ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Advanced Networking - Specialty ANS-C01 All Questions

View all questions & answers for the AWS Certified Advanced Networking - Specialty ANS-C01 exam
Go to Exam

Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 190 discussion

Exam question from Amazon's AWS Certified Advanced Networking - Specialty ANS-C01
Question #: 190
Topic #: 1
[All AWS Certified Advanced Networking - Specialty ANS-C01 Questions]

A company is building an API-based application on AWS and is using a microservices architecture for the design. The company is using a multi-account AWS environment that includes a separate AWS account for each microservice development team. Each team hosts its microservice in its own VPC that contains Amazon EC2 instances behind a Network Load Balancer (NLB).

A network engineer needs to use Amazon API Gateway in a shared services account to create an HTTP API to expose these microservices to external applications. The network engineer must ensure that access to the microservices can occur only over a private network. Additionally, the company must be able to control which entities from its internal network can connect to the microservices. In the future, the company will create more microservices that the company must be able to integrate with the application.

What is the MOST secure solution that meets these requirements?

  • A. Create an Application Load Balancer (ALB) in a VPC in the shared services account. Configure the integration to the API Gateway API by using a VPC link. Associate the VPC link with the ALB. Create a VPC endpoint service in each microservice account. Create an AWS PrivateLink endpoint for those services in the shared services account. Add the elastic network interface IP addresses of the VPC endpoint as targets for the target group of the ALB.
  • B. Create an Application Load Balancer (ALB) in a VPC in the shared services account. Configure the integration to the API Gateway API by using a VPC link. Associate the VPC link with the ALConnect all the VPCs to each other by using a central transit gateway. Add the IP addresses of the NLB as IP-based targets in the ALB target group.
  • C. Configure the integration to the API Gateway API by using HTTP-based integration. Connect all the VPCs to each other by using a central transit gateway. Create a separate HTTP integration to each NLB for each microservice. Add the HTTP endpoint of the NLB as the endpoint URL in the HTTP integration.
  • D. Configure the integration to the API Gateway API by using VPC link integration. Connect all the VPCs to each other by using a central transit gateway. Create a separate VPC link to each NLB for each microservice. Add the HTTP endpoint of the NLB as the endpoint URL in the VPC link integration.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by seochan at May 30, 2024, 12:58 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
c1193d4
4 months ago
Selected Answer: A
D: incorrect because the API Gateway won't be able to reach the NLBs located in microservices accounts through the VPC Link created in the shared VPC account "To create a private integration, all resources must be owned by the same AWS account (including the load balancer or AWS Cloud Map service, VPC link and HTTP API)." in https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-private.html
upvoted 3 times
46f094c
3 months, 2 weeks ago
If using PrivateLink there is no need for a TGW
upvoted 1 times
...
...
luisgu
8 months ago
Selected Answer: A
See "Private integration cross-account" on this link: https://docs.aws.amazon.com/whitepapers/latest/best-practices-api-gateway-private-apis-integration/http-api.html
upvoted 2 times
Spaurito
6 months ago
I see your thought here but the environment already has NLB's in place for the EC2 instances.
upvoted 1 times
...
...
Ravan
8 months, 1 week ago
Selected Answer: A
D. Incorrect VPC link configuration: The VPC link should be associated with the ALB, not the NLB.
upvoted 1 times
...
siheom
8 months, 4 weeks ago
Selected Answer: D
VOTE D
upvoted 3 times
...
kupo777
9 months ago
D is correct. A, B: HTTP API does not require ALB creation on the shared account side because the communication is to ENI. C: HTTP-based integration does not exist.
upvoted 2 times
...
Akshay0403
9 months, 2 weeks ago
Selected Answer: D
Option D is the most secure and scalable solution. It provides private network communication using VPC link integration and leverages a transit gateway for efficient VPC management. This approach ensures that traffic remains secure within the AWS network while offering the flexibility to control access and easily integrate new microservices in the future.
upvoted 3 times
jfedotov
3 months, 1 week ago
it's not, "Connect all the VPCs to each other by using a central transit gateway". There is no requirement to connect whole VPCs, it is not secure.
upvoted 1 times
...
...
yeahaya
10 months, 3 weeks ago
Selected Answer: D
D. i choice
upvoted 3 times
...
yeahaya
10 months, 3 weeks ago
D. i choice
upvoted 2 times
...
rdiaz
10 months, 3 weeks ago
Selected Answer: B
TGW required.
upvoted 1 times
...
seochan
11 months, 1 week ago
Selected Answer: A
I think it’s A VPC link - ensure using private network VPC endpoint service - scalable and secure (TGW need non-overlapping CIDR, hence no scalable, and you can access control using ENI SG)
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago