Exam ANS-C00 topic 1 question 16 discussion

Exam question from Amazon's ANS-C00
Question #: 16
Topic #: 1

You currently use a single security group assigned to all nodes in a clustered NoSQL database. Only your cluster members in one region must be able to connect to each other. This security group uses a self-referencing rule using the cluster security group's group-id to make it easier to add or remove nodes from the cluster. You need to make this database comply with out-of-region disaster recovery requirements and ensure that the network traffic between the nodes is encrypted when travelling between regions. How should you enable secure cluster communication while deploying additional cluster members in another AWS region?

  • A. Create an IPsec VPN between AWS regions, use private IP addresses to route traffic, and create cluster security group rules that reference each other's security group-id in each region.
  • B. Create an IPsec VPN between AWS regions, use private IP addresses to route traffic, and create cluster security group CIDR-based rules that correspond with the VPC CIDR in the other region.
  • C. Use public IP addresses and TLS to securely communicate between cluster nodes in each AWS region, and create cluster security group CIDR-based rules that correspond with the VPC CIDR in the other region.
  • D. Use public IP addresses and TLS to securely communicate between cluster nodes in each AWS region, and create cluster security group rules that reference each other's security group-id in each region.
Suggested Answer: B 🗳️
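A small model, added here and not part of the exam page, of how security-group ingress rules are evaluated: a group-id reference (the self-referencing rule in the question) only resolves within its own region, so cluster members in the DR region can only be admitted by a CIDR-based rule for their VPC, as in answer B. The group ids, addresses, CIDRs and port 9042 are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Node:
    region: str
    private_ip: str
    security_group: str  # group-id attached to the node's ENI


@dataclass(frozen=True)
class Rule:
    port: int
    source_group: Optional[str] = None  # group-id reference (regional scope)
    source_cidr: Optional[str] = None   # CIDR-based source


def rule_matches(rule: Rule, src: Node, dst: Node, port: int) -> bool:
    """Return True if this ingress rule on dst admits traffic from src."""
    if port != rule.port:
        return False
    if rule.source_group is not None:
        # A group-id reference is evaluated within the region (same VPC or a
        # peered VPC there); a node in another region can never match it.
        return src.region == dst.region and src.security_group == rule.source_group
    if rule.source_cidr is not None:
        return ip_address(src.private_ip) in ip_network(rule.source_cidr)
    return False


def is_allowed(rules: List[Rule], src: Node, dst: Node, port: int) -> bool:
    """Security groups are allow-lists: any matching ingress rule admits the flow."""
    return any(rule_matches(r, src, dst, port) for r in rules)


# Constructed sample (placeholder ids/CIDRs): primary cluster in us-east-1,
# DR members in eu-west-1 reached over an IPsec VPN using private addresses.
CLUSTER_SG = "sg-0123456789abcdef0"
DR_CLUSTER_SG = "sg-0fedcba9876543210"
DB_PORT = 9042
# Answer A: only the self-referencing rule (does not work across regions).
SELF_ONLY_RULES = [Rule(DB_PORT, source_group=CLUSTER_SG)]
# Answer B: self-referencing rule plus a CIDR rule for the DR region's VPC.
PRIMARY_RULES = SELF_ONLY_RULES + [Rule(DB_PORT, source_cidr="10.20.0.0/16")]

local_member = Node("us-east-1", "10.10.1.9", CLUSTER_SG)
local_peer = Node("us-east-1", "10.10.1.5", CLUSTER_SG)
dr_member = Node("eu-west-1", "10.20.3.7", DR_CLUSTER_SG)
stray_host = Node("eu-west-1", "10.30.0.4", DR_CLUSTER_SG)  # outside the DR VPC
```

The DR region's security group mirrors this with its own self-referencing rule plus a CIDR rule for the primary VPC; the IPsec VPN is what keeps the inter-region traffic encrypted, the security group only decides who may connect.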

Comments

dpvnme
Highly Voted 3 years, 8 months ago
I think B is the correct answer also. You can use private IPs to communicate between regions and must use a CIDR-based rule if the referenced SG is from another region.
upvoted 13 times
Globetrotter
3 years, 8 months ago
I am also thinking option B, as SG is a regional construct.
upvoted 3 times
sapien45
3 years, 3 months ago
Thanks, I switched from A to B, as Security Groups are indeed a regional entity.
upvoted 1 times
ohcan
Highly Voted 3 years, 8 months ago
Thinking about whether it is possible to route private traffic for DynamoDB through a VPN, I found this: https://aws.amazon.com/blogs/database/how-to-configure-a-private-network-environment-for-amazon-dynamodb-using-vpc-endpoints/ So, it's possible to create a more secure environment using private routing, and CIDR-based security group references can be created: https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html In my opinion B is the right answer.
upvoted 7 times
Stardec
3 years, 7 months ago
It is B. https://docs.aws.amazon.com/devicefarm/latest/developerguide/amazon-vpc-cross-region.html
upvoted 1 times
PavanKushwah123
Most Recent 2 years, 5 months ago
Correct Answer D
upvoted 1 times
Brum
2 years, 6 months ago
Selected Answer: B
Not sure if previously it was possible to set up a VPN with private IPs. The following article was released in Jun/2022 this year and this question was developed before that. https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-site-to-site-vpn-private-ip-vpns/
upvoted 1 times
kopper2019
3 years, 3 months ago
It is right B right away
upvoted 1 times
ceros399
3 years, 5 months ago
Selected Answer: B
B is the correct answer.
upvoted 2 times
Cyril_the_Squirl
3 years, 7 months ago
B is Correct. A and D have the same error, you cannot reference SG in another region. C is just silly, we don’t need to cross the internet to get to another VPC, that leaves B.
upvoted 3 times
linhgnr
3 years, 7 months ago
C and D are wrong because, although it is correct to use TLS, setting the security group by VPC CIDR block is not possible because the VPC CIDR block is private, and setting the security group by security group ID is also ridiculous because a security group ID is meaningless outside of its VPC. A is wrong because, again, the security group ID is meaningless outside of its VPC. B is correct because the VPN can encrypt the data and, because the two VPCs are connected by VPN, the private IPs can be referenced in the security groups. P.S.: only a share from my understanding, so no reference link.
upvoted 1 times
JamesTR
3 years, 7 months ago
Group ID is meaningless outside of its VPC unless VPCs are peered. Group ID is always meaningless outside of its region, I think.
upvoted 2 times
ChauPhan
3 years, 7 months ago
Go with B
upvoted 1 times
kebkim
3 years, 7 months ago
There is some missing part in answer D "Use public IP addresses and TLS to securely communicate between cluster nodes in each AWS region, and create cluster security group rules that reference each other’s security group-id in each region."
upvoted 2 times
kebkim
3 years, 7 months ago
Sorry but the answer is B.
upvoted 2 times
Johnny_Green
3 years, 7 months ago
Answer is B. Security Groups are regional (cannot span multiple regions).
upvoted 1 times
Johnny_Green
3 years, 7 months ago
In addition, using public IP addresses and TLS is out of context here because the whole idea is to use private IP addresses to route traffic. https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/amazon-vpc-to-amazon-vpc-connectivity-options.html
upvoted 2 times
backfringe
3 years, 7 months ago
I go for B
upvoted 2 times
LexyA
3 years, 7 months ago
A and D are not correct because you can't reference SGs across regions. C is not correct because if you use TLS with EIPs, you have to reference the EIPs in the SGs, not the VPC CIDR. B is correct.
upvoted 1 times
luckymuki
3 years, 7 months ago
B is my take
upvoted 1 times
skkk
3 years, 7 months ago
B is the right answer.
upvoted 1 times
AdamSmith
3 years, 8 months ago
As said above, SG is a regional construct, so A won't work. B is the best answer in this case. Although in practice you can just use cross-region (aka inter-region) VPC peering.
upvoted 1 times
BillyC
3 years, 8 months ago
B, I think.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)