A company is designing a network architecture for a multi-account AWS environment. They need to establish a central inspection VPC through which all traffic between VPCs in different accounts must pass. Which AWS service should be used to route traffic between VPCs through the inspection VPC?
Transit Gateway supports transitive routing and central inspection VPC architectures.
Why this answer
AWS Transit Gateway (D) is the correct service because it acts as a central hub that routes traffic between multiple VPCs across different accounts, and its route tables can force all inter-VPC traffic through a dedicated inspection VPC (e.g., a default route in the spoke route table pointing at the inspection VPC attachment, blackhole routes to block any direct spoke-to-spoke path, and a network appliance in the inspection VPC that forwards the traffic on). This provides transitive routing without requiring a full mesh of peering connections, and Transit Gateway integrates with AWS Resource Access Manager (RAM) for cross-account sharing.
Exam trap
The trap here is that candidates often confuse VPC peering with transitive routing, assuming that a full mesh of peering connections can achieve the same centralized inspection as Transit Gateway, but VPC peering explicitly does not support transitive routing (per AWS documentation), making it impossible to force all traffic through a single inspection VPC without additional, unsupported workarounds.
How to eliminate wrong answers
Option A is wrong because AWS Direct Connect gateway is used to connect on-premises networks to AWS via Direct Connect, not for routing traffic between VPCs in different accounts. Option B is wrong because VPC peering with full mesh connectivity does not support transitive routing—each peering connection is a one-to-one relationship, so traffic cannot be forced through a central inspection VPC without complex, non-scalable configurations. Option C is wrong because Elastic Load Balancer is a traffic distribution service for applications, not a routing service for inter-VPC traffic; it cannot route packets between VPCs or enforce inspection paths.
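The route-table design behind the correct answer, as an added example that is not part of the original question: a small Python model of Transit Gateway route tables for a centralized inspection VPC, with a check that every spoke-to-spoke flow is delivered and actually passes through the inspection attachment. Attachment names and CIDRs are constructed assumptions, and the model simulates only TGW route lookups, not the appliance itself.

```python
# Added example (not from the original question): a model of Transit Gateway route tables
# in a centralized inspection design, plus a check that spoke-to-spoke flows are inspected.
import ipaddress, itertools

# Constructed sample attachments (assumed names and CIDRs, not real resources):
# two spoke VPCs in different accounts plus the shared inspection VPC.
ATTACHMENTS = {"tgw-attach-spoke-a": "10.1.0.0/16", "tgw-attach-spoke-b": "10.2.0.0/16",
               "tgw-attach-inspection": "10.0.0.0/16"}
# Which TGW route table each attachment is associated with.
ASSOCIATIONS = {"tgw-attach-spoke-a": "spoke", "tgw-attach-spoke-b": "spoke",
                "tgw-attach-inspection": "inspection"}
# Routes are (destination CIDR, target attachment or "blackhole"). Spokes see only a
# default route to the inspection attachment, so they have no direct path to each other;
# the inspection table carries the spoke CIDRs so the appliance can forward onward.
CORRECT_TABLES = {
    "spoke": [("0.0.0.0/0", "tgw-attach-inspection")],
    "inspection": [("10.1.0.0/16", "tgw-attach-spoke-a"),
                   ("10.2.0.0/16", "tgw-attach-spoke-b")],
}

def next_hop(tables, src_attachment, dst_ip):
    """Longest-prefix match in the route table associated with the source attachment."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(cidr), target)
               for cidr, target in tables[ASSOCIATIONS[src_attachment]]
               if addr in ipaddress.ip_network(cidr)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(tables, src_attachment, dst_ip, max_hops=4):
    """Follow TGW hops until the packet reaches the VPC owning dst_ip or is dropped."""
    path, current = [src_attachment], src_attachment
    for _ in range(max_hops):
        target = next_hop(tables, current, dst_ip)
        if target in (None, "blackhole"):
            return path + ["dropped"]  # no route or blackhole route: the TGW discards it
        path.append(target)
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(ATTACHMENTS[target]):
            return path                # delivered into the destination VPC
        current = target               # the appliance in that VPC sends it back to the TGW
    return path + ["loop"]

def all_spoke_traffic_inspected(tables, spokes, inspection="tgw-attach-inspection"):
    """True only if every spoke-to-spoke flow is delivered and passes the inspection VPC."""
    for src, dst in itertools.permutations(spokes, 2):
        dst_ip = str(next(ipaddress.ip_network(ATTACHMENTS[dst]).hosts()))
        path = trace(tables, src, dst_ip)
        if path[-1] != dst or inspection not in path:
            return False
    return True
```

Adding a direct spoke-to-spoke route to the "spoke" table (which a propagated route or a peering-style full mesh would create) makes the check fail, because the longer prefix wins and the flow bypasses the inspection VPC.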