Question 20
Domain 1: Design Solutions for Organizational Complexity
A solutions architect at a large company needs to set up network security for outbound traffic to the internet from all AWS accounts within an organization in AWS Organizations. The organization has more than 100 AWS accounts, and the accounts route to each other by using a centralized AWS Transit Gateway. Each account has both an internet gateway and a NAT gateway for outbound traffic to the internet. The company deploys resources only into a single AWS Region. The company needs the ability to add centrally managed rule-based filtering on all outbound traffic to the internet for all AWS accounts in the organization. The peak load of outbound traffic will not exceed 25 Gbps in each Availability Zone. Which solution meets these requirements?
Correct answer: C
Explanation
AWS Network Firewall is the service for centralized, rule-based filtering, and the exam guide includes it under “Security, Identity, and Compliance.” A centralized outbound VPC with firewall endpoints in each AZ fits the scale and routing model, since traffic from all accounts can traverse the Transit Gateway and then be forced through the firewall by changing default routes.
Why each option is right or wrong
A. Create an AWS Network Firewall firewall for rule-based filtering in each AWS account. Modify all default routes to point to the Network Firewall firewalls in each account.
Network Firewall should be centralized, not deployed separately in every account.
B. Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Create an Auto Scaling group of Amazon EC2 instances that run an open-source internet proxy for rule-based filtering across all Availability Zones in the Region. Modify all default routes to point to the proxy's Auto Scaling group.
Open-source proxies are not the AWS-managed service for centrally managed rule-based filtering.
C. Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Use an AWS Network Firewall firewall for rule-based filtering. Create Network Firewall endpoints in each Availability Zone. Modify all default routes to point to the Network Firewall endpoints.
AWS Network Firewall is the managed service in the exam guide’s Security, Identity, and Compliance domain for centralized, rule-based filtering, and it is designed to be inserted into VPC traffic flows via firewall endpoints. Because the organization uses a single Region and a centralized Transit Gateway, creating a dedicated outbound VPC and steering the default route through Network Firewall endpoints in each AZ forces all egress from the 100+ accounts through one inspection point; the stated 25 Gbps peak per AZ is within the service’s scalable AZ-based endpoint model.
D. In each AWS account, create an Auto Scaling group of network-optimized Amazon EC2 instances that run an open-source internet proxy for rule-based filtering. Modify all default routes to point to the proxy's Auto Scaling group.
Per-account proxy fleets do not provide organization-wide centralized filtering.