Your company uses an AWS Transit Gateway as a hub to manage the interconnections between multiple VPCs and the on-premises networks. The security team asks you to implement a control that can allow or block the traffic between the EC2 network interface workload and the Transit Gateway. Which of the following approaches would you select?

Answer options:

A.Attach the EC2 instances with an IAM role that has the AWS managed policy “AWSNetworkManagerServiceRolePolicy”.
B.Associate security groups to the EC2 instance network interface and the Transit Gateway to control the traffic.
C.Create route tables in the AWS Transit Gateway to allow or disallow the traffic from the EC2 workload.
D.Apply NACL rules between EC2 instances in the subnets and Transit Gateway associations to control the traffic.

Correct Answer: D
Option A is incorrect because the IAM role in EC2 instances provisions permissions for EC2 applications. It does not control the network traffic between the EC2 network interface workload and the Transit Gateway.
Option B is incorrect because security groups cannot be applied to either the EC2 network interface workload or the Transit Gateway. For the access control methods of Transit Gateway, please check the following references.
Option C is incorrect because Transit Gateway route tables are used to configure routing for Transit Gateway attachments. They do not act as a security layer to allow or block traffic.
Option D is CORRECT because the inbound and outbound NACL rules applied in the subnets can act as a firewall and control traffic in and out of the Transit Gateway.
References:
https://docs.aws.amazon.com/vpc/latest/tgw/tgw-nacls.html
https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-authentication-access-control.html