Exam SAP-C01
Question 905

A company wants to send data from its on-premises systems to Amazon S3 buckets. The company created the S3 buckets in three different accounts. The company must send the data privately without the data traveling across the internet. The company has no existing dedicated connectivity to AWS.

Which combination of steps should a solutions architect take to meet these requirements? (Choose two.)

    Correct Answer: A, C

    To send data from an on-premises environment to Amazon S3 privately, without it crossing the internet and without any existing dedicated connectivity to AWS, first establish a networking account in the AWS Cloud and create a private VPC in that account. Next, provision an AWS Direct Connect connection with a private virtual interface (VIF), so that traffic uses private IP addressing rather than the public internet. Finally, create an Amazon S3 interface endpoint in the networking account: interface endpoints are reachable from on-premises networks and work across Regions and accounts, whereas gateway endpoints are tied to the route tables of a single VPC and cannot be reached from on-premises systems.

Discussion
Ni_yot

Ans is A C. S3 supports both gateway and interface endpoints. The main difference is that interface endpoint allows access from on-premises while gateway endpoint does not. https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3

Byrney

AC: https://aws.amazon.com/blogs/aws/aws-privatelink-for-amazon-s3-now-available/

redipa

Options: AC

Answer: Private VIF + Interface endpoint https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-access-direct-connect/ Use a private IP address over Direct Connect (with an interface VPC endpoint) To access Amazon S3 using a private IP address over Direct Connect, perform the following steps: ... 3. Create a private virtual interface for your connection. ... 5. Create an interface VPC endpoint for Amazon S3 in a VPC that is associated with the virtual private gateway. The VGW must connect to a Direct Connect private virtual interface. This interface VPC endpoint resolves to a private IP address even if you enable a VPC endpoint for S3.
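The two checks a practitioner would want after following the answer explanation above and the Direct Connect steps quoted from the knowledge-center article: confirm that the S3 endpoint in the networking account is an interface endpoint (a gateway endpoint cannot be reached over a private VIF), and confirm that the S3 hostname a client resolves maps to private addresses inside the VPC CIDR that the private VIF advertises. This is an added example, not code from the exam page or from AWS; the `describe_vpc_endpoints` response, the endpoint and VPC ids, the addresses and the VPC CIDR are all constructed, and the `bucket.<vpce-dns>` URL shape is assumed from the AWS PrivateLink for S3 documentation.

```python
"""Audit S3 VPC endpoints for on-premises reachability and verify that a
resolved S3 hostname stays on a private path (added example; sample data is
constructed, not captured from a real account)."""
import ipaddress
from typing import Dict, List

# Constructed sample in the shape returned by ec2.describe_vpc_endpoints()
# (keys assumed from the API: VpcEndpointType, ServiceName, State, DnsEntries).
SAMPLE_RESPONSE: Dict = {
    "VpcEndpoints": [
        {
            "VpcEndpointId": "vpce-0example0gateway",      # placeholder id
            "VpcEndpointType": "Gateway",
            "ServiceName": "com.amazonaws.us-east-1.s3",
            "VpcId": "vpc-0exampleabc",                   # placeholder id
            "State": "available",
            "DnsEntries": [],                             # gateways publish no ENI DNS
        },
        {
            "VpcEndpointId": "vpce-0example0interface",    # placeholder id
            "VpcEndpointType": "Interface",
            "ServiceName": "com.amazonaws.us-east-1.s3",
            "VpcId": "vpc-0exampleabc",
            "State": "available",
            "DnsEntries": [
                {"DnsName": "*.vpce-0example0interface.s3.us-east-1.vpce.amazonaws.com"}
            ],
        },
    ]
}


def audit_s3_endpoints(response: Dict) -> List[Dict]:
    """Classify each S3 endpoint by whether on-premises clients can use it.

    A gateway endpoint is a route-table target that only instances inside
    its VPC can use, so it is never reachable over a Direct Connect private
    VIF.  An interface endpoint is a set of ENIs with private addresses that
    on-premises networks can route to, provided it is in the available state.
    """
    findings = []
    for ep in response.get("VpcEndpoints", []):
        if not ep.get("ServiceName", "").endswith(".s3"):
            continue  # not an S3 endpoint; ignore other services
        is_interface = ep.get("VpcEndpointType") == "Interface"
        available = ep.get("State") == "available"
        findings.append({
            "id": ep["VpcEndpointId"],
            "type": ep.get("VpcEndpointType"),
            "on_prem_reachable": is_interface and available,
            "dns_names": [d["DnsName"] for d in ep.get("DnsEntries", [])],
        })
    return findings


def verify_private_path(resolved_ips: List[str], vpc_cidr: str) -> bool:
    """Return True only if every resolved address is private and lies inside
    the VPC CIDR advertised over the private VIF.

    Any address outside that CIDR (for example a public S3 address) means the
    request would not use the Direct Connect path; an empty answer is also a
    failure, since the client would fall back to whatever DNS returns next.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    if not resolved_ips:
        return False
    for ip in resolved_ips:
        addr = ipaddress.ip_address(ip)
        if not addr.is_private or addr not in vpc:
            return False
    return True


def bucket_endpoint_url(dns_wildcard: str) -> str:
    """Build the endpoint_url an S3 client would be pointed at, using the
    assumed bucket-style name 'bucket.<vpce-dns>' from the PrivateLink docs."""
    return "https://" + dns_wildcard.replace("*", "bucket", 1)


if __name__ == "__main__":
    for f in audit_s3_endpoints(SAMPLE_RESPONSE):
        print(f"{f['id']}: {f['type']} on-prem reachable={f['on_prem_reachable']}")
        for name in f["dns_names"]:
            print("  client endpoint_url:", bucket_endpoint_url(name))
    # Constructed answers: two ENI addresses inside the VPC versus one outside.
    print(verify_private_path(["10.20.1.15", "10.20.2.15"], "10.20.0.0/16"))
    print(verify_private_path(["203.0.113.10"], "10.20.0.0/16"))
```

In practice `SAMPLE_RESPONSE` would be the return value of `boto3.client("ec2").describe_vpc_endpoints()` in the networking account, and `resolved_ips` the answer an on-premises resolver gives for the endpoint-specific S3 name; the point of separating the check from the lookup is that it can run in a pipeline without network access and still catch a gateway-only deployment or a name that resolves outside the VPC.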

skywalker

AC. Rule out B because it didn't mention creating an interface VPC endpoint for Amazon S3, which is needed for using a private IP address over Direct Connect (with an interface VPC endpoint). Thus A seems a logical choice instead of B.

pixepe

My answer is A,C. We all have consensus on A. Between D & E, D (S3 Gateway Endpoint) is Regional and doesn't support cross-VPC. Here the question doesn't state anything on region or cross-account. So I have doubt on D that it will NOT work. And C (S3 Interface endpoint) can work on multi-region, cross-account etc. Ref - https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/

Rocketeer

BD Need public VIF + Gateway endpoint for S3

Rocketeer

changed to AC

AwsBRFan

Options: AD

S3 - Gateway interface - https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html

Blair77

Options: AC

A&C: https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/

JohnPi

Options: BC

public VIF + interface endpoint

JohnPi

AC Private VIF + Interface endpoint

Cloudxie

In scenarios where you must access S3 buckets securely from on-premises or from across Regions, we recommend using an interface endpoint. If you chose a gateway endpoint, install a fleet of proxies in the VPC to address transitive routing.

Biden

As an architect consider future needs too. GW EPs are supported for resources in a specific VPC to which the EP is associated, which complicates future design. Hence A,C !!

SGES

A & C to me are preferable

cale

I think so too - it's A & C

WhyIronMan

Options: AC

A,C, as interface endpoint allows access from on-premises while gateway endpoint does not

ggrodskiy

Correct AC.

LrdKanien

A and C. You can't route from on prem to the gateway VPC endpoint.

alnadan

Options: AC

AC Here is the link: https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/

alnadan

A & C https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/

Cloudyheema

D & E make sense