Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 358 discussion

B. Create a Network Load Balancer and AWS PrivateLink endpoint for Amazon ECS in the same VPC that is hosting the ECS cluster.

A is out because gateway endpoint is used with Dynamo or S3 only. D is out because 53 works on internet only B&C remains and they use Privatelink wher PrivateLink establishes private connectivity between VPC so we need more than one VPC. Using privatelink, to expose own services (not aws), the NLB is used as front-end so it must reside in the same ECS vpc and the ingress endpoint instead must reside in another VPC. This rules out B and C remains as correct.

B Sorry, I changed my answer to B as there is only one VPC and an one on-premises server.

Answer is C. Don't know why there is so much wrong answers. The correct solution is to use AWS PrivateLink in a service provider model. In this configuration a network load balancer will be implemented in the service provider VPC (the one with the ECS cluster in this example), and a PrivateLink endpoint will be created in the consumer VPC (the one with the company’s application).

but service endpoints translate the ip addresses to the one of the NLB. how will the client ip be preserved at the ecs level?

B. Create a Network Load Balancer and AWS PrivateLink endpoint for Amazon ECS in the same VPC that is hosting the ECS cluster. AWS PrivateLink allows you to access services over an Amazon VPC (Virtual Private Cloud) endpoint, rather than over the Internet. By creating a Network Load Balancer and a PrivateLink endpoint in the same VPC as the ECS cluster, you can ensure that traffic originating from on-premises stays within the company's private IP space when communicating with the ECS cluster. This solution meets the security mandate that traffic originating from on-premises should stay within the company's private IP space when communicating with Amazon ECS.

https://aws.amazon.com/about-aws/whats-new/2019/03/aws-privatelink-now-supports-access-over-vpc-peering/ C ?

I 'feeeeellll' ans is B coz, C does not make sense to have VPC peering and VPC EP service...

ITS B as per UDEMY course slide.

It's B since it does not make sense to use VPC peering and PrivateLink in the same solution as for described in option C: PrivateLink is already a kind of "private VPC peering" used to expose services from one VPC to many VPC in the form of Producer (one) and Consumer (many).

The answer is in fact C This diagram shows the 2 VPCs: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/access-container-applications-privately-on-amazon-ecs-by-using-aws-privatelink-and-a-network-load-balancer.html And AWS PrivateLink enables you to configure applications or services in VPCs as endpoints that your VPC peering connections can connect to. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-peering.html

B is correct.

Ans: C We need to create NLB and PrivateLink Endpoint in two VPC. this is the privateLink. And then we need to peer VPC which has NLB and VPC on-premises (not the VPC for ECS)

That's the step of creating VPC endpoint services.

why so many anss

For enabling NLB with PrivateLink we do not need new VPC/Account, we can do it the same way. From the diagram if 1 AZ/VPC had gone, we can still use the same one. Only 1 thing is, Web-Server is hosted and we are using NLB :/

it's C A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can be in different regions (also known as an inter-region VPC peering connection). refered to https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html