Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 11 discussion

A company has many AWS accounts and uses AWS Organizations to manage all of them. A solutions architect must implement a solution that the company can use to share a common network across multiple accounts.
The company’s infrastructure team has a dedicated infrastructure account that has a VPC. The infrastructure team must use this account to manage the network. Individual accounts cannot have the ability to manage their own networks. However, individual accounts must be able to create AWS resources within subnets.
Which combination of actions should the solutions architect perform to meet these requirements? (Choose two.)

  • A. Create a transit gateway in the infrastructure account.
  • B. Enable resource sharing from the AWS Organizations management account.
  • C. Create VPCs in each AWS account within the organization in AWS Organizations. Configure the VPCs to share the same CIDR range and subnets as the VPC in the infrastructure account. Peer the VPCs in each individual account with the VPC in the infrastructure account.
  • D. Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each subnet to associate with the resource share.
  • E. Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each prefix list to associate with the resource share.
Suggested Answer: BD 🗳️

Comments

masetromain
Highly Voted 1 year, 11 months ago
Selected Answer: BD
I go with BD
upvoted 29 times
masetromain
1 year, 9 months ago
Step B is needed because it enables the organization to share resources across accounts. Step D is needed because it allows the infrastructure account to share specific subnets with the other accounts in the organization, so that the other accounts can create resources within those subnets without having to manage their own networks.
upvoted 12 times
8693a49
3 months, 1 week ago
Note that B says it enables sharing from the management account, but the infrastructure team must use the infrastructure account to manage the network, so there is nothing to share from the management account. Also, options D and E also enable resource sharing (you don't need to enable it from the management account; other accounts can enable resource sharing too). VPCs can't talk to each other by default. You need to do something to 'glue' them together in a larger network.
upvoted 2 times
...
...
...
razguru
Highly Voted 1 year, 10 months ago
A - Doesn't seem correct as the question didn't state multiple VPCs, so transit gateway is not relevant. I will go with B & D
upvoted 10 times
8693a49
3 months, 1 week ago
There are multiple VPCs because each account must have at least one.
upvoted 2 times
...
...
TariqKipkemei
Most Recent 1 day, 20 hours ago
Selected Answer: BD
Enable resource sharing from the AWS Organizations management account then, create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each subnet to associate with the resource share.
upvoted 1 times
...
Sin_Dan
3 weeks ago
The correct answer is A and D. B is a wrong option. While AWS Organizations is required to manage multiple accounts, enabling resource sharing through AWS RAM is done in the infrastructure account (where the VPC resides), not in the AWS Organizations management account. Resource sharing is configured via RAM in the account that owns the resources, not through Organizations directly.
upvoted 1 times
...
SkyZeroZx
1 month, 2 weeks ago
Selected Answer: BD
The correct answers are D and B. D will allow the infrastructure team to create a resource share in AWS Resource Access Manager in the infrastructure account. This will allow them to share the VPC with the other accounts in the organization. B will enable resource sharing from the AWS Organizations management account. This is required to allow the resource share to be created. C is not necessary, as the resource share will allow the other accounts to create resources in the shared VPC. A is not necessary, as the resource share will allow the other accounts to connect to the shared VPC through the transit gateway. E is not necessary, as the resource share will allow the other accounts to create resources in the shared VPC without the need for prefix lists.
upvoted 1 times
...
sreed77
1 month, 2 weeks ago
Selected Answer: BD
Option B allows the infrastructure team to manage the network in the infrastructure account. It also allows individual accounts to create AWS resources within subnets. This is done by creating a resource share in AWS Resource Access Manager (RAM) in the infrastructure account. The resource share is then associated with the specific AWS Organizations OU that will use the shared network. The subnets are then associated with the resource share. Option D is also necessary because it allows the infrastructure team to control who has access to the shared network. This is done by assigning permissions to the resource share. Here are the steps involved in implementing this solution: Create a resource share in RAM in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each subnet to associate with the resource share. Assign permissions to the resource share.
upvoted 4 times
...
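The two steps the suggested answer describes (enable sharing with the organization, then create the subnet share from the infrastructure account), as an added AWS CLI script that is not part of this page or of AWS's own documentation. It assumes the AWS CLI is installed, that the shell calling enable_org_sharing holds management-account credentials and the shell calling create_subnet_share and verify_share holds infrastructure-account credentials, and that every account ID, OU ID and subnet ID below is a constructed placeholder. DRY_RUN defaults to 1, so the script prints each aws command instead of executing it; set DRY_RUN=0 to run it for real.

```shell
#!/bin/sh
# Added example (not ExamTopics or AWS code). Placeholder identifiers throughout.
# DRY_RUN=1 (the default) prints commands; DRY_RUN=0 executes them.

DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or print it prefixed with DRY-RUN when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN:'
    printf ' %s' "$@"
    printf '\n'
  else
    "$@"
  fi
}

# Step 1 (option B): run from the Organizations management account. This lets
# RAM accept OUs and the organization itself as principals in a resource share.
enable_org_sharing() {
  run aws ram enable-sharing-with-aws-organization
}

# Step 2 (option D): run from the infrastructure account that owns the VPC.
# Arguments: share name, OU ARN, then one or more subnet ARNs. Only subnets are
# accepted, so the participants get to launch resources in them while the
# VPC, route tables and gateways stay under the owning account's control.
create_subnet_share() {
  share_name="$1"; ou_arn="$2"; shift 2
  case "$ou_arn" in
    arn:aws:organizations::*:ou/*) ;;
    *) echo "principal must be an OU ARN: $ou_arn" >&2; return 1 ;;
  esac
  [ "$#" -gt 0 ] || { echo "at least one subnet ARN is required" >&2; return 1; }
  for subnet_arn in "$@"; do
    case "$subnet_arn" in
      arn:aws:ec2:*:subnet/subnet-*) ;;
      *) echo "only subnets are shared here: $subnet_arn" >&2; return 1 ;;
    esac
  done
  # --no-allow-external-principals keeps the share inside the organization.
  run aws ram create-resource-share \
    --name "$share_name" \
    --principals "$ou_arn" \
    --resource-arns "$@" \
    --no-allow-external-principals
}

# Check step: from the infrastructure account, list the share once it is ACTIVE.
verify_share() {
  run aws ram get-resource-shares \
    --resource-owner SELF \
    --resource-share-status ACTIVE \
    --name "$1"
}

# Constructed placeholders: 111122223333 is the management account,
# 222233334444 is the infrastructure account.
OU_ARN="arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-ab12-cdef3456"
SUBNET_A="arn:aws:ec2:us-east-1:222233334444:subnet/subnet-0123456789abcdef0"
SUBNET_B="arn:aws:ec2:us-east-1:222233334444:subnet/subnet-0fedcba9876543210"

# Only runs when invoked as "sh script.sh demo"; the functions are otherwise
# available for sourcing.
if [ "${1:-}" = "demo" ]; then
  enable_org_sharing
  create_subnet_share shared-network "$OU_ARN" "$SUBNET_A" "$SUBNET_B"
  verify_share shared-network
fi
```

The ARN checks are the part worth keeping in a real pipeline: a share whose principal is a bare account ID or whose resource is a VPC or transit gateway ARN does not implement "individual accounts create resources inside subnets the infrastructure team manages", and failing fast on that is cheaper than unwinding an over-broad share later.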
cnethers
1 month, 2 weeks ago
I would go BD When you share a subnet using AWS Resource Access Manager (RAM) with another AWS account, the resources within that shared subnet can communicate with each other and with the resources in the account that owns the subnet. However, for outbound network connectivity to other VPCs, on-premises networks, or the internet, you need to set up additional networking components.
upvoted 1 times
cnethers
1 month, 2 weeks ago
2. Inter-VPC Communication:
  • If the resources in the shared subnet need to communicate with resources in another VPC (either within the same AWS account or in a different AWS account), you can use VPC Peering or a Transit Gateway.
  • VPC Peering: Establish a peering connection between the VPCs and update the route tables accordingly.
  • Transit Gateway: Create a Transit Gateway, attach both VPCs to the Transit Gateway, and configure the necessary route tables and Transit Gateway route tables.
upvoted 1 times
...
cnethers
4 months, 3 weeks ago
Here's a breakdown of different scenarios and the required setup:
1. Internet Access:
  • If you need resources in the shared subnet to access the internet, ensure that the subnet is a public subnet with an associated Internet Gateway (IGW) and appropriate route table entries.
  • The account that owns the VPC will typically manage the IGW and the route tables.
upvoted 1 times
...
cnethers
4 months, 3 weeks ago
3. On-Premises Connectivity:
  • If the resources in the shared subnet need to communicate with an on-premises network, you can use AWS Direct Connect or a Site-to-Site VPN.
  • These connections can be routed through a Transit Gateway for more scalable and manageable network architecture.
upvoted 1 times
...
...
shaaam80
1 month, 2 weeks ago
Selected Answer: BD
Answer - B & D. A is wrong. No TGW needed as customer has just 1 VPC. E is wrong - can't share resources via RAM using prefix lists. C is wrong - talks about creating VPCs with same CIDR ranges and VPC peering (not possible with overlapping CIDRs and not needed for this solution as there is just 1 VPC).
upvoted 3 times
Sin_Dan
3 weeks ago
How do you think the Accounts got subnets without VPCs?
upvoted 1 times
...
...
severlight
1 month, 2 weeks ago
Selected Answer: BD
I don't see the way you can share a prefix list.
upvoted 2 times
mattfaz
3 weeks, 3 days ago
https://docs.aws.amazon.com/vpc/latest/userguide/sharing-managed-prefix-lists.html
upvoted 1 times
...
8693a49
3 months, 1 week ago
You don't share a prefix list, you associate it with the shared resource (which here is a TGW). The way you do it is you add the prefixes to the route tables inside the account's VPCs. The prefixes will point towards the TGW. This makes the network traffic destined to other account go through the TGW into these accounts based on the TGW routing table. The TGW routing table can only be controlled from the infrastructure account.
upvoted 2 times
...
...
AlbertS82
1 month, 2 weeks ago
Selected Answer: BD
B&D is the only correct answer
upvoted 2 times
...
atirado
1 month, 2 weeks ago
Selected Answer: BD
Option A - Does not assist with allowing OUs to create resources in the subnets
Option B - Allows sharing resources across the entire organization
Option C - This option does not work as a way to share subnets because it creates multiple VPCs and subnets in the accounts rather than allowing managing resources in shared subnets
Option D - Directly shares the subnets
Option E - Does not assist because it only shares pre-built CIDR blocks rather than subnets
upvoted 4 times
8693a49
3 months, 1 week ago
Subnets cannot be shared
upvoted 1 times
...
...
8693a49
1 month, 2 weeks ago
Selected Answer: AE
Voting A & E
upvoted 1 times
...
amministrazione
2 months, 1 week ago
B. Enable resource sharing from the AWS Organizations management account. D. Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each subnet to associate with the resource share.
upvoted 1 times
...
8693a49
3 months, 1 week ago
It's AD. To form a network between multiple accounts, each with their own VPCs, you can use VPC peering or Transit Gateway. But VPC peering is only suitable for a few accounts, and we have many, so we need to create a TGW (A). Then we need to associate it with the VPCs across all accounts, we do this through RAM, and we need to configure the route tables in all accounts to use the TGW, which is done through prefixes (D). See https://docs.aws.amazon.com/prescriptive-guidance/latest/integrate-third-party-services/architecture-3-1.html The question is a bit weird because the answer could allow accounts to manage the network inside their own VPCs, so probably some SCP policies are needed to prevent this. But the accounts cannot edit the TGW routing, so probably that's what they were trying to suggest.
upvoted 1 times
8693a49
3 months, 1 week ago
I meant to say AE, but I can't edit the post now.
upvoted 1 times
...
...
rapatajones
7 months, 1 week ago
Selected Answer: BE
B E is correct
upvoted 1 times
...
rapatajones
7 months, 1 week ago
BE for sure
upvoted 1 times
...
gofavad926
7 months, 3 weeks ago
Selected Answer: BD
BD, as mentioned in other comments
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted