it with the existing AWS accounts, the solutions architect can attach the spoke VPCs to this central hub. The transit gateway simplifies routing and allows all private subnets in the spoke VPCs to route internet-bound traffic through the NAT gateway in the egress VPC efficiently.

Creating a transit gateway in every account adds unnecessary complexity and overhead. This design does not leverage the benefits of a centralized transit gateway, resulting in more complicated routing configurations and NAT gateway management across multiple accounts. The NAT gateway would not be shared effectively across all spoke VPCs.

AWS PrivateLink is designed for providing secure access to services hosted in one VPC from another VPC without exposing them to the public internet. It does not facilitate internet access from private subnets. This approach would not meet the requirement of routing internet traffic through a central NAT gateway, as PrivateLink does not route traffic to the internet.

2025-10-18

1 Comment

  1. Danielle
    Author

    I arrange that the answer is:
    Create a transit gateway, and share it with the existing AWS accounts. Attach existing VPCs to the transit gateway. Configure the required routing to allow access to the internet.

Leave a Reply

Your email address will not be published. Required fields are marked *

7 + twenty =