Fortinet NSE7_CDS_AR-7.6 Exam - Topic 2 Question 3 Discussion

Comprehensive and Detailed Explanation From FortiOS 7.6, FortiWeb 7.4 Exact Extract study guide:

Based on the FortiOS 7.6 Cloud Security Study Guide regarding AWS Transit Gateway (TGW) integration and VPC routing, the following steps are mandatory to establish connectivity between Spoke VPCs via a TGW:

VPC Route Table Configuration (Option A): For traffic to leave a VPC and reach the Transit Gateway, the VPC's subnet route table must have a specific entry. While the exhibit shows local routes for internal VPC traffic (192.168.50.0/24 and 192.168.100.0/24), any traffic destined for 'outside' the local VPC (such as the other Spoke VPC) must be directed to the TGW. Adding a default route (0.0.0.0/0) with the TGW ID as the next hop ensures that all non-local traffic is forwarded to the Transit Gateway for processing.

TGW Association (Option B): Within the Transit Gateway itself, connectivity is managed through Associations and Propagations. An 'Association' links a specific VPC attachment to a TGW route table. Without associating the two attachments (for Spoke VPC A and Spoke VPC B) to a TGW route table, the TGW will not know which route table to use to make forwarding decisions for packets arriving from those VPCs.

Why Option C is incorrect: Route propagation is used to automatically populate the TGW route table with the CIDR blocks of the attached VPCs. While propagation is a valid step for dynamic routing, Option C specifically mentions propagating a static summary range (192.168.0.0/16) which is not the standard automated mechanism; usually, you propagate the specific VPC CIDRs. Furthermore, without the Association (Option B), propagation alone does not allow the TGW to process incoming traffic from the attachment.

Why Option D is incorrect: Directing traffic to an Internet Gateway (IGW) would send the traffic to the public internet. This would not facilitate internal routing between the two Spoke VPCs via the Transit Gateway.