Which solution meets these requirements?

By:
On:
In: SAP-C02
Tagged:
With: 0 Comments
A solutions architect at a large company needs to set up network security for outbound traffic to the internet from all AWS accounts within an organization in AWS Organizations.The organization has more than 100 AWS accounts, and the accounts route to each other by using a centralized AWS Transit Gateway.Each account has both an internet gateway and a NAT gateway for outbound traffic to the internet.The company deploys resources only into a single AWS Region.The company needs the ability to add centrally managed rule-based filtering on all outbound traffic to the internet for all AWS accounts in the organization.The peak load of outbound traffic will not exceed 25 Gbps in each Availability Zone.

Which solution meets these requirements?

Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Create an Auto Scaling group of Amazon EC2 instances that run an open-source internet proxy for rule-based filtering across all Availability Zones in the Region. Modify all default routes to point to the proxy’s Auto Scaling group.

Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Use an AWS Network Firewall firewall for rule-based filtering. Create Network Firewall endpoints in each Availability Zone. Modify all default routes to point to the Network Firewall endpoints.

Create an AWS Network Firewall firewall for rule-based filtering in each AWS account. Modify all default routes to point to the Network Firewall firewalls in each account.

In each AWS account, create an Auto Scaling group of network-optimized Amazon EC2 instances that run an open-source internet proxy for rule-based filtering. Modify all default routes to point to the proxy’s Auto Scaling group.

Explanations:

While creating a centralized VPC with an EC2-based proxy allows for rule-based filtering, it introduces complexity in managing and scaling the EC2 instances, particularly under peak loads. This solution may not efficiently handle the required 25 Gbps load without significant operational overhead and is less integrated with AWS services.

This option utilizes AWS Network Firewall, which is a fully managed service designed for rule-based filtering at scale. By creating firewall endpoints in each Availability Zone and modifying default routes to point to these endpoints, it meets the requirements for centralized, efficient outbound traffic filtering without the overhead of managing EC2 instances.

Creating an AWS Network Firewall in each account increases management overhead and does not provide centralized control over outbound traffic for the entire organization. This solution also lacks scalability for managing multiple accounts efficiently, leading to potential inconsistencies in filtering rules across accounts.

Similar to option A, this approach involves deploying EC2 instances in each account for filtering, leading to higher management complexity and scaling challenges. This decentralized approach does not allow for centralized control over outbound traffic filtering, making it less efficient for an organization with more than 100 accounts.

Leave a Reply

Your email address will not be published. Required fields are marked *

sixteen − eight =