VPC Interconnectivity via Transit Gateway: AWS Multi-Region Configuration

Question

An administrator would like VPCs in three different AWS accounts to access on-premise resources via a VPN connection terminating on a Transit Gateway.

Each of the VPCs is in distinct AWS regions.

How can this be achieved?

Answers

Explanations

Correct Answer: A.

AWS Resource Access Manager (AWS RAM) allows AWS customers to share resources between multiple AWS accounts.

In this scenario, it is possible to share the Transit Gateway resource with the three AWS accounts, even if the VPCs are in distinct AWS regions.

https://docs.aws.amazon.com/ram/latest/userguide/what-is.html

Option B is INCORRECT because it is not possible to extend the VPN tunnels.

In the scenario, the VPN tunnels terminate on the Transit Gateway in one of the AWS accounts.

Option C is INCORRECT because VPC attachments from the other accounts cannot be created without first sharing the Transit Gateway resource.

Option D is INCORRECT because it relies on transitive routing.

This is not permissible in the AWS environment.

To enable VPCs in different AWS accounts to access on-premise resources through a VPN connection terminating on a Transit Gateway, follow the steps below:

Step 1: Create a Transit Gateway

First, create a Transit Gateway that will act as the hub for all your VPCs. A Transit Gateway allows you to connect multiple VPCs and VPNs together and provides a centralized point to manage traffic.

Step 2: Configure the VPN Connection

Next, set up a VPN connection between your on-premise network and the Transit Gateway. You can create a VPN connection using AWS VPN CloudHub or AWS VPN Gateway, depending on the number of VPN connections required.

Step 3: Create VPC Attachments

After setting up the VPN connection, create VPC attachments for each VPC in your three different AWS accounts. A VPC attachment is a logical connection between a VPC and the Transit Gateway. Each VPC attachment has a unique identifier that you can use to configure routing.

Step 4: Configure Route Tables

To enable traffic flow between the VPCs and on-premise resources, configure the route tables in each VPC attachment to send traffic to the Transit Gateway. This ensures that traffic from each VPC flows through the Transit Gateway and then to the on-premise network.

Step 5: Enable Resource Sharing

Finally, to allow VPCs in different AWS accounts to access the Transit Gateway, use AWS Resource Access Manager (RAM) to share the Transit Gateway resource with the other accounts. This allows the VPCs in each account to create attachments to the Transit Gateway and enables traffic flow.
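The five steps above expressed as one AWS CLI script, added here as an example; it is not taken from the page or from AWS documentation. It assumes named CLI profiles of the form member-<account id> for the three member accounts, and the region, account numbers, VPC, subnet and route-table ids, on-premise CIDR, public IP and ASN are all constructed placeholders. The RAM share (step 5) is issued before the member accounts attach their VPCs (step 3), because the share is what lets them create attachments; setting AWS=echo prints the commands instead of executing them, and the script only provisions when started with --run.

```shell
#!/bin/sh
# Added example, not part of the original page: the five steps as AWS CLI calls.
# Every id, account number, CIDR and IP below is a constructed placeholder.
# AWS can be pointed at a stub (e.g. AWS=echo) to preview the commands without
# touching an account.
set -eu

AWS="${AWS:-aws}"
REGION="${REGION:-us-east-1}"                 # region of the hub Transit Gateway
HUB_ACCOUNT="${HUB_ACCOUNT:-000000000000}"    # account that owns the TGW and VPN
MEMBER_ACCOUNTS="${MEMBER_ACCOUNTS:-111111111111 222222222222 333333333333}"
ONPREM_CIDR="${ONPREM_CIDR:-10.100.0.0/16}"   # on-premise prefix reached via VPN

# Step 1: the hub. Shared attachments are NOT auto-accepted, so every VPC that
# joins from another account must be accepted explicitly by the hub owner.
create_tgw() {
  $AWS ec2 create-transit-gateway --region "$REGION" --description hub-tgw \
    --options AmazonSideAsn=64512,AutoAcceptSharedAttachments=disable,DefaultRouteTableAssociation=enable,DefaultRouteTablePropagation=enable \
    --query 'TransitGateway.TransitGatewayId' --output text
}

# Step 2: site-to-site VPN terminating on the Transit Gateway.
create_customer_gateway() { # $1 = on-prem public IP, $2 = on-prem BGP ASN
  $AWS ec2 create-customer-gateway --region "$REGION" --type ipsec.1 \
    --public-ip "$1" --bgp-asn "$2" \
    --query 'CustomerGateway.CustomerGatewayId' --output text
}
create_vpn() { # $1 = TGW id, $2 = customer gateway id
  $AWS ec2 create-vpn-connection --region "$REGION" --type ipsec.1 \
    --transit-gateway-id "$1" --customer-gateway-id "$2" \
    --query 'VpnConnection.VpnConnectionId' --output text
}

# Step 5 (run before step 3: a member account can only attach to a TGW that has
# been shared with it): share the TGW ARN with the member accounts through RAM.
tgw_arn() { # $1 = region, $2 = owner account id, $3 = TGW id
  printf 'arn:aws:ec2:%s:%s:transit-gateway/%s\n' "$1" "$2" "$3"
}
share_tgw() { # $1 = TGW ARN, remaining args = member account ids
  arn="$1"; shift
  $AWS ram create-resource-share --region "$REGION" --name hub-tgw-share \
    --resource-arns "$arn" --principals "$@" \
    --query 'resourceShare.resourceShareArn' --output text
}
# Accounts outside the sharing account's AWS Organization receive an invitation
# that has to be accepted with the member account's credentials.
accept_share_invitation() { # $1 = member profile, $2 = invitation ARN
  $AWS ram accept-resource-share-invitation --region "$REGION" --profile "$1" \
    --resource-share-invitation-arn "$2"
}

# Step 3: VPC attachment, created with the member account's credentials and then
# accepted by the hub owner.
create_vpc_attachment() { # $1 = member profile, $2 = TGW id, $3 = VPC id, $4 = subnet ids (space-separated, left unquoted on purpose)
  $AWS ec2 create-transit-gateway-vpc-attachment --region "$REGION" --profile "$1" \
    --transit-gateway-id "$2" --vpc-id "$3" --subnet-ids $4 \
    --query 'TransitGatewayVpcAttachment.TransitGatewayAttachmentId' --output text
}
accept_attachment() { # $1 = attachment id (hub credentials)
  $AWS ec2 accept-transit-gateway-vpc-attachment --region "$REGION" \
    --transit-gateway-attachment-id "$1"
}

# Step 4: in each VPC route table, send only the on-premise prefix to the TGW
# (not 0.0.0.0/0), so the VPCs do not reach each other via the hub unless that
# is intended and routed explicitly.
add_vpc_route() { # $1 = member profile, $2 = VPC route table id, $3 = TGW id
  $AWS ec2 create-route --region "$REGION" --profile "$1" \
    --route-table-id "$2" --destination-cidr-block "$ONPREM_CIDR" \
    --transit-gateway-id "$3"
}

provision_all() {
  tgw_id=$(create_tgw)
  cgw_id=$(create_customer_gateway "${ONPREM_PUBLIC_IP:-203.0.113.10}" "${ONPREM_ASN:-65000}")
  create_vpn "$tgw_id" "$cgw_id"
  share_tgw "$(tgw_arn "$REGION" "$HUB_ACCOUNT" "$tgw_id")" $MEMBER_ACCOUNTS
  for m in $MEMBER_ACCOUNTS; do   # profile "member-<id>" assumed in ~/.aws/config
    att_id=$(create_vpc_attachment "member-$m" "$tgw_id" "vpc-PLACEHOLDER-$m" "subnet-PLACEHOLDER-$m")
    accept_attachment "$att_id"
    add_vpc_route "member-$m" "rtb-PLACEHOLDER-$m" "$tgw_id"
  done
}

# Provision for real only when explicitly asked: ./tgw-share.sh --run
if [ "${1:-}" = "--run" ]; then provision_all; fi
```

Keeping AutoAcceptSharedAttachments disabled and accepting each attachment by hand is the control point in this design: the hub owner decides which shared-account VPCs actually join, and the RAM share can be revoked with a single resource-share change if an account should lose access.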

So the correct answer for this question would be option A, "Use AWS Resource Access Manager (RAM) to share the Transit Gateway resource."