Transit gateway inter-region VPC connection, can it directly attach VPCs from other regions?

A software as a service (SaaS) company provides a media software solution to customers. The solution is hosted on 50 VPCs across various AWS Regions and AWS accounts. One of the VPCs is designated as a management VPC. The compute resources in the VPCs work independently.

The company has developed a new feature that requires all 50 VPCs to be able to communicate with each other. The new feature also requires one-way access from each customer's VPC to the company's management VPC. The management VPC hosts a compute resource that validates licenses for the media software solution.

The number of VPCs that the company will use to host the solution will continue to increase as the solution grows.

Which combination of steps will provide the required VPC connectivity with the LEAST operational overhead? (Choose two.)

A. Create a transit gateway. Attach all the company's VPCs and relevant subnets to the transit gateway.

B. Create VPC peering connections between all the company's VPCs.

C. Create a Network Load Balancer (NLB) that points to the compute resource for license validation. Create an AWS PrivateLink endpoint service that is available to each customer's VPC. Associate the endpoint service with the NLB.

D. Create a VPN appliance in each customer's VPC. Connect the company's management VPC to each customer's VPC by using AWS Site-to-Site VPN.

E. Create a VPC peering connection between the company's management VPC and each customer's VPC.

Isaac, asked a month ago, 77 views
3 Answers
To provide the required VPC connectivity with the least operational overhead, considering the scale and the requirements, the most efficient approach would be:

A. Create a transit gateway. Attach all the company's VPCs and relevant subnets to the transit gateway.

Explanation: A transit gateway simplifies network management by acting as a central hub that connects multiple VPCs and allows them to communicate with each other. This solution scales well as the number of VPCs increases and provides a single point of management for inter-VPC communication.

C. Create a Network Load Balancer (NLB) that points to the compute resource for license validation. Create an AWS PrivateLink endpoint service that is available to each customer's VPC. Associate the endpoint service with the NLB.

Explanation: AWS PrivateLink provides private connectivity between VPCs and services across different accounts and VPCs. By creating an endpoint service and associating it with an NLB, you can enable secure and scalable one-way access from each customer's VPC to the management VPC without exposing the management VPC directly.

Edit Note: A Transit Gateway is a regional construct and cannot span multiple regions. Therefore, to connect Transit Gateways in different regions, Transit Gateway peering attachments are necessary (between the two transit gateways present in the two different regions, each attached to its respective VPCs). Given the options above, only A and C are correct.

AWS, answered a month ago
EXPERT, reviewed a month ago
Hello,

To provide connectivity between multiple VPCs across various regions with minimal operational overhead, while also ensuring one-way access from each customer's VPC to the management VPC, follow these steps:

1. Create a Transit Gateway.

Attach all VPCs to the Transit Gateway

  • Create a transit gateway in one of your AWS regions.

  • Attach each of the company's VPCs to this transit gateway.

  • Use VPC attachments to connect the VPCs to the transit gateway.

2. Establish Inter-Region Connectivity

Use Transit Gateway Inter-Region Peering

  • For VPCs in different regions, set up transit gateway inter-region peering connections.

  • This allows VPCs in different regions to communicate with each other through the transit gateway.

3. Provide One-Way Access to the Management VPC

Use AWS PrivateLink for One-Way Access

  • Create a Network Load Balancer (NLB) in the management VPC to handle requests.

  • Set up an AWS PrivateLink endpoint service that connects to the NLB in the management VPC.

  • Each customer’s VPC can create a VPC endpoint to access the endpoint service, providing controlled one-way access.

https://medium.com/@laksmikanthreddy22/transit-gateway-peering-connecting-vpcs-across-regional-boundaries-a2a6a6dcaed9

https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#:~:text=A%20transit%20gateway%20enables%20you%20to%20attach%20VPCs,can%20attach%20their%20VPCs%20to%20your%20transit%20gateway.

EXPERT, answered a month ago
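The three steps above (and options A and C in the first answer) as one worked Terraform configuration. This is an added example, not code from the question or from either answer. It assumes a single AWS account, a management VPC 10.10.0.0/16 in us-east-1, one customer VPC 10.20.0.0/16 in eu-west-1, a second customer VPC in us-east-1 for the PrivateLink consumer side, and the variable names, CIDRs and the customer account ID shown; the resource types are those of the Terraform AWS provider.

```hcl
# Added example (not from the question or answers). Assumed: one account, mgmt VPC
# 10.10.0.0/16 in us-east-1, customer VPC 10.20.0.0/16 in eu-west-1, names below.
variable "mgmt_vpc_id"              { type = string }
variable "mgmt_subnet_ids"          { type = list(string) }
variable "customer_eu_vpc_id"       { type = string }
variable "customer_eu_subnet_ids"   { type = list(string) }
variable "customer_use1_vpc_id"     { type = string }
variable "customer_use1_subnet_ids" { type = list(string) }
variable "customer_endpoint_sg_id"  { type = string }

provider "aws" {
  alias  = "use1"
  region = "us-east-1"
}

provider "aws" {
  alias  = "euw1"
  region = "eu-west-1"
}

# Step 1: a transit gateway is regional, so there is one per Region and a VPC
# attaches only to the transit gateway in its own Region.
resource "aws_ec2_transit_gateway" "use1" {
  provider = aws.use1
}

resource "aws_ec2_transit_gateway" "euw1" {
  provider = aws.euw1
}

resource "aws_ec2_transit_gateway_vpc_attachment" "mgmt" {
  provider           = aws.use1
  transit_gateway_id = aws_ec2_transit_gateway.use1.id
  vpc_id             = var.mgmt_vpc_id
  subnet_ids         = var.mgmt_subnet_ids
}

resource "aws_ec2_transit_gateway_vpc_attachment" "customer_eu" {
  provider           = aws.euw1
  transit_gateway_id = aws_ec2_transit_gateway.euw1.id
  vpc_id             = var.customer_eu_vpc_id
  subnet_ids         = var.customer_eu_subnet_ids
}

# Step 2: inter-Region peering, requested on one side and accepted on the other.
# Routes are not propagated across a peering attachment: each TGW route table
# needs a static route for the remote CIDR that points at the peering.
resource "aws_ec2_transit_gateway_peering_attachment" "use1_euw1" {
  provider                = aws.use1
  transit_gateway_id      = aws_ec2_transit_gateway.use1.id
  peer_transit_gateway_id = aws_ec2_transit_gateway.euw1.id
  peer_region             = "eu-west-1"
}

resource "aws_ec2_transit_gateway_peering_attachment_accepter" "euw1" {
  provider                      = aws.euw1
  transit_gateway_attachment_id = aws_ec2_transit_gateway_peering_attachment.use1_euw1.id
}

resource "aws_ec2_transit_gateway_route" "use1_to_euw1" {
  provider                       = aws.use1
  destination_cidr_block         = "10.20.0.0/16"
  transit_gateway_route_table_id = aws_ec2_transit_gateway.use1.association_default_route_table_id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_peering_attachment.use1_euw1.id
}

resource "aws_ec2_transit_gateway_route" "euw1_to_use1" {
  provider                       = aws.euw1
  destination_cidr_block         = "10.10.0.0/16"
  transit_gateway_route_table_id = aws_ec2_transit_gateway.euw1.association_default_route_table_id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_peering_attachment_accepter.euw1.id
}

# Step 3: one-way access to the license validator over PrivateLink. Only the NLB
# listener is exposed, the customer side opens every connection, and the service
# owner decides which accounts may connect. Consumer shown in the same Region.
resource "aws_lb" "license" {
  provider           = aws.use1
  name               = "license-validation"
  internal           = true
  load_balancer_type = "network"
  subnets            = var.mgmt_subnet_ids
}

resource "aws_vpc_endpoint_service" "license" {
  provider                   = aws.use1
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.license.arn]
  allowed_principals         = ["arn:aws:iam::111111111111:root"] # assumed customer account
}

resource "aws_vpc_endpoint" "license" {
  provider           = aws.use1
  vpc_id             = var.customer_use1_vpc_id
  service_name       = aws_vpc_endpoint_service.license.service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.customer_use1_subnet_ids
  security_group_ids = [var.customer_endpoint_sg_id] # allow only the validator port
}
```

Two things the configuration does not show but a deployment needs: each VPC's own route table still needs a route for the remote CIDRs pointing at its Region's transit gateway, and attachments from other AWS accounts require sharing the transit gateway through AWS RAM first. Note also the security consequence of Step 1: once the management VPC is attached to the transit gateway, every attached VPC can reach it over the transit gateway path as well, so the PrivateLink endpoint only enforces one-way access if the management attachment is given its own transit gateway route table with no routes back from the customer attachments, or if the management VPC is kept off the transit gateway altogether.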
Why does this feel like a question from the networking specialty exam? Not really a question.

xanthic, answered a month ago
