Exam SAP-C02
Question 462

A company has many services running in its on-premises data center. The data center is connected to AWS using AWS Direct Connect (DX) and an IPSec VPN. The service data is sensitive and connectivity cannot traverse the internet. The company wants to expand into a new market segment and begin offering its services to other companies that are using AWS.

Which solution will meet these requirements?

Correct Answer: A

To meet the requirement that service data never traverses the internet while still being reachable by other companies' AWS accounts, the best solution is a VPC endpoint service backed by a Network Load Balancer (NLB). VPC endpoint services, also known as AWS PrivateLink, provide private connectivity between VPCs without crossing the internet. An NLB is the right front end because it passes TCP traffic through, so it can publish any type of service rather than only HTTP/HTTPS. This keeps the sensitive service data within the secure network boundaries already provided by AWS Direct Connect.
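The provider and consumer halves of this PrivateLink design, as an added Terraform illustration that is not part of the exam page or AWS documentation. VPC, subnet, security-group and account IDs are placeholder variables; the consumer block is shown in the same file only for readability, in practice it runs in the customer's own account against the shared service name.

```hcl
# Added illustration (not from the page or AWS docs); all IDs are placeholders.
variable "provider_vpc_id"      { type = string }
variable "provider_subnet_ids"  { type = list(string) }
variable "customer_account_ids" { type = list(string) } # constructed, e.g. ["111122223333"]
variable "consumer_vpc_id"      { type = string }
variable "consumer_subnet_ids"  { type = list(string) }
variable "consumer_sg_id"       { type = string }

# 1. Internal NLB: PrivateLink endpoint services front an NLB, so any TCP
#    service can be published, not only HTTP(S). No public address exists.
resource "aws_lb" "svc" {
  name               = "svc-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = var.provider_subnet_ids
}
resource "aws_lb_target_group" "svc" {
  name        = "svc-tg"
  port        = 8443
  protocol    = "TCP"
  target_type = "ip"   # targets registered by private IP (in the VPC or on-prem via DX)
  vpc_id      = var.provider_vpc_id
}
resource "aws_lb_listener" "svc" {
  load_balancer_arn = aws_lb.svc.arn
  port              = 8443
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.svc.arn
  }
}

# 2. Endpoint service: the only path other accounts have to the NLB, and it
#    never leaves the AWS network. Lock it to named customers plus manual approval.
resource "aws_vpc_endpoint_service" "svc" {
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.svc.arn]
  allowed_principals         = [for id in var.customer_account_ids : "arn:aws:iam::${id}:root"]
}
output "service_name" { value = aws_vpc_endpoint_service.svc.service_name } # share with customer

# 3. Consumer side (lives in the customer's account): an interface endpoint
#    for that service name, reachable only from inside the customer's VPC.
resource "aws_vpc_endpoint" "consumer" {
  vpc_id             = var.consumer_vpc_id
  service_name       = aws_vpc_endpoint_service.svc.service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.consumer_subnet_ids
  security_group_ids = [var.consumer_sg_id] # allow only the service port
}
```

Leaving `acceptance_required` false or `allowed_principals` empty is the usual misconfiguration here; with both set, a connection request from an unlisted account is rejected outright and a listed one still waits for the provider's approval.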

Discussion
pangchn (Option: A)

A. This is a PrivateLink scenario. Can't find hard evidence, but PrivateLink seems to only work with NLB. If you need ALB, it will be PrivateLink -> NLB -> ALB. One piece of evidence is the link lasithasilva709 posted; another is the comparison of ALB/NLB at https://aws.amazon.com/elasticloadbalancing/features/?nc=sn&loc=2&dn=1; a 3rd is https://aws.amazon.com/about-aws/whats-new/2021/09/application-load-balancer-aws-privatelink-static-ip-addresses-network-load-balancer/

pangchn

Also, the question only mentions services but doesn't mention a port, where TCP (NLB) can cover all ports but HTTP/HTTPS (ALB) is restricted.

gfhbox0083

A, for sure. Connectivity cannot traverse the internet.

trungtd (Option: A)

A, VPC endpoint used with NLB

VerRi (Option: A)

VPC endpoint + NLB = PrivateLink

AWSPro1234

Answer is A. "Many services" is a key word; option B is for HTTP and HTTPS.

Dgix (Option: B)

B is just as safe as A — TCP is not inherently safer. However, HTTPS and HTTP are much more commonly used when providing services to other companies. As we don't have any information as to the nature of the service, a safer bet (pun intended) is B.

CMMC (Option: A)

#C and #D are out given that the connectivity cannot traverse the internet. #A enables a secure VPC endpoint to privately expose the service to other companies' VPCs without traversing the internet, and TCP provides a more controlled and secure comm protocol for sensitive data.

yog927 (Option: A)

A, VPC endpoint used with NLB

lasithasilva709 (Option: A)

My understanding is that an NLB should be used for a VPC endpoint service. Here are some resources:
1. "To use AWS PrivateLink, create a Network Load Balancer for your application in your VPC, and create a VPC endpoint service configuration pointing to that load balancer." https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/aws-privatelink.html
2. https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/