Visit here for our full Amazon AWS Certified Advanced Networking – Specialty ANS-C01 exam dumps and practice test questions.
Question 61
A global enterprise needs to design a highly available, low-latency network architecture across multiple AWS regions and accounts. They require centralized routing, automated failover, end-to-end encryption, and monitoring for compliance and operational metrics. Which solution is the most suitable for their requirements?
A) VPC Peering with individual firewalls in each VPC
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPNs with static routing and individual monitoring agents
D) Direct Connect circuits to each VPC with separate routing tables and monitoring
Answer: B
Explanation:
Designing a multi-region, multi-account enterprise network in AWS requires balancing performance, security, centralized management, and scalability. AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging offers a comprehensive solution for these requirements.
AWS Transit Gateway acts as a centralized hub connecting multiple VPCs and on-premises networks in a hub-and-spoke topology. This architecture supports transitive routing, eliminating the need for complex and unmanageable VPC Peering meshes. Transitive routing ensures that any connected VPC can communicate with others efficiently, reducing network complexity and simplifying management. Inter-region peering ensures low-latency communication between VPCs in different regions using AWS’s private backbone, avoiding the unpredictability and latency of internet-based VPNs.
AWS Network Firewall provides centralized security enforcement, including traffic inspection, intrusion detection, and policy enforcement across multiple VPCs. Centralized firewall management reduces the risk of inconsistent security policies, simplifies compliance management, and allows enterprises to enforce encryption, access controls, and segmentation consistently. Individual firewalls per VPC (option A) increase operational overhead and are prone to configuration errors that could expose the network to threats.
CloudWatch centralized logging and monitoring aggregates metrics, logs, and alarms from Transit Gateway, Network Firewall, and connected VPCs, enabling real-time monitoring, alerting, and operational insights. This ensures compliance with enterprise policies and regulatory requirements while providing actionable intelligence for performance optimization. Using separate monitoring agents per VPN connection or VPC (option C) or relying on Direct Connect without centralized logging (option D) increases complexity and reduces visibility.
Option A), individual VPC Peering with per-VPC firewalls, does not scale efficiently across multiple accounts and regions. Option C), multiple Site-to-Site VPNs, relies on public internet connectivity, introducing latency variability and complex failover mechanisms. Option D), Direct Connect circuits without centralized routing and monitoring, provides dedicated connectivity but lacks the operational simplicity, centralized policy enforcement, and monitoring needed for enterprise-scale networks.
Implementing AWS Transit Gateway with inter-region peering, Network Firewall, and CloudWatch centralized logging ensures a scalable, resilient, and secure global network. It enables centralized routing, automated failover, end-to-end encryption, low-latency inter-region communication, and comprehensive monitoring, meeting the operational, compliance, and performance requirements of global enterprises. This approach provides a unified architecture that reduces administrative burden while enhancing security, visibility, and performance.
Question 62
An enterprise wants to deploy a hybrid cloud network connecting multiple AWS accounts, VPCs across regions, and on-premises data centers. They need centralized routing, automated failover, traffic inspection, encryption, and centralized monitoring. Which architecture is most appropriate for these requirements?
A) VPC Peering with individual firewalls and per-VPC logging
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPNs with static routing and independent monitoring
D) Direct Connect circuits to each VPC with separate routing and monitoring
Answer: B
Explanation:
Implementing a hybrid cloud network that spans multiple AWS accounts, regions, and on-premises environments requires a solution that addresses centralized routing, high availability, traffic inspection, encryption, and centralized monitoring. The most suitable solution is AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging.
AWS Transit Gateway provides a centralized hub connecting multiple VPCs and on-premises networks, supporting transitive routing that enables VPCs and on-premises networks to communicate without complex VPC Peering meshes. This hub-and-spoke model simplifies routing management, ensures high availability, and supports automated failover. Inter-region peering allows for low-latency, high-throughput communication between VPCs in different regions using AWS’s private backbone, avoiding the performance and security limitations of internet-based VPNs.
AWS Network Firewall enables centralized traffic inspection, policy enforcement, intrusion detection, and segmentation, ensuring consistent application of security policies across multiple accounts and regions. Centralized security reduces operational overhead and ensures regulatory compliance by preventing misconfigurations that could compromise sensitive data or workloads. Deploying individual firewalls per VPC or region introduces operational complexity and increases the risk of inconsistent enforcement.
CloudWatch centralized logging aggregates metrics, logs, and alarms from Transit Gateway, Network Firewall, and all connected VPCs, enabling real-time alerting, operational insights, troubleshooting, and compliance auditing. Centralized monitoring ensures that security incidents or operational issues are detected quickly and remediated efficiently. Independent monitoring per VPN or VPC, as in option C, leads to fragmented visibility and delays in detecting anomalies.
Option A), VPC Peering with individual firewalls, does not scale well and increases configuration complexity. Option D), Direct Connect circuits without centralized routing and monitoring, provides dedicated connectivity but lacks centralized traffic inspection and monitoring capabilities. Multiple Site-to-Site VPNs (option C) introduce latency variability, bandwidth limitations, and complex failover management.
Using AWS Transit Gateway with inter-region peering, Network Firewall, and CloudWatch centralized logging enables enterprises to build a secure, scalable, resilient, and fully monitored hybrid network. It ensures centralized routing, automated failover, consistent traffic inspection, end-to-end encryption, low-latency inter-region communication, and comprehensive monitoring, making it the most appropriate solution for complex multi-account, multi-region hybrid architectures.
Question 63
A company is deploying multiple VPCs in different AWS regions with interconnections to on-premises data centers. The network must provide centralized routing, automated failover, traffic inspection, encryption, and compliance monitoring. Which architecture best meets these requirements?
A) VPC Peering with individual firewalls in each region
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPNs with static routing and local monitoring
D) Direct Connect circuits to each VPC with separate routing and monitoring
Answer: B
Explanation:
Designing a multi-region, hybrid enterprise network with multiple VPCs and on-premises connectivity requires a solution that provides centralized routing, high availability, automated failover, traffic inspection, encryption, and centralized monitoring for compliance. The optimal solution is AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging.
AWS Transit Gateway centralizes connectivity by acting as a hub for multiple VPCs and on-premises networks in a hub-and-spoke topology. This enables transitive routing, allowing any connected network to communicate with others without creating numerous VPC Peering connections. Inter-region peering ensures low-latency, high-throughput connectivity between VPCs in different regions, leveraging AWS’s private backbone and avoiding public internet variability. This setup also supports automated failover, maintaining high availability in case of network disruptions.
AWS Network Firewall provides centralized traffic inspection, intrusion detection, segmentation, and policy enforcement across accounts and regions. Centralized enforcement simplifies compliance and reduces operational risk by preventing inconsistent policies or misconfigurations. Deploying individual firewalls per VPC increases complexity and operational overhead.
CloudWatch centralized logging aggregates metrics, logs, and alarms from Transit Gateway, Network Firewall, and connected VPCs. This enables real-time monitoring, alerting, troubleshooting, and compliance auditing, ensuring that security and operational metrics are visible from a centralized console. Without centralized logging, teams must manually consolidate logs from multiple accounts, increasing risk and reducing operational efficiency.
Option A), VPC Peering with per-VPC firewalls, scales poorly and increases complexity. Option C), multiple Site-to-Site VPNs with static routing, relies on the public internet, introducing latency, bandwidth variability, and complex failover requirements. Option D), Direct Connect circuits without centralized routing or monitoring, provides private connectivity but lacks centralized traffic inspection, routing, and monitoring capabilities.
Implementing AWS Transit Gateway with inter-region peering, Network Firewall, and CloudWatch centralized logging provides a secure, scalable, and resilient network architecture. It ensures centralized routing, automated failover, consistent traffic inspection, end-to-end encryption, and compliance monitoring, making it ideal for enterprises deploying multi-region VPCs and hybrid connectivity.
Question 64
An organization requires a global, multi-region network that interconnects multiple AWS accounts, VPCs, and on-premises environments. The design must include centralized routing, automated failover, traffic inspection, encryption, and centralized logging for compliance. Which solution meets these criteria?
A) VPC Peering with individual firewalls per VPC
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPNs with static routing and independent monitoring
D) Direct Connect circuits to each VPC with separate routing and logging
Answer: B
Explanation:
Creating a global, multi-region enterprise network requires a solution that provides centralized routing, high availability, automated failover, traffic inspection, encryption, and centralized monitoring. The recommended architecture is AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging.
AWS Transit Gateway enables a hub-and-spoke topology, connecting multiple VPCs and on-premises networks while supporting transitive routing. This simplifies network management by removing the need for multiple VPC Peering connections, reducing operational complexity. Inter-region peering ensures low-latency, high-bandwidth communication between regions using AWS’s private backbone. This provides consistent network performance and avoids reliance on public internet paths, which may introduce latency or unpredictability.
AWS Network Firewall centralizes traffic inspection, intrusion detection, and policy enforcement across accounts and regions. Centralized firewall management ensures consistent policy enforcement and compliance while reducing operational risks. Deploying individual firewalls in each VPC increases complexity and the potential for configuration inconsistencies.
CloudWatch centralized logging aggregates logs, metrics, and alarms from Transit Gateway, Network Firewall, and connected VPCs, enabling real-time monitoring, troubleshooting, and compliance auditing. Centralized logging ensures that operational and security metrics are visible from one location, simplifying detection of anomalies and accelerating incident response. Independent monitoring per VPN or VPC introduces fragmented visibility and delays response times.
Option A), VPC Peering with per-VPC firewalls, does not scale efficiently in multi-account and multi-region environments. Option C), multiple Site-to-Site VPNs, relies on public internet connectivity, which can be unpredictable, introducing latency and bandwidth variability. Option D), Direct Connect circuits without centralized routing or monitoring, lacks centralized policy enforcement and monitoring capabilities, complicating network operations.
Deploying AWS Transit Gateway with inter-region peering, Network Firewall, and CloudWatch centralized logging enables a resilient, scalable, secure, and fully monitored global network. This architecture ensures centralized routing, automated failover, traffic inspection, encryption, and compliance monitoring, fulfilling the operational, security, and performance requirements of global enterprises.
Question 65
A multinational enterprise is building a multi-region network that includes multiple AWS accounts, VPCs, and on-premises networks. The network must support centralized routing, automated failover, traffic inspection, encryption, and centralized monitoring for compliance. Which architecture is optimal?
A) VPC Peering with individual firewalls and local logging
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPNs with static routing and decentralized monitoring
D) Direct Connect circuits to each VPC with separate routing and logging
Answer: B
Explanation:
Deploying a multi-region, multi-account enterprise network with on-premises integration requires a solution that addresses centralized routing, high availability, automated failover, traffic inspection, encryption, and centralized monitoring for compliance. The optimal solution is AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging.
AWS Transit Gateway serves as a central hub for connecting multiple VPCs and on-premises networks in a hub-and-spoke topology. This architecture supports transitive routing, allowing communication between connected networks without needing multiple VPC Peering connections, which simplifies management and scales effectively. Inter-region peering provides low-latency, high-throughput connectivity between VPCs in different regions over AWS’s private backbone, ensuring predictable performance and reliability.
AWS Network Firewall provides centralized traffic inspection, intrusion detection, policy enforcement, and segmentation across multiple accounts and regions. Centralized firewall management ensures consistent security policy enforcement and compliance while reducing operational risks. Individual firewalls in each VPC or region increase complexity and operational overhead, making it difficult to maintain consistency.
CloudWatch centralized logging aggregates metrics, logs, and alarms from Transit Gateway, Network Firewall, and connected VPCs. This allows real-time alerting, operational monitoring, troubleshooting, and compliance auditing. Without centralized logging, teams must consolidate logs manually from multiple accounts and regions, which increases risk and operational effort.
Option A), VPC Peering with per-VPC firewalls, does not scale efficiently across multiple regions and accounts. Option C), multiple Site-to-Site VPNs with static routing, relies on the public internet, introducing latency, bandwidth variability, and complex failover. Option D), Direct Connect circuits without centralized routing and monitoring, provides private connectivity but lacks the operational simplicity, centralized policy enforcement, and monitoring required for enterprise-scale networks.
Implementing AWS Transit Gateway with inter-region peering, Network Firewall, and CloudWatch centralized logging ensures a highly available, secure, scalable, and fully monitored network architecture. This solution provides centralized routing, automated failover, traffic inspection, encryption, low-latency inter-region communication, and comprehensive monitoring, fulfilling the needs of multinational enterprises deploying complex hybrid cloud networks.
Question 66
A company is designing a global, multi-account AWS network that needs to support multi-region VPC connectivity, centralized security policies, automated failover, and centralized logging for compliance. Which AWS solution combination is most suitable for these requirements?
A) VPC Peering with separate firewalls and independent monitoring per VPC
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPNs with static routing and decentralized monitoring
D) Direct Connect circuits to each VPC with individual routing and monitoring
Answer: B
Explanation:
Designing a global, multi-account AWS network requires a comprehensive solution that supports centralized routing, security enforcement, automated failover, encryption, and centralized monitoring. The combination of AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging meets these requirements most effectively.
AWS Transit Gateway functions as a centralized hub connecting multiple VPCs and on-premises networks in a hub-and-spoke topology. This enables transitive routing, meaning all connected VPCs can communicate through the hub without the need for a complex mesh of VPC Peering connections. This approach scales efficiently, especially for enterprises managing dozens or hundreds of VPCs across multiple AWS accounts. Inter-region peering allows low-latency, high-throughput communication between regions using AWS’s private backbone rather than the public internet, providing predictable performance and enhanced security.
AWS Network Firewall ensures centralized policy enforcement, traffic inspection, intrusion detection, and segmentation. Deploying a centralized firewall reduces operational complexity and ensures that security policies are consistently applied across accounts and regions. If individual firewalls are used in each VPC (option A), it increases the risk of misconfigurations, inconsistent security enforcement, and higher management overhead.
CloudWatch centralized logging aggregates logs, metrics, and alarms from Transit Gateway and Network Firewall, enabling real-time monitoring, auditing, compliance reporting, and operational insights. This centralized approach improves security visibility, simplifies troubleshooting, and accelerates incident response. Decentralized monitoring (option C) or per-VPC logging (option A) fragments visibility and reduces operational efficiency.
Option D), Direct Connect to each VPC, provides dedicated connectivity but lacks centralized routing, policy enforcement, and centralized monitoring, which complicates management at scale. Multiple Site-to-Site VPNs (option C) introduce unpredictable latency, bandwidth variability, and complex failover requirements.
By leveraging AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging, organizations achieve a resilient, secure, and fully monitored multi-region network. This architecture supports automated failover, low-latency global communication, consistent policy enforcement, centralized monitoring, and compliance reporting, making it ideal for enterprise-scale global networks spanning multiple AWS accounts and regions.
Question 67
An enterprise wants to connect multiple AWS VPCs across regions and accounts with centralized routing, automated failover, encryption, and monitoring for compliance. They also require traffic inspection and enforcement of security policies at a central point. Which architecture should they implement?
A) VPC Peering with firewalls in each VPC and separate logging
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPNs with static routing and local monitoring agents
D) Direct Connect circuits to each VPC with independent routing and monitoring
Answer: B
Explanation:
For a multi-region, multi-account enterprise network, the architecture must handle centralized routing, high availability, security enforcement, automated failover, encryption, traffic inspection, and centralized monitoring. The most appropriate solution is AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging.
AWS Transit Gateway provides a centralized hub for connecting VPCs and on-premises networks. This hub-and-spoke topology allows transitive routing, enabling any connected VPC to communicate with others without requiring a mesh of VPC Peering connections. This dramatically reduces operational complexity and improves scalability. Inter-region peering ensures low-latency, high-bandwidth communication between regions, utilizing AWS’s private backbone instead of relying on the public internet. This provides predictable performance, security, and automated failover in the event of network disruptions.
AWS Network Firewall provides centralized security inspection and enforcement, including intrusion detection, policy enforcement, segmentation, and logging. Centralized firewall management ensures consistent security policy application across multiple accounts and regions, reducing risk and simplifying compliance audits. Deploying firewalls in each VPC (option A) increases administrative overhead and the chance of misconfigurations, making centralized enforcement much more practical for enterprises.
CloudWatch centralized logging aggregates metrics, alarms, and logs from Transit Gateway and Network Firewall, providing real-time operational visibility, troubleshooting, alerting, and compliance monitoring. Centralized logging ensures enterprises can quickly detect anomalies, monitor policy adherence, and provide auditors with consistent reporting. Decentralized monitoring or per-VPC logging (options A and C) fragments visibility and delays operational insights.
Option D), Direct Connect circuits to each VPC, provides dedicated connectivity but lacks centralized routing, traffic inspection, and centralized monitoring, making it difficult to manage security and compliance at scale. Multiple Site-to-Site VPNs (option C) introduce latency variability and complex failover requirements.
By using AWS Transit Gateway with inter-region peering, Network Firewall, and CloudWatch centralized logging, enterprises achieve a secure, scalable, resilient, and fully monitored multi-region network. This approach provides centralized routing, automated failover, encryption, centralized security enforcement, traffic inspection, low-latency inter-region communication, and comprehensive monitoring, making it ideal for complex enterprise deployments across AWS regions and accounts.
Question 68
A global enterprise needs a network design connecting multiple AWS accounts, VPCs, and on-premises data centers. Requirements include centralized routing, automated failover, traffic inspection, encryption, and centralized logging for compliance. Which AWS services and architecture combination is most appropriate?
A) VPC Peering with individual firewalls per VPC
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPNs with static routing and decentralized monitoring
D) Direct Connect circuits to each VPC with individual routing and monitoring
Answer: B
Explanation:
Designing a global enterprise network across multiple AWS accounts, regions, and on-premises environments requires a solution that provides centralized routing, high availability, automated failover, traffic inspection, encryption, and centralized logging for compliance. The ideal architecture is AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging.
AWS Transit Gateway acts as a centralized hub, connecting multiple VPCs and on-premises networks. It supports transitive routing, which allows VPCs to communicate through a central hub rather than requiring a full mesh of VPC Peering connections. This significantly reduces operational complexity and scales efficiently across multiple accounts and regions. Inter-region peering provides low-latency, high-bandwidth connectivity between regions, leveraging AWS’s private backbone instead of the public internet. This ensures predictable network performance, high availability, and automated failover in the event of outages or disruptions.
AWS Network Firewall provides centralized traffic inspection, intrusion detection, policy enforcement, and segmentation. Centralized firewall management ensures consistent security policy application across all VPCs and accounts, reducing operational risk and simplifying compliance audits. Deploying firewalls individually in each VPC (option A) increases administrative overhead and introduces the risk of misconfigurations that could lead to vulnerabilities.
CloudWatch centralized logging aggregates logs, metrics, and alarms from Transit Gateway and Network Firewall, enabling real-time monitoring, alerting, troubleshooting, and compliance reporting. Centralized logging ensures that operational and security data is collected consistently across all connected environments, facilitating audit readiness and operational efficiency. Decentralized logging (options A and C) fragments visibility and increases operational complexity.
Option D), Direct Connect circuits to each VPC, provides dedicated connectivity but lacks centralized routing, centralized traffic inspection, and unified monitoring, complicating management. Multiple Site-to-Site VPNs (option C) rely on the public internet, introducing variable latency, bandwidth constraints, and complex failover mechanisms.
By implementing AWS Transit Gateway with inter-region peering, Network Firewall, and CloudWatch centralized logging, enterprises achieve a secure, scalable, resilient, and fully monitored multi-region network. This architecture ensures centralized routing, automated failover, encryption, consistent traffic inspection, policy enforcement, low-latency inter-region communication, and comprehensive monitoring, satisfying the operational, security, and compliance needs of a global enterprise.
Question 69
A company is architecting a multi-region, multi-account AWS network with hybrid connectivity to on-premises data centers. The network must support centralized routing, automated failover, traffic inspection, encryption, and centralized logging. Which design provides the most scalable, secure, and compliant solution?
A) VPC Peering with firewalls in each VPC and per-VPC logging
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPNs with static routing and decentralized monitoring
D) Direct Connect circuits to each VPC with separate routing and logging
Answer: B
Explanation:
A multi-region, multi-account AWS network with hybrid on-premises connectivity requires a solution that ensures centralized routing, high availability, automated failover, security enforcement, encryption, and centralized monitoring. The recommended solution is AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging.
AWS Transit Gateway serves as a centralized hub connecting multiple VPCs and on-premises networks in a hub-and-spoke topology. This hub supports transitive routing, enabling VPCs and on-premises networks to communicate without creating a complex mesh of VPC Peering connections. Inter-region peering ensures low-latency, high-bandwidth connectivity between regions via AWS’s private backbone, enhancing performance, resilience, and automated failover in case of network disruptions.
AWS Network Firewall provides centralized traffic inspection, policy enforcement, intrusion detection, and segmentation. Centralized firewall management ensures consistent security policy application, reducing risk and simplifying compliance audits. Deploying firewalls individually in each VPC increases operational overhead and the potential for inconsistent security configurations.
CloudWatch centralized logging aggregates metrics, logs, and alarms from Transit Gateway and Network Firewall, enabling real-time monitoring, alerting, troubleshooting, and compliance reporting. Centralized logging ensures operational visibility across all accounts and regions, providing audit-ready compliance data and facilitating rapid response to security incidents. Decentralized monitoring (options A and C) fragments visibility and increases operational effort.
Option D), Direct Connect circuits to each VPC, provides dedicated connectivity but lacks centralized routing, traffic inspection, and monitoring, complicating management at scale. Multiple Site-to-Site VPNs (option C) introduce latency variability, bandwidth limitations, and complex failover management.
Implementing AWS Transit Gateway with inter-region peering, Network Firewall, and CloudWatch centralized logging provides a secure, scalable, resilient, and fully monitored multi-region and multi-account network. This solution guarantees centralized routing, automated failover, encryption, centralized security enforcement, traffic inspection, low-latency global communication, and compliance monitoring, making it the most suitable choice for complex enterprise hybrid cloud architectures.
Question 70
A multinational organization is building a global AWS network that includes multiple accounts, VPCs, and on-premises environments. The architecture must provide centralized routing, automated failover, traffic inspection, encryption, and centralized monitoring for compliance. Which solution best meets these requirements?
A) VPC Peering with firewalls in each VPC and separate logging
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPNs with static routing and decentralized monitoring
D) Direct Connect circuits to each VPC with independent routing and logging
Answer: B
Explanation:
Designing a global AWS network spanning multiple accounts, VPCs, and on-premises environments requires a solution that addresses centralized routing, high availability, automated failover, security enforcement, encryption, traffic inspection, and centralized logging. The optimal solution is AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging.
AWS Transit Gateway acts as a centralized hub, connecting multiple VPCs and on-premises networks in a hub-and-spoke topology. This topology allows transitive routing, eliminating the need for multiple VPC Peering connections and reducing operational complexity. Inter-region peering provides low-latency, high-bandwidth connectivity between regions using AWS’s private backbone, ensuring predictable performance, high availability, and automated failover in case of network disruptions.
AWS Network Firewall centralizes traffic inspection, policy enforcement, intrusion detection, and segmentation, ensuring that security policies are consistently applied across all accounts and regions. Deploying firewalls individually in each VPC increases operational overhead and introduces the risk of misconfigurations, which could compromise security and compliance.
CloudWatch centralized logging aggregates metrics, logs, and alarms from Transit Gateway and Network Firewall, providing real-time monitoring, alerting, troubleshooting, and audit-ready compliance reporting. Centralized monitoring improves operational visibility, accelerates incident response, and ensures consistent reporting across accounts and regions. Decentralized monitoring or per-VPC logging (options A and C) fragments visibility, complicating security operations and compliance efforts.
Option D), Direct Connect circuits to each VPC, provides dedicated connectivity but lacks centralized routing, traffic inspection, and monitoring, which complicates enterprise-scale management. Multiple Site-to-Site VPNs (option C) introduce latency variability, bandwidth limitations, and complex failover management.
Using AWS Transit Gateway with inter-region peering, Network Firewall, and CloudWatch centralized logging ensures a secure, scalable, resilient, and fully monitored global network architecture. This design supports centralized routing, automated failover, encryption, traffic inspection, centralized security enforcement, low-latency inter-region communication, and comprehensive compliance monitoring, making it ideal for multinational organizations operating complex hybrid cloud environments.
Question 71
A company wants to deploy a global AWS network with multiple VPCs across different regions. The network must ensure centralized routing, high availability, automated failover, traffic inspection, encryption, and centralized logging for compliance audits. Which combination of AWS services and architecture should be implemented?
A) VPC Peering with firewalls deployed in each VPC and per-VPC logging
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPN connections with static routing and decentralized monitoring
D) Direct Connect circuits to each VPC with independent routing and logging
Answer: B
Explanation:
When designing a global AWS network spanning multiple regions and accounts, organizations must focus on centralized routing, traffic inspection, high availability, automated failover, encryption, and centralized monitoring for compliance. The architecture that best meets these requirements is AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging.
AWS Transit Gateway serves as a centralized hub connecting multiple VPCs and on-premises networks using a hub-and-spoke model. This enables transitive routing, allowing all connected networks to communicate without creating a complex mesh of VPC Peering connections, which would otherwise scale poorly. Inter-region peering facilitates high-speed, low-latency communication between VPCs in different AWS regions using AWS’s private backbone. This ensures consistent network performance and provides automated failover if a regional VPC becomes unavailable.
AWS Network Firewall provides centralized security enforcement, including intrusion detection, traffic inspection, filtering, and segmentation. A centralized firewall ensures that security policies are uniformly applied across all VPCs and regions, reducing the risk of misconfigurations that could occur if firewalls were deployed individually in each VPC (option A). Centralized security also simplifies auditing, compliance verification, and incident response, as logs and alerts can be aggregated for a single source of truth.
CloudWatch centralized logging collects metrics, logs, and alarms from both Transit Gateway and Network Firewall, allowing real-time monitoring, auditing, compliance reporting, and operational insights. Centralized logging eliminates fragmentation, which is common in decentralized monitoring setups (options A and C), where logs are scattered across multiple accounts or VPCs. By consolidating logs, organizations can quickly detect anomalies, enforce compliance, and maintain operational continuity.
Option D), using Direct Connect circuits to each VPC, provides dedicated connectivity but lacks centralized routing, centralized security, and consolidated logging, resulting in higher operational overhead and complexity. Multiple Site-to-Site VPNs (option C) rely on the public internet, leading to unpredictable latency, bandwidth constraints, and more complex failover and routing configurations.
Implementing AWS Transit Gateway with inter-region peering, Network Firewall, and CloudWatch centralized logging creates a resilient, secure, scalable, and fully monitored global network. This solution addresses centralized routing, automated failover, encryption, policy enforcement, traffic inspection, and compliance-ready centralized logging, making it the optimal architecture for multinational enterprises leveraging multiple AWS regions and accounts.
Question 72
An enterprise wants a secure and resilient network architecture connecting multiple AWS accounts and regions, with hybrid connectivity to on-premises environments. The solution must include centralized routing, automated failover, traffic inspection, encryption, and centralized monitoring for compliance. Which AWS architecture should be implemented?
A) VPC Peering with individual firewalls and per-VPC logging
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPNs with static routing and decentralized monitoring
D) Direct Connect circuits to each VPC with separate routing and logging
Answer: B
Explanation:
Designing a resilient, multi-account, multi-region network with hybrid connectivity requires a solution that integrates centralized routing, traffic inspection, encryption, automated failover, and centralized logging. The recommended architecture is AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging.
AWS Transit Gateway functions as a hub connecting multiple VPCs and on-premises networks. Its hub-and-spoke topology enables transitive routing, so VPCs and on-premises networks can communicate without building a complex mesh of VPC Peering connections, which becomes unmanageable at scale. Inter-region peering ensures low-latency, high-bandwidth connectivity between regions using AWS’s private backbone, guaranteeing predictable performance, reliability, and automated failover during outages.
AWS Network Firewall enforces centralized security policies, traffic inspection, segmentation, and intrusion detection. Centralized firewall deployment ensures consistent policy enforcement across all accounts and regions, reducing operational overhead and risk of misconfiguration. Deploying separate firewalls in each VPC (option A) increases administrative complexity and can fragment security visibility.
CloudWatch centralized logging collects and consolidates logs, metrics, and alarms from Transit Gateway and Network Firewall. This approach provides real-time monitoring, compliance auditing, alerting, and troubleshooting capabilities from a single pane of glass. Decentralized logging (options A and C) can fragment operational visibility, delay incident response, and complicate compliance reporting.
Option D), Direct Connect to each VPC, offers dedicated connectivity but does not provide centralized routing, centralized traffic inspection, or consolidated monitoring, making operational management at scale complex. Multiple Site-to-Site VPNs (option C) are dependent on the public internet, which introduces unpredictable latency, bandwidth variability, and manual failover complexity.
By using AWS Transit Gateway with inter-region peering, Network Firewall, and CloudWatch centralized logging, enterprises achieve a highly scalable, secure, resilient, and fully monitored global network architecture. This design ensures centralized routing, automated failover, encryption, policy enforcement, traffic inspection, and compliance-ready monitoring, making it optimal for organizations with multi-region, multi-account, and hybrid AWS deployments.
Question 73
A multinational organization needs a global AWS network connecting multiple accounts and regions with hybrid links to on-premises data centers. The architecture must provide centralized routing, automated failover, traffic inspection, encryption, and centralized monitoring for compliance purposes. Which solution is most suitable?
A) VPC Peering with firewalls per VPC and individual logging
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPN connections with static routing and decentralized monitoring
D) Direct Connect to each VPC with independent routing and logging
Answer: B
Explanation:
For a global AWS network spanning multiple accounts and regions, including hybrid connectivity, a solution must meet requirements for centralized routing, automated failover, traffic inspection, encryption, and centralized monitoring. The ideal architecture is AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging.
AWS Transit Gateway provides centralized routing and connectivity for multiple VPCs and on-premises environments using a hub-and-spoke model. This design supports transitive routing, reducing the complexity associated with maintaining VPC Peering connections between all VPCs. Inter-region peering enables low-latency, high-bandwidth inter-region communication using AWS’s private backbone, ensuring reliable and predictable connectivity. This approach supports automated failover, providing network resilience if a region or VPC becomes unavailable.
AWS Network Firewall enforces centralized traffic inspection, intrusion detection, and segmentation, ensuring that security policies are consistently applied across all accounts and regions. Centralized security management reduces the risk of misconfigurations and simplifies compliance audits. Firewalls deployed individually per VPC (option A) fragment policy enforcement and create operational inefficiencies.
CloudWatch centralized logging aggregates metrics, alarms, and logs from Transit Gateway and Network Firewall into a single platform for real-time monitoring, troubleshooting, alerting, and compliance reporting. Centralized logging provides audit-ready reporting and operational visibility, which is challenging to achieve with decentralized monitoring or per-VPC logging (options A and C).
Option D), Direct Connect circuits to each VPC, provides dedicated connectivity but lacks centralized routing, centralized security enforcement, and consolidated monitoring, which complicates management and scaling. Multiple Site-to-Site VPNs (option C) introduce variable latency, bandwidth constraints, and complex failover requirements.
Implementing AWS Transit Gateway with inter-region peering, Network Firewall, and CloudWatch centralized logging creates a scalable, secure, resilient, and fully monitored global network. This architecture ensures centralized routing, automated failover, encryption, traffic inspection, policy enforcement, low-latency inter-region connectivity, and compliance-ready monitoring, making it ideal for multinational organizations operating hybrid cloud networks across AWS accounts and regions.
Question 74
An enterprise plans to deploy a secure, multi-region AWS network connecting several accounts and on-premises data centers. The design must include centralized routing, automated failover, traffic inspection, encryption, and centralized logging to meet compliance requirements. Which architecture best fits these criteria?
A) VPC Peering with separate firewalls and per-VPC logging
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPNs with static routing and decentralized monitoring
D) Direct Connect to each VPC with individual routing and logging
Answer: B
Explanation:
Deploying a multi-region AWS network with hybrid connectivity requires a solution that ensures centralized routing, automated failover, security enforcement, encryption, and centralized monitoring for compliance. The recommended architecture is AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging.
AWS Transit Gateway serves as a centralized hub connecting VPCs and on-premises networks in a hub-and-spoke topology. This architecture provides transitive routing, enabling VPCs and on-premises networks to communicate without requiring complex meshes of VPC Peering connections, which are difficult to scale. Inter-region peering enables high-speed, low-latency connectivity between regions using AWS’s private backbone, ensuring predictable network performance and automated failover in case of regional or VPC outages.
AWS Network Firewall enforces centralized traffic inspection, segmentation, and security policies. Centralized firewall deployment ensures consistent policy enforcement across multiple accounts and regions, reducing operational risk and simplifying auditing. Deploying individual firewalls per VPC (option A) increases administrative complexity and can result in fragmented security enforcement.
CloudWatch centralized logging consolidates logs, metrics, and alarms from Transit Gateway and Network Firewall into a unified platform, enabling real-time monitoring, alerting, troubleshooting, and compliance reporting. Centralized logging ensures operational visibility and audit-ready reporting, which is challenging with decentralized monitoring (options A and C) or per-VPC logging.
Option D), Direct Connect to each VPC, provides dedicated connectivity but lacks centralized routing, centralized traffic inspection, and consolidated monitoring, resulting in higher operational overhead. Multiple Site-to-Site VPNs (option C) are prone to latency variability, bandwidth constraints, and manual failover challenges.
By implementing AWS Transit Gateway with inter-region peering, Network Firewall, and CloudWatch centralized logging, organizations achieve a secure, scalable, resilient, and fully monitored global network architecture. This design supports centralized routing, automated failover, encryption, traffic inspection, policy enforcement, low-latency inter-region connectivity, and compliance-ready monitoring, making it ideal for complex enterprise cloud networks.
Question 75
A multinational company needs to architect a global AWS network connecting multiple accounts, VPCs, and on-premises data centers. Requirements include centralized routing, automated failover, traffic inspection, encryption, and centralized logging for compliance. Which AWS design should be adopted?
A) VPC Peering with per-VPC firewalls and separate logging
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPNs with static routing and decentralized monitoring
D) Direct Connect circuits to each VPC with independent routing and logging
Answer: B
Explanation:
Designing a global AWS network with multiple accounts, regions, and hybrid connections requires a solution that ensures centralized routing, automated failover, traffic inspection, encryption, and centralized monitoring. The ideal solution is AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging.
AWS Transit Gateway functions as a central hub connecting multiple VPCs and on-premises networks. Its hub-and-spoke model allows transitive routing, eliminating the need for a complex mesh of VPC Peering connections, which can be operationally intensive and difficult to scale. Inter-region peering ensures low-latency, high-throughput communication between regions using AWS’s private backbone, which enhances performance and supports automated failover during outages.
AWS Network Firewall provides centralized security enforcement, traffic inspection, intrusion detection, and segmentation. Centralized firewall management ensures uniform security policy application across all accounts and regions, reducing operational risk and simplifying compliance audits. Deploying firewalls individually per VPC (option A) increases operational complexity and risks inconsistent enforcement.
CloudWatch centralized logging aggregates metrics, alarms, and logs from Transit Gateway and Network Firewall into a centralized dashboard for real-time monitoring, alerting, troubleshooting, and compliance reporting. Centralized monitoring ensures operational visibility and audit-ready reporting, which is difficult with decentralized monitoring (options A and C) or per-VPC logging.
Option D), Direct Connect circuits to each VPC, provides dedicated connectivity but lacks centralized routing, centralized traffic inspection, and consolidated monitoring, increasing operational overhead. Multiple Site-to-Site VPNs (option C) rely on the public internet, leading to variable latency, bandwidth constraints, and complex failover management.
Implementing AWS Transit Gateway with inter-region peering, Network Firewall, and CloudWatch centralized logging creates a secure, scalable, resilient, and fully monitored global network. This architecture provides centralized routing, automated failover, encryption, traffic inspection, policy enforcement, low-latency inter-region communication, and compliance-ready monitoring, making it the optimal design for multinational enterprises managing complex hybrid cloud environments.
Question 76
A multinational organization wants to deploy a hybrid network using AWS with multiple VPCs in different regions. The solution must provide centralized routing, automated failover, traffic inspection, encryption, centralized logging, and comply with regulatory standards. Which architecture best satisfies these requirements?
A) VPC Peering with individual firewalls and per-VPC logging
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPNs with static routing and decentralized monitoring
D) Direct Connect circuits to each VPC with independent routing and logging
Answer: B
Explanation:
When deploying a hybrid AWS network across multiple regions, organizations face challenges like centralized routing, traffic inspection, encryption, failover, and compliance-ready logging. The optimal solution is AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging.
AWS Transit Gateway acts as a centralized hub connecting multiple VPCs and on-premises networks using a hub-and-spoke topology. This design allows transitive routing, meaning VPCs and on-premises networks can communicate efficiently without the overhead of a full mesh of VPC Peering connections. Inter-region peering enhances connectivity between regions over AWS’s private backbone, offering high bandwidth, low latency, and automated failover during regional outages. Transit Gateway also simplifies hybrid connectivity by integrating with Direct Connect or VPN connections, ensuring a secure hybrid network.
AWS Network Firewall provides centralized traffic inspection, segmentation, intrusion prevention, and policy enforcement across all connected VPCs. Centralized firewalls ensure consistent security policies, reduce the risk of misconfigurations, and facilitate regulatory compliance, such as HIPAA, PCI DSS, or GDPR, by enforcing encryption and inspection policies across all traffic. Deploying firewalls per VPC (option A) complicates administration and fragments security visibility.
CloudWatch centralized logging aggregates metrics, alarms, and logs from Transit Gateway and Network Firewall, enabling real-time monitoring, operational insights, compliance auditing, and troubleshooting from a single pane of glass. Decentralized monitoring (options A and C) leads to fragmented logging, delayed incident response, and difficulty in auditing. Centralized logs also enable organizations to meet compliance and audit requirements effectively.
Option D), Direct Connect to each VPC, ensures dedicated connectivity but lacks centralized routing, centralized security, and consolidated monitoring, increasing operational complexity. Multiple Site-to-Site VPNs (option C) are reliant on the public internet, resulting in variable latency, bandwidth limitations, and manual failover, which fails to meet enterprise reliability requirements.
By implementing AWS Transit Gateway with inter-region peering, Network Firewall, and CloudWatch centralized logging, the organization achieves a resilient, secure, fully monitored, and regulatory-compliant global network. This solution provides centralized routing, automated failover, encryption, traffic inspection, policy enforcement, low-latency inter-region connectivity, and compliance-ready centralized monitoring, making it ideal for complex hybrid cloud architectures.
Question 77
An enterprise needs a secure, multi-region AWS network connecting several accounts and on-premises data centers. The network must provide centralized routing, automated failover, encryption, traffic inspection, and centralized logging to meet compliance standards. Which architecture meets these requirements?
A) VPC Peering with firewalls deployed in each VPC and separate logging
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPNs with static routing and decentralized monitoring
D) Direct Connect to each VPC with individual routing and logging
Answer: B
Explanation:
For a secure, multi-region hybrid network, a solution must integrate centralized routing, automated failover, traffic inspection, encryption, and centralized logging for compliance. The optimal architecture is AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging.
AWS Transit Gateway functions as a central hub, connecting multiple VPCs and on-premises networks through a hub-and-spoke model. This enables transitive routing, allowing all VPCs and on-premises networks to communicate efficiently without the overhead of a VPC Peering mesh. Inter-region peering enhances low-latency, high-bandwidth communication across regions using AWS’s private backbone, ensuring predictable network performance and automated failover in case of VPC or regional outages.
AWS Network Firewall ensures centralized traffic inspection, security policy enforcement, and segmentation, which is essential for enterprise-grade security and compliance auditing. Centralized firewalls provide uniform security policies across all accounts and regions, simplifying administration and reducing the risk of misconfigurations. Deploying individual firewalls per VPC (option A) increases complexity and fragments security visibility.
CloudWatch centralized logging consolidates metrics, alarms, and logs from Transit Gateway and Network Firewall into a single platform for real-time monitoring, alerting, troubleshooting, and compliance reporting. This centralized approach ensures operational visibility and audit-readiness, which is challenging with decentralized logging (options A and C) or per-VPC logging.
Option D), Direct Connect to each VPC, provides dedicated connectivity but lacks centralized routing, centralized traffic inspection, and consolidated monitoring, increasing operational overhead. Multiple Site-to-Site VPNs (option C) rely on the public internet, which introduces variable latency, bandwidth limitations, and manual failover challenges, compromising reliability and scalability.
By deploying AWS Transit Gateway with inter-region peering, Network Firewall, and CloudWatch centralized logging, the enterprise achieves a resilient, secure, scalable, and fully monitored global network. This architecture satisfies centralized routing, automated failover, encryption, traffic inspection, policy enforcement, low-latency inter-region communication, and compliance-ready monitoring, making it optimal for multinational organizations managing hybrid cloud environments.
Question 78
A global organization plans to connect multiple AWS accounts, VPCs, and on-premises data centers with a highly secure and resilient network. The architecture must provide centralized routing, automated failover, traffic inspection, encryption, and centralized logging to meet regulatory requirements. Which solution is most appropriate?
A) VPC Peering with firewalls per VPC and separate logging
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPNs with static routing and decentralized monitoring
D) Direct Connect circuits to each VPC with independent routing and logging
Answer: B
Explanation:
Designing a secure, multi-account, multi-region hybrid AWS network requires addressing centralized routing, automated failover, traffic inspection, encryption, and compliance-ready logging. The most suitable solution is AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging.
AWS Transit Gateway enables centralized routing and connectivity for multiple VPCs and on-premises environments through a hub-and-spoke topology. Transitive routing simplifies communication between VPCs and on-premises networks without requiring a complex mesh of VPC Peering connections. Inter-region peering ensures low-latency, high-bandwidth connectivity between regions over AWS’s private backbone, providing automated failover during regional outages and improving network resilience.
AWS Network Firewall provides centralized security enforcement, traffic inspection, and segmentation, ensuring consistent security policies across multiple accounts and regions. Centralized firewall deployment reduces operational complexity, mitigates the risk of misconfigurations, and ensures compliance with regulations such as HIPAA, PCI DSS, or GDPR. Deploying individual firewalls per VPC (option A) fragments policy enforcement and increases administrative overhead.
CloudWatch centralized logging aggregates logs, metrics, and alarms from Transit Gateway and Network Firewall into a unified platform, enabling real-time monitoring, alerting, troubleshooting, and audit-ready compliance reporting. Decentralized logging (options A and C) leads to fragmented visibility, delayed response times, and difficulties in audit compliance. Centralized logging allows enterprises to maintain a single source of truth for operational monitoring and regulatory reporting.
Option D), Direct Connect circuits to each VPC, provides dedicated connectivity but lacks centralized routing, traffic inspection, and consolidated logging, complicating operational management. Multiple Site-to-Site VPNs (option C) rely on the public internet, which results in unpredictable latency, bandwidth limitations, and manual failover, failing to meet enterprise-grade reliability requirements.
Implementing AWS Transit Gateway with inter-region peering, Network Firewall, and CloudWatch centralized logging ensures a resilient, secure, scalable, and fully monitored global network. This architecture satisfies centralized routing, automated failover, encryption, traffic inspection, policy enforcement, low-latency inter-region connectivity, and compliance-ready centralized monitoring, making it the optimal choice for global enterprises with complex hybrid networks.
Question 79
A multinational enterprise wants to create a hybrid AWS network connecting multiple regions, accounts, and on-premises data centers. The architecture must provide centralized routing, automated failover, traffic inspection, encryption, and centralized logging to comply with regulatory standards. Which architecture should be chosen?
A) VPC Peering with firewalls per VPC and separate logging
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPNs with static routing and decentralized monitoring
D) Direct Connect to each VPC with independent routing and logging
Answer: B
Explanation:
For a hybrid AWS network spanning multiple accounts and regions, the architecture must provide centralized routing, automated failover, traffic inspection, encryption, and compliance-ready logging. The recommended solution is AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging.
AWS Transit Gateway serves as a central hub, enabling hub-and-spoke routing between multiple VPCs and on-premises networks. This allows transitive routing, eliminating the need for a complex mesh of VPC Peering connections. Inter-region peering enables low-latency, high-bandwidth communication between regions via AWS’s private backbone, providing reliable connectivity and automated failover for business continuity during outages.
AWS Network Firewall enforces centralized traffic inspection, policy enforcement, and segmentation, ensuring that security policies are uniform across multiple accounts and regions. Centralized firewalls reduce operational complexity and mitigate the risk of misconfigurations. Deploying individual firewalls per VPC (option A) fragments security and increases administrative overhead.
CloudWatch centralized logging consolidates metrics, alarms, and logs from Transit Gateway and Network Firewall, enabling real-time monitoring, alerting, troubleshooting, and compliance reporting. Decentralized logging (options A and C) complicates audit-readiness and operational visibility. Centralized logging provides a single source of truth for security and operational monitoring, ensuring compliance with regulatory standards.
Option D), Direct Connect to each VPC, provides dedicated connectivity but lacks centralized routing, traffic inspection, and consolidated monitoring, increasing operational complexity. Multiple Site-to-Site VPNs (option C) rely on public internet paths, resulting in variable latency, bandwidth limitations, and manual failover, which is unsuitable for enterprise-grade reliability.
By deploying AWS Transit Gateway with inter-region peering, Network Firewall, and CloudWatch centralized logging, enterprises achieve a resilient, secure, scalable, and fully monitored hybrid cloud network. This design meets centralized routing, automated failover, encryption, traffic inspection, policy enforcement, low-latency inter-region communication, and compliance-ready monitoring, making it ideal for multinational organizations.
Question 80
An enterprise must design a global AWS network connecting multiple accounts, regions, and on-premises data centers. The solution must ensure centralized routing, automated failover, traffic inspection, encryption, and centralized logging to satisfy regulatory compliance. Which architecture is most appropriate?
A) VPC Peering with firewalls per VPC and decentralized logging
B) AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging
C) Multiple Site-to-Site VPNs with static routing and individual monitoring
D) Direct Connect circuits to each VPC with independent routing and logging
Answer: B
Explanation:
Designing a global hybrid AWS network for multiple accounts, regions, and on-premises connectivity requires a solution that ensures centralized routing, automated failover, traffic inspection, encryption, and compliance-ready centralized logging. The most appropriate solution is AWS Transit Gateway with inter-region peering, AWS Network Firewall, and CloudWatch centralized logging.
AWS Transit Gateway acts as a central hub, providing hub-and-spoke routing between multiple VPCs and on-premises networks. This enables transitive routing, eliminating the need for complex VPC Peering meshes. Inter-region peering ensures high-speed, low-latency communication across regions using AWS’s private backbone, providing predictable performance and automated failover during regional outages.
AWS Network Firewall delivers centralized traffic inspection, intrusion detection, segmentation, and policy enforcement, ensuring uniform security policies across multiple accounts and regions. Centralized firewall deployment reduces operational complexity, mitigates misconfiguration risk, and ensures regulatory compliance. Firewalls per VPC (option A) create fragmented enforcement and increase administrative overhead.
CloudWatch centralized logging consolidates metrics, logs, and alarms from Transit Gateway and Network Firewall, enabling real-time monitoring, alerting, troubleshooting, and compliance reporting. Centralized logging ensures a single source of truth for operational and security visibility, which is challenging with decentralized logging (options A and C) or per-VPC monitoring.
Option D), Direct Connect to each VPC, provides dedicated connectivity but lacks centralized routing, centralized security enforcement, and consolidated monitoring, resulting in operational complexity. Multiple Site-to-Site VPNs (option C) rely on the public internet, introducing variable latency, bandwidth limitations, and manual failover, making them unsuitable for enterprise-grade reliability.
Deploying AWS Transit Gateway with inter-region peering, Network Firewall, and CloudWatch centralized logging creates a secure, resilient, scalable, and fully monitored global hybrid network. This solution ensures centralized routing, automated failover, encryption, traffic inspection, policy enforcement, low-latency inter-region communication, and compliance-ready centralized monitoring, making it optimal for multinational organizations with hybrid cloud environments.
