
Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 86 discussion

A company has 20 service teams. Each service team is responsible for its own microservice. Each service team uses a separate AWS account for its microservice and a VPC with the 192.168.0.0/22 CIDR block. The company manages the AWS accounts with AWS Organizations.

Each service team hosts its microservice on multiple Amazon EC2 instances behind an Application Load Balancer. The microservices communicate with each other across the public internet. The company’s security team has issued a new guideline that all communication between microservices must use HTTPS over private network connections and cannot traverse the public internet.

A DevOps engineer must implement a solution that fulfills these obligations and minimizes the number of changes for each service team.

Which solution will meet these requirements?

  • A. Create a new AWS account in AWS Organizations. Create a VPC in this account, and use AWS Resource Access Manager to share the private subnets of this VPC with the organization. Instruct the service teams to launch a new Network Load Balancer (NLB) and EC2 instances that use the shared private subnets. Use the NLB DNS names for communication between microservices.
  • B. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Use AWS PrivateLink to create VPC endpoints in each AWS account for the NLBs. Create subscriptions to each VPC endpoint in each of the other AWS accounts. Use the VPC endpoint DNS names for communication between microservices.
  • C. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Create VPC peering connections between each of the microservice VPCs. Update the route tables for each VPC to use the peering links. Use the NLB DNS names for communication between microservices.
  • D. Create a new AWS account in AWS Organizations. Create a transit gateway in this account, and use AWS Resource Access Manager to share the transit gateway with the organization. In each of the microservice VPCs, create a transit gateway attachment to the shared transit gateway. Update the route tables of each VPC to use the transit gateway. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Use the NLB DNS names for communication between microservices.
Suggested Answer: B

Comments

Blueee
Highly Voted 1 year, 10 months ago
Selected Answer: B
B is correct because all 20 service teams in different, separate AWS accounts are using the same CIDR block, which means they have overlapping CIDRs. D states that you update the route tables of each VPC to use the transit gateway, but they all have the same CIDR block, so this cannot proceed; as shared in Arnaud92's link, the prerequisite for using the transit gateway is "No-overlapping CIDR block between VPCs."
upvoted 8 times
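The overlap argument made in this thread can be checked mechanically. The following is an added example (not part of the exam page or any commenter's post) that models, with the standard library only, why 20 VPCs sharing 192.168.0.0/22 cannot be joined by IP routing (peering or a transit gateway, whose route table drops a propagated route for a CIDR identical to one already attached, as quoted later in the thread), while a PrivateLink interface endpoint gives each consumer an ENI inside its own CIDR and is reached by DNS name instead. The VPC inventory, the endpoint IP assignment and the `*.example.internal` DNS names are constructed placeholders, not real AWS identifiers.

```python
"""Model of VPC connectivity choices under overlapping CIDRs (added example)."""
from ipaddress import IPv4Network, ip_network
from itertools import combinations

# Constructed inventory: one VPC per service team, all on the same /22 as in the question.
SERVICE_VPCS = {f"service-{i:02d}": "192.168.0.0/22" for i in range(1, 21)}


def overlapping_pairs(vpcs: dict[str, str]) -> list[tuple[str, str]]:
    """Every pair of VPCs whose CIDR blocks overlap.

    Any overlap means a route to the peer VPC would shadow (or be shadowed by)
    the local CIDR, so VPC peering and transit gateway routing cannot work."""
    nets = {name: ip_network(cidr) for name, cidr in vpcs.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


class TransitGatewayRouteTable:
    """Minimal model of the behaviour quoted in the thread: when an attached VPC has a
    CIDR identical to one already in the table, its route is not propagated."""

    def __init__(self) -> None:
        self.routes: dict[IPv4Network, str] = {}  # destination CIDR -> attachment name

    def propagate(self, attachment: str, cidr: str) -> bool:
        net = ip_network(cidr)
        if net in self.routes:  # identical CIDR already present: silently not propagated
            return False
        self.routes[net] = attachment
        return True


def reachable_via_tgw(vpcs: dict[str, str]) -> list[str]:
    """Attach every VPC to one transit gateway and report which ones got a route."""
    table = TransitGatewayRouteTable()
    return [name for name, cidr in vpcs.items() if table.propagate(name, cidr)]


def interface_endpoints(vpcs: dict[str, str], consumer: str) -> dict[str, dict[str, str]]:
    """One PrivateLink interface endpoint per provider service, seen from `consumer`.

    Each endpoint is an ENI whose IP comes from the consumer's own CIDR, so the
    provider's (overlapping) CIDR never has to appear in the consumer's route table.
    The first three host addresses are skipped to mimic the addresses AWS reserves in
    a subnet (constructed simplification); DNS names are placeholders."""
    hosts = ip_network(vpcs[consumer]).hosts()
    for _ in range(3):
        next(hosts)
    endpoints = {}
    for provider in sorted(vpcs):
        if provider == consumer:
            continue
        endpoints[provider] = {
            "eni_ip": str(next(hosts)),
            "dns": f"vpce-{provider}.example.internal",
        }
    return endpoints


def choose_connectivity(vpcs: dict[str, str]) -> str:
    """Pick the private connectivity option the CIDR plan actually permits."""
    return "privatelink" if overlapping_pairs(vpcs) else "transit-gateway"


if __name__ == "__main__":
    print(f"overlapping pairs: {len(overlapping_pairs(SERVICE_VPCS))}")
    print(f"VPCs with a usable TGW route: {reachable_via_tgw(SERVICE_VPCS)}")
    eps = interface_endpoints(SERVICE_VPCS, "service-01")
    print(f"service-01 reaches {len(eps)} providers via endpoints, e.g. {eps['service-02']}")
    print(f"choice: {choose_connectivity(SERVICE_VPCS)}")
```

Running it shows 190 overlapping pairs, a transit gateway route table that ends up with a single usable route, and 19 endpoint ENIs for one consumer that all sit inside that consumer's own 192.168.0.0/22. Swap in non-overlapping CIDRs and `choose_connectivity` returns the transit gateway, which is the cheaper hub option when the address plan allows it.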
Saudis
Most Recent 5 months, 3 weeks ago
Selected Answer: B
PrivateLink = HTTPS connection
upvoted 1 times
zijo
11 months, 2 weeks ago
B is the answer. When VPCs have overlapping CIDR blocks, AWS PrivateLink still ensures secure and private connectivity by using Interface Endpoints (ENIs) and Network Load Balancers (NLBs) to route traffic, bypassing the need for direct IP routing between the VPCs.
upvoted 2 times
thanhnv142
1 year, 3 months ago
B is correct: "all communication between microservices must use HTTPS over private network connections and cannot traverse the public internet" means PrivateLink. A and C: no mention of PrivateLink. D: uses a transit gateway, but this solution needs IP routing for traffic and cannot be used with overlapping VPC CIDR blocks (every team uses 192.168.0.0/22).
upvoted 2 times
zolthar_z
1 year, 5 months ago
Selected Answer: B
Answer is B, Transit gateway can't route overlapping networks, the solution for this is privatelink: https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-privatelink.html
upvoted 4 times
RVivek
1 year, 7 months ago
Selected Answer: D
Thanks to rhinozD. Please check the side-by-side comparison at the bottom of this page: https://tomgregory.com/cross-account-vpc-access-in-aws
upvoted 2 times
[Removed]
1 year, 7 months ago
In that same document you shared it says: No-overlapping CIDR block between VPCs possible for Transit Gateway. So it cannot be D.
upvoted 5 times
ixdb
1 year, 8 months ago
B is right.
upvoted 2 times
Just_Ninja
1 year, 9 months ago
Selected Answer: B
B is the right solution! Due to AWS Transit Gateway not supporting identical CIDRs (https://aws.amazon.com/transit-gateway/faqs/), the most viable solution is the deployment of a Network Load Balancer (NLB) in each VPC. However, it's crucial to note that an NLB operates similarly to a NAT Gateway, allowing only incoming requests. After an incoming request is accepted, the NLB can then provide a response.
upvoted 3 times
SVGoogle89
1 year, 9 months ago
AWS Transit Gateway doesn’t support routing between Amazon VPCs with identical CIDRs. If you attach a new Amazon VPC that has a CIDR which is identical to an already attached Amazon VPC, AWS Transit Gateway will not propagate the new Amazon VPC route into the AWS Transit Gateway route table.
upvoted 1 times
habros
1 year, 9 months ago
I'll lean towards B. For D, a transit gateway is really expensive and does get the job done. There is also a need for a NAT gateway, as by default all AWS API traffic passes through the public internet. Hence, that is what PrivateLink endpoints are for.
upvoted 1 times
FunkyFresco
1 year, 10 months ago
Selected Answer: D
I go with option D. It makes more sense to me.
upvoted 1 times
allen_devops
1 year, 10 months ago
I think the correct answer is B. Please note all service teams are using the same CIDR block for their VPCs. It's impossible to add them to the same network mesh using VPC peering or a transit gateway.
upvoted 3 times
Arnaud92
1 year, 11 months ago
Selected Answer: D
See https://tomgregory.com/cross-account-vpc-access-in-aws/, Option 3. The use of a central hub reduces the complexity for 20 accounts. You need an additional account to avoid CIDR block collisions; in the link they put the transit gateway in one of the existing accounts.
upvoted 2 times
rhinozD
1 year, 10 months ago
Please read the "Side-by-side comparison" part at the end of the post. D is wrong. B is correct.
upvoted 2 times
youonebe
1 year, 11 months ago
Answer is D. Option B is incorrect because it requires creating a Network Load Balancer in each of the microservice VPCs and using AWS PrivateLink to create VPC endpoints. This would result in a lot of configuration changes for each service team and increased complexity.
upvoted 1 times
devnv
1 year, 11 months ago
B is the right answer
upvoted 2 times
ParagSanyashiv
1 year, 11 months ago
Selected Answer: B
B is correct
upvoted 4 times
PhuocT
1 year, 12 months ago
Option D is correct to me.
upvoted 3 times