ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 361 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 361
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A software as a service (SaaS) company uses AWS to host a service that is powered by AWS PrivateLink. The service consists of proprietary software that runs on three Amazon EC2 instances behind a Network Load Balancer (NLB). The instances are in private subnets in multiple Availability Zones in the eu-west-2 Region. All the company's customers are in eu-west-2.

However, the company now acquires a new customer in the us-east-1 Region. The company creates a new VPC and new subnets in us-east-1. The company establishes inter-Region VPC peering between the VPCs in the two Regions.

The company wants to give the new customer access to the SaaS service, but the company does not want to immediately deploy new EC2 resources in us-east-1.

Which solution will meet these requirements?

  • A. Configure a PrivateLink endpoint service in us-east-1 to use the existing NLB that is in eu-west-2. Grant specific AWS accounts access to connect to the SaaS service.
  • B. Create an NLB in us-east-1. Create an IP target group that uses the IP addresses of the company's instances in eu-west-2 that host the SaaS service. Configure a PrivateLink endpoint service that uses the NLB that is in us-east-1. Grant specific AWS accounts access to connect to the SaaS service.
  • C. Create an Application Load Balancer (ALB) in front of the EC2 instances in eu-west-2. Create an NLB in us-east-1. Associate the NLB that is in us-east-1 with an ALB target group that uses the ALB that is in eu-west-2. Configure a PrivateLink endpoint service that uses the NLB that is in us-east-1. Grant specific AWS accounts access to connect to the SaaS service.
  • D. Use AWS Resource Access Manager (AWS RAM) to share the EC2 instances that are in eu-west-2. In us-east-1, create an NLB and an instance target group that includes the shared EC2 instances from eu-west-2. Configure a PrivateLink endpoint service that uses the NLB that is in us-east-1. Grant specific AWS accounts access to connect to the SaaS service.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by cypkir at Nov. 22, 2023, 7:39 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
devalenzuela86
Highly Voted 1 year, 7 months ago
Selected Answer: A
A Explanation: * Configuring a PrivateLink endpoint service in us-east-1 to use the existing NLB that is in eu-west-2 will allow the new customer to access the SaaS service without deploying new EC2 resources in us-east-1 1. * Granting specific AWS accounts access to connect to the SaaS service will ensure that only authorized users can access the service 1.
upvoted 16 times
abhitricanada
1 year, 5 months ago
Answer is A because ... VPC peering between the VPCs in the two Regions already done & company does not want to immediately deploy new EC2 resources in us-east-1, later on company will change the architecture
upvoted 2 times
...
Pilot
1 year, 7 months ago
Network Load Balancers now support connections from clients to IP-based targets in peered VPCs across different AWS Regions. Previously, access to Network Load Balancers from an inter-region peered VPC was not possible. With this launch, you can now have clients access Network Load Balancers over an inter-region peered VPC. Network Load Balancers can also load balance to IP-based targets that are deployed in an inter-region peered VPC. This support on Network Load Balancers is available in all AWS Regions. https://aws.amazon.com/about-aws/whats-new/2018/10/network-load-balancer-now-supports-inter-region-vpc-peering/ NLB support client from different region, I think A is correct.
upvoted 4 times
...
...
heatblur
Highly Voted 1 year, 7 months ago
Selected Answer: B
The best option among these is B. While it introduces some complexity, it's the most viable solution that aligns with AWS capabilities and the company's requirements. Creating an NLB in us-east-1 and targeting the IP addresses of the existing instances in eu-west-2 is a feasible approach. This setup allows the company to use their existing infrastructure in eu-west-2 while providing access to the customer in us-east-1 through the PrivateLink endpoint service in us-east-1. This avoids the immediate need to deploy new EC2 resources in the us-east-1 region. It can't be A because AWS PrivateLink endpoint services cannot span regions. They are region-specific, so an endpoint service in us-east-1 cannot directly use an NLB located in eu-west-2.
upvoted 16 times
liquen14
1 year, 3 months ago
I was unable to find documentation saying that an AWS PrivateLink endpoint requires the NLB to be in the same region but if you go to the console for instance here: https://eu-west-1.console.aws.amazon.com/vpcconsole/home?region=eu-west-1#CreateVpcEndpointServiceConfiguration: try to create an endpoint service and you don't have a NLB there the console explicitly states: "No Network Load Balancers or Gateway Load Balancers available in this Region." so for me A in invalid
upvoted 4 times
...
SKS
1 year, 2 months ago
Wrong on part where private link support for inter region vpc peering . https://aws.amazon.com/about-aws/whats-new/2018/10/aws-privatelink-now-supports-access-over-inter-region-vpc-peering/
upvoted 4 times
pk0619
6 months, 1 week ago
This is saying you can access privatelink in us-east-1 from ec2 instance in eu-west-1. It does not say that you can create a privatelink in us-east-1 for a resource like NLB in eu-west-1.
upvoted 1 times
...
...
ayadmawla
1 year, 6 months ago
But the company has establishing Inter-Region VPC Peering so the endpoint would work
upvoted 2 times
...
...
dfd5668
Most Recent 2 weeks, 3 days ago
Selected Answer: A
Now A is the answer
upvoted 1 times
...
kyo
4 months, 2 weeks ago
Selected Answer: B
This question was written before AWS PrivateLink supported cross-region connectivity. At that time, the only way to give a customer in us-east-1 access to a service in eu-west-2 without deploying resources in us-east-1 was the complex workaround described in Option B. This involved creating an NLB in us-east-1 and using an IP target group pointing back to the instances in eu-west-2. It was a complicated solution, but it was the only way to achieve the desired outcome given the limitations at the time. Therefore, B was the correct answer for the question as it was originally written. But now the answer has changed to A.
upvoted 5 times
...
Spike2020
6 months, 3 weeks ago
Selected Answer: B
As of November 2024, AWS PrivateLink supports native cross-region connectivity. However, since this exam question appears to be set before this feature was available, we need to consider the solution using the previous architecture patterns. Option A: Not viable because PrivateLink endpoint services must be in the same region as the NLB
upvoted 3 times
...
TomTom
7 months ago
Selected Answer: A
Answer A is correct (now) Recently AWS announce, Now PrivateLink endpoint supports native cross-region connectivity. https://aws.amazon.com/about-aws/whats-new/2024/11/aws-privatelink-across-region-connectivity/
upvoted 1 times
altonh
4 months, 2 weeks ago
A is still incorrect. Note that A requires creating an ENDPOINT SERVICE in us-east-1 that points to an NLB in us-west-2. This is not possible. What you can do is create an endpoint service in us-west-2 that points to the NLB in us-west-2 and then make the endpoint service cross-region. Then, in us-east-1, you can create an ENDPOINT that points to the ENDPOINT SERVICE in us-east-1.
upvoted 1 times
...
alexbraila
6 months, 4 weeks ago
The article refers to Interface VPC endpoints connectivity to VPC endpoint services, but this is not the use case here. The comment of liquen14 is still valid, I tested today 3rd of Dec 2024. When creating an endpoint service, you can only select load balancers in the same region. Hence for the current use case we must create an NLB in us-east-1, which will be able to connect to the EC2 instances over the peered VPC due to the link in Pilot's comment (however, his comment is not right, A does not work): https://aws.amazon.com/about-aws/whats-new/2018/10/network-load-balancer-now-supports-inter-region-vpc-peering/
upvoted 1 times
alexbraila
6 months, 4 weeks ago
Bottom line, A does not work, B does
upvoted 1 times
...
...
...
youonebe
7 months ago
Selected Answer: B
Creating an NLB in us-east-1 with IP target group pointing to the existing eu-west-2 instances is the most efficient solution because: IP target groups can route traffic across VPC peering connections This configuration allows the use of existing EC2 instances while providing local access in us-east-1 PrivateLink endpoint service can be configured with the new NLB to provide secure access
upvoted 2 times
...
0b43291
7 months, 1 week ago
Selected Answer: B
The correct solution is Option B: Create an NLB in us-east-1. Create an IP target group that uses the IP addresses of the company's instances in eu-west-2 that host the SaaS service. Configure a PrivateLink endpoint service that uses the NLB that is in us-east-1. Grant specific AWS accounts access to connect to the SaaS service. Option A is not possible because PrivateLink endpoint services cannot span across AWS Regions. The existing NLB in eu-west-2 cannot be directly used for a PrivateLink endpoint service in us-east-1.
upvoted 1 times
...
AzureDP900
7 months, 2 weeks ago
correct answer : A Using an existing NLB in eu-west-2 as the basis for a PrivateLink endpoint service in us-east-1 allows the company to quickly provide access to its SaaS service without having to create new EC2 resources or configure complex networking setups.
upvoted 1 times
...
Woody1848
8 months ago
Selected Answer: A
"An interface endpoint is essentially a service-level ENI. The service is attached straight to the VPC subnet through the ENI. This allows us to assign a private IP address from the subnet pool directly to the service." (AWS Certified Advanced Networking - Specialty Exam Guide pg. 36) There is no need to create EC2 resources in us-east-1 when creating a PrivateLink endpoint.
upvoted 1 times
...
fabriciollf
8 months, 3 weeks ago
Selected Answer: B
Inter-Region endpoint services "Service providers can leverage a Network Load Balancer in a remote Region and create an IP target group that uses the IPs of their instance fleet in the remote Region hosting the service." https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/use-case-examples.html#:~:text=Inter%2DRegion%20access%20to%20endpoint%20services,-As%20customers%20expand&text=Inter%2DRegion%20VPC%20peering%20traffic%20is%20transported%20over%20Amazon's%20network,costs%20between%20the%20two%20Regions.
upvoted 1 times
...
asquared16
10 months, 1 week ago
Selected Answer: B
A is wrong, In this scenario, the existing NLB is located in the eu-west-2 Region, while the new customer is in the us-east-1 Region. PrivateLink does not support cross-Region connectivity directly. Therefore, you cannot create a PrivateLink endpoint service in us-east-1 and associate it with the NLB in eu-west-2. To provide access to the SaaS service for the new customer in us-east-1, you need to create a load balancer (in this case, an NLB) in the us-east-1 Region and then configure a PrivateLink endpoint service in us-east-1 that uses that NLB. This NLB can then forward traffic to the instances in eu-west-2 over the inter-Region VPC peering connection, as described in the correct solution (option B).
upvoted 2 times
...
mark_232323
11 months, 3 weeks ago
Selected Answer: B
Option A is not possible because a PrivateLink endpoint service in us-east-1 cannot directly use an NLB in another Region (eu-west-2).
upvoted 2 times
...
qaz12wsx
1 year, 1 month ago
Selected Answer: A
a because of this https://aws.amazon.com/about-aws/whats-new/2018/10/aws-privatelink-now-supports-access-over-inter-region-vpc-peering/
upvoted 1 times
ctrue
11 months, 1 week ago
it is accessing private endpoint from remote region, it is not possible to configure private endpoint to a nlb in the remote region.
upvoted 1 times
kgpoj
10 months, 3 weeks ago
A is correct. In this case, the remote EU region is accessing US region, becuase the EU region is the SaaS, the US region is "customer"
upvoted 1 times
...
...
...
seetpt
1 year, 1 month ago
Selected Answer: A
A for me
upvoted 1 times
...
TonytheTiger
1 year, 2 months ago
Selected Answer: A
Option A : you don't need to create a new NLB in the us-east-1. Read the link below for Inter-Region access to endpoint service . https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/use-case-examples.html#inter-region-endpoint-services
upvoted 3 times
Josh1217
1 year ago
This article requires new NLB in new region which uses the instances in old region.
upvoted 1 times
...
...
titi_r
1 year, 2 months ago
Selected Answer: A
A - correct.
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel