To provide the required VPC connectivity with the least operational overhead, considering the scale and the requirements, the most efficient approach would be:
A. Create a transit gateway. Attach all the company's VPCs and relevant subnets to the transit gateway.
Explanation: A transit gateway simplifies network management by acting as a central hub that connects multiple VPCs and allows them to communicate with each other. This solution scales well as the number of VPCs increases and provides a single point of management for inter-VPC communication.
C. Create a Network Load Balancer (NLB) that points to the compute resource for license validation. Create an AWS PrivateLink endpoint service that is available to each customer's VPC. Associate the endpoint service with the NLB.
Explanation: AWS PrivateLink provides private connectivity between VPCs and services across different accounts and VPCs. By creating an endpoint service and associating it with an NLB, you can enable secure and scalable one-way access from each customer's VPC to the management VPC without exposing the management VPC directly.
Edit Note: A Transit Gateway is a regional construct and cannot span multiple regions. Therefore, to connect Transit Gateways in different regions, Transit Gateway peering attachments are necessary (between the two transit gateways present in two different regions, each attached to its respective VPCs). Given the options above, only A and C are correct.
Hello,
To provide connectivity between multiple VPCs across various regions with minimal operational overhead, while also ensuring one-way access from each customer's VPC to the management VPC, follow these steps:

1. Create a Transit Gateway and attach all VPCs to it
- Create a transit gateway in one of your AWS regions.
- Attach each of the company's VPCs to this transit gateway.
- Use VPC attachments to connect the VPCs to the transit gateway.

2. Establish inter-region connectivity using Transit Gateway inter-region peering
- For VPCs in different regions, set up transit gateway inter-region peering connections.
- This allows VPCs in different regions to communicate with each other through the transit gateway.

3. Provide one-way access to the management VPC using AWS PrivateLink
- Create a Network Load Balancer (NLB) in the management VPC to handle requests.
- Set up an AWS PrivateLink endpoint service that connects to the NLB in the management VPC.
- Each customer's VPC can create a VPC endpoint to access the endpoint service, providing controlled one-way access.
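The three steps above, written out as a Terraform configuration. This is an added example, not code from the answer or from AWS; it assumes two regions (us-east-1 holding the management VPC, eu-west-1 holding further company VPCs), and every VPC id, subnet id, CIDR, instance id and customer account id in the `locals` block is a constructed placeholder you replace with your own values. The customer-side `aws_vpc_endpoint` would normally live in the customer's own account and state; it is shown here only to make the one-way path complete.

```hcl
provider "aws" { alias = "use1", region = "us-east-1" }
provider "aws" { alias = "euw1", region = "eu-west-1" }

# Placeholder inputs (constructed, not real resources).
locals {
  use1_vpcs            = { "vpc-PLACEHOLDER-A" = ["subnet-PLACEHOLDER-A1"] }
  euw1_vpcs            = { "vpc-PLACEHOLDER-B" = ["subnet-PLACEHOLDER-B1"] }
  use1_cidr            = "10.10.0.0/16"
  euw1_cidr            = "10.20.0.0/16"
  mgmt_vpc_id          = "vpc-PLACEHOLDER-MGMT"
  mgmt_subnet_ids      = ["subnet-PLACEHOLDER-M1", "subnet-PLACEHOLDER-M2"]
  license_instance_id  = "i-PLACEHOLDER-LICENSE"
  customer_account_ids = ["111111111111", "222222222222"]
}

# Step 1: one transit gateway per region; company VPCs attach to the local hub.
resource "aws_ec2_transit_gateway" "use1" { provider = aws.use1 }
resource "aws_ec2_transit_gateway" "euw1" { provider = aws.euw1 }

resource "aws_ec2_transit_gateway_vpc_attachment" "use1" {
  for_each           = local.use1_vpcs
  provider           = aws.use1
  transit_gateway_id = aws_ec2_transit_gateway.use1.id
  vpc_id             = each.key
  subnet_ids         = each.value
}

resource "aws_ec2_transit_gateway_vpc_attachment" "euw1" {
  for_each           = local.euw1_vpcs
  provider           = aws.euw1
  transit_gateway_id = aws_ec2_transit_gateway.euw1.id
  vpc_id             = each.key
  subnet_ids         = each.value
}

# Step 2: inter-region peering. A TGW is regional, so the two hubs are peered;
# the peering must be accepted on the other side and routes are static (no propagation).
resource "aws_ec2_transit_gateway_peering_attachment" "use1_to_euw1" {
  provider                = aws.use1
  transit_gateway_id      = aws_ec2_transit_gateway.use1.id
  peer_transit_gateway_id = aws_ec2_transit_gateway.euw1.id
  peer_region             = "eu-west-1"
}

resource "aws_ec2_transit_gateway_peering_attachment_accepter" "euw1" {
  provider                      = aws.euw1
  transit_gateway_attachment_id = aws_ec2_transit_gateway_peering_attachment.use1_to_euw1.id
}

resource "aws_ec2_transit_gateway_route" "use1_to_euw1" {
  provider                       = aws.use1
  destination_cidr_block         = local.euw1_cidr
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_peering_attachment.use1_to_euw1.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway.use1.association_default_route_table_id
}

resource "aws_ec2_transit_gateway_route" "euw1_to_use1" {
  provider                       = aws.euw1
  destination_cidr_block         = local.use1_cidr
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_peering_attachment_accepter.euw1.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway.euw1.association_default_route_table_id
}

# Step 3: internal NLB in the management VPC fronting the license-validation compute.
resource "aws_lb" "license" {
  provider           = aws.use1
  name               = "license-validation"
  internal           = true
  load_balancer_type = "network"
  subnets            = local.mgmt_subnet_ids
}

resource "aws_lb_target_group" "license" {
  provider = aws.use1
  port     = 443
  protocol = "TCP"
  vpc_id   = local.mgmt_vpc_id
}

resource "aws_lb_target_group_attachment" "license" {
  provider         = aws.use1
  target_group_arn = aws_lb_target_group.license.arn
  target_id        = local.license_instance_id
  port             = 443
}

resource "aws_lb_listener" "license" {
  provider          = aws.use1
  load_balancer_arn = aws_lb.license.arn
  port              = 443
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.license.arn
  }
}

# PrivateLink endpoint service. Only the listed customer accounts may create an endpoint,
# and each connection still has to be accepted; customers never get a route into the
# management VPC, only a path to the NLB, which is what makes the access one-way.
resource "aws_vpc_endpoint_service" "license" {
  provider                   = aws.use1
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.license.arn]
  allowed_principals         = [for a in local.customer_account_ids : "arn:aws:iam::${a}:root"]
}

# Customer side (deployed in the customer's account): an interface endpoint to the service.
resource "aws_vpc_endpoint" "license" {
  vpc_id            = "vpc-PLACEHOLDER-CUSTOMER"
  service_name      = aws_vpc_endpoint_service.license.service_name
  vpc_endpoint_type = "Interface"
  subnet_ids        = ["subnet-PLACEHOLDER-C1"]
}
```

Two points worth checking after `terraform apply`: the peering attachment shows as `available` in both regions only once the accepter resource has run, and the static TGW routes are what actually carry traffic across the peering, since peering attachments do not propagate routes. On the PrivateLink side, keep `acceptance_required = true` and `allowed_principals` scoped to specific accounts; leaving the principal list open to `*` would let any AWS account request a connection to the license endpoint.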
Why does this feel like a question from the networking speciality exam? Not really a question.
Can transit gateway attach VPCs directly from other regions? I don't think so. It seems like a peering connection between transit gateways in different regions is the answer. https://docs.aws.amazon.com/vpc/latest/tgw/tgw-peering.html