According to the FortiOS 7.6 AWS Administration Guide and the Fortinet Public Cloud Security 7.4 training materials regarding centralized security inspection:
Multiple Route Tables (Option B): A single AWS Transit Gateway is designed to support multiple TGW route tables. By default, there is a soft limit of 20 route tables per Transit Gateway, which allows administrators to implement sophisticated network segmentation and granular routing policies. In a FortiGate-centric "Security Hub" or "Transit VPC" architecture, multiple route tables are used to separate "Spoke" traffic from "Security" traffic, ensuring all inter-VPC traffic is forced through the FortiGate-VM for inspection.
Associations and Propagations:
* Association: Each individual TGW attachment (VPC, VPN, or Direct Connect) can be associated with exactly one TGW route table at any given time. This table dictates where packets coming from that attachment will be sent. Because of this 1:1 relationship, Option C is incorrect.
* Propagation: An attachment can propagate its routes to one or many TGW route tables. This flexibility allows a VPC's prefix to be known in multiple routing domains, meaning that association and propagation do not need to occur in the same table, making Option A incorrect.
Default Route Table Management: When creating an AWS Transit Gateway, the options for "Default route table association" and "Default route table propagation" are enabled by default, but they can be disabled during or after creation. Disabling these is a security best practice when deploying FortiGate-VMs to prevent the TGW from automatically creating a "full-mesh" connectivity that bypasses the firewall, making Option D incorrect.
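As an added example (not from the Fortinet guides or AWS documentation), the following Python audit checks a TGW layout against the three points above: default association/propagation disabled, one association per attachment, and spoke route tables whose every route leads to the FortiGate VPC attachment. The input is constructed sample data shaped loosely like the EC2 API responses (describe_transit_gateways, route table associations, route search); all ids are placeholders.

```python
"""Audit a Transit Gateway spoke/security split (constructed sample data)."""

# Constructed sample: one TGW, two spoke VPC attachments, one security VPC attachment.
TGW = {"Options": {"DefaultRouteTableAssociation": "disable",
                   "DefaultRouteTablePropagation": "disable"}}
SECURITY_ATT = "tgw-attach-security"          # placeholder id of the FortiGate VPC attachment
ASSOCIATIONS = {                              # route table id -> attachments associated with it
    "tgw-rtb-spoke": ["tgw-attach-spoke-a", "tgw-attach-spoke-b"],
    "tgw-rtb-security": [SECURITY_ATT],
}
ROUTES = {                                    # route table id -> routes (subset of API fields)
    "tgw-rtb-spoke": [
        {"DestinationCidrBlock": "0.0.0.0/0", "Type": "static",
         "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": SECURITY_ATT}]},
    ],
    "tgw-rtb-security": [
        {"DestinationCidrBlock": "10.1.0.0/16", "Type": "propagated",
         "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-spoke-a"}]},
        {"DestinationCidrBlock": "10.2.0.0/16", "Type": "propagated",
         "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-spoke-b"}]},
    ],
}


def audit(tgw, associations, routes, security_att):
    """Return a list of findings; an empty list means the layout matches the design."""
    findings = []
    opts = tgw["Options"]
    if opts.get("DefaultRouteTableAssociation") != "disable":
        findings.append("default route table association is enabled")
    if opts.get("DefaultRouteTablePropagation") != "disable":
        findings.append("default route table propagation is enabled")
    # An attachment may be associated with exactly one route table (the 1:1 rule).
    seen = {}
    for rtb, atts in associations.items():
        for att in atts:
            if att in seen:
                findings.append(f"{att} associated with both {seen[att]} and {rtb}")
            seen[att] = rtb
    # In tables used by spokes, every route must lead to the FortiGate attachment;
    # the security table is allowed to learn all spoke prefixes.
    for rtb, atts in associations.items():
        if security_att in atts:
            continue
        for r in routes.get(rtb, []):
            hops = {a["TransitGatewayAttachmentId"] for a in r["TransitGatewayAttachments"]}
            if hops != {security_att}:
                findings.append(f"{rtb}: {r['DestinationCidrBlock']} bypasses the FortiGate via {sorted(hops)}")
    return findings


if __name__ == "__main__":
    print(audit(TGW, ASSOCIATIONS, ROUTES, SECURITY_ATT) or "layout OK")
```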