
Exam AWS Certified Solutions Architect - Professional topic 1 question 407 discussion

A company has created an account for individual Development teams, resulting in a total of 200 accounts. All accounts have a single virtual private cloud (VPC) in a single region with multiple microservices running in Docker containers that need to communicate with microservices in other accounts. The Security team requirements state that these microservices must not traverse the public internet, and only certain internal services should be allowed to call other individual services. If there is any denied network traffic for a service, the Security team must be notified of any denied requests, including the source IP.
How can connectivity be established between services while meeting the security requirements?

  • A. Create a VPC peering connection between the VPCs. Use security groups on the instances to allow traffic from the security group IDs that are permitted to call the microservice. Apply network ACLs and allow traffic from the local VPC and peered VPCs only. Within the task definition in Amazon ECS for each of the microservices, specify a log configuration by using the awslogs driver. Within Amazon CloudWatch Logs, create a metric filter and alarm off of the number of HTTP 403 responses. Create an alarm when the number of messages exceeds a threshold set by the Security team.
  • B. Ensure that no CIDR ranges are overlapping, and attach a virtual private gateway (VGW) to each VPC. Provision an IPsec tunnel between each VGW and enable route propagation on the route table. Configure security groups on each service to allow the CIDR ranges of the VPCs in the other accounts. Enable VPC Flow Logs, and use an Amazon CloudWatch Logs subscription filter for rejected traffic. Create an IAM role and allow the Security team to call the AssumeRole action for each account.
  • C. Deploy a transit VPC by using third-party marketplace VPN appliances running on Amazon EC2, dynamically routed VPN connections between the VPN appliance, and the virtual private gateways (VGWs) attached to each VPC within the region. Adjust network ACLs to allow traffic from the local VPC only. Apply security groups to the microservices to allow traffic from the VPN appliances only. Install the awslogs agent on each VPN appliance, and configure logs to forward to Amazon CloudWatch Logs in the security account for the Security team to access.
  • D. Create a Network Load Balancer (NLB) for each microservice. Attach the NLB to a PrivateLink endpoint service and whitelist the accounts that will be consuming this service. Create an interface endpoint in the consumer VPC and associate a security group that allows only the security group IDs of the services authorized to call the producer service. On the producer services, create security groups for each microservice and allow only the CIDR range of the allowed services. Create VPC Flow Logs on each VPC to capture rejected traffic that will be delivered to an Amazon CloudWatch Logs group. Create a CloudWatch Logs subscription that streams the log data to a security account.
Suggested Answer: D
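The notification half of option D rests on VPC Flow Logs: every flow a security group or network ACL refuses is written as a REJECT record that carries the source IP, so a CloudWatch Logs subscription filter on `action=REJECT` is what feeds the Security team. The following is an added example, not part of the exam question or of any AWS tooling: it parses default-format (version 2) flow-log records, keeps the REJECT ones, aggregates them by source, and produces the payload a notification would carry. The field list and the filter-pattern syntax follow the documented default flow-log format; the log lines, account ID, ENI ID and addresses are constructed.

```python
"""Extract denied flows (with source IPs) from VPC Flow Log records.

Added example, not from the exam page. Sample records below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Default VPC Flow Log format (version 2): 14 space-separated fields.
FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action",
    "log_status",
)

# CloudWatch Logs filter pattern that matches only REJECT records in the
# default format. This is the kind of pattern a subscription filter (option D)
# would use to forward denied traffic to the security account.
REJECT_FILTER_PATTERN = (
    "[version, account_id, interface_id, srcaddr, dstaddr, srcport, dstport, "
    "protocol, packets, bytes, start, end, action=REJECT, log_status]"
)


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    action: str
    log_status: str


def _int_or_none(value: str) -> Optional[int]:
    # NODATA / SKIPDATA records carry "-" in the traffic fields.
    return None if value == "-" else int(value)


def parse_record(line: str) -> FlowRecord:
    """Parse one default-format flow-log line; reject malformed field counts."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    return FlowRecord(
        srcaddr=rec["srcaddr"],
        dstaddr=rec["dstaddr"],
        srcport=_int_or_none(rec["srcport"]),
        dstport=_int_or_none(rec["dstport"]),
        protocol=_int_or_none(rec["protocol"]),
        action=rec["action"],
        log_status=rec["log_status"],
    )


def rejected_flows(lines: Iterable[str]) -> List[FlowRecord]:
    """Return only records that were actually denied (REJECT with status OK)."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.log_status == "OK" and rec.action == "REJECT":
            out.append(rec)
    return out


def summarize_rejects(lines: Iterable[str]) -> Counter:
    """Count denied flows per (source IP, destination IP, destination port)."""
    return Counter((r.srcaddr, r.dstaddr, r.dstport) for r in rejected_flows(lines))


def build_notification(lines: Iterable[str]) -> dict:
    """Payload for the Security team: every denied source plus per-target counts."""
    summary = summarize_rejects(lines)
    return {
        "denied_flows": sum(summary.values()),
        "sources": sorted({src for (src, _dst, _port) in summary}),
        "by_target": {f"{dst}:{port}": n for (_src, dst, port), n in sorted(summary.items())},
    }


# Constructed sample: two REJECTs from one source, one ACCEPT, one NODATA
# interval, and one REJECT from a second source. Not real captured data.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 10.1.0.40 49152 8080 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.26 10.1.0.40 49153 8080 6 20 4000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 10.1.0.40 49154 8080 6 2 120 1700000060 1700000120 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.9 10.1.0.41 51000 443 6 1 60 1700000000 1700000060 REJECT OK",
]

if __name__ == "__main__":
    print(REJECT_FILTER_PATTERN)
    print(build_notification(SAMPLE_LINES))
```

Two practical caveats the exam text does not spell out: a flow-log record says that a flow was rejected on that ENI but not whether the security group or the network ACL did it, so the notification above should be read as "denied at the ENI", and a subscription filter can only pick up what the flow log captures, so the flow log must be created with a filter of ALL or REJECT rather than ACCEPT.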

Comments

Warrenn
Highly Voted 3 years, 7 months ago
C is not correct, as a VPN solution between VPCs would require traffic traversing the internet: secure, yes, but it will traverse the internet. D would be the correct answer, providing "only the CIDR range of the allowed services" meant only the CIDR range of the producer services, as only the ELB would be sending traffic to those services, not the consumers directly.
upvoted 19 times
examacc
3 years, 7 months ago
C cannot be right, as it mentions allowing traffic from the VPN appliance only (that means they are looking to do NAT; that way the local security group will never see which connections to deny). C is scalable but has issues. I think D is the better answer for this.
upvoted 5 times
mimadour21698
2 years ago
Selected Answer: D
D for me
upvoted 1 times
joanneli77
2 years, 7 months ago
The answer is C even though it is awful. Today this is TransitGateway to VPC, but prior to that architecture TransitVPC was normal. A transit VPC is EC2 hosting VPN software, so it's EC2-to-EC2 VPN. Yes, that's awful, but that's what drove Transit Gateway architecture into being. I'd be shocked if this question still existed on this old exam.
upvoted 4 times
heany
2 years, 7 months ago
Agree. That 3rd-party VPN appliance is equivalent to a transit gateway.
upvoted 1 times
hilft
2 years, 9 months ago
D. PrivateLink
upvoted 2 times
aandc
2 years, 10 months ago
Selected Answer: D
keyword "PrivateLink"
upvoted 2 times
Ni_yot
3 years, 2 months ago
D for me.
upvoted 1 times
cldy
3 years, 4 months ago
D: CORRECT
upvoted 1 times
AzureDP900
3 years, 4 months ago
I will go with D
upvoted 1 times
andylogan
3 years, 6 months ago
It's D
upvoted 2 times
Kopa
3 years, 6 months ago
Im going for D
upvoted 2 times
StelSen
3 years, 6 months ago
Option-D seems better than other options.
upvoted 2 times
DashL
3 years, 6 months ago
None of the answers are correct. In the question one of the key items is "If there is any denied network traffic for a service, the Security team must be notified of any denied requests". A: provides notification, but will hit the VPC peering limit of 125. B/C/D: provide no notification.
upvoted 1 times
01037
3 years, 6 months ago
D. A: The maximum quota is 125 peering connections per VPC; also too complex. B: Virtual private gateways per Region is 5; also too complex. C: No obvious difference from B, I think.
upvoted 4 times
nisoshabangu
3 years, 6 months ago
D is the correct answer; I have implemented a similar solution in my environment.
upvoted 1 times
Radhaghosh
3 years, 6 months ago
Correct Answer is D
upvoted 1 times
WhyIronMan
3 years, 6 months ago
I'll go with D
upvoted 3 times
ksl4u
3 years, 6 months ago
D is correct
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other