Miss a step, miss the whole

A company has developed a new billing application that will be released in two weeks.

Developers are testing the application running on 10 EC2 instances managed by an Auto Scaling group in subnet 172.31.0.0/24 within VPC A with CIDR block 172.31.0.0/16. The Developers noticed connection timeout errors in the application logs while connecting to an Oracle database running on an Amazon EC2 instance in the same region within VPC B with CIDR block 172.50.0.0/16. The IP of the database instance is hard-coded in the application instances.

Which recommendations should a Solutions Architect present to the Developers to solve the problem in a secure way with minimal maintenance and overhead?

  1. Disable the SrcDestCheck attribute for all instances running the application and Oracle Database. Change the default route of VPC A to point ENI of the Oracle Database that has an IP address assigned within the range of 172.50.0.0/26
  2. Create and attach internet gateways for both VPCs. Configure default routes to the Internet gateways for both VPCs. Assign an Elastic IP for each Amazon EC2 instance in VPC A
  3. Create a VPC peering connection between the two VPCs and add a route to the routing table of VPC A that points to the IP address range of 172.50.0.0/16
  4. Create an additional Amazon EC2 instance for each VPC as a customer gateway; create one virtual private gateway (VGW) for each VPC, configure an end-to-end VPC, and advertise the routes for 172.50.0.0/16

This question looks very simple, but it is very easy to get wrong.

The documentation clearly describes how to make two VPCs communicate. Answer 3 plainly follows the method in the manual, except that it leaves out one step: configuring the route in VPC B. We should not conclude that the answer is wrong, or that some trick lets us skip a step. If an answer does not match the official documentation, we can simply treat it as not a reasonable answer.
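To make the missing step concrete, here is a small route-table check written for this post (it is added example code, not something from the question or from AWS). It models the two VPCs from the question with constructed data: VPC A has the route from answer 3, VPC B has only its local route, and the peering connection id `pcx-0123456789abcdef0` is a placeholder. The check reports which direction has no route to the peering connection, and also refuses overlapping CIDR blocks, since a peering cannot be created between those.

```python
import ipaddress

# Constructed sample data modelling the question: VPC A (172.31.0.0/16)
# and VPC B (172.50.0.0/16). The peering id is a placeholder, not a real
# resource.
PCX_ID = "pcx-0123456789abcdef0"

VPC_A_CIDR = "172.31.0.0/16"
VPC_B_CIDR = "172.50.0.0/16"

# Route tables as (destination CIDR, target) pairs, the shape the console
# shows. VPC A has the route from answer 3; VPC B has only its local
# route, so the return path has not been configured.
VPC_A_ROUTES = [
    ("172.31.0.0/16", "local"),
    ("172.50.0.0/16", PCX_ID),
]
VPC_B_ROUTES = [
    ("172.50.0.0/16", "local"),
]


def cidrs_overlap(cidr_a, cidr_b):
    """VPC peering cannot be established between VPCs whose CIDRs overlap."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def has_peering_route(routes, remote_cidr, pcx_id):
    """True if some entry sends all of remote_cidr to the peering connection."""
    remote = ipaddress.ip_network(remote_cidr)
    for destination, target in routes:
        if target != pcx_id:
            continue
        # A route covers the remote VPC if its destination equals or
        # contains the remote CIDR block.
        if ipaddress.ip_network(destination).supernet_of(remote):
            return True
    return False


def check_peering(routes_a, cidr_a, routes_b, cidr_b, pcx_id):
    """Return a list of problems; an empty list means traffic can flow both ways."""
    problems = []
    if cidrs_overlap(cidr_a, cidr_b):
        problems.append("CIDR blocks overlap; peering cannot be created")
        return problems
    # Each side needs its own route towards the other VPC; a route on only
    # one side lets requests leave but gives replies no way back.
    if not has_peering_route(routes_a, cidr_b, pcx_id):
        problems.append(f"VPC A has no route to {cidr_b} via {pcx_id}")
    if not has_peering_route(routes_b, cidr_a, pcx_id):
        problems.append(f"VPC B has no route to {cidr_a} via {pcx_id}")
    return problems


if __name__ == "__main__":
    for problem in check_peering(VPC_A_ROUTES, VPC_A_CIDR,
                                 VPC_B_ROUTES, VPC_B_CIDR, PCX_ID):
        print("missing:", problem)
```

Run as-is it reports that VPC B has no route to 172.31.0.0/16; append `("172.31.0.0/16", PCX_ID)` to `VPC_B_ROUTES` and the check comes back clean, which is exactly the step answer 3 leaves out.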

Answer 4 could actually also satisfy the question's requirements, but it is not a method the documentation describes directly; it has to be assembled from one's own knowledge. The end result is like manually building a peering between the two VPCs yourself.