- [Morgan] Let's explore another sample question focusing on the topic "select high-performing networking solutions for a workload." The question reads: A large international company has a management account in AWS Organizations, and over 50 individual accounts, one for each country they operate in. Each of the country accounts has at least four VPCs set up for functional divisions. There is a high amount of trust across the accounts, and communication among all the VPCs should be allowed. Each of the individual VPCs throughout the entire global organization will need to access an account and VPC that provide shared services to all of the other accounts. How can the member accounts access the shared services VPC with the least operational overhead?

All right, so this is a bit of a long one. Let's break it down. Right off the bat, we know we are looking at a setup with multiple AWS accounts, over 50, as the stem states. Then, as you keep reading, you can see that the VPCs in these accounts need to access resources in a shared services account. Then, the question asks how the AWS accounts can access the shared services VPC with the least operational overhead, or essentially, which option will require the least amount of work to operate? Now, let's take a look at the responses, and keep these key points in mind.

A, Create an Application Load Balancer with the target of the private IP address of the shared services VPC. Add a Certification Authority Authorization record for the ALB to Route 53. Point all requests for shared services in the VPCs' routing tables to that CAA record.

B, Create a peering connection between each of the VPCs and the shared services VPC.

C, Create a Network Load Balancer across the AZs in the shared services VPC. Create service consumer roles in IAM, and set endpoint connection acceptance to automatically accept. Create consumer endpoints in each division VPC and point to the NLB.

D, Create a VPN connection between each of the VPCs and the shared services VPC.

We will now pause to allow you to review the question and the responses. As usual, you have 3 seconds to choose, or pause now if you want more time. Three, two, one.

The key is C, Create a Network Load Balancer across the AZs in the shared services VPC. Create service consumer roles in IAM, and set endpoint connection acceptance to automatically accept. Create consumer endpoints in each division VPC and point to the NLB. Now, the key to getting this one right is knowing that setting up an AWS PrivateLink connection is more appropriate than using VPC peering. You would use AWS PrivateLink when you have a client-server setup where you want to allow one or more consumer VPCs unidirectional access to a specific service, or set of instances, in the service-provider VPC. With the scenario set up in the question, there are multiple consumers who need to access the shared services, so the use case does fit. Then, the second thing you need to know is how to establish a PrivateLink connection. To do this, you would create a Network Load Balancer, create a service consumer role in IAM, set up an endpoint connection in the shared services VPC and set it to auto-accept, create consumer endpoints in each VPC trying to access the shared VPC, and then point to the NLB in the shared services VPC. This is how you establish a PrivateLink connection across VPCs.

Now, let's review the incorrect responses, starting with A, Create an Application Load Balancer with a target of the private IP address of the shared services VPC. Add a Certification Authority Authorization record for the ALB to Route 53. Point all requests for shared services in the VPCs' routing table to that CAA record. While this answer seems almost feasible, a CAA record specifies which certificate authorities can issue a certificate for a domain or subdomain. So, this type of record does not actually help in this scenario, so this is a distractor.

Next is B, Create a peering connection between each of the VPCs and the shared services VPC. This response, I think, is the strongest distractor. It's a simple solution for VPCs to connect. So, why is this one incorrect? Well, VPC peering connections have a limitation on the number of peering connections. One VPC can accept up to 125 peering connections. And when you look at the question, you can see there are over 50 accounts, with four VPCs per account. This puts the number of needed peering connections over 125, so the shared services VPC could not accept all of those peering connection requests. So, this is a distractor.

Last up is D, Create a VPN connection between each of the VPCs and the shared services VPC. This is incorrect because, while you could create and manage VPN connections between all of these VPCs, and there is nothing wrong with that technically, you would need to maintain and operate all those VPN connections, which is more operational overhead than setting up the PrivateLink connection as described in response C.

If you didn't get this one right, you should dive deeper into how to establish connectivity between VPCs. And also, you should read into how to architect networking strategies for a multi-account setup, including a scenario that has a shared services VPC, which is very common.
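The PrivateLink setup that response C describes, written out as Terraform. This is an added example and not part of the video or its course material; the account IDs, organization ID, VPC and subnet IDs, CIDR and role ARN are placeholders, and the two provider aliases stand in for the shared services account and one member account (in practice the consumer half is stamped out once per division VPC). Auto-accept is paired with `allowed_principals` scoped to the organization so that endpoint requests from outside the org are refused rather than silently connected.

```hcl
# Added example: provider side (shared services VPC) and one consumer side
# (a division VPC in a member account). All IDs below are placeholders.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

# Shared services account: where the NLB and the endpoint service live.
provider "aws" {
  alias  = "shared"
  region = "us-east-1"
}

# One member (consumer) account, reached via a deploy role (placeholder ARN).
provider "aws" {
  alias  = "member"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/TerraformDeploy"
  }
}

variable "org_id"            { default = "o-exampleorgid" }          # placeholder
variable "shared_vpc_id"     { default = "vpc-0aaaaaaaaaaaaaaaa" }   # placeholder
variable "shared_subnet_ids" { default = ["subnet-0a1", "subnet-0a2", "subnet-0a3"] }
variable "member_vpc_id"     { default = "vpc-0bbbbbbbbbbbbbbbb" }   # placeholder
variable "member_vpc_cidr"   { default = "10.50.0.0/16" }            # placeholder
variable "member_subnet_ids" { default = ["subnet-0b1", "subnet-0b2", "subnet-0b3"] }

# 1. Internal NLB spanning one subnet per AZ in the shared services VPC.
resource "aws_lb" "shared" {
  provider           = aws.shared
  name               = "shared-services-nlb"
  load_balancer_type = "network"
  internal           = true
  subnets            = var.shared_subnet_ids
}

resource "aws_lb_target_group" "shared" {
  provider    = aws.shared
  name        = "shared-services-tg"
  port        = 443
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = var.shared_vpc_id
}

resource "aws_lb_listener" "shared" {
  provider          = aws.shared
  load_balancer_arn = aws_lb.shared.arn
  port              = 443
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.shared.arn
  }
}

# 2. Endpoint service fronting the NLB, with connection requests auto-accepted.
#    Auto-accept is only acceptable because allowed_principals limits who may
#    create an endpoint to this service: here, any account in the organization.
resource "aws_vpc_endpoint_service" "shared" {
  provider                   = aws.shared
  acceptance_required        = false
  network_load_balancer_arns = [aws_lb.shared.arn]
  allowed_principals = [
    "arn:aws:organizations::111111111111:organization/${var.org_id}",
  ]
}

# 3. Consumer side: a security group that only admits the division VPC's own
#    CIDR to the endpoint ENIs, then the interface endpoint itself.
resource "aws_security_group" "endpoint" {
  provider = aws.member
  name     = "shared-services-endpoint"
  vpc_id   = var.member_vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.member_vpc_cidr]
  }
}

resource "aws_vpc_endpoint" "shared" {
  provider           = aws.member
  vpc_id             = var.member_vpc_id
  service_name       = aws_vpc_endpoint_service.shared.service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.member_subnet_ids
  security_group_ids = [aws_security_group.endpoint.id]
}

output "consumer_endpoint_dns" {
  value = aws_vpc_endpoint.shared.dns_entry
}
```

Two points worth checking after `terraform apply`: the endpoint service's allowed principals should show only the organization ARN (the console's "Allow principals" tab, or `aws ec2 describe-vpc-endpoint-service-permissions`), and the consumer endpoint's state should be `available` without anyone having clicked accept, which is the whole reason auto-accept was chosen. Traffic is one-way, consumer to provider, and the NLB sees the endpoint's private IP as the source unless proxy protocol v2 is enabled on the endpoint service, so backend allow-lists in the shared VPC should key on the NLB's target group rather than on consumer CIDRs.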