Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 181 discussion

Fits the use case https://aws.amazon.com/transit-gateway/

Option C is very poorly worded: "Provision a transit gateway in an account in each OU" to me this results in having 3 Transit Gateways, but then it go ahead just referring to a single Transit Gateway "Share the transit gateway across the organization ..."

TGW would be used to create hub and spoke. VPCs are in same region so tgw can be shared via RAM. Answer is C

Typical transit gateway use case

The question is asking “a solution in which VPCs in the same OU can communicate with each other but cannot communicate with VPCs in other OUs”. A: it works. But it may create 2500+ VPC peering in each OU B: It works. But it may create 2500+ VPC peering in each OU C: This is wrong, cause it is sharing the transit gateway to all the account in the organization instead of sharing to all the account in that OU. D: That means 2500+ VPN connections in each OU and cost a lot of internet bandwidth. I guess the C was worded with mistake. It should be sharing the transit gateway to the accounts in each OU and create VPC attachment for each VPC in that OU.

The requirement said, "VPCs in the same OU can communicate with each other but cannot communicate with VPCs in other OUs". There is no reason to share the TGW across the organisation with RAM because it will enable cross OUs communication.

"Least operational overhead" A is correct. C creating Transit Gateway in each account.. and there are more than 100 accounts in each OU. Which is time consuming and requires lot of efforts.

typical use case of intra region peering with transit gateway.

Option C

C. Transit gateway and RAM is a regional service. AWS RAM is a Regional service, and a resource share is Regional. Therefore, a resource share can contain resources from the same AWS Region as the resource share, and any supported global resources. https://docs.aws.amazon.com/ram/latest/userguide/working-with-regional-vs-global.html https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs

A for two reasons: 1. Sharing the TGW with the entire organization (C) will make every VPC in every account propagate its subnet in the default TGW route table which will enable organization-wide communication which is categorically prohibited by the question. 2. The question only says more than 100 accounts and 1 VPC per account. It does not mention anything about 125+ VPCs. Plus the peerings are being created by stack sets so there's automation involved. So I believe A is the only solution here.

I thik C

C. Yes, because, Transit Gateway is a managed service from AWS that acts as a hub interconnecting VPCs and VPN connections within a single region. It allows you to build more complex networks without the need for VPC peering. Similar to: https://aws.amazon.com/blogs/networking-and-content-delivery/automating-aws-transit-gateway-attachments-to-a-transit-gateway-in-a-central-account/ A,B. No, because a VPC peering connection has a limit of 125 Active VPC peering connections per VPC. In this case, each OU contains MORE THAN 100 AWS accounts -- this could mean 101 accounts or 10001 accounts. D. No, because this is not the answer choice with the LEAST operational overhead. Third-party routing software is not required to route transitive traffic between the VPCs.

A separate transit GW for each OU.

The answer should be C. Since VPC peering is not transitive then for 100+ accounts in OU then we'll breach the limit of 125. As for VPN - I wouldn't use VPN to connect AWS resources - I don't know even if that's possible

Olabiba.ai says C.

Answer : C Reference : https://catalog.workshops.aws/networking/en-US/intermediate/6-vpc-peering/10-vpc-peering-overview