A company wants to enforce that all outbound traffic from its VPC flows through a centralized inspection VPC for security monitoring. The VPCs are connected via Transit Gateway. Which set of actions should a network engineer take to ensure that traffic from application VPCs is routed to the inspection VPC before reaching the internet?
- A: Create VPC peering connections between each application VPC and the inspection VPC, and add routes pointing to the peering connection.
  Why wrong: VPC peering does not support transitive routing; traffic to the internet would not go through the inspection VPC.
- B: Attach an internet gateway to each application VPC and add a default route pointing to the inspection VPC's NAT gateway.
  Why wrong: A NAT gateway cannot be a route target across VPCs.
- C: Attach an internet gateway to each application VPC and add a default route pointing to it.
  Why wrong: This bypasses the inspection VPC entirely.
- D: Create a TGW route table with a blackhole route for 0.0.0.0/0 and associate it with the application VPC attachments; attach the inspection VPC to a different TGW route table that has a route to the internet via an egress VPC.
  Correct: This enforces the traffic flow through the inspection VPC.