Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 215 discussion

BD they need a (one) VPC, no need for TGW. Use case for subnet sharing via RAM

They are designing an account structure. This means multiple accounts, implicitly multiple VPCs. So A will take care of account provisioning. (B is incorrect, subnets cannot be shared). To connect to on-prem, site-to-site VPN is sufficient and most cost-effective, and we also need to give access to it from all accounts, so we need a Transit Gateway. Therefore C is the other correct answer. (D is incorrect because it only works for one VPC, one account, and E is incorrect because is more expensive than VPN and not necessary)

B, D for sure. No need for a TGW

Selected Answer: BE Why is nobody considering Direct Connect, it is cheaper than Site to Site VPN.

If you have one VPC why you need to share the subnets ?

Option BC & NOT C - The MOST cost effective option: AWS Site-to-Site VPN connection pricing still applies in addition to AWS Transit Gateway VPN attachment pricing. So you will be additional cost with both option https://aws.amazon.com/transit-gateway/pricing/

The problem did not say how many VPC. @@@

B+C in my humble opinion. Reason for C is that this is a design for a company with "multiple teams" so it is only logical that these teams will want to have at some stage independent accounts from one another and different accounts within the same teams. Thinking about a single VPC would be a bit short sighted.

B and D is right choice.

Most Cost Effective...

You need to create a singe VPC and a single Account.

Direct Connect may be an overkill with 1GBPs

Other problem with VPN is 1.25 Gb limitation.

Correct AD. I think A is correct because you can connect the VPN to each VPC by using a VPN connection resource in each AWS account. You do not need a shared network account for that. You can refer to this documentation for more details: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html B is not correct because it will create a single VPC for all the AWS accounts, which will reduce the isolation and security for the different teams. It will also require sharing the subnets by using AWS Resource Access Manager, which will add complexity and overhead.

Tgw is for VPCs communication.

BC. There are multiple teams and accounts.

BD? dont think we need tgw here.