Which solution will meet this requirement with the LEAST operational effort?

By:
In: SAP-C02
Tagged:
With: 1 Comment
Example Corp. has an on-premises data center and a VPC named VPC A in the Example Corp. AWS account. The on-premises network connects to VPC A through an AWS Site-To-Site VPN. The on-premises servers can properly access VPC A. Example Corp. just acquired AnyCompany, which has a VPC named VPC B. There is no IP address overlap among these networks. Example Corp. has peered VPC A and VPC B.Example Corp. wants to connect from its on-premise servers to VPC B. Example Corp. has properly set up the network ACL and security groups.

Which solution will meet this requirement with the LEAST operational effort?

Create a transit gateway. Attach the Site-to-Site VPN, VPC A, and VPC B to the transit gateway. Update the transit gateway route tables for all networks to add IP range routes for all other networks.

Create a transit gateway. Create a Site-to-Site VPN connection between the on-premises network and VPC B, and connect the VPN connection to the transit gateway. Add a route to direct traffic to the peered VPCs, and add an authorization rule to give clients access to the VPCs A and B.

Update the route tables for the Site-to-Site VPN and both VPCs for all three networks. Configure BGP propagation for all three networks. Wait for up to 5 minutes for BGP propagation to finish.

Modify the Site-to-Site VPN’s virtual private gateway definition to include VPC A and VPC B. Split the two routers of the virtual private getaway between the two VPCs.

Explanations:

Creating a transit gateway to connect the Site-to-Site VPN, VPC A, and VPC B allows for a centralized connection point. This setup simplifies routing and management, as all routes can be managed in one place. Updating the route tables to direct traffic appropriately ensures that on-premises servers can access both VPCs with minimal operational effort.

While creating a transit gateway and a new Site-to-Site VPN connection to VPC B is a valid approach, it adds unnecessary complexity. The transit gateway should ideally manage existing connections rather than requiring additional VPNs, which increases operational overhead.

Updating the route tables and configuring BGP propagation for all three networks can work, but it is more complex and involves manual route management. BGP setup requires more operational effort and monitoring compared to using a transit gateway.

Modifying the Site-to-Site VPN’s virtual private gateway to include both VPCs complicates the architecture. This approach does not leverage the advantages of a transit gateway, which is designed for better scalability and management of multiple VPC connections. Additionally, splitting routers across VPCs adds unnecessary complexity.

2025-10-17

1 Comment

  1. Jeremy
    Author

    I believe the answer is:
    Create a transit gateway. Attach the Site-to-Site VPN, VPC A, and VPC B to the transit gateway. Update the transit gateway route tables for all networks to add IP range routes for all other networks.

Leave a Reply

Your email address will not be published. Required fields are marked *

13 − 3 =