
SAA-C03 Exam - Question 562


A solutions architect needs to ensure that API calls to Amazon DynamoDB from Amazon EC2 instances in a VPC do not travel across the internet.

Which combination of steps should the solutions architect take to meet this requirement? (Choose two.)

Correct Answer: AB

To ensure that API calls to Amazon DynamoDB from Amazon EC2 instances in a VPC do not travel across the internet, it is necessary to create a gateway endpoint for DynamoDB. This allows for private connectivity between the VPC and DynamoDB, ensuring that traffic does not leave the AWS network. Additionally, a route table entry for the endpoint is needed to ensure that the traffic is directed to the gateway endpoint within the VPC. Elastic network interfaces and security group entries are not required for this configuration, as gateway endpoints do not use ENIs or security groups.
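The route-table requirement in the explanation above can be audited per subnet. The following is an added example, not code from the original page or from AWS: given data shaped like EC2 DescribeVpcEndpoints and DescribeRouteTables responses, it lists subnets whose DynamoDB traffic would not be routed to a gateway endpoint, including subnets that silently fall back to the VPC's main route table. The function names, all IDs and the prefix-list ID `pl-example` are constructed for illustration.

```python
# Added example. Dict shapes follow EC2 DescribeVpcEndpoints / DescribeRouteTables; IDs are constructed.

def effective_route_table(subnet_id, route_tables):
    """Explicitly associated table if any, else the VPC's main route table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def has_endpoint_route(rt, prefix_list_id, endpoint_ids):
    """True if an active route sends the service prefix list to a gateway endpoint."""
    return any(
        r.get("DestinationPrefixListId") == prefix_list_id
        and r.get("GatewayId") in endpoint_ids
        and r.get("State") == "active"
        for r in rt.get("Routes", [])
    )

def subnets_without_private_path(subnet_ids, route_tables, endpoints, prefix_list_id):
    """Subnets whose DynamoDB traffic would not be routed to a gateway endpoint."""
    gw_ids = {
        e["VpcEndpointId"] for e in endpoints
        if e["VpcEndpointType"] == "Gateway"
        and e["ServiceName"].endswith(".dynamodb")
        and e["State"].lower() == "available"
    }
    missing = []
    for subnet in subnet_ids:
        rt = effective_route_table(subnet, route_tables)
        if rt is None or not has_endpoint_route(rt, prefix_list_id, gw_ids):
            missing.append(subnet)
    return missing

# Constructed sample: subnet-app has its own table, subnet-db falls back to main.
ENDPOINTS = [{"VpcEndpointId": "vpce-0example", "VpcEndpointType": "Gateway",
              "ServiceName": "com.amazonaws.us-east-1.dynamodb", "State": "available"}]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example",
                 "State": "active"}]},
    {"RouteTableId": "rtb-app", "Associations": [{"SubnetId": "subnet-app", "Main": False}],
     "Routes": [{"DestinationPrefixListId": "pl-example", "GatewayId": "vpce-0example",
                 "State": "active"}]},
]
print(subnets_without_private_path(["subnet-app", "subnet-db"], ROUTE_TABLES, ENDPOINTS, "pl-example"))
```

In the sample, `subnet-db` is reported because the main route table only has a NAT default route, so its DynamoDB calls would leave through the NAT gateway instead of the endpoint.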

Discussion

17 comments
ukivanlamlpi Options: AB
Aug 11, 2023

https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-ddb.html

Guru4Cloud Options: BE
Aug 21, 2023

The reasons are: A gateway endpoint for DynamoDB enables private connectivity between DynamoDB and the VPC. This allows EC2 instances to access DynamoDB APIs without traversing the internet. A security group entry is needed to allow the EC2 instances access to the DynamoDB endpoint over the VPC. An interface endpoint is used for services like S3 and Systems Manager, not DynamoDB. Route table entries route traffic within a VPC but do not affect external connectivity. Elastic network interfaces are not needed for gateway endpoints.

unbendable
Oct 30, 2023

"The outbound rules for the security group for instances that access DynamoDB through the gateway endpoint must allow traffic to DynamoDB", https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-ddb.html The option, however, is talking about the security group of the endpoint.

pentium75 Options: AB
Jan 2, 2024

Gateway Endpoint does not have an ENI, thus it has no security group. Instances have security groups and those must allow access to DynamoDB.

baba365
Sep 29, 2023

Answer: E. Example Question #555 - Implement an interface VPC endpoint for Amazon SQS. Configure the endpoint to use the private subnets. Add to the endpoint a security group that has an inbound access rule that allows traffic from the EC2 instances that are in the private subnets.

theonlyhero
Jan 12, 2024

555 refers to the Interface endpoint, not the Gateway endpoint.

iwannabeawsgod Options: AB
Oct 18, 2023

A and B for sure

theonlyhero
Jan 12, 2024

Go through this video; it will show the answer is AB: https://www.youtube.com/watch?v=8FTnyhklEvU

awsgeek75 Options: AB
Jan 19, 2024

DynamoDB can only be connected via Gateway endpoint (just like S3); route table for connecting the VPC to the endpoint. So do B then A. C: interface endpoint for EC2 to what? D: ENI not applicable here for VPC. E: Incomplete option as to access to what?

danielmakita
Oct 29, 2023

It is A and B. Not E because security group does not span VPCs.

potomac Options: AB
Nov 6, 2023

You can access Amazon DynamoDB from your VPC using gateway VPC endpoints. After you create the gateway endpoint, you can add it as a target in your route table for traffic destined from your VPC to DynamoDB.

EdenWang Options: BE
Nov 17, 2023

Refer to question 555.

TariqKipkemei Options: AB
Nov 21, 2023

Create a gateway endpoint for DynamoDB, then create a route table entry for the endpoint.

aws94 Options: BE
Dec 13, 2023

A. Create a route table entry for the endpoint: This is not necessary, as the gateway endpoint itself automatically creates the required route table entries.

osmk
Jan 26, 2024

AB https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/vpc-endpoints-dynamodb.html

loveaws
Oct 6, 2023

B and D.

cciesam Options: AB
Nov 13, 2023

https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html#vpc-endpoints-routing Traffic from your VPC to Amazon S3 or DynamoDB is routed to the gateway endpoint. Each subnet route table must have a route that sends traffic destined for the service to the gateway endpoint using the prefix list for the service.

upliftinghut Options: AB
Jan 24, 2024

C & D are both not relevant. D looks ok but DynamoDB doesn't go with security group, it only allows route table for VPC endpoint. Link here: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/vpc-endpoints-dynamodb.html

upliftinghut
Jan 24, 2024

Sorry, E not D. E looks ok but DynamoDB doesn't go with security group, it only allows route table for VPC endpoint. Link here: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/vpc-endpoints-dynamodb.html

a7md0 Options: AB
Jul 5, 2024

Creating the gateway endpoint and editing the route table is enough; there is no security group involved.