Exam SAP-C02
Question 282

A company wants to send data from its on-premises systems to Amazon S3 buckets. The company created the S3 buckets in three different accounts. The company must send the data privately without the data traveling across the internet. The company has no existing dedicated connectivity to AWS.

Which combination of steps should a solutions architect take to meet these requirements? (Choose two.)

    Correct Answer: A, C

    To meet the requirement of sending data from on-premises systems to Amazon S3 buckets in three different accounts without the data traveling across the internet, the company should establish a networking account in AWS and create a private VPC in that account. Setting up an AWS Direct Connect connection with a private virtual interface (VIF) between the on-premises environment and the private VPC provides a dedicated, private connection that does not traverse the public internet. Creating an Amazon S3 interface endpoint in the networking account then lets the on-premises systems reach the S3 buckets through private IP addresses inside the VPC. Gateway endpoints cannot be reached from on-premises environments, so an interface endpoint is the appropriate choice for a secure, private transfer of the data.
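The two places where this design is commonly weakened are the endpoint policy (left wide open, so any bucket is reachable over the private path) and client configuration (a client that forgets the interface endpoint hostname silently falls back to the public S3 prefixes). The following is an added example, not code from the question or the exam site; it assumes placeholder account IDs and bucket names, and the vpce hostname pattern is taken from the name quoted in the discussion below.

```python
import json
import re
from urllib.parse import urlparse

# Hostname shape of an S3 interface endpoint (PrivateLink) DNS name, e.g.
# bucket.vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com
VPCE_S3_HOST = re.compile(
    r"^(?:[a-z0-9.-]+\.)?vpce-[0-9a-f]+-[0-9a-z]+\.s3\.[a-z0-9-]+\.vpce\.amazonaws\.com$"
)

# Constructed example: the three buckets and their owning accounts (placeholder IDs).
BUCKETS_BY_ACCOUNT = {
    "111111111111": "onprem-ingest-a",
    "222222222222": "onprem-ingest-b",
    "333333333333": "onprem-ingest-c",
}

def build_endpoint_policy(buckets_by_account):
    """Endpoint policy for the S3 interface endpoint in the networking account:
    only the approved buckets, and only buckets owned by the approved accounts,
    are reachable over the private path. Bucket policies in each account still
    have to grant the on-premises principals access."""
    resources = []
    for bucket in buckets_by_account.values():
        resources += [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyApprovedCrossAccountBuckets",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
            "Resource": resources,
            # Extra guard: even a bucket with a matching name in a foreign account is denied.
            "Condition": {"StringEquals": {"aws:ResourceAccount": list(buckets_by_account)}},
        }],
    }

def is_private_s3_endpoint(url):
    """True only if the URL's host is an interface-endpoint name, i.e. requests
    go to the endpoint ENIs over Direct Connect instead of the public S3 prefixes."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(VPCE_S3_HOST.match(parsed.hostname or ""))

def private_endpoint_or_raise(url):
    """Guard for on-premises clients: refuse to start with a non-private endpoint URL."""
    if not is_private_s3_endpoint(url):
        raise ValueError(f"refusing to use non-private S3 endpoint: {url}")
    return url

if __name__ == "__main__":
    print(json.dumps(build_endpoint_policy(BUCKETS_BY_ACCOUNT), indent=2))
    print(is_private_s3_endpoint("https://bucket.vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com"))
```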

Discussion
Christina666 (Options: AC)

You can use two types of VPC endpoints to access Amazon S3: gateway endpoints and interface endpoints (by using AWS PrivateLink). A gateway endpoint is a gateway that you specify in your route table to access Amazon S3 from your VPC over the AWS network. Interface endpoints extend the functionality of gateway endpoints by using private IP addresses to route requests to Amazon S3 from within your VPC, on premises, or from a VPC in another AWS Region by using VPC peering or AWS Transit Gateway.

LazyAutonomy (Options: AC)

Really, really awful question. Agree that the answer they're looking for is AC. However, technically, this element of B if done in isolation will also work and might actually be better: "Set up an AWS Direct Connect connection with a public VIF between the on-premises environment and the private VPC". Just because you're accessing S3 using its public IPs doesn't mean you're routing over the "public internet". Plus, accessing S3 via its regular public prefixes means no mucking around with `--endpoint-url https://bucket.vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com` command line options. Your devs can just use S3 normally with normal DNS hostnames. If they forget, then the traffic will route via the internet - oops. So B+anything-else is technically also correct, and arguably preferable.

LazyAutonomy

And yes, I know that technically a public VIF has nothing to do with nor are they attached to VPCs, but the core tenet of B is to "use public VIF", i.e. public peering. So, if I was faced with this situation in real life, I'd consider that. The downside of the public VIF approach is missing out on VPC endpoint policies. Maybe the optimal solution is to deploy EC2 forward proxies in a VPC with an S3 gateway endpoint?

career360guru (Options: AC)

An S3 gateway endpoint is for access from inside the VPC, not from on-premises.

SmileyCloud (Options: AC)

AC - detailed steps under use case 2 -> https://repost.aws/knowledge-center/s3-bucket-access-direct-connect

cachac (Options: AC)

AC: "The company must send the data privately" = interface endpoints. Gateway endpoints do not allow access from on premises.

cmoreira (Options: AC)

AC - DX + interface endpoint. Both gateway and interface endpoints use the AWS backbone, so not the internet. However, you cannot access a gateway endpoint from on-prem. Therefore it needs interface endpoints (ENIs).

NETeng01

Endpoint comparison: https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3

bhanus

Thank you. Perfect explanation

enk (Options: CE)

C: needs to be an endpoint. E: the company does NOT have a dedicated network connection, so DX answers are out, so peer the VPCs.

Mekala (Options: AC)

AC - Access from on-prem is using S3 Interface Endpoint + Private VIF. https://aws.amazon.com/blogs/networking-and-content-delivery/secure-hybrid-access-to-amazon-s3-using-aws-privatelink/

Jackhemo (Option: A)

olabiba.ai says A,C. Keep in mind, however, that gateway endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a transit gateway. For those scenarios, you must use an interface endpoint. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html

gfhbox0083 (Options: AC)

A, C for sure. Interface endpoints extend the functionality of gateway endpoints by using private IP addresses to route requests to Amazon S3 from within your VPC, on premises, or from a VPC in another AWS Region by using VPC peering or AWS Transit Gateway.

duriselvan

A. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Set up an AWS Direct Connect connection with a private VIF between the on-premises environment and the private VPC. This creates a dedicated, private connection between the on-premises systems and the AWS VPC, ensuring data remains secure and isolated from the public internet. The private VIF further enhances security by preventing access to the S3 buckets from the public internet.

E. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Peer VPCs from the accounts that host the S3 buckets with the VPC in the network account. This establishes connectivity between the private VPC and the VPCs containing the S3 buckets, enabling private data transfer without crossing the public internet. Peering allows resources in both VPCs to communicate directly, maintaining data security and privacy.

ayadmawla

S3 doesn't live in a customer VPC. It's a public service. So you either connect to it over the internet or through a VPC gateway endpoint or interface endpoint, depending on the setup.

ggrodskiy

Correct AC.

NikkyDicky (Options: AC)

AC of course. See links below.

pupsik (Options: AC)

AC - the links provided by other members give a very good explanation.

shree2023 (Options: AC)

Seems AC

gd1 (Options: AC)

Amazon S3: interface VPC endpoint and gateway VPC endpoint. Difference: when you configure an interface VPC endpoint, an elastic network interface (ENI) with a private IP address is deployed in your subnet. An Amazon EC2 instance in the VPC can communicate with an Amazon S3 bucket through the ENI and the AWS network. Using the interface endpoint, applications in your on-premises data center can easily query S3 buckets over AWS Direct Connect or Site-to-Site VPN. Interface endpoints support a growing list of AWS services. Consult our documentation to find AWS services compatible with interface endpoints powered by AWS PrivateLink.