Examice

Exam SAP-C02 All QuestionsBrowse all questions from this exam

Question 360

A software as a service (SaaS) company uses AWS to host a service that is powered by AWS PrivateLink. The service consists of proprietary software that runs on three Amazon EC2 instances behind a Network Load Balancer (NLB). The instances are in private subnets in multiple Availability Zones in the eu-west-2 Region. All the company's customers are in eu-west-2.

However, the company now acquires a new customer in the us-east-1 Region. The company creates a new VPC and new subnets in us-east-1. The company establishes inter-Region VPC peering between the VPCs in the two Regions.

The company wants to give the new customer access to the SaaS service, but the company does not want to immediately deploy new EC2 resources in us-east-1.

Which solution will meet these requirements?

Configure a PrivateLink endpoint service in us-east-1 to use the existing NLB that is in eu-west-2. Grant specific AWS accounts access to connect to the SaaS service.

Create an NLB in us-east-1. Create an IP target group that uses the IP addresses of the company's instances in eu-west-2 that host the SaaS service. Configure a PrivateLink endpoint service that uses the NLB that is in us-east-1. Grant specific AWS accounts access to connect to the SaaS service.

Create an Application Load Balancer (ALB) in front of the EC2 instances in eu-west-2. Create an NLB in us-east-1. Associate the NLB that is in us-east-1 with an ALB target group that uses the ALB that is in eu-west-2. Configure a PrivateLink endpoint service that uses the NLB that is in us-east-1. Grant specific AWS accounts access to connect to the SaaS service.

Use AWS Resource Access Manager (AWS RAM) to share the EC2 instances that are in eu-west-2. In us-east-1, create an NLB and an instance target group that includes the shared EC2 instances from eu-west-2. Configure a PrivateLink endpoint service that uses the NLB that is in us-east-1. Grant specific AWS accounts access to connect to the SaaS service.

Correct Answer: A

To meet the requirements of giving the new customer access to the SaaS service without deploying new EC2 resources in us-east-1, the best solution is to configure a PrivateLink endpoint service in us-east-1 that utilizes the existing Network Load Balancer (NLB) in eu-west-2. This setup allows the new customer in us-east-1 to access the SaaS service hosted in eu-west-2 without requiring additional EC2 instances in the us-east-1 region. Additionally, granting specific AWS accounts access to connect to the SaaS service ensures that only authorized users can access it, which meets the security requirements.

Discussion

devalenzuela86Option: A

A Explanation: * Configuring a PrivateLink endpoint service in us-east-1 to use the existing NLB that is in eu-west-2 will allow the new customer to access the SaaS service without deploying new EC2 resources in us-east-1 1. * Granting specific AWS accounts access to connect to the SaaS service will ensure that only authorized users can access the service 1.

Pilot

Network Load Balancers now support connections from clients to IP-based targets in peered VPCs across different AWS Regions. Previously, access to Network Load Balancers from an inter-region peered VPC was not possible. With this launch, you can now have clients access Network Load Balancers over an inter-region peered VPC. Network Load Balancers can also load balance to IP-based targets that are deployed in an inter-region peered VPC. This support on Network Load Balancers is available in all AWS Regions. https://aws.amazon.com/about-aws/whats-new/2018/10/network-load-balancer-now-supports-inter-region-vpc-peering/ NLB support client from different region, I think A is correct.

abhitricanada

Answer is A because ... VPC peering between the VPCs in the two Regions already done & company does not want to immediately deploy new EC2 resources in us-east-1, later on company will change the architecture

heatblurOption: B

The best option among these is B. While it introduces some complexity, it's the most viable solution that aligns with AWS capabilities and the company's requirements. Creating an NLB in us-east-1 and targeting the IP addresses of the existing instances in eu-west-2 is a feasible approach. This setup allows the company to use their existing infrastructure in eu-west-2 while providing access to the customer in us-east-1 through the PrivateLink endpoint service in us-east-1. This avoids the immediate need to deploy new EC2 resources in the us-east-1 region. It can't be A because AWS PrivateLink endpoint services cannot span regions. They are region-specific, so an endpoint service in us-east-1 cannot directly use an NLB located in eu-west-2.

ayadmawla

But the company has establishing Inter-Region VPC Peering so the endpoint would work

liquen14

I was unable to find documentation saying that an AWS PrivateLink endpoint requires the NLB to be in the same region but if you go to the console for instance here: https://eu-west-1.console.aws.amazon.com/vpcconsole/home?region=eu-west-1#CreateVpcEndpointServiceConfiguration: try to create an endpoint service and you don't have a NLB there the console explicitly states: "No Network Load Balancers or Gateway Load Balancers available in this Region." so for me A in invalid

SKS

Wrong on part where private link support for inter region vpc peering . https://aws.amazon.com/about-aws/whats-new/2018/10/aws-privatelink-now-supports-access-over-inter-region-vpc-peering/

TonytheTigerOption: A

Option A : you don't need to create a new NLB in the us-east-1. Read the link below for Inter-Region access to endpoint service . https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/use-case-examples.html#inter-region-endpoint-services

Josh1217

This article requires new NLB in new region which uses the instances in old region.

yog927

It is A. For all those saying can not access PrivateLink endpoint service across region. "This release makes it possible for customers to privately connect to a service even if the service endpoint resides in a different AWS Region." https://aws.amazon.com/about-aws/whats-new/2018/10/aws-privatelink-now-supports-access-over-inter-region-vpc-peering/

eleOption: A

A: AWS PrivateLink endpoints can now be accessed across both intra- and inter-region VPC peering connections. https://aws.amazon.com/about-aws/whats-new/2019/03/aws-privatelink-now-supports-access-over-vpc-peering/

pri32Option: A

B will also work but unnecessaey complexities

titi_rOption: A

A - correct.

VerRiOption: A

AWS PrivateLink now supports access over Inter-Region VPC Peering since 2018. https://aws.amazon.com/about-aws/whats-new/2018/10/aws-privatelink-now-supports-access-over-inter-region-vpc-peering/

mav3r1ckOption: B

This is the use case: https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/use-case-examples.html#inter-region-endpoint-services

bjexamprepOption: B

Private link endpoint service can only use the NLB in the same region. So A is wrong.

marszalekmOption: A

https://repost.aws/questions/QU4qk3TdeBTyqZ-vcvODn84w/private-link-cross-region-cross-account-support

mark_232323Option: B

Option A is not possible because a PrivateLink endpoint service in us-east-1 cannot directly use an NLB in another Region (eu-west-2).

qaz12wsxOption: A

a because of this https://aws.amazon.com/about-aws/whats-new/2018/10/aws-privatelink-now-supports-access-over-inter-region-vpc-peering/

seetptOption: A

A for me

tushar321

A. A looks to be right answer

sat2008Option: B

When you create PrivateLink endpoint service in us-east-1 you also need a NLB to handle traffic flow between target NLB . So A doesn't seem to be a complete answer

adelynllllllllll

A: https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-share-your-services.html