Examice

Exam SAP-C01 All QuestionsBrowse all questions from this exam

Question 873

A company has two VPCs: VPC A and VPC B. The company uses a solution in VPC A in the ca-central-1 Region to expose services that are deployed on Amazon

EC2 instances. The services read objects that are stored in an Amazon S3 bucket in ca-central-1. The S3 bucket must not be publicly accessible, and the EC2 instances must use a gateway VPC endpoint. A rule in the S3 bucket policy allows only traffic that comes from the VPC A endpoint.

The company recently created another application. The application is hosted on EC2 instances that are deployed in VPC B in the us-east-1 Region in the same

AWS account. The application needs to access objects that are stored in the S3 bucket in ca-central-1.

Which solution will meet these requirements?

Create a cross-Region VPC peering connection between the two VPCs. Add a route in the route table of VPC B to use the peering connection to access the S3 gateway VPC endpoint.

Create a gateway VPC endpoint in VPC B in us-east-1. Add a route in the route table of VPC B to use the S3 gateway VPC endpoint to access Amazon S3. Update the S3 bucket policy to accept connection from this gateway VPC endpoint.

Create a third VPC (VPC C) in ca-central-1. Create a cross-Region VPC peering connection between VPC C and VPC B in us-east-1. Use AWS PrivateLink with a Network Load Balancer (NLB) to expose the services in VPC A in ca-central-1. Use the interface VPC endpoint created with PrivateLink in VPC C to call the services.

Create a virtual private gateway, and attach it to VPC A in ca-central-1. Create an IPsec VPN connection between the EC2 instances in us-east-1 and the virtual private gateway. Grant the EC2 instances in us-east-1 direct access to the S3 bucket by adding a route to use the VPN connection to access Amazon S3.

Correct Answer: C

Given the requirement that the S3 bucket must not be publicly accessible and the EC2 instances must use a gateway VPC endpoint, creating a third VPC in the ca-central-1 Region and using AWS PrivateLink with a Network Load Balancer (NLB) to expose the services in VPC A is the most viable solution. By creating an interface VPC endpoint with PrivateLink in VPC C, VPC B in us-east-1 can access those services through the cross-Region VPC peering connection without violating any restrictions imposed by the S3 gateway endpoints.

Discussion

JohnPiOption: C

C is the answer, you need an interface gateway. S3 access through gateway endpoints is supported only for resources in a specific VPC to which the endpoint is associated. S3 gateway endpoints do not currently support access from resources in a different Region, different VPC, or from an on-premises (non-AWS) environment. https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/

Kakusaif

agreed - Resources on the other side of a VPC peering connection, transit gateway, or AWS Direct Connect connection in your VPC cannot use a S3 gateway endpoint to communicate with Amazon S3.

timmysixstrings

I think that your interpretation of this is wrong. Accessing the gateway endpoint in VPC B from VPC B is fine because its the same region and same VPC. In other words, the gateway endpoint and the resource using it need to be in the same VPC/region. This restriction doesn't apply to the bucket in S3 (the gateway endpoint can access a bucket in another region without issue) The answer is B

rajveeOption: A

I believe should be A, https://aws.amazon.com/premiumsupport/knowledge-center/vpc-endpoints-cross-region-aws-services/

Kakusaif

question mentions S3 gateway endpoint - Resources on the other side of a VPN connection, VPC peering connection, transit gateway, or AWS Direct Connect connection in your VPC cannot use a S3 gateway endpoint to communicate with Amazon S3.

nano2nd

For example, if you deploy an S3 VPC endpoint in the us-west-2 Region, then you can access S3 buckets in us-west-2 from that VPC endpoint.

nano2nd

from that link: However, you can access these VPC endpoints from the same Region only. For example, if you deploy an S3 VPC endpoint in the us-west-2 Region, then you can access S3 buckets in us-west-2 from that VPC endpoint.

joanneli77

Answer is B IMHO - you can write to an S3 bucket from anywhere, and a Gateway Endpoint in VPC B is to the S3 service in that region. Yes there is more latency. As long as I can communicate to S3 service and have some sort of auth, I can write to a bucket anywhere.

sb333Option: C

Neither A nor B are correct. This is because they both use S3 "gateway" endpoints. Gateway endpoints cannot be used outside of its own VPC, and they also cannot reference S3 buckets in another Region. Answer C is correct. For answer C, it has both relevant and non-relevant information in it. The relevant part for accessing the S3 bucket from both Regions is: "Create a third VPC (VPC C) in ca-central-1. Create a cross-Region VPC peering connection between VPC C and VPC B in us-east-1. Use the interface VPC endpoint created with PrivateLink in VPC C to call the services." An interface VPC endpoint is a newer offering (for S3 can be accessed across a cross-Region VPC peering connection. The rest of the answer isn't relevant as it speaks to what you can do for accessing the application. https://aws.amazon.com/blogs/aws/aws-privatelink-for-amazon-s3-now-available/

AkaAka4

This comment really helped me understand. Thanks so much!

hobokaboboOption: B

S3 is a global resource. So you can access an S3 Bucket from any regional access point. Gateway access Points on the other hand are regional. Ultimatelely it is routing S3 requests to the regional access point. Works. C is a little cumbersome for S3 access but - depending on how I choose to interpret the implementation details - might work. But: for one if I want an interface entpoint, I would simply create S3 endpoint and secondly the question explicitely states that an s3 gatway endpoint has to be used. C are interface endpoints to services and not gateway endpoints.

Rakesh8585Option: B

It is B https://repost.aws/knowledge-center/connect-s3-vpc-endpoint

Heer

Option B is the right answer It's important to note that cross-region VPC peering is supported between VPCs in different accounts and different regions but it is not currently supported between VPCs in different regions within the same account. Also, to use VPC endpoints to access S3 resources across regions, you will need to create a VPC endpoint for each S3 region that you want to access.

evargasbrzOption: C

A-> Resources on the other side of a VPC peering connection, transit gateway, or AWS Direct Connect connection in your VPC can not use a S3 gateway endpoint to communicate with Amazon S3. B-> It's not possible. "A gateway endpoint is available only in the Region where you created it. Be sure to create your gateway endpoint in the same Region as your S3 buckets." https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html so I'll go with C

WhyIronManOption: A

A) and here's the reasoning: * Cross-Region VPC Peering: This allows the instances in VPC B to communicate with resources in VPC A, which includes the gateway VPC endpoint for S3. * Using the Gateway VPC Endpoint: The S3 gateway endpoint in VPC A enables secure access to S3 without the need for public internet access, which aligns with the requirement that the S3 bucket should not be publicly accessible. * Bucket Policy: Since the bucket policy allows traffic only from the VPC A endpoint, the cross-region peering allows the EC2 instances in VPC B to utilize the endpoint from VPC A for accessing S3. * Other options either involve creating unnecessary resources (like an additional VPC or VPN connections) or do not align with the requirements of accessing the S3 bucket securely from a different region without making it public.

WhyIronMan

No, I am WRONG! it is not A: AWS Documentation says However, gateway endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a transit gateway.

MikelH93Option: A

https://repost.aws/knowledge-center/vpc-endpoints-cross-region-aws-services need peering and update route table with endpoint

MikelH93

I was wrong after re-reading the article, you need an endpoint interface to do cross region.

MikelH93

Answer C sry for multiples posts

dev112233xxOption: A

A is easy

vn_thanhtung

Note: The following example uses Amazon S3 interface endpoints for cross-Region traffic because gateway endpoints don't support cross-Region access. Use the same setup for any VPC interface endpoint.

[Removed]

Must be c by process of elimination

mike9999Option: A

Its A because https://aws.amazon.com/premiumsupport/knowledge-center/vpc-endpoints-cross-region-aws-services/

janvandermerwerOption: C

D seems overkill A doesn't seem like it's going to work B also won't work Answer must be C: Gateway VPC endpoint is VPC specific and allows access to resources in that region only. "A gateway endpoint is available only in the Region where you created it. Be sure to create your gateway endpoint in the same Region as your S3 buckets." "Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, or AWS Direct Connect connection in your VPC cannot use a gateway endpoint to communicate with Amazon S3." https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html

Rocketeer

A https://aws.amazon.com/premiumsupport/knowledge-center/vpc-endpoints-cross-region-aws-services/

AwsBRFanOption: A

https://aws.amazon.com/premiumsupport/knowledge-center/vpc-endpoints-cross-region-aws-services/

JohnPiOption: A

Gateway VPC endpoint must be in the same region as S3 bucket

JohnPi

it is not A. Gateway endpoint cannot be extended out of a VPC (VPN, DX, TGW, peering

JohnPi

C must be the answer, you need an interface gateway. S3 access through gateway endpoints is supported only for resources in a specific VPC to which the endpoint is associated. S3 gateway endpoints do not currently support access from resources in a different Region, different VPC, or from an on-premises (non-AWS) environment. https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/