AWS Certified Advanced Networking - Specialty Exam: VPC Design Considerations

VPC Design Considerations


Question

Your architecture team has recommended the following for the VPCs in your AWS account:

- A shared services VPC that will provide services to other VPCs.
- A hosted VPC that will be accessible to the customer. The hosted VPC will also interact with the shared services VPC.

Which of the following should also be considered as part of the design? Choose 3 answers from the options given below.

Each answer is an independent design solution.

Answers

A. Ensure a PrivateLink is available for accessing the shared services VPC.
B. Use VPC peering between the shared services VPC and other VPCs.
C. Ensure the right security measures are in place for publicly accessing the shared services.
D. Create transitive peering where necessary between the VPCs.

Explanations

Answer - A, B and C.

One option is to expose the services in the shared services VPC through AWS PrivateLink: the shared services VPC publishes an endpoint service, and the hosted VPC reaches it through an interface VPC endpoint.

The AWS documentation describes this model as follows:

You can create your own application in your VPC and configure it as an AWS PrivateLink-powered service (referred to as an endpoint service).

Other AWS principals can create a connection from their VPC to your endpoint service using an interface VPC endpoint.

You are the service provider, and the AWS principals that create connections to your service are service consumers.

The second option is to peer the hosted VPC directly with the shared services VPC.

The third option is to make the shared services publicly accessible, but only with the right security measures in place.

Option D is INCORRECT because VPC peering is not transitive: AWS does not route traffic through a peering connection to a third VPC.

Please refer to pages 17 and 18 of the VPC peering guide linked below.

https://docs.aws.amazon.com/vpc/latest/peering/vpc-pg.pdf

For more information on endpoint services (AWS PrivateLink), please visit the below URL.

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/endpoint-service.html

The recommended architecture consists of a shared services VPC and a hosted VPC accessible to the customer. The hosted VPC will interact with the shared services VPC. To ensure an optimal design, the following three options should also be considered:

A. Ensure a PrivateLink is available for accessing the shared services VPC:

AWS PrivateLink is a highly available and scalable way of exposing a service running in one VPC to consumers in other VPCs over the AWS network. The shared services VPC publishes the service behind a Network Load Balancer as an endpoint service, and each consumer VPC (here, the hosted VPC) reaches it through an interface VPC endpoint, which is an elastic network interface with a private IP address in the consumer's own subnet. No public IPs, NAT devices, VPN connections, or internet gateways are involved, traffic never traverses the public internet, and the consumer can reach only the published service, not the rest of the provider VPC. Access can be tightened further by requiring the provider to accept each endpoint connection and by listing the allowed consumer principals on the endpoint service.

B. Use VPC peering between the shared services VPC and other VPCs:

VPC peering connects two VPCs so that instances in either can communicate using private IP addresses as if they were in the same network. Traffic stays on the AWS network, with no VPN connection, internet gateway or transit appliance in the path, and there is no single point of failure or bandwidth bottleneck. For this design the hosted VPC would be peered directly with the shared services VPC. Two caveats apply: the CIDR blocks of the two VPCs must not overlap, and the peering connection only carries traffic once both VPCs have route table entries for each other's CIDR (and security groups that allow the traffic). Peering is also point-to-point and not transitive, so every VPC that needs to reach the shared services VPC needs its own peering connection to it.

C. Ensure the right security measures are in place for publicly accessing the shared services:

If the shared services must be reachable from the public internet, the appropriate security measures need to be in place so that only authorized clients can reach them: security groups and network ACLs that allow only the required ports and sources, AWS WAF in front of the web-facing endpoints, and AWS Shield for DDoS protection. An internet gateway only provides the public path; it does not restrict access. If access should be limited to known networks, a VPN connection into the shared services VPC is the better choice than exposing the services publicly.

D. Create transitive peering where necessary between the VPCs:

Transitive peering would mean reaching a VPC through one or more intermediate VPCs, for example the customer VPC reaching the shared services VPC by way of the hosted VPC. AWS VPC peering does not support this: a peering connection is a one-to-one relationship, and traffic cannot be routed through a peering connection to a third VPC, even if the intermediate VPC has route table entries for it. If a VPC needs to reach another VPC that it is not directly peered with, it needs its own peering connection (or a hub such as AWS Transit Gateway), so option D is not a valid design choice.
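The following is a small design check, added here as an example and not part of the original question or of any AWS tooling. It applies the two peering caveats from options B and D, non-overlapping CIDRs and no transitive routing, to a constructed version of this topology: a shared services VPC, a hosted VPC and a customer VPC. All VPC and peering IDs, CIDRs and route tables are made up; the second `pcx-shared-hosted` route in the shared services VPC is the transitive route that AWS would silently drop.

```python
"""Check a VPC peering design for two classic mistakes:
  1. a peering between VPCs whose CIDR blocks overlap (AWS rejects such a
     connection), and
  2. a route that tries to reach a third VPC through a peering connection
     (VPC peering is not transitive, so that traffic is silently dropped).
Everything below is constructed sample data with hypothetical IDs.
"""
import ipaddress

# Constructed topology: VPC id -> CIDR block.
VPCS = {
    "vpc-shared": "10.0.0.0/16",    # shared services VPC
    "vpc-hosted": "10.1.0.0/16",    # hosted VPC exposed to the customer
    "vpc-customer": "10.2.0.0/16",  # customer VPC
}

# Peering connections: pcx id -> (requester VPC, accepter VPC).
PEERINGS = {
    "pcx-shared-hosted": ("vpc-shared", "vpc-hosted"),
    "pcx-hosted-customer": ("vpc-hosted", "vpc-customer"),
}

# Route tables: owning VPC -> list of (destination CIDR, target).
ROUTE_TABLES = {
    "vpc-shared": [
        ("10.0.0.0/16", "local"),
        ("10.1.0.0/16", "pcx-shared-hosted"),  # fine: direct peer
        ("10.2.0.0/16", "pcx-shared-hosted"),  # broken: transitive hop via hosted VPC
    ],
    "vpc-hosted": [
        ("10.1.0.0/16", "local"),
        ("10.0.0.0/16", "pcx-shared-hosted"),
        ("10.2.0.0/16", "pcx-hosted-customer"),
    ],
}


def overlapping_peerings(vpcs, peerings):
    """Return the ids of peerings whose two VPCs have overlapping CIDR blocks."""
    bad = []
    for pcx, (a, b) in peerings.items():
        if ipaddress.ip_network(vpcs[a]).overlaps(ipaddress.ip_network(vpcs[b])):
            bad.append(pcx)
    return bad


def peer_of(peerings, pcx, vpc):
    """Return the VPC on the far side of `pcx` from `vpc`, or None if `vpc`
    is not one of the two endpoints of that peering."""
    a, b = peerings[pcx]
    if vpc == a:
        return b
    if vpc == b:
        return a
    return None


def transitive_routes(vpcs, peerings, route_tables):
    """Return (vpc, destination, pcx) for every route that points at a peering
    connection but whose destination is not inside the CIDR of the VPC on the
    far side of that peering. Such a route either targets a third VPC
    (transitive routing, unsupported) or is broader than the peer's CIDR and
    would swallow traffic for other networks into the peering."""
    findings = []
    for vpc, routes in route_tables.items():
        for dest, target in routes:
            if not target.startswith("pcx-"):
                continue  # local, igw, nat, ... are not peering routes
            far = peer_of(peerings, target, vpc)
            if far is None:
                # The route table's VPC is not even an endpoint of this peering.
                findings.append((vpc, dest, target))
                continue
            if not ipaddress.ip_network(dest).subnet_of(ipaddress.ip_network(vpcs[far])):
                findings.append((vpc, dest, target))
    return findings


if __name__ == "__main__":
    print("overlapping peerings:", overlapping_peerings(VPCS, PEERINGS))
    for vpc, dest, pcx in transitive_routes(VPCS, PEERINGS, ROUTE_TABLES):
        print(f"{vpc}: route {dest} via {pcx} is not reachable through that peering")
```

Run stand-alone, the check reports no CIDR overlaps and one bad route: the shared services VPC trying to reach 10.2.0.0/16 (the customer VPC) through its peering with the hosted VPC. The fix on the page's terms is a direct peering between the shared services VPC and the customer VPC, a PrivateLink endpoint, or a hub such as Transit Gateway, not a route through the hosted VPC.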

In summary, to optimize the design for the shared services VPC and hosted VPC architecture, the use of PrivateLink, VPC peering, and appropriate security measures for any publicly accessible services should be considered. Transitive peering is not supported by AWS and should not be part of the design.