Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 11 discussion

A company has many AWS accounts and uses AWS Organizations to manage all of them. A solutions architect must implement a solution that the company can use to share a common network across multiple accounts.
The company’s infrastructure team has a dedicated infrastructure account that has a VPC. The infrastructure team must use this account to manage the network. Individual accounts cannot have the ability to manage their own networks. However, individual accounts must be able to create AWS resources within subnets.
Which combination of actions should the solutions architect perform to meet these requirements? (Choose two.)

  • A. Create a transit gateway in the infrastructure account.
  • B. Enable resource sharing from the AWS Organizations management account.
  • C. Create VPCs in each AWS account within the organization in AWS Organizations. Configure the VPCs to share the same CIDR range and subnets as the VPC in the infrastructure account. Peer the VPCs in each individual account with the VPC in the infrastructure account.
  • D. Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each subnet to associate with the resource share.
  • E. Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each prefix list to associate with the resource share.
Suggested Answer: BD
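The two actions in the suggested answer (B, then D) as AWS CLI calls, written as an added example that is not code from the exam page or from AWS. Account IDs, the region, the OU ARN and the subnet IDs are constructed placeholders; the ownership check before the share call is an assumption about good practice, not something the question states.

```shell
#!/usr/bin/env bash
# Added example, not code from the exam page or from AWS: the two actions of
# the suggested answer (B, then D) as AWS CLI calls, plus an offline check.
# Account IDs, region, OU ARN and subnet IDs are constructed placeholders.
set -e

AWS=${AWS:-aws}               # set AWS=echo to print the calls instead of running them
INFRA_ACCOUNT=${INFRA_ACCOUNT:-111111111111}
REGION=${REGION:-us-east-1}
OU_ARN=${OU_ARN:-arn:aws:organizations::999999999999:ou/o-example/ou-exam-11111111}

# ARN form RAM expects for a subnet owned by the infrastructure account.
subnet_arn() {
  printf 'arn:aws:ec2:%s:%s:subnet/%s' "$REGION" "$INFRA_ACCOUNT" "$1"
}

# RAM can only share resources the calling account owns, so reject any ARN
# from another account before calling the API. Returns 0 when all match.
owned_by_infra() {
  local arn
  for arn in "$@"; do
    [ "$(printf '%s' "$arn" | cut -d: -f5)" = "$INFRA_ACCOUNT" ] || return 1
  done
}

# Action B: run once with management-account credentials. Lets RAM accept
# OUs and accounts of the organization as principals without invitations.
enable_org_sharing() {
  "$AWS" ram enable-sharing-with-aws-organization
}

# Action D: run with infrastructure-account credentials. Shares the subnets
# with the OU; external principals stay off so only organization members
# can use them, and the VPC itself stays managed from this account.
create_subnet_share() {
  local name=$1; shift
  owned_by_infra "$@" || { echo "refusing: subnet not owned by $INFRA_ACCOUNT" >&2; return 1; }
  "$AWS" ram create-resource-share --name "$name" \
    --principals "$OU_ARN" --resource-arns "$@" \
    --no-allow-external-principals \
    --query 'resourceShare.resourceShareArn' --output text
}

# Check: each subnet association on the share should report ASSOCIATED.
check_share() {
  "$AWS" ram get-resource-share-associations --association-type RESOURCE \
    --resource-share-arns "$1" \
    --query 'resourceShareAssociations[].status' --output text
}
```

Consumer accounts in the OU then see the shared subnets in `aws ec2 describe-subnets` and can launch resources into them, while route tables, NACLs and gateways remain editable only from the infrastructure account.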

Comments

masetromain
Highly Voted 2 years, 2 months ago
Selected Answer: BD
I go with BD
upvoted 29 times
masetromain
2 years, 1 month ago
Step B is needed because it enables the organization to share resources across accounts. Step D is needed because it allows the infrastructure account to share specific subnets with the other accounts in the organization, so that the other accounts can create resources within those subnets without having to manage their own networks.
upvoted 13 times
8693a49
6 months, 3 weeks ago
Note that B says it enables sharing from the management account, but the infrastructure team must use the infrastructure account to manage the network, so there is nothing to share from the management account. Also, options D and E enable resource sharing (you don't need to enable it from the management account; other accounts can enable resource sharing too). VPCs can't talk to each other by default. You need to do something to 'glue' them together in a larger network.
upvoted 2 times
Kirkster
1 month ago
In this case, there is actually only one VPC - the one in the infrastructure account. Users in other accounts deploy to subnets in that account, as those subnets are shared using resource sharing, as outlined in this blog: https://aws.amazon.com/blogs/networking-and-content-delivery/vpc-sharing-a-new-approach-to-multiple-accounts-and-vpc-management/
upvoted 1 times
razguru
Highly Voted 2 years, 1 month ago
A - Doesn't seem correct, as the question didn't state multiple VPCs, so a transit gateway is not relevant. I will go with B & D.
upvoted 11 times
8693a49
6 months, 3 weeks ago
There are multiple VPCs because each account must have at least one.
upvoted 3 times
Kirkster
Most Recent 1 month ago
Selected Answer: BD
The transit gateway is a red herring. Creating a resource share and then sharing out subnets is described in this AWS blog: https://aws.amazon.com/blogs/networking-and-content-delivery/vpc-sharing-a-new-approach-to-multiple-accounts-and-vpc-management/ To those who say there are multiple VPCs (one in each account), read the question more carefully - it never says that. It merely says that users in the other accounts need to be able to deploy resources to the shared subnets.
upvoted 1 times
_KBM
2 months ago
Selected Answer: AD
A. Create a transit gateway in the infrastructure account. A transit gateway allows the infrastructure account to centralize the network and connect multiple VPCs across accounts. It serves as the backbone for communication between the accounts.
D. Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each subnet to associate with the resource share. Using AWS Resource Access Manager (RAM), you can share the subnets of the infrastructure account's VPC with other accounts in the organization, enabling individual accounts to create resources in those subnets while centralizing network management in the infrastructure account.
upvoted 1 times
wem
2 months, 1 week ago
Selected Answer: AD
The following steps will meet the requirements for sharing a common network managed from the infrastructure account across multiple AWS accounts, with the least operational complexity and in line with best practices:
A. Create a transit gateway in the infrastructure account. A transit gateway allows centralized routing and connectivity between multiple VPCs across different AWS accounts. This approach enables the infrastructure account to control network management while allowing other accounts to use the shared network.
D. Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each subnet to associate with the resource share. Using AWS Resource Access Manager (RAM) to share subnets from the infrastructure account allows individual accounts to create resources within those subnets. This aligns with the requirement that individual accounts can create resources but not manage the network.
upvoted 1 times
Heman31in
2 months, 1 week ago
Selected Answer: AD
Without Step A (transit gateway), the solution would lack a central mechanism for connecting VPCs across accounts, which is essential for a shared network. D because: AWS Resource Access Manager (RAM) allows you to share VPC subnets across accounts. By creating a resource share for specific subnets and associating it with the appropriate organizational units (OUs), individual accounts can launch resources in the shared subnets while the infrastructure account retains network control.
upvoted 1 times
TariqKipkemei
3 months, 2 weeks ago
Selected Answer: BD
Enable resource sharing from the AWS Organizations management account then, create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each subnet to associate with the resource share.
upvoted 1 times
Sin_Dan
4 months ago
The correct answer is A and D. B is a wrong option. While AWS Organizations is required to manage multiple accounts, enabling resource sharing through AWS RAM is done in the infrastructure account (where the VPC resides), not in the AWS Organizations management account. Resource sharing is configured via RAM in the account that owns the resources, not through Organizations directly.
upvoted 2 times
SkyZeroZx
4 months, 4 weeks ago
Selected Answer: BD
The correct answers are D and B. D will allow the infrastructure team to create a resource share in AWS Resource Access Manager in the infrastructure account. This will allow them to share the VPC with the other accounts in the organization. B will enable resource sharing from the AWS Organizations management account. This is required to allow the resource share to be created. C is not necessary, as the resource share will allow the other accounts to create resources in the shared VPC. A is not necessary, as the resource share will allow the other accounts to connect to the shared VPC through the transit gateway. E is not necessary, as the resource share will allow the other accounts to create resources in the shared VPC without the need for prefix lists.
upvoted 1 times
sreed77
4 months, 4 weeks ago
Selected Answer: BD
Option B allows the infrastructure team to manage the network in the infrastructure account. It also allows individual accounts to create AWS resources within subnets. This is done by creating a resource share in AWS Resource Access Manager (RAM) in the infrastructure account. The resource share is then associated with the specific AWS Organizations OU that will use the shared network. The subnets are then associated with the resource share. Option D is also necessary because it allows the infrastructure team to control who has access to the shared network. This is done by assigning permissions to the resource share. Here are the steps involved in implementing this solution:
  • Create a resource share in RAM in the infrastructure account.
  • Select the specific AWS Organizations OU that will use the shared network.
  • Select each subnet to associate with the resource share.
  • Assign permissions to the resource share.
upvoted 4 times
cnethers
4 months, 4 weeks ago
I would go BD. When you share a subnet using AWS Resource Access Manager (RAM) with another AWS account, the resources within that shared subnet can communicate with each other and with the resources in the account that owns the subnet. However, for outbound network connectivity to other VPCs, on-premises networks, or the internet, you need to set up additional networking components.
upvoted 1 times
cnethers
4 months, 4 weeks ago
2. Inter-VPC Communication:
  • If the resources in the shared subnet need to communicate with resources in another VPC (either within the same AWS account or in a different AWS account), you can use VPC Peering or a Transit Gateway.
  • VPC Peering: Establish a peering connection between the VPCs and update the route tables accordingly.
  • Transit Gateway: Create a Transit Gateway, attach both VPCs to the Transit Gateway, and configure the necessary route tables and Transit Gateway route tables.
upvoted 1 times
cnethers
8 months ago
Here's a breakdown of different scenarios and the required setup:
1. Internet Access:
  • If you need resources in the shared subnet to access the internet, ensure that the subnet is a public subnet with an associated Internet Gateway (IGW) and appropriate route table entries.
  • The account that owns the VPC will typically manage the IGW and the route tables.
upvoted 1 times
cnethers
8 months ago
3. On-Premises Connectivity:
  • If the resources in the shared subnet need to communicate with an on-premises network, you can use AWS Direct Connect or a Site-to-Site VPN.
  • These connections can be routed through a Transit Gateway for a more scalable and manageable network architecture.
upvoted 1 times
shaaam80
4 months, 4 weeks ago
Selected Answer: BD
Answer - B & D. A is wrong. No TGW needed as customer has just 1 VPC. E is wrong - can't share resources via RAM using prefix lists. C is wrong - talks about creating VPCs with same CIDR ranges and VPC peering (not possible with overlapping CIDRs and not needed for this solution as there is just 1 VPC).
upvoted 3 times
Sin_Dan
4 months ago
How do you think the Accounts got subnets without VPCs?
upvoted 1 times
severlight
4 months, 4 weeks ago
Selected Answer: BD
I don't see the way you can share a prefix list.
upvoted 2 times
mattfaz
4 months, 1 week ago
https://docs.aws.amazon.com/vpc/latest/userguide/sharing-managed-prefix-lists.html
upvoted 1 times
8693a49
6 months, 3 weeks ago
You don't share a prefix list, you associate it with the shared resource (which here is a TGW). The way you do it is you add the prefixes to the route tables inside the account's VPCs. The prefixes will point towards the TGW. This makes the network traffic destined to other accounts go through the TGW into these accounts based on the TGW routing table. The TGW routing table can only be controlled from the infrastructure account.
upvoted 2 times
AlbertS82
4 months, 4 weeks ago
Selected Answer: BD
B&D is the only correct answer
upvoted 3 times
atirado
4 months, 4 weeks ago
Selected Answer: BD
Option A - Does not assist with allowing OUs to create resources in the subnets.
Option B - Allows sharing resources across the entire organization.
Option C - This option does not work as a way to share subnets because it creates multiple VPCs and subnets in the accounts rather than allowing managing resources in shared subnets.
Option D - Directly shares the subnets.
Option E - Does not assist because it only shares pre-built CIDR blocks rather than subnets.
upvoted 4 times
8693a49
6 months, 3 weeks ago
Subnets cannot be shared
upvoted 1 times
8693a49
4 months, 4 weeks ago
Selected Answer: AE
Voting A & E
upvoted 1 times
amministrazione
5 months, 3 weeks ago
B. Enable resource sharing from the AWS Organizations management account.
D. Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each subnet to associate with the resource share.
upvoted 1 times