Which solution will meet these requirements MOST cost-effectively?
A. Create a peering connection between the VPCs. Add a route table entry for the peering connection in both VPCs. Configure an inbound rule for the ElastiCache cluster’s security group to allow inbound connections from the application’s security group.
B. Create a Transit VPC. Update the VPC route tables in the Cache VPC and the App VPC to route traffic through the Transit VPC. Configure an inbound rule for the ElastiCache cluster’s security group to allow inbound connections from the application’s security group.
C. Create a peering connection between the VPCs. Add a route table entry for the peering connection in both VPCs. Configure an inbound rule for the peering connection’s security group to allow inbound connections from the application’s security group.
D. Create a Transit VPC. Update the VPC route tables in the Cache VPC and the App VPC to route traffic through the Transit VPC. Configure an inbound rule for the Transit VPC’s security group to allow inbound connections from the application’s security group.
Explanations:
Option A (correct): A VPC peering connection gives the EC2 instances in the App VPC a direct, private path to the ElastiCache cluster in the Cache VPC without traversing the internet or any intermediate appliance. The peering connection itself carries no hourly charge; only data transferred across it is billed. A route to the peer VPC’s CIDR must be added in both VPCs, because peering is not transitive and return traffic needs its own route. Finally, the ElastiCache cluster’s security group gets an inbound rule whose source is the application’s security group rather than a CIDR block: security group references work across a peering connection between VPCs in the same region, and they are tighter than a CIDR rule because only instances actually attached to the application’s security group are allowed in. Two practical caveats: the VPC CIDR blocks must not overlap, or the peering cannot be established, and the security group rule must be on the cache side, since security groups attach to network interfaces, not to peering connections.
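The following Terraform configuration is an added example of option A, not code from the original question or from AWS; it wires up the peering connection, the route in each VPC, and the security group rule that references the application’s security group. The variable values, the assumption that both VPCs live in the same account and region (which is what allows `auto_accept` and the cross-VPC security group reference), and the use of port 6379 (Redis) are all assumptions for illustration; a Memcached cluster would use 11211.

```hcl
# Added example: VPC peering between the App VPC and the Cache VPC,
# routes in both directions, and an ElastiCache security group rule
# whose source is the application's security group.
# All IDs and CIDRs below are placeholders (assumptions), not real resources.

variable "app_vpc_id"            { default = "vpc-0000000000000000a" }
variable "cache_vpc_id"          { default = "vpc-0000000000000000b" }
variable "app_vpc_cidr"          { default = "10.10.0.0/16" } # must not overlap
variable "cache_vpc_cidr"        { default = "10.20.0.0/16" } # with app_vpc_cidr
variable "app_route_table_id"    { default = "rtb-0000000000000000a" }
variable "cache_route_table_id"  { default = "rtb-0000000000000000b" }
variable "app_sg_id"             { default = "sg-0000000000000000a" }
variable "cache_sg_id"           { default = "sg-0000000000000000b" }
variable "cache_port"            { default = 6379 } # assumption: Redis; Memcached is 11211

# 1. Peering connection. auto_accept only works when both VPCs are in the
#    same account and region; cross-account peering needs an explicit
#    aws_vpc_peering_connection_accepter on the other side.
resource "aws_vpc_peering_connection" "app_to_cache" {
  vpc_id      = var.app_vpc_id
  peer_vpc_id = var.cache_vpc_id
  auto_accept = true

  tags = {
    Name = "app-vpc-to-cache-vpc"
  }
}

# 2. Routes in BOTH VPCs. Peering is not transitive and return traffic
#    needs its own route, so a route on only one side leaves the
#    connection half-open.
resource "aws_route" "app_to_cache" {
  route_table_id            = var.app_route_table_id
  destination_cidr_block    = var.cache_vpc_cidr
  vpc_peering_connection_id = aws_vpc_peering_connection.app_to_cache.id
}

resource "aws_route" "cache_to_app" {
  route_table_id            = var.cache_route_table_id
  destination_cidr_block    = var.app_vpc_cidr
  vpc_peering_connection_id = aws_vpc_peering_connection.app_to_cache.id
}

# 3. Ingress on the ElastiCache cluster's security group, sourced from the
#    application's security group rather than a CIDR. This is the rule
#    option C mistakenly tries to place on the peering connection, which
#    has no security group of its own. Security group references across a
#    peering connection require both VPCs to be in the same region.
resource "aws_security_group_rule" "cache_from_app" {
  type                     = "ingress"
  security_group_id        = var.cache_sg_id
  protocol                 = "tcp"
  from_port                = var.cache_port
  to_port                  = var.cache_port
  source_security_group_id = var.app_sg_id
  description              = "Cache port from application instances via VPC peering"
}
```

Note what is deliberately absent: no Transit VPC, no routing appliances, and no 0.0.0.0/0 or App VPC CIDR in the cache security group. If the application instances are ever moved to a different security group, the rule above stops matching them, which is the behaviour you want from a least-privilege rule.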
Option B: A Transit VPC adds a third, hub VPC plus the EC2-based routing appliances that the Transit VPC pattern relies on, so it adds both instance and data-transfer cost and a new component to patch, monitor and fail over. It is designed for many-to-many connectivity between a large number of VPCs or on-premises networks; for two VPCs that simply need to talk to each other, a peering connection provides the same reachability with no intermediate hop. The security group rule in this option is correct, but the connectivity design is not the most cost-effective one.
Option C: The peering connection and the route table entries are right, but a VPC peering connection does not have a security group. Security groups attach to elastic network interfaces, so the inbound rule must be placed on the resource that receives the traffic, here the ElastiCache cluster’s security group, with the application’s security group as its source. Because the option describes a rule that cannot be created, it is not a valid answer even though it uses the correct connectivity mechanism.
Option D: Like option B, this option routes two VPCs through a Transit VPC that the scenario does not need, with the same extra cost and operational overhead. It also repeats the mistake of option C in a different form: a VPC has no security group either, so a rule on “the Transit VPC’s security group” cannot be expressed, and the rule that actually controls access still has to sit on the ElastiCache cluster’s security group. Routing the cache traffic through additional appliances adds points of failure and places to misconfigure without tightening access at all, so this is the least cost-effective of the four.