Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 99 discussion

C. Have you guys worked in a place where the configuration of B works? The question clearly ask to design something scalable, and on C, the Transit Gateway serves as a network transit hub, allowing VPN connections to access resources across multiple VPCs in different AWS accounts. VPC peering connections do not support transitive peering relationships, which means that if a user is connected to one VPC via AWS Client VPN, they cannot access resources in another VPC that's connected via a peering connection.

https://www.examtopics.com/discussions/amazon/view/80782-exam-aws-certified-solutions-architect-professional-topic-1/ B. Create a Client VPN endpoint in the main AWS account. Configure required routing that allows access to internal applications is the MOST cost-effective solution that meets these requirements. This solution allows employees to connect to the main AWS account using a Client VPN endpoint, and then use peering connections established with other AWS accounts to access the internal applications. This eliminates the need for additional Client VPN endpoints in each AWS account, reducing costs. Option A, creating a Client VPN endpoint in each AWS account, would be more expensive as it would require multiple endpoints. Option C, creating a transit gateway, would also add unnecessary costs. Option D, connecting the Client VPN endpoint to the Site-to-Site VPN, may not provide a scalable solution for remote employees.

This provides a scalable and centralized routing solution to connect VPCs across multiple AWS accounts.

Option B is the most cost-effective solution as it only requires creating a single Client VPN endpoint in the main AWS account and configuring the required routing to access the internal applications across the VPC peering connections. Option C would involve additional costs for provisioning a transit gateway and connecting it to each AWS account, which is not necessary in this scenario since the VPCs are already peered.

Option B is the MOST cost-effective solution that meets the requirements.

VPC peering is enough

By choosing option B, you can provide a scalable and cost-effective solution for remote employees to access internal applications hosted in multiple AWS accounts, while leveraging the existing VPC peering connections and minimizing the number of AWS resources required. The other options are either more complex, less cost-effective, or introduce unnecessary components: A. Creating a Client VPN endpoint in each AWS account would be more expensive and harder to manage, as you would need to configure and maintain multiple endpoints. C. Provisioning a Transit Gateway in addition to the Client VPN endpoint would introduce an additional service and associated costs, which may not be necessary if the existing VPC peering connections are sufficient. D. Establishing connectivity between the Client VPN endpoint and the AWS Site-to-Site VPN would introduce unnecessary complexity, as the Site-to-Site VPN is intended for connecting the on-premises office network, not individual remote employees.

answer is B, should take advantage of existing VPC peering connections which works with current network topology

B. It asks for a scalable solution and it has to be cost effective. Adding Transit Gateway is not cost effective and also not required as the main AWS account has peering connections to VPCs in other accounts already.

No tgw needed

Always find possible solutions first. Then look for cost effective. A cost effective option that does not solve the requirements is by default the most expensive option. Requirement: most scalable option

B. Create a Client VPN endpoint in the main AWS account. Configure required routing that allows access to internal applications.

C introduces additional costs.

Answer is B, right now you have VPC Peering from main VPC to others account VPC, you can re-use that configuration, also transit-gateway has a cost based on connections and traffic and the solution must be MOST cost-effective

The current AWS S2S VPN works fine without a TGW for app access Only requirement is to have users use the Client VPN So just deploy it in the main account, where the S2S VPN terminates and users will have the same level of access they have from onprem using VPC peerings. That's the most cost effective way (even though client VPN is one expensive service for what it does...)

B is correct answer(Also gives scalable solution), aws transit gateway bit high cost

marszalekm gave the key AWS doc https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario-peered.html