A company has registered its domain name with Amazon Route 53. The company uses Amazon API Gateway in the ca-central-1 Region as a public interface for its backend microservice APIs. Third-party services consume the APIs securely. The company wants to design its API Gateway URL with the company's domain name and corresponding certificate so that the third-party services can use HTTPS.
Which solution will meet these requirements?
To design the API Gateway URL with the company's domain name and corresponding certificate so that third-party services can use HTTPS, the correct approach involves several steps. First, creating a Regional API Gateway endpoint allows the gateway to serve traffic within a specific AWS region. Next, the API Gateway endpoint must be associated with the company's domain name to ensure that the custom domain can be used. The public certificate associated with the company's domain name needs to be imported into AWS Certificate Manager (ACM) in the same region as the API Gateway. This step ensures that the certificate is available in the correct region for use with the API Gateway. Attaching the certificate to the API Gateway endpoint enables HTTPS for the custom domain. Lastly, Route 53 should be configured to route traffic to the API Gateway endpoint, completing the process of using the company's domain name and HTTPS for secure communication. This comprehensive solution meets all the requirements outlined in the question.
The correct solution to meet these requirements is option C. To design the API Gateway URL with the company's domain name and corresponding certificate, the company needs to do the following: 1. Create a Regional API Gateway endpoint: This will allow the company to create an endpoint that is specific to a region. 2. Associate the API Gateway endpoint with the company's domain name: This will allow the company to use its own domain name for the API Gateway URL. 3. Import the public certificate associated with the company's domain name into AWS Certificate Manager (ACM) in the same Region: This will allow the company to use HTTPS for secure communication with its APIs. 4. Attach the certificate to the API Gateway endpoint: This will allow the company to use the certificate for securing the API Gateway URL. 5. Configure Route 53 to route traffic to the API Gateway endpoint: This will allow the company to use Route 53 to route traffic to the API Gateway URL using the company's domain name.
Option C includes all the necessary steps to meet the requirements, hence it is the correct solution. Options A and D do not include the necessary steps to associate the API Gateway endpoint with the company's domain name and attach the certificate to the endpoint. Option B includes the necessary steps to associate the API Gateway endpoint with the company's domain name and attach the certificate, but it imports the certificate into the us-east-1 Region instead of the ca-central-1 Region where the API Gateway is located.
google bard reply..
Why the "reveal solution" most of the time gives the wrong answer ?
i read this before that they can't give 100% of the right answers legally or something
I think the answer is C. we don't need to attach a certificate in us-east-1, if is not for cloudfront. In our case the target is ca-central-1.
I think that is C too, the target would be the same Region. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-regional-api-custom-domain-create.html
Agree, C is correct by using the API Gateway option "Custom domain names" https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html
Important For an API Gateway Regional custom domain name, you must request or import the certificate in the same Region as your API.
Option C encompasses all the necessary steps to design the API Gateway URL with the company's domain name and enable secure HTTPS access using the appropriate certificate. A. This approach does not involve using the company's domain name or a custom certificate. It does not provide a solution for enabling HTTPS access with a corresponding certificate. B. It suggests importing the certificate into ACM in the us-east-1 Region, which may not align with the desired ca-central-1 Region for this scenario. It's important to use ACM in the same Region where API Gateway is deployed to simplify certificate management. D. It suggests importing the certificate into ACM in the us-east-1 Region, which again does not align with the desired ca-central-1 Region. Additionally, it mentions attaching the certificate to API Gateway, which is not necessary for achieving the desired outcome of enabling HTTPS access for the API Gateway endpoint.
All certificates in ACM are regional resources, including the certificates that you import. To use the same certificate with Elastic Load Balancing load balancers in different AWS Regions, you must import the certificate into each Region where you want to use it. To use a certificate with Amazon CloudFront, you must import it into the US East (N. Virginia) Region. https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html
c is right The other options have various issues: Option A: Using stage variables and importing certificates into ACM is not sufficient for achieving the requirement of associating a custom domain and certificate with the API Gateway endpoint. Option B: While it mentions importing the certificate into ACM, it doesn't address the need for a Regional API Gateway or the appropriate region for the certificate. Option D: Using certificates from the us-east-1 region for a Regional API Gateway might cause issues. Additionally, it doesn't provide clear details on how to associate the domain name and certificate with the API Gateway endpoint.
now I am confused, I would have chosen C, but with a Closer look D might be right, because of the A records and again the region used and not stated can be for resilience. I think? can someone clarify
I think C is the correct answer, because the DNS record in this case must be an alias (cname). DNS A record is for IP address. Here some documentation that can be useful: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-api-gateway.html
A records support Elasticity and load balancing and by default resilience is Key in any configuration in AWS
BD are wrong because they are in wrong regions. A. Does not help with R53 routing to API Gateway and not sure what it's trying to do here C is correct
C for sure
Option C is the correct answer
Import the public certificate associated with the company's domain name into AWS Certificate Manager (ACM) in the same Region.
C is the correct solution. To use a custom domain name with HTTPS for API Gateway: The API Gateway endpoint needs to be Regional, not private or edge-optimized. The ACM certificate must be requested in the same region as the API Gateway endpoint. The custom domain name is then mapped to the Regional API endpoint under API Gateway domain names. Route 53 is configured to route traffic to the API Gateway regional domain. The ACM certificate is attached to the API Gateway domain name to enable HTTP
Explain why this saying a different region which not mentioned in the Q.
Correct answer
Only if the API Gateway is global then the corresponding AWS ACM Certificate must be placed in us-east-1
Option C has all the steps to meet the requirenment and attach certificate in the same region