Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 610 discussion

A company deploys Amazon EC2 instances that run in a VPC. The EC2 instances load source data into Amazon S3 buckets so that the data can be processed in the future. According to compliance laws, the data must not be transmitted over the public internet. Servers in the company's on-premises data center will consume the output from an application that runs on the EC2 instances.

Which solution will meet these requirements?

  • A. Deploy an interface VPC endpoint for Amazon EC2. Create an AWS Site-to-Site VPN connection between the company and the VPC.
  • B. Deploy a gateway VPC endpoint for Amazon S3. Set up an AWS Direct Connect connection between the on-premises network and the VPC.
  • C. Set up an AWS Transit Gateway connection from the VPC to the S3 buckets. Create an AWS Site-to-Site VPN connection between the company and the VPC.
  • D. Set up proxy EC2 instances that have routes to NAT gateways. Configure the proxy EC2 instances to fetch S3 data and feed the application instances.
Suggested Answer: B

Comments

taustin2
Highly Voted 8 months, 3 weeks ago
Selected Answer: B
Gateway VPC Endpoint = no internet to access S3. Direct Connect = secure access to VPC.
upvoted 9 times
awsgeek75
Most Recent 5 months ago
Selected Answer: B
No public internet != encrypted public internet (VPN). Direct Connect is the only option.
upvoted 2 times
OSHOAIB
5 months, 1 week ago
Selected Answer: B
A gateway VPC endpoint for Amazon S3 allows the EC2 instances within the VPC to access Amazon S3 buckets without using the public internet. The traffic between the VPC and S3 is routed within the AWS network. AWS Direct Connect establishes a private connection between the on-premises data center and AWS infrastructure, avoiding data transfer over the public internet and ensuring compliance with the specified requirements. It provides a dedicated network link with higher bandwidth options and potentially more consistent network performance than internet-based connections. Option A, by contrast, uses a Site-to-Site VPN connection, which is secure; however, it typically runs over the public internet, which would not meet the company's requirement of avoiding public internet data transit.
upvoted 2 times
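The mechanics behind answer B, as an added example that is not part of the original thread or of any AWS documentation: a gateway endpoint for S3 shows up in a subnet's route table as a route whose destination is the regional S3 prefix list and whose target is a vpce- id, and a bucket policy keyed on aws:SourceVpce can refuse any request that did not arrive through that endpoint. The route tables, the prefix-list id, the endpoint id and the bucket name below are constructed placeholders shaped like `aws ec2 describe-route-tables` output; the tiny policy evaluator models only the StringNotEquals operator the policy uses.

```python
"""Added example (not from the thread): two checks behind answer B.

1. Does the subnet's route table send S3 traffic to a gateway VPC endpoint?
   The endpoint is a route whose destination is the regional S3 prefix list
   and whose target is a vpce-... id, so the traffic never leaves the AWS network.
2. Does the bucket refuse requests that did not arrive through that endpoint?
   A bucket policy Deny keyed on aws:SourceVpce enforces the "no public
   internet" rule at the data store, not only in the network.

All identifiers and route tables below are constructed placeholders
shaped like `aws ec2 describe-route-tables` output.
"""

S3_PREFIX_LIST = "pl-00000000"           # placeholder; real id from describe-prefix-lists
S3_ENDPOINT = "vpce-0a1b2c3d4e5f60718"    # placeholder gateway endpoint id

# Constructed: a private subnet's route table with an S3 gateway endpoint and a
# virtual private gateway route towards the on-premises network (Direct Connect).
PRIVATE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0123456789abcdef0",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationPrefixListId": S3_PREFIX_LIST, "GatewayId": S3_ENDPOINT},
        {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0fedcba9876543210"},
    ],
}

# Constructed: the option-D style layout, where S3 is reached through a NAT gateway.
PUBLIC_ROUTE_TABLE = {
    "RouteTableId": "rtb-0fedcba9876543210",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0"},
    ],
}


def s3_route_is_private(route_table, s3_prefix_list_id):
    """True when S3-bound traffic is routed to a gateway endpoint (vpce-...)."""
    return any(
        r.get("DestinationPrefixListId") == s3_prefix_list_id
        and r.get("GatewayId", "").startswith("vpce-")
        for r in route_table["Routes"]
    )


def has_public_default_route(route_table):
    """True when 0.0.0.0/0 points at an internet gateway or a NAT gateway.

    With a gateway endpoint present, S3 traffic still takes the more specific
    prefix-list route, but a public default route means other traffic from the
    same subnet can reach the internet, which is worth flagging separately."""
    for r in route_table["Routes"]:
        if r.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if r.get("GatewayId", "").startswith("igw-") or r.get("NatGatewayId", "").startswith("nat-"):
            return True
    return False


def deny_unless_via_endpoint(bucket, vpce_id):
    """Bucket policy with a single Deny: any request whose aws:SourceVpce is not
    the expected endpoint is refused. Requests from the internet carry no
    aws:SourceVpce at all, so the Deny applies to them as well."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAccessNotViaVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            }
        ],
    }


def request_denied(policy, request_context):
    """Evaluate only the StringNotEquals Deny statements above against a request's
    condition keys (e.g. {"aws:SourceVpce": "vpce-..."}). As in IAM, a negated
    operator matches when the key is absent, so a missing aws:SourceVpce is denied."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        for key, expected in stmt["Condition"].get("StringNotEquals", {}).items():
            if request_context.get(key) != expected:
                return True
    return False


if __name__ == "__main__":
    policy = deny_unless_via_endpoint("source-data-bucket", S3_ENDPOINT)
    print("private subnet routes S3 via endpoint:", s3_route_is_private(PRIVATE_ROUTE_TABLE, S3_PREFIX_LIST))
    print("NAT subnet routes S3 via endpoint:", s3_route_is_private(PUBLIC_ROUTE_TABLE, S3_PREFIX_LIST))
    print("request via endpoint denied:", request_denied(policy, {"aws:SourceVpce": S3_ENDPOINT}))
    print("request from internet denied:", request_denied(policy, {}))
```

In a real account the route table comes from `aws ec2 describe-route-tables` and the S3 prefix-list id from `aws ec2 describe-prefix-lists`; the two checks are independent on purpose, because the route keeps the traffic off the internet while the bucket policy makes sure a misrouted or off-VPC request is refused rather than silently served.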
pentium75
5 months, 2 weeks ago
Selected Answer: B
I think the last sentence ("Servers in the company's on-premises data center will consume the output from an application that runs on the EC2 instances") refers to a different application. Purely from the wording, it does NOT seem to refer to the data 'loaded into S3 buckets so that it can be processed in the future' before. So the EC2 instances could write to S3, the on-premises servers can talk to the EC2 application, and data would not be transmitted over the public internet.
Not A: There's no such thing as a "VPC endpoint for Amazon EC2" (!)
Not C: Transit Gateway is not for EC2->S3, VPN is over the public internet
Not D: Would address only the first part and use the public Internet
upvoted 1 times
wizcloudifa
1 month, 1 week ago
Interface endpoint is a thing; the only reason A is not true is because of the presence of Site-to-Site VPN, which is essentially accessing the public internet.
upvoted 1 times
ale_brd_
5 months, 2 weeks ago
Selected Answer: A
I would go for A, for two reasons: 1) "S3 gateway endpoints do not currently support access from resources in a different Region, different VPC, or from an on-premises (non-AWS) environment." 2) We're trying to access an output from an application hosted in EC2 instances and not to access the S3 stored data, so ideally we should use Interface Endpoints for the applications running in EC2.
upvoted 1 times
pentium75
5 months, 2 weeks ago
Plus, in A you deploy a VPC endpoint "for EC2" (!) which doesn't exist
upvoted 2 times
pentium75
5 months, 2 weeks ago
"Data must not be transmitted over the public internet", as it would with A (VPN).
upvoted 2 times
ftaws
5 months, 3 weeks ago
I understood the answer is B, but why not A?
upvoted 1 times
pentium75
5 months, 2 weeks ago
There's no such thing as a 'VPC endpoint for EC2', and it uses the public Internet.
upvoted 1 times
achechen
6 months, 2 weeks ago
Selected Answer: A
https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/
According to this document, "S3 gateway endpoints do not currently support access from resources in a different Region, different VPC, or from an on-premises (non-AWS) environment. However, if you're willing to manage a complex custom architecture, you can use proxies. In all those scenarios, where access is from resources external to VPC, S3 interface endpoints access S3 in a secure way." So, the answer is A.
upvoted 2 times
pentium75
5 months, 2 weeks ago
A uses a VPC endpoint "for Amazon EC2", not S3. Also it uses public Internet.
upvoted 1 times
TariqKipkemei
6 months, 2 weeks ago
Selected Answer: B
Data must not be transmitted over the public internet = gateway VPC endpoint for Amazon S3 and AWS Direct Connect connection between the on-premises network and the VPC.
upvoted 1 times
Guru4Cloud
8 months, 3 weeks ago
Selected Answer: B
Gateway VPC Endpoint = no internet to access S3. Direct Connect = secure access to VPC. I agree with you @taustin2 - Happy Learning all
upvoted 4 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other