A global marketing company has applications that run in the ap-southeast-2 Region and the eu-west-1 Region. Applications that run in a VPC in eu-west-1 need to communicate securely with databases that run in a VPC in ap-southeast-2. Which network design will meet these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Configure a VPC peering connection between the ap-southeast-2 VPC and the eu-west-1 VPUpdate the subnet route tables. Create an inbound rule in the ap-southeast-2 database security group that allows traffic from the eu-west-1 application server IP addresses..
Why this is the answer
VPC peering allows direct network connectivity between two VPCs. To enable communication, route tables in both VPCs must be updated to direct traffic for the peered VPC's CIDR range through the peering connection. Security groups then control access. The database security group in ap-southeast-2 needs an inbound rule to permit traffic from the application server IP addresses in eu-west-1. Referencing the security group ID directly across peered VPCs in different regions is not supported; you must use IP addresses or CIDR blocks. The first incorrect option is wrong because security group rules for cross-region VPC peering cannot reference security group IDs directly; they require IP addresses or CIDR blocks. The second incorrect option makes the same mistake regarding security group references. The fourth option, using Transit Gateway peering, is a valid solution for complex hub-and-spoke or many-to-many connectivity, but it's overkill for a simple two-VPC connection and still requires IP-based security group rules for cross-region peering.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed