VPC Peering

Correct Answer: Use AWS Transit Gateway to provide scalable hub-and-spoke connectivity with transitive routing; attach each VPC to the Transit Gateway and configure appropriate TGW and VPC route tables with non-overlapping CIDRs.

AWS VPC peering is non-transitive, which makes it cumbersome for a hub-and-spoke design with a centralized shared services VPC because each spoke must maintain direct peering to the hub and cannot reach other spokes through the hub. AWS Transit Gateway (TGW) is purpose-built for this: it enables transitive routing between attached VPCs, simplifies management with centralized TGW route tables, scales to thousands of attachments, and integrates with VPN/Direct Connect if needed. To implement, create a TGW, attach each VPC, ensure non-overlapping CIDR blocks, and configure TGW and VPC route tables to direct traffic appropriately. Internet Gateways do not enable private inter-VPC routing, and VPNs are unnecessary for intra-region VPC-to-VPC connectivity. "Nested VPCs" is not an AWS concept.

Correct Answer: Create a VPC peering connection and have an owner in one account accept the request from the other account

For VPC peering connections between separate AWS accounts, a VPC owner in one account sends the request, and an owner in the other account accepts the request.

Correct Answer: AWS VPC Flow Logs

AWS VPC Flow Logs captures metadata about IP traffic to and from network interfaces, including traffic that traverses VPC peering connections. This lets you verify that packets are flowing, see accepted versus rejected flows, and troubleshoot connectivity issues. Amazon CloudWatch by itself does not capture network flow data, Amazon CloudFront is a content delivery network unrelated to VPC peering, and Amazon S3 is object storage.