Objectives in this domain

Architect connectivity across many VPCs and accounts using AWS Transit Gateway, VPC peering and AWS PrivateLink, balancing transitive routing, segmentation and scale.
Section 1.1hard
Design hybrid connectivity and name resolution between on-premises, co-location and AWS using AWS Direct Connect, AWS Site-to-Site VPN and Amazon Route 53 Resolver.
Section 1.1hard
Prescribe cross-account access and workforce identity using AWS IAM Identity Center, IAM roles and federation with third-party identity providers.
Section 1.2hard
Design centralised security auditing, event notification and encryption strategy using AWS CloudTrail, AWS Security Hub, AWS KMS and AWS Certificate Manager.
Section 1.2hard
Design reliable and resilient multi-Region architectures by matching backup and restore, pilot light, warm standby and multi-site strategies to RTO and RPO targets.
Section 1.3hard
Design an automated, cross-account and cross-Region backup and restoration strategy using AWS Backup with policy-driven retention and recovery testing.
Section 1.3medium
Design a multi-account environment with AWS Organizations and AWS Control Tower, using service control policies, organisational units and centralised logging for governance.
Section 1.4hard
Determine cost optimisation and visibility strategies across an organisation using AWS Cost Explorer, AWS Budgets, purchasing options and an effective cost allocation tagging model.
Section 1.5medium

Sample question from this domain

Free sampleDesign Solutions for Organizational Complexityhard

A multinational runs around 200 VPCs spread across 40 AWS accounts under a single organisation, and the count grows monthly as new product teams onboard. Every VPC must reach a shared services VPC for DNS and patching, and many must also reach each other, with full transitive routing and central control of which routes propagate where. The networking team wants to avoid managing an ever-expanding mesh of point-to-point links. Which design MOST scalably meets these requirements?

ADeploy an AWS Transit Gateway shared through AWS Resource Access Manager, attach every VPC to it, and use Transit Gateway route tables to control which attachments can route to the shared services VPC and to each other. Correct
BCreate a full mesh of VPC peering connections between every pair of VPCs and add the shared services VPC as another peer, relying on the peering links for any VPC to reach any other VPC directly.
CExpose the shared services through AWS PrivateLink endpoint services and create interface endpoints in every VPC, then add PrivateLink endpoints between product VPCs wherever two teams need to reach each other.
DDesignate one central VPC as a transit hub, run software routers on EC2 instances inside it, and peer every other VPC to that hub so traffic is forwarded between VPCs through the EC2 routing layer.

Select AWS Transit Gateway as the scalable transitive hub for connecting many VPCs and accounts with centrally controlled routing. Transit Gateway acts as a regional routing hub that every VPC attaches to, giving transitive any-to-any routing without a quadratic mesh of links. Sharing it through Resource Access Manager lets accounts across the organisation attach, and Transit Gateway route tables centrally decide which attachments propagate routes to which, something a peering mesh, PrivateLink endpoints or self-managed EC2 routers cannot do at this scale.

Why A is correct: A Transit Gateway is a hub that provides transitive routing for all attached VPCs and accounts, scales to thousands of attachments, and its route tables centrally govern which VPCs reach the shared services VPC or each other.

Why B is wrong: A peering mesh seems to give any-to-any reachability, but peering is non-transitive and the number of links grows roughly with the square of the VPC count, which becomes unmanageable well before 200 VPCs.

Why C is wrong: PrivateLink cleanly publishes the shared services, but it exposes single services rather than whole VPCs, so building any-to-any product connectivity from endpoints does not provide the general transitive routing the estate needs.

Why D is wrong: EC2 software routers can forward traffic to work around non-transitive peering, but they add instances to patch, scale and make highly available, duplicating a managed capability Transit Gateway already provides.

Other domains in this exam

Design for New Solutions29% of the exam
Continuous Improvement for Existing Solutions25% of the exam
Accelerate Workload Migration and Modernization20% of the exam

See also the SAP-C02 cert hub, the study guide, and the cheat sheet.