The company needs centralized traffic inspection and centralized internet access for multiple workload VPCs connected by a transit gateway. The standard AWS hub-and-spoke pattern for centralized inspection is to use an inspection VPC that hosts network virtual appliances behind a Gateway Load Balancer, and to steer traffic from spoke VPCs through the transit gateway to the inspection VPC. Gateway Load Balancer endpoints are used to privately connect VPCs to the GWLB, allowing traffic to be transparently redirected to the appliances for inspection without changing application configurations.
To ensure symmetric routing for stateful inspection (so that return traffic traverses the same appliance path), appliance mode is enabled on the transit gateway attachment that connects to the inspection VPC. Appliance mode is specifically used with transit gateways and third-party appliances to preserve flow symmetry and avoid asymmetric routing issues.
Option D matches the centralized model: it creates a dedicated inspection VPC that contains the GWLB, endpoints, and the inspection appliance. It updates workload VPC routes to send traffic to the transit gateway and configures the transit gateway route tables to forward relevant traffic to the GWLB endpoints in the inspection VPC. Enabling appliance mode on the transit gateway is the key operational setting to maintain symmetric routing through the appliance fleet for inspected traffic.
Option A is incorrect because it places the inspection components inside an existing workload VPC rather than using a centralized inspection VPC. This increases coupling, makes the architecture harder to manage, and does not match the typical centralized inspection pattern. It also references enabling appliance mode on the GWLB, whereas appliance mode is a transit gateway attachment feature used for routing symmetry with appliances, not a setting “on the GWLB” itself.
Option B is incorrect because it splits the GWLB and endpoints/appliances across different workload VPCs, which complicates the design and is not the intended GWLB pattern. GWLB endpoints are created in VPCs that need to send traffic to the GWLB service; the appliances sit behind the GWLB in the provider/inspection VPC. The option also refers to enabling appliance mode on endpoints, but the appliance mode setting is associated with the transit gateway attachment.
Option C is incorrect because VPC flow logs are for logging and visibility; flow logs do not route traffic. Also, separating “inspection VPC” and “internet access VPC” with the appliances in the internet VPC does not align with the standard GWLB centralized inspection architecture and introduces unnecessary complexity.
Therefore, creating a dedicated inspection VPC with GWLB and endpoints and enabling appliance mode on the transit gateway attachment is the correct centralized approach.
[References:AWS documentation on AWS Transit Gateway centralized inspection architectures using an inspection VPC.AWS documentation on Gateway Load Balancer and Gateway Load Balancer endpoints for inserting third-party appliances transparently.AWS documentation on transit gateway appliance mode for preserving symmetric routing through network appliances., , ]
