Exam SAA-C03
Question 562

A solutions architect needs to ensure that API calls to Amazon DynamoDB from Amazon EC2 instances in a VPC do not travel across the internet.

Which combination of steps should the solutions architect take to meet this requirement? (Choose two.)

    Correct Answer: A, B

    To ensure that API calls to Amazon DynamoDB from Amazon EC2 instances in a VPC do not travel across the internet, it is necessary to create a gateway endpoint for DynamoDB. This allows for private connectivity between the VPC and DynamoDB, ensuring that traffic does not leave the AWS network. Additionally, a route table entry for the endpoint is needed to ensure that the traffic is directed to the gateway endpoint within the VPC. Elastic network interfaces and security group entries are not required for this configuration, as gateway endpoints do not use ENIs or security groups.
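An added example, not part of the original page or AWS documentation: a Python check that reports which route tables in a VPC actually send DynamoDB traffic to a gateway endpoint. The input dicts are constructed samples shaped like the EC2 `DescribeVpcEndpoints` and `DescribeRouteTables` responses; every ID and the function names are assumptions made for illustration.

```python
# Added example. All IDs below are constructed; the dicts mirror the shape of
# EC2 DescribeVpcEndpoints / DescribeRouteTables responses.
ENDPOINTS = [
    {"VpcEndpointId": "vpce-0aaa", "VpcEndpointType": "Gateway", "VpcId": "vpc-01",
     "ServiceName": "com.amazonaws.us-east-1.dynamodb", "State": "available"},
]
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-a", "VpcId": "vpc-01", "Routes": [
        LOCAL, {"DestinationPrefixListId": "pl-0ddb", "GatewayId": "vpce-0aaa"}]},
    {"RouteTableId": "rtb-b", "VpcId": "vpc-01", "Routes": [
        LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"}]},
    {"RouteTableId": "rtb-c", "VpcId": "vpc-01", "Routes": [LOCAL]},
]

def dynamodb_gateway_endpoints(endpoints, vpc_id):
    """IDs of usable DynamoDB gateway endpoints in the VPC (interface endpoints excluded)."""
    return {
        e["VpcEndpointId"] for e in endpoints
        if e["VpcId"] == vpc_id
        and e["VpcEndpointType"] == "Gateway"
        and e["ServiceName"].endswith(".dynamodb")
        and e["State"].lower() == "available"
    }

def audit_dynamodb_routing(endpoints, route_tables, vpc_id):
    """Map each route table in the VPC to 'endpoint', 'default-route' or 'no-route'."""
    gw_ids = dynamodb_gateway_endpoints(endpoints, vpc_id)
    findings = {}
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        routes = rt["Routes"]
        # A gateway endpoint route has a prefix-list destination and the vpce ID as target.
        if any(r.get("DestinationPrefixListId") and r.get("GatewayId") in gw_ids
               for r in routes):
            findings[rt["RouteTableId"]] = "endpoint"
        # Otherwise DynamoDB's public endpoint is only reachable via a default route.
        elif any(r.get("DestinationCidrBlock") == "0.0.0.0/0" for r in routes):
            findings[rt["RouteTableId"]] = "default-route"
        else:
            findings[rt["RouteTableId"]] = "no-route"
    return findings

if __name__ == "__main__":
    for rtb, status in audit_dynamodb_routing(ENDPOINTS, ROUTE_TABLES, "vpc-01").items():
        print(rtb, status)
```

Against a live account, the same lists can be taken from the `VpcEndpoints` and `RouteTables` keys returned by boto3's `describe_vpc_endpoints()` and `describe_route_tables()`.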

Discussion
ukivanlamlpi Options: AB

https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-ddb.html

Guru4Cloud Options: BE

The reasons are: A gateway endpoint for DynamoDB enables private connectivity between DynamoDB and the VPC. This allows EC2 instances to access DynamoDB APIs without traversing the internet. A security group entry is needed to allow the EC2 instances access to the DynamoDB endpoint over the VPC. An interface endpoint is used for services like S3 and Systems Manager, not DynamoDB. Route table entries route traffic within a VPC but do not affect external connectivity. Elastic network interfaces are not needed for gateway endpoints.

unbendable

"The outbound rules for the security group for instances that access DynamoDB through the gateway endpoint must allow traffic to DynamoDB" (https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-ddb.html). The option, however, is talking about the security group of the endpoint.

pentium75 Options: AB

Gateway Endpoint does not have an ENI, thus it has no security group. Instances have security groups and those must allow access to DynamoDB.

awsgeek75 Options: AB

DynamoDB can only be connected via Gateway endpoint (just like S3)
route table for connecting the VPC to the endpoint
So do B then A
C: interface endpoint for EC2 to what?
D: ENI not applicable here for VPC
E: Incomplete option as to access to what?

theonlyhero

Go through this video, it will show the answer is AB: https://www.youtube.com/watch?v=8FTnyhklEvU

iwannabeawsgod Options: AB

A and B for sure

baba365

Answer: E. Example Question #555 - Implement an interface VPC endpoint for Amazon SQS. Configure the endpoint to use the private subnets. Add to the endpoint a security group that has an inbound access rule that allows traffic from the EC2 instances that are in the private subnets.

theonlyhero

555 refers to the Interface endpoint not the Gateway endpoint

osmk

AB https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/vpc-endpoints-dynamodb.html

aws94 Options: BE

A. Create a route table entry for the endpoint: This is not necessary, as the gateway endpoint itself automatically creates the required route table entries.

TariqKipkemei Options: AB

Create a gateway endpoint for DynamoDB then create a route table entry for the endpoint

EdenWang Options: BE

Refer to question 555.

potomac Options: AB

You can access Amazon DynamoDB from your VPC using gateway VPC endpoints. After you create the gateway endpoint, you can add it as a target in your route table for traffic destined from your VPC to DynamoDB.

danielmakita

It is A and B. Not E because security group does not span VPCs.

a7md0 Options: AB

Creating the gateway endpoint and editing the route table is enough, there is no security group involved.

upliftinghut Options: AB

C & D are both not relevant. D looks ok but DynamoDB doesn't go with security group, it only allows route table for VPC endpoint. Link here: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/vpc-endpoints-dynamodb.html

upliftinghut

Sorry, E not D. E looks ok but DynamoDB doesn't go with security group, it only allows route table for VPC endpoint. Link here: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/vpc-endpoints-dynamodb.html

cciesam Options: AB

https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html#vpc-endpoints-routing Traffic from your VPC to Amazon S3 or DynamoDB is routed to the gateway endpoint. Each subnet route table must have a route that sends traffic destined for the service to the gateway endpoint using the prefix list for the service.

loveaws

B and D.