Exam ANS-C01
Question 6

A software-as-a-service (SaaS) provider hosts its solution on Amazon EC2 instances within a VPC in the AWS Cloud. All of the provider's customers also have their environments in the AWS Cloud.

A recent design meeting revealed that the customers have IP address overlap with the provider's AWS deployment. The customers have stated that they will not share their internal IP addresses and that they do not want to connect to the provider's SaaS service over the internet.

Which combination of steps is part of a solution that meets these requirements? (Choose two.)

    Correct Answer: A, B

    To meet the requirements of not sharing internal IP addresses and not connecting over the internet despite the IP address overlap, deploying the SaaS service endpoint behind a Network Load Balancer (NLB) allows for a highly available, scalable architecture and presents a single IP address to customers. Configuring an endpoint service and granting customers permission to create a connection allows them to connect to the SaaS service securely and privately using their own private IP addresses, without traversing the internet.

Discussion
emmanuelodenyire Options: AB

The correct answer is A and B. Option A, deploying the SaaS service endpoint behind a Network Load Balancer (NLB), allows the provider to present a single IP address to customers, while maintaining a highly available and scalable architecture. This is achieved by mapping the NLB's IP address to the SaaS service endpoint. Option B, configuring an endpoint service, enables customers to connect to the SaaS service endpoint using their own private IP addresses. This allows customers to avoid IP address overlap with the provider's AWS deployment and provides a secure, private connection to the SaaS service without traversing the internet.

Dammyt

I totally agree with your choice of answers. NLB supports static IP addresses.

bogehad181 Options: AB

A&B: https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-saas.html

gpt_test Options: AB

Deploying the SaaS service endpoint behind a Network Load Balancer (NLB) allows for better scalability and performance, while also supporting connections from AWS PrivateLink, which can provide secure access to the SaaS service without crossing the public internet. Configuring an endpoint service and granting the customers permission to create a connection to the endpoint service allows the customers to access the SaaS service securely and privately through AWS PrivateLink. This ensures that the traffic does not traverse the public internet and does not require sharing internal IP addresses, while also handling IP address overlaps.

slackbot Options: AB

A&B are the correct ones.

patanjali

The answers are A and B. D can't be the answer, as per https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html#vpc-peering-limitations: "You cannot create a VPC peering connection between VPCs that have matching or overlapping IPv4 or IPv6 CIDR blocks."

Hisayuki Options: AB

With PrivateLink, you can expose your own services to another VPC. But you cannot choose the ALB as an endpoint for PrivateLink. Instead, use the NLB for PrivateLink.

[Removed] Options: AB

The trick here is C, D, and E require sharing internal IP. https://aws.amazon.com/blogs/networking-and-content-delivery/connecting-networks-with-overlapping-ip-ranges/

[Removed]

Edit: going with C, D after carefully re-reading the question. The question is asking for a COMBINATION of steps. So I am going to assume that the SaaS offering is serving traffic through HTTP/HTTPS. Deploy the SaaS service endpoint behind an Application Load Balancer. Configure a VPC peering connection to the customer VPCs. Route traffic through NAT gateways.

Mario_134354

Not valid. VPC peering can't have overlapping CIDRs between the VPCs that want to form a peering.

Raphaello Options: AB

AB are the correct answers. Ideal use case for VPC service endpoint (PrivateLink)

tromyunpak

A and B; that is the configuration to set up a private link.

Marfee400704

I think that the correct answer is AB according to SPOTO products.

marfee

I think that the correct answer is A & B.

FayeG Options: AB

The correct answer is A and B

MEDES

The correct answer is A and B. Option A, deploying the SaaS service endpoint behind a Network Load Balancer (NLB), allows the provider to present a single IP address to customers, while maintaining a highly available and scalable architecture. This is achieved by mapping the NLB's IP address to the SaaS service endpoint. Option B, configuring an endpoint service, enables customers to connect to the SaaS service endpoint using their own private IP addresses. This allows customers to avoid IP address overlap with the provider's AWS deployment and provides a secure, private connection to the SaaS service without traversing the internet.

dvaidya Options: AB

This is a standard use case of PrivateLink.

PhilMultiCloud

The correct choices are:

A. Deploy the SaaS service endpoint behind a Network Load Balancer.
B. Configure an endpoint service, and grant the customers permission to create a connection to the endpoint service.

The problem here is that there is an IP address overlap between the SaaS provider's deployment and the customers' environments. Given this, we need a solution that allows private connectivity without the need for specific IP addresses.

Deploying the SaaS service behind a Network Load Balancer (NLB) will allow the service to scale and handle traffic in a reliable way. Also, NLB supports IP targets, which would allow the SaaS service to connect directly to the EC2 instances.

AWS PrivateLink, which includes endpoint services, provides private connectivity between VPCs, AWS services, and on-premises applications, without exposing the traffic to the public internet. This is precisely the functionality we need in this scenario. When we create an endpoint service, the customers can create a connection to the service, which allows them to connect to the SaaS application privately.

4bed5ff

I chose C instead of A, because "Elastic Load Balancing now supports forwarding traffic directly from Network Load Balancer (NLB) to Application Load Balancer (ALB). With this feature, you can now use AWS PrivateLink and expose static IP addresses for applications built on ALB." https://aws.amazon.com/about-aws/whats-new/2021/09/application-load-balancer-aws-privatelink-static-ip-addresses-network-load-balancer/