
SAA-C03 Exam - Question 514


A company is running a microservices application on Amazon EC2 instances. The company wants to migrate the application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster for scalability. The company must configure the Amazon EKS control plane with endpoint private access set to true and endpoint public access set to false to maintain security compliance. The company must also put the data plane in private subnets. However, the company has received error notifications because the node cannot join the cluster.

Which solution will allow the node to join the cluster?

Correct Answer: B

When the Amazon EKS control plane is configured with endpoint private access set to true and endpoint public access set to false, the nodes in private subnets need a way to communicate with the control plane. Creating interface VPC endpoints enables this communication by allowing the nodes to access the control plane privately within the VPC without needing public internet access. This resolves the issue of the nodes being unable to join the cluster due to the private access configuration.
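The explanation above reduces to a small configuration check: a control plane with endpoint private access on and public access off, data-plane subnets that are private, and (as one commenter's quote from the private-cluster docs adds) an interface endpoint whose security group admits the node subnets. The following is an added example, not part of the exam page or AWS documentation, that runs that check offline over dictionaries modelled on `aws eks describe-cluster` and `aws ec2 describe-vpc-endpoints` output; all IDs, CIDRs and the region are constructed sample values, and the private-DNS check is an assumption about how interface endpoints are normally configured rather than something the page states.

```python
from ipaddress import ip_network

# Service name of the EKS interface endpoint, as named in the discussion
EKS_SERVICE = "com.amazonaws.{region}.eks"


def eks_endpoint_findings(cluster, vpc_endpoints, subnet_cidrs, sg_ingress, region):
    """Return findings that would keep nodes from reaching a private-only
    EKS control plane. An empty list means the checks pass.

    cluster:       dict shaped like the "cluster" object of describe-cluster
    vpc_endpoints: list of dicts shaped like describe-vpc-endpoints entries
    subnet_cidrs:  {subnet-id: CIDR} for the data-plane (node) subnets
    sg_ingress:    {security-group-id: [allowed ingress CIDRs]}
    """
    cfg = cluster["resourcesVpcConfig"]
    findings = []

    # Only a private-only control plane depends on the in-VPC path.
    if not (cfg["endpointPrivateAccess"] and not cfg["endpointPublicAccess"]):
        return findings

    service = EKS_SERVICE.format(region=region)
    eks_endpoints = [
        e for e in vpc_endpoints
        if e["ServiceName"] == service and e["VpcEndpointType"] == "Interface"
    ]
    if not eks_endpoints:
        findings.append(
            f"no interface VPC endpoint for {service}: nodes have no private path "
            f"to the control plane")
        return findings

    for ep in eks_endpoints:
        # Assumption: private DNS is what makes the service hostname resolve
        # to the endpoint ENIs inside the VPC.
        if not ep.get("PrivateDnsEnabled", False):
            findings.append(f"{ep['VpcEndpointId']} has private DNS disabled")

        # The endpoint's security group must admit traffic from every node
        # subnet (the rule quoted from the private-cluster docs in the thread).
        allowed = [ip_network(c)
                   for g in ep["Groups"]
                   for c in sg_ingress.get(g["GroupId"], [])]
        for subnet_id in cfg["subnetIds"]:
            cidr = ip_network(subnet_cidrs[subnet_id])
            if not any(cidr.subnet_of(a) for a in allowed):
                findings.append(
                    f"{ep['VpcEndpointId']} security group does not allow "
                    f"{subnet_id} ({cidr})")
    return findings


# Constructed sample data (not from any real account)
REGION = "us-east-1"
CLUSTER = {
    "name": "example-cluster",
    "resourcesVpcConfig": {
        "subnetIds": ["subnet-aaaa", "subnet-bbbb"],
        "endpointPublicAccess": False,
        "endpointPrivateAccess": True,
    },
}
SUBNET_CIDRS = {"subnet-aaaa": "10.0.1.0/24", "subnet-bbbb": "10.0.2.0/24"}
SG_INGRESS = {
    "sg-vpce-wide": ["10.0.0.0/16"],    # admits the whole VPC
    "sg-vpce-narrow": ["10.0.1.0/24"],  # admits only one node subnet
}
NO_ENDPOINTS = []                        # the failing state in the question
FIXED_ENDPOINTS = [{
    "VpcEndpointId": "vpce-0001",
    "ServiceName": "com.amazonaws.us-east-1.eks",
    "VpcEndpointType": "Interface",
    "SubnetIds": ["subnet-aaaa", "subnet-bbbb"],
    "Groups": [{"GroupId": "sg-vpce-wide"}],
    "PrivateDnsEnabled": True,
}]
NARROW_ENDPOINTS = [dict(FIXED_ENDPOINTS[0], VpcEndpointId="vpce-0002",
                         Groups=[{"GroupId": "sg-vpce-narrow"}])]

if __name__ == "__main__":
    for label, eps in [("no endpoint", NO_ENDPOINTS),
                       ("endpoint + wide SG", FIXED_ENDPOINTS),
                       ("endpoint + narrow SG", NARROW_ENDPOINTS)]:
        result = eks_endpoint_findings(CLUSTER, eps, SUBNET_CIDRS, SG_INGRESS, REGION)
        print(f"{label}: {result or 'OK'}")
```

The three sample states mirror the thread: no endpoint at all (the question's error), an endpoint whose security group covers the node subnets (answer B applied correctly), and an endpoint whose security group is too narrow, which the quoted private-cluster guidance flags as the remaining way for a node to be left out.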

Discussion

17 comments
cloudenthusiast (Option: B)
May 19, 2023

By creating interface VPC endpoints, you can enable the necessary communication between the Amazon EKS control plane and the nodes in private subnets. This solution ensures that the control plane maintains endpoint private access (set to true) and endpoint public access (set to false) for security compliance.

y0 (Option: A)
May 22, 2023

Check this: https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html Also, EKS does not require VPC endpoints. This is not the right use case for EKS.

h0ng97_spare_002
Mar 26, 2024

https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html#:~:text=Before,launched "Before you can launch nodes and register them into a cluster, you must create an IAM role for those nodes to use when they are launched."

TwinSpark
May 8, 2024

Correct. I was going for B, but A looks better. https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html "When you enable endpoint private access for your cluster, Amazon EKS creates a Route 53 private hosted zone on your behalf and associates it with your cluster's VPC. This private hosted zone is managed by Amazon EKS, and it doesn't appear in your account's Route 53 resources."

Guru4Cloud (Option: B)
Aug 23, 2023

Since the EKS control plane has public access disabled and is in private subnets, the EKS nodes in the private subnets need interface VPC endpoints to reach the control plane API. Creating these interface endpoints allows the EKS nodes to communicate with the control plane privately within the VPC to join the cluster.

Guru4Cloud
Aug 23, 2023

Why B:
Private Control Plane: You've configured the Amazon EKS control plane with private endpoint access, which means the control plane is not accessible over the public internet.
VPC Endpoints: When the control plane is set to private access, you need to set up VPC endpoints for the Amazon EKS service so that the nodes in your private subnets can communicate with the EKS control plane without going through the public internet. These are known as interface VPC endpoints.

Guru4Cloud
Aug 23, 2023

Reason why not A: While security groups and IAM permissions are important considerations for networking and authentication, they alone won't resolve the issue of nodes not being able to join the cluster when the control plane is configured for private access.

Smart (Option: A)
Aug 24, 2023

This should be an associate-level question. https://repost.aws/knowledge-center/eks-worker-nodes-cluster https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html

Smart
Aug 24, 2023

This should NOT be an associate-level question

thanhnv142
Oct 21, 2023

A is correct. To deploy a new EKS cluster:
1. Need to have a VPC and at least 2 subnets
2. An IAM role that has permission to create and describe the EKS cluster

Bennyboy789 (Option: B)
Aug 28, 2023

In Amazon EKS, nodes need to communicate with the EKS control plane. When the Amazon EKS control plane endpoint access is set to private, you need to create interface VPC endpoints in the VPC where your nodes are running. This allows the nodes to access the control plane privately without needing public internet access.

thanhnv142
Oct 21, 2023

A is good to go. B is not correct because they already set up the connection to the control plane.

pentium75
Jan 1, 2024

"They already set up the connection to the control plane": where did you read that?

potomac (Option: A)
Nov 6, 2023

Before you can launch nodes and register them into an EKS cluster, you must create an IAM role for those nodes to use when they are launched.

bujuman (Option: B)
Apr 4, 2024

Because of these two assertions:
- Amazon EKS control plane with endpoint private access set to true and endpoint public access set to false to maintain security compliance.
- The company must also put the data plane in private subnets.
The best answer is related to networking and private subnets (the EKS control plane is strictly private and the data plane sits in private subnets), and not to EKS auto-deployment, which surely needs an IAM policy. So according to me, answer B is the best answer.

trinh_le (Option: B)
Apr 27, 2024

B is good to go

JackyCCK
Apr 7, 2024

S3/DynamoDB: VPC endpoint; other services should use an interface endpoint, so B is incorrect.

stalk98
May 9, 2024

I think it is A.

Rocconno (Option: B)
Jun 11, 2024

https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html "Any self-managed nodes must be deployed to subnets that have the VPC interface endpoints that you require. If you create a managed node group, the VPC interface endpoint security group must allow the CIDR for the subnets, or you must add the created node security group to the VPC interface endpoint security group."

MandAsh (Option: B)
Jun 16, 2024

The error they have mentioned is at the network level. They are not saying authorisation has failed; rather, the node is unable to connect to the cluster, aka a connectivity issue. So the answer must be B.

Gape4 (Option: B)
Jun 25, 2024

I think it is B.

emakid (Option: B)
Jun 29, 2024

When Amazon EKS nodes cannot join the cluster, especially when the control plane is set to private access only, the issue typically revolves around networking and connectivity. When the EKS control plane is configured with private access only, the nodes must communicate with the control plane over private IP addresses. Creating VPC endpoints (specifically, com.amazonaws.<region>.eks) allows traffic between the EKS nodes and the control plane to be routed privately within the VPC, which resolves the connectivity issue.

a7md0 (Option: A)
Jul 3, 2024

AmazonEKSNodeRole IAM role https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html