Which solution meets these requirements?

By:
In: SAP-C01
Tagged:
With: 2 Comments
A solutions architect at a large company needs to set up network security for outbound traffic to the internet from all AWS accounts within an organization in AWSOrganizations.The organization has more than 100 AWS accounts, and the accounts route to each other by using a centralized AWS Transit Gateway.Each account has both an internet gateway and a NAT gateway for outbound traffic to the internet.The company deploys resources only into a single AWS Region.The company needs the ability to add centrally managed rule-based filtering on all outbound traffic to the internet for all AWS accounts in the organization.The peak load of outbound traffic will not exceed 25 Gbps in each Availability Zone.

Which solution meets these requirements?

Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Create an Auto Scaling group of Amazon EC2 instances that run an open-source internet proxy for rule-based filtering across all Availability Zones in the Region. Modify all default routes to point to the proxy’s Auto Scaling group.

Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Use an AWS Network Firewall firewall for rule-based filtering. Create Network Firewall endpoints in each Availability Zone. Modify all default routes to point to the Network Firewall endpoints.

Create an AWS Network Firewall firewall for rule-based filtering in each AWS account. Modify all default routes to point to the Network Firewall firewalls in each account.

In each AWS account, create an Auto Scaling group of network-optimized Amazon EC2 instances that run an open-source internet proxy for rule-based filtering. Modify all default routes to point to the proxy’s Auto Scaling group.

Explanations:

This option requires managing and scaling EC2 instances to handle the outbound traffic, which can be complex and inefficient. Using an open-source proxy solution lacks the scalability and managed nature that AWS Network Firewall can provide for this use case.

This option uses AWS Network Firewall in a centralized VPC for rule-based filtering, which simplifies management across accounts and provides a managed, scalable solution with dedicated endpoints in each Availability Zone to handle 25 Gbps traffic effectively.

Deploying AWS Network Firewall in each account would make management complex and require redundant configuration, rather than centralized control. This approach would be harder to maintain across 100+ accounts.

Like option A, this option requires managing individual EC2 instances in each account, which increases complexity and does not provide a centrally managed, scalable solution for rule-based filtering across multiple accounts.

2026-03-31

2 Comments

  1. Karen
    Author

    I categorize that the answer is:
    Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Use an AWS Network Firewall firewall for rule-based filtering. Create Network Firewall endpoints in each Availability Zone. Modify all default routes to point to the Network Firewall endpoints.

  2. Madison
    Author

    If memory serves me right, the answer is:
    Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Use an AWS Network Firewall firewall for rule-based filtering. Create Network Firewall endpoints in each Availability Zone. Modify all default routes to point to the Network Firewall endpoints.

Leave a Reply

Your email address will not be published. Required fields are marked *

2 + 18 =