AWS Certified Solutions Architect - Professional SAP-C02 Exam Questions

AWS Certified Solutions Architect - Professional SAP-C02 Exam - Question 361


A software as a service (SaaS) company uses AWS to host a service that is powered by AWS PrivateLink. The service consists of proprietary software that runs on three Amazon EC2 instances behind a Network Load Balancer (NLB). The instances are in private subnets in multiple Availability Zones in the eu-west-2 Region. All the company's customers are in eu-west-2.

However, the company now acquires a new customer in the us-east-1 Region. The company creates a new VPC and new subnets in us-east-1. The company establishes inter-Region VPC peering between the VPCs in the two Regions.

The company wants to give the new customer access to the SaaS service, but the company does not want to immediately deploy new EC2 resources in us-east-1.

Which solution will meet these requirements?

Correct Answer: A

To meet the requirements of giving the new customer access to the SaaS service without deploying new EC2 resources in us-east-1, the best solution is to configure a PrivateLink endpoint service in us-east-1 that utilizes the existing Network Load Balancer (NLB) in eu-west-2. This setup allows the new customer in us-east-1 to access the SaaS service hosted in eu-west-2 without requiring additional EC2 instances in the us-east-1 region. Additionally, granting specific AWS accounts access to connect to the SaaS service ensures that only authorized users can access it, which meets the security requirements.
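The access-control step in the explanation above (publishing the endpoint service and granting only specific AWS accounts permission to connect) as an added Terraform example; this is not code from the page or from AWS. It assumes the variables `nlb_arn` (the ARN of the Network Load Balancer fronting the SaaS instances) and `customer_account_ids` (the consumer accounts); the default account ID is a constructed placeholder.

```hcl
# Added example, not from the page or AWS: share a PrivateLink endpoint service
# with an explicit allow-list of consumer accounts.
# Assumptions: var.nlb_arn is the NLB that fronts the SaaS instances;
# var.customer_account_ids holds the customer account IDs (placeholder default).
variable "nlb_arn" {
  type = string
}

variable "customer_account_ids" {
  type    = list(string)
  default = ["111111111111"] # constructed placeholder, replace with the real customer account
}

resource "aws_vpc_endpoint_service" "saas" {
  # Every connection request must be approved by the provider, so an allowed
  # principal still cannot attach silently.
  acceptance_required        = true
  network_load_balancer_arns = [var.nlb_arn]

  # Only these principals may send a connection request at all; anything else
  # is rejected before it reaches the acceptance queue.
  allowed_principals = [
    for id in var.customer_account_ids : "arn:aws:iam::${id}:root"
  ]

  tags = { Name = "saas-endpoint-service" }
}

output "service_name" {
  # The customer uses this name when creating the interface endpoint in its VPC.
  value = aws_vpc_endpoint_service.saas.service_name
}
```

Keeping `acceptance_required = true` together with `allowed_principals` gives two independent controls: the allow-list bounds who can ask, and acceptance lets the provider review each request (and the endpoint's owner account) before traffic flows. Pending and accepted connections can be audited from the endpoint service's connection list.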

Discussion

40 comments
heatblur (Option: B)
Nov 30, 2023

The best option among these is B. While it introduces some complexity, it's the most viable solution that aligns with AWS capabilities and the company's requirements. Creating an NLB in us-east-1 and targeting the IP addresses of the existing instances in eu-west-2 is a feasible approach. This setup allows the company to use their existing infrastructure in eu-west-2 while providing access to the customer in us-east-1 through the PrivateLink endpoint service in us-east-1. This avoids the immediate need to deploy new EC2 resources in the us-east-1 region. It can't be A because AWS PrivateLink endpoint services cannot span regions. They are region-specific, so an endpoint service in us-east-1 cannot directly use an NLB located in eu-west-2.

ayadmawla
Dec 9, 2023

But the company has established Inter-Region VPC Peering, so the endpoint would work

liquen14
Mar 8, 2024

I was unable to find documentation saying that an AWS PrivateLink endpoint requires the NLB to be in the same region, but if you go to the console, for instance here: https://eu-west-1.console.aws.amazon.com/vpcconsole/home?region=eu-west-1#CreateVpcEndpointServiceConfiguration: and try to create an endpoint service when you don't have an NLB there, the console explicitly states: "No Network Load Balancers or Gateway Load Balancers available in this Region." So for me A is invalid.

SKS
Apr 4, 2024

Wrong on the part where PrivateLink supports inter-Region VPC peering. https://aws.amazon.com/about-aws/whats-new/2018/10/aws-privatelink-now-supports-access-over-inter-region-vpc-peering/

pk0619
Dec 25, 2024

This is saying you can access PrivateLink in us-east-1 from an EC2 instance in eu-west-1. It does not say that you can create a PrivateLink in us-east-1 for a resource like an NLB in eu-west-1.

devalenzuela86 (Option: A)
Nov 22, 2023

A. Explanation: Configuring a PrivateLink endpoint service in us-east-1 to use the existing NLB that is in eu-west-2 will allow the new customer to access the SaaS service without deploying new EC2 resources in us-east-1. Granting specific AWS accounts access to connect to the SaaS service will ensure that only authorized users can access the service.

Pilot
Dec 1, 2023

Network Load Balancers now support connections from clients to IP-based targets in peered VPCs across different AWS Regions. Previously, access to Network Load Balancers from an inter-region peered VPC was not possible. With this launch, you can now have clients access Network Load Balancers over an inter-region peered VPC. Network Load Balancers can also load balance to IP-based targets that are deployed in an inter-region peered VPC. This support on Network Load Balancers is available in all AWS Regions. https://aws.amazon.com/about-aws/whats-new/2018/10/network-load-balancer-now-supports-inter-region-vpc-peering/ NLB supports clients from a different Region, so I think A is correct.

abhitricanada
Jan 7, 2024

Answer is A because VPC peering between the VPCs in the two Regions is already done and the company does not want to immediately deploy new EC2 resources in us-east-1; later on the company will change the architecture.

kalitwol (Option: B)
Dec 2, 2023

Privatelink service is a regional service and cannot be accessed across regions.

George88
Nov 24, 2023

B is correct. See https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/use-case-examples.html

devalenzuela86
Nov 25, 2023

https://aws.amazon.com/es/blogs/architecture/building-saas-services-for-aws-customers-with-privatelink/

devalenzuela86
Nov 25, 2023

I think it is A

HunkyBunky (Option: A)
Nov 27, 2023

I guess A, because this documentation https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/use-case-examples.html relates only to PrivateLink connections WITHOUT VPC peering.

HunkyBunky
Nov 27, 2023

I guess that B is correct, because during creation of a PrivateLink you need to define an NLB for it, so it should be created under the same VPC: https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html#create-endpoint-service-nlb

shaaam80 (Option: B)
Nov 29, 2023

Answer B

ayadmawla (Option: A)
Dec 9, 2023

Answer is A. Notice the reference to "Inter-Region VPC Peering" in the question. See: https://aws.amazon.com/about-aws/whats-new/2018/10/aws-privatelink-now-supports-access-over-inter-region-vpc-peering/#:~:text=Applications%20in%20an%20AWS%20VPC,using%20Inter%2DRegion%20VPC%20Peering.

GibaSP45 (Option: A)
Dec 24, 2023

https://aws.amazon.com/pt/about-aws/whats-new/2018/10/aws-privatelink-now-supports-access-over-inter-region-vpc-peering/

igor12ghsj577 (Option: A)
Jan 20, 2024

A is the answer

Arnaud92 (Option: B)
Feb 1, 2024

B https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/use-case-examples.html#inter-region-endpoint-services

saggy4 (Option: A)
Feb 8, 2024

A - PrivateLink supports access over inter-Region VPC peering

pri32 (Option: A)
Feb 13, 2024

B will also work but adds unnecessary complexity

Anonymous (Option: A)
Feb 17, 2024

A: AWS PrivateLink endpoints can now be accessed across both intra- and inter-region VPC peering connections. https://aws.amazon.com/about-aws/whats-new/2019/03/aws-privatelink-now-supports-access-over-vpc-peering/

yog927
Mar 16, 2024

It is A. For all those saying you cannot access a PrivateLink endpoint service across Regions: "This release makes it possible for customers to privately connect to a service even if the service endpoint resides in a different AWS Region." https://aws.amazon.com/about-aws/whats-new/2018/10/aws-privatelink-now-supports-access-over-inter-region-vpc-peering/

TonytheTiger (Option: A)
Apr 25, 2024

Option A: you don't need to create a new NLB in us-east-1. Read the link below for inter-Region access to endpoint services. https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/use-case-examples.html#inter-region-endpoint-services

Josh1217
Jun 23, 2024

This article requires a new NLB in the new Region which uses the instances in the old Region.

Spike2020 (Option: B)
Dec 8, 2024

As of November 2024, AWS PrivateLink supports native cross-region connectivity. However, since this exam question appears to be set before this feature was available, we need to consider the solution using the previous architecture patterns. Option A: not viable because PrivateLink endpoint services must be in the same Region as the NLB.

Anonymous (Option: B)
Feb 11, 2025

This question was written before AWS PrivateLink supported cross-region connectivity. At that time, the only way to give a customer in us-east-1 access to a service in eu-west-2 without deploying resources in us-east-1 was the complex workaround described in Option B. This involved creating an NLB in us-east-1 and using an IP target group pointing back to the instances in eu-west-2. It was a complicated solution, but it was the only way to achieve the desired outcome given the limitations at the time. Therefore, B was the correct answer for the question as it was originally written. But now the answer has changed to A.

cypkir (Option: B)
Nov 22, 2023

Answer: B

J0n102 (Option: B)
Dec 4, 2023

Answer: B

vibzr2023
Jan 7, 2024

Answer: B. Somehow A also works, but there are limitations, only for S3: Multi-Region Access Points are designed for Amazon S3, not directly for AWS PrivateLink. They provide a single global endpoint for accessing S3 buckets across multiple regions and simplify data access and management for multi-region S3 deployments. https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessConfiguration.html

marszalekm (Option: A)
Feb 14, 2024

https://repost.aws/questions/QU4qk3TdeBTyqZ-vcvODn84w/private-link-cross-region-cross-account-support

bjexamprep (Option: B)
Feb 25, 2024

A PrivateLink endpoint service can only use an NLB in the same Region. So A is wrong.

mav3r1ck (Option: B)
Mar 29, 2024

This is the use case: https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/use-case-examples.html#inter-region-endpoint-services

VerRi (Option: A)
Mar 30, 2024

AWS PrivateLink now supports access over Inter-Region VPC Peering since 2018. https://aws.amazon.com/about-aws/whats-new/2018/10/aws-privatelink-now-supports-access-over-inter-region-vpc-peering/

titi_r (Option: A)
Apr 17, 2024

A - correct.

mark_232323 (Option: B)
Jul 14, 2024

Option A is not possible because a PrivateLink endpoint service in us-east-1 cannot directly use an NLB in another Region (eu-west-2).

asquared16 (Option: B)
Aug 21, 2024

A is wrong. In this scenario, the existing NLB is located in the eu-west-2 Region, while the new customer is in the us-east-1 Region. PrivateLink does not support cross-Region connectivity directly. Therefore, you cannot create a PrivateLink endpoint service in us-east-1 and associate it with the NLB in eu-west-2. To provide access to the SaaS service for the new customer in us-east-1, you need to create a load balancer (in this case, an NLB) in the us-east-1 Region and then configure a PrivateLink endpoint service in us-east-1 that uses that NLB. This NLB can then forward traffic to the instances in eu-west-2 over the inter-Region VPC peering connection, as described in the correct solution (option B).

youonebe (Option: B)
Nov 28, 2024

Creating an NLB in us-east-1 with an IP target group pointing to the existing eu-west-2 instances is the most efficient solution because:
- IP target groups can route traffic across VPC peering connections
- This configuration allows the use of existing EC2 instances while providing local access in us-east-1
- A PrivateLink endpoint service can be configured with the new NLB to provide secure access

kujin
Nov 30, 2023

Option A is not feasible because AWS PrivateLink endpoint services are region-specific and cannot use an NLB from a different region.

Anonymous
Feb 17, 2024

AWS PrivateLink endpoints can now be accessed across both intra- and inter-region VPC peering connections. https://aws.amazon.com/about-aws/whats-new/2019/03/aws-privatelink-now-supports-access-over-vpc-peering/

career360guru (Option: B)
Jan 10, 2024

Option B is the best option.

adelynllllllllll
Feb 18, 2024

A: https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-share-your-services.html

sat2008 (Option: B)
Mar 2, 2024

When you create a PrivateLink endpoint service in us-east-1 you also need an NLB to handle the traffic flow between the target NLB. So A doesn't seem to be a complete answer.

tushar321
Apr 15, 2024

A. A looks to be the right answer

seetpt (Option: A)
May 3, 2024

A for me

qaz12wsx (Option: A)
May 7, 2024

A because of this: https://aws.amazon.com/about-aws/whats-new/2018/10/aws-privatelink-now-supports-access-over-inter-region-vpc-peering/

ctrue
Jul 27, 2024

It is accessing a private endpoint from a remote Region; it is not possible to configure a private endpoint to an NLB in the remote Region.

kgpoj
Aug 12, 2024

A is correct. In this case, the remote EU Region is accessing the US Region, because the EU Region is the SaaS and the US Region is the "customer".

fabriciollf (Option: B)
Oct 11, 2024

Inter-Region endpoint services "Service providers can leverage a Network Load Balancer in a remote Region and create an IP target group that uses the IPs of their instance fleet in the remote Region hosting the service." https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/use-case-examples.html#:~:text=Inter%2DRegion%20access%20to%20endpoint%20services,-As%20customers%20expand&text=Inter%2DRegion%20VPC%20peering%20traffic%20is%20transported%20over%20Amazon's%20network,costs%20between%20the%20two%20Regions.
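The pattern quoted above (an NLB in the consumer Region whose IP target group points at the instance fleet reached over inter-Region VPC peering) as an added Terraform example; it is neither the post's nor the whitepaper's code. It assumes the variables `consumer_vpc_id` and `consumer_subnet_ids` (us-east-1) and `service_instance_ips` (private IPs of the eu-west-2 instances); the default IPs and the customer account ID are constructed placeholders.

```hcl
# Added example, not from the post or the AWS whitepaper: relay NLB in the consumer
# Region with IP targets in a peered VPC in another Region, fronted by an endpoint service.
# Assumptions: var.consumer_vpc_id / var.consumer_subnet_ids are in us-east-1;
# var.service_instance_ips are the private IPs of the eu-west-2 instances (placeholders).
variable "consumer_vpc_id"     { type = string }
variable "consumer_subnet_ids" { type = list(string) }
variable "service_instance_ips" {
  type    = list(string)
  default = ["10.1.0.10", "10.1.1.10", "10.1.2.10"] # constructed placeholders
}

resource "aws_lb" "relay" {
  name               = "saas-relay-nlb"
  load_balancer_type = "network"
  internal           = true # never exposed publicly; only reachable via the endpoint service
  subnets            = var.consumer_subnet_ids
}

resource "aws_lb_target_group" "remote_instances" {
  name        = "saas-remote-targets"
  port        = 443
  protocol    = "TCP"
  target_type = "ip"  # instance targets must be in the NLB's VPC; IP targets may be peered
  vpc_id      = var.consumer_vpc_id

  health_check {
    protocol = "TCP" # health checks also traverse the peering connection
  }
}

resource "aws_lb_target_group_attachment" "remote" {
  for_each         = toset(var.service_instance_ips)
  target_group_arn = aws_lb_target_group.remote_instances.arn
  target_id        = each.value
  port             = 443
  # Required for IP targets outside the load balancer's VPC CIDR.
  availability_zone = "all"
}

resource "aws_lb_listener" "tls_passthrough" {
  load_balancer_arn = aws_lb.relay.arn
  port              = 443
  protocol          = "TCP" # TLS terminates on the instances, so the relay never holds the key

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.remote_instances.arn
  }
}

resource "aws_vpc_endpoint_service" "saas_us_east_1" {
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.relay.arn]
  allowed_principals         = ["arn:aws:iam::111111111111:root"] # placeholder customer account
}
```

Two things to check before relying on this: the route tables on both sides of the peering must carry the peer VPC's CIDR, and the eu-west-2 instances' security groups must allow TCP 443 from the relay NLB's subnet CIDRs, because for IP targets in a peered VPC the instances see the NLB node's private IP rather than the customer's address, so instance-side allow-lists keyed on client IP will not see the real consumer. IP targets are static registrations: replacing an instance means re-registering its new private IP.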

Woody1848 (Option: A)
Oct 27, 2024

"An interface endpoint is essentially a service-level ENI. The service is attached straight to the VPC subnet through the ENI. This allows us to assign a private IP address from the subnet pool directly to the service." (AWS Certified Advanced Networking - Specialty Exam Guide pg. 36) There is no need to create EC2 resources in us-east-1 when creating a PrivateLink endpoint.

AzureDP900
Nov 17, 2024

Correct answer: A. Using an existing NLB in eu-west-2 as the basis for a PrivateLink endpoint service in us-east-1 allows the company to quickly provide access to its SaaS service without having to create new EC2 resources or configure complex networking setups.

0b43291 (Option: B)
Nov 22, 2024

The correct solution is Option B: Create an NLB in us-east-1. Create an IP target group that uses the IP addresses of the company's instances in eu-west-2 that host the SaaS service. Configure a PrivateLink endpoint service that uses the NLB that is in us-east-1. Grant specific AWS accounts access to connect to the SaaS service. Option A is not possible because PrivateLink endpoint services cannot span across AWS Regions. The existing NLB in eu-west-2 cannot be directly used for a PrivateLink endpoint service in us-east-1.

TomTom (Option: A)
Nov 29, 2024

Answer A is correct (now). Recently AWS announced that PrivateLink endpoints now support native cross-region connectivity. https://aws.amazon.com/about-aws/whats-new/2024/11/aws-privatelink-across-region-connectivity/

alexbraila
Dec 3, 2024

The article refers to interface VPC endpoint connectivity to VPC endpoint services, but this is not the use case here. The comment of liquen14 is still valid; I tested today, 3rd of Dec 2024. When creating an endpoint service, you can only select load balancers in the same Region. Hence for the current use case we must create an NLB in us-east-1, which will be able to connect to the EC2 instances over the peered VPC due to the link in Pilot's comment (however, his comment is not right, A does not work): https://aws.amazon.com/about-aws/whats-new/2018/10/network-load-balancer-now-supports-inter-region-vpc-peering/

alexbraila
Dec 3, 2024

Bottom line, A does not work, B does

altonh
Feb 13, 2025

A is still incorrect. Note that A requires creating an ENDPOINT SERVICE in us-east-1 that points to an NLB in us-west-2. This is not possible. What you can do is create an endpoint service in us-west-2 that points to the NLB in us-west-2 and then make the endpoint service cross-region. Then, in us-east-1, you can create an ENDPOINT that points to the ENDPOINT SERVICE in us-east-1.