Which solution will meet these requirements with the LEAST operational overhead?
Create an AWS CloudFormation stack set that establishes VPC peering between accounts in each OU. Provision the stack set in each OU.
In each OU, create a dedicated networking account that has a single VPC. Share this VPC with all the other accounts in the OU by using AWS Resource Access Manager (AWS RAM). Create a VPC peering connection between the networking account and each account in the OU.
Provision a transit gateway in an account in each OU. Share the transit gateway across the organization by using AWS Resource Access Manager (AWS RAM). Create transit gateway VPC attachments for each VPC.
In each OU, create a dedicated networking account that has a single VPC. Establish a VPN connection between the networking account and the other accounts in the OU. Use third-party routing software to route transitive traffic between the VPCs.
Explanations:
While creating a CloudFormation stack set to establish VPC peering would allow communication between VPCs, managing a large number of peering connections across more than 100 accounts per OU would become operationally cumbersome and complex, leading to potential challenges in scalability and maintenance.
Creating a dedicated networking account and sharing its VPC using AWS RAM allows for some centralized management, but establishing individual VPC peering connections from the networking account to each of the other accounts would still require significant management overhead. This does not provide a scalable or efficient solution for multi-account networking.
Provisioning a transit gateway in each OU and sharing it via AWS RAM allows for efficient communication among all VPCs within the OU while isolating them from other OUs. Transit gateways simplify network management by allowing transitive routing and reducing the need for multiple peering connections, thus minimizing operational overhead.
Establishing a VPN connection with third-party routing software adds unnecessary complexity and operational overhead. VPNs are typically more suited for connecting on-premises networks to AWS or for remote access, and they do not facilitate easy VPC-to-VPC communication within an AWS environment. This approach would be inefficient and harder to manage than using transit gateways.