Exam ANS-C00 topic 1 question 92 discussion

Answer: A (if wrong, please explain why) The 2 x subnets are for the "customer network interface" and the "management interface" of the AppStream interfaces. not for availability (https://docs.aws.amazon.com/appstream2/latest/developerguide/appstream2-port-requirements-appstream2.html) A - correct - soution never mentions a AppStream VPC endpoint, so use public. It also already has a Private VIF, why do you need another? Add a public VIF to access the public AppStream endpoint. B - incorrect - no need for another VIF. it already exists on-prem->DX->VIF->VGW->VPC C - incorrect - can't transit through one VPC to resources in the other VPC D - incorrect - require 2 x subnets (although could use an existing), but unsure what the additional private VIF is for

A is correct, we need public IPs to access Appstream endpoint.

I'm going with A.

The answer is absolutely B. It is mentioned they implements "a highly available solution", and they are using "an" private VIF currently. So they need two subnets for AppStream in the existing VPC, and an additional private virtual interface for the direct connect connection availability.

B. Deploy two subnets into the existing VPC. Add a private virtual interface on the Direct Connect connection for users to access the AppStream endpoint.

Answer:A what inf explained below

My choice is Answer B. you need to communicate the AppStream VPC and the Existing VPC, for that you need an "Interface Enpoint". On the next AWS link a Note indicate "Users cannot stream using the internet endpoint when an interface endpoint is specified.", that restrcit the communication only over Private IP https://docs.aws.amazon.com/appstream2/latest/developerguide/creating-streaming-from-interface-vpc-endpoints.html. I have doubts about the neccesity of a new Private VIF, maybe the appsream could be reach with the Interface Ednpoint on Existing VPC

"You can use an interface VPC endpoint in your AWS account to restrict all network traffic between your Amazon VPC and AppStream 2.0 to the Amazon network" in AWS documentation suggests it can be accessed via interface endpoint. However, since the question says AppStream endpoint and not specifically interface endpoint, it may be safe to assume access via public VIF. Also, by default, AppStream 2.0 is configured to route streaming connections over the public internet. So the closest answer is A

"A team implements a highly available solution using Amazon AppStream 2.0." --> Highly available indicates that we should deploy at least 2 subnets, even though it is feasible to launch AppStream flleet instances in one subnet. thus, D is wrong. since there is already an existing private VIF, we don't need to add new private VIF to be able to access subnets in the same VPC. thus, B is wrong. C is wrong as well, creating new VPC just for AppStream is unnecessary, and on-prem users will not be able to access the Appstream VPC via VPC peering. The only possible answer left is A. By default, AppStream 2.0 is configured to route streaming connections over the public internet. so, it's correct to allow on-prem user to access it via public VIF. The confusing and frustrating part is the wording 'AppStream endpoint'. It is not clear if they meant Appstream Interface VPC Endpoints or not. That's why the question confuses us, and consumes us a lot of time thinking through. From how the other options in the answers, we can conclude that it does not mean interface endpoint. Thus, the correct answer is A.

ans A all day long. private vif won't traverse and there is no vpc endpoint

I will go with A as well, if you want to connect to appstream via private network you need to create the interface endpoint first

I agree that Answer B is questionable because a Private VIF already exists, why do we need to add another one? B would have been a good answer if it did not include a second Private VIF. However, I don't think A is the correct answer either. The reason is that the whole purpose of an interface VPC endpoint in your AWS account is to restrict all network traffic between your Amazon VPC and AppStream 2.0 to the Amazon network. Having a Public VIF seems to defeat the purpose. The funny thing is that none of the given answers seems to be absolutely correct. I will go with B though as it is probably the closest.

The question states that the Private virtual interface already exists to the VPC. Why do we need another VIF to the same VPC?

My take is B. I agree with exmjame, B is highly available solution. https://docs.aws.amazon.com/appstream2/latest/developerguide/creating-streaming-from-interface-vpc-endpoints.html

I think B is right, as the question says the connectivity need from Private virtual interface

AppStream 2.0 requires a VPC subnet; this can be a private subnet with NATGW. Adding a second subnet on a different AZ will add high-availability. B - is high available AppStream spread across two private subnets. D is also OK for AppStream2 but not highly available.

B for me : http://awsdocs.s3.amazonaws.com/AppStream2/appstream2-dg-2017-07-23.pdf (page 35, section Fleet)