
Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 455 discussion

A company with a single AWS account runs its internet-facing containerized web application on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster.
The EKS cluster is placed in a private subnet of a VPC. System administrators access the EKS cluster through a bastion host on a public subnet.
A new corporate security policy requires the company to avoid the use of bastion hosts. The company also must not allow internet connectivity to the EKS cluster.
Which solution meets these requirements MOST cost-effectively?

  • A. Set up an AWS Direct Connect connection.
  • B. Create a transit gateway.
  • C. Establish a VPN connection.
  • D. Use AWS Storage Gateway.
Suggested Answer: C
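The requirement in the question ("must not allow internet connectivity to the EKS cluster") maps onto the cluster's API server endpoint settings. The following check is an added example, not part of the question or of any comment below; it parses a describe-cluster document of the shape returned by the EKS DescribeCluster API (the `resourcesVpcConfig` fields `endpointPublicAccess`, `endpointPrivateAccess` and `publicAccessCidrs` are real field names) and reports findings. Both sample documents are constructed for illustration, not output from a real account.

```python
"""Audit the Kubernetes API endpoint exposure of an EKS cluster description.

Added example. The two JSON documents are constructed to mirror the shape of
`aws eks describe-cluster` output; they are not from a real account.
"""
import json

# Constructed sample: public endpoint enabled and open to all of IPv4
# (the EKS default when a cluster is created without restricting CIDRs).
PUBLIC_CLUSTER_JSON = json.dumps({
    "cluster": {
        "name": "web-app",
        "resourcesVpcConfig": {
            "subnetIds": ["subnet-aaaa1111", "subnet-bbbb2222"],
            "endpointPublicAccess": True,
            "endpointPrivateAccess": False,
            "publicAccessCidrs": ["0.0.0.0/0"],
        },
    }
})

# Constructed sample: the posture the question asks for. The API server is
# reachable only from inside the VPC or from a network connected to it
# (Site-to-Site VPN, Direct Connect, or a transit gateway attachment).
PRIVATE_CLUSTER_JSON = json.dumps({
    "cluster": {
        "name": "web-app",
        "resourcesVpcConfig": {
            "subnetIds": ["subnet-aaaa1111", "subnet-bbbb2222"],
            "endpointPublicAccess": False,
            "endpointPrivateAccess": True,
            "publicAccessCidrs": [],
        },
    }
})


def audit_endpoint_access(describe_cluster_json: str) -> list[str]:
    """Return a list of findings; an empty list means private-only access."""
    doc = json.loads(describe_cluster_json)
    vpc_cfg = doc["cluster"]["resourcesVpcConfig"]
    findings = []

    # Treat a missing key conservatively: EKS enables public access by default.
    if vpc_cfg.get("endpointPublicAccess", True):
        cidrs = vpc_cfg.get("publicAccessCidrs", ["0.0.0.0/0"])
        if "0.0.0.0/0" in cidrs:
            findings.append("public API endpoint reachable from any IPv4 address")
        else:
            findings.append(
                f"public API endpoint enabled (allow-listed CIDRs: {', '.join(cidrs)})"
            )

    # Without private access, even in-VPC clients resolve to the public endpoint.
    if not vpc_cfg.get("endpointPrivateAccess", False):
        findings.append("private API endpoint access disabled")

    return findings


def is_private_only(describe_cluster_json: str) -> bool:
    """True when no finding is raised, i.e. the cluster matches the policy."""
    return not audit_endpoint_access(describe_cluster_json)


if __name__ == "__main__":
    for label, doc in (("public", PUBLIC_CLUSTER_JSON), ("private", PRIVATE_CLUSTER_JSON)):
        print(label, audit_endpoint_access(doc) or ["OK: private endpoint only"])
```

Once a cluster passes this check, the only remaining question is how administrators reach the VPC, which is what the discussion below is about; the check itself does not care whether that path is a VPN, Direct Connect, or a transit gateway.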

Comments

lovelyone
Highly Voted 3 years, 8 months ago
The answer is C. Site-to-Site VPN is much cheaper than Transit Gateway; the relation is 1:2 according to pricing.
upvoted 35 times
noahsark
3 years, 7 months ago
Q. How does AWS Direct Connect differ from an IPSec VPN Connection? A VPC VPN Connection utilizes IPSec to establish encrypted network connectivity between your intranet and Amazon VPC over the Internet. VPN Connections can be configured in minutes and are a good solution if you have an immediate need, have low to modest bandwidth requirements, and can tolerate the inherent variability in Internet-based connectivity. AWS Direct Connect does not involve the Internet; instead, it uses dedicated, private network connections between your intranet and Amazon VPC. https://aws.amazon.com/directconnect/faqs/
upvoted 1 times
cnmc
3 years, 7 months ago
Hijacking this (correct) comment to clarify the "Internet" part. The question states that the "EKS cluster cannot allow Internet connectivity". Meaning, THE CLUSTER is isolated from the Internet gateway and from the public subnet, it doesn't have a Security Group that allows 0.0.0.0/32, etc... It means you cannot connect *directly* to the EKS cluster from the wide open Internet; it does NOT mean that you HAVE to use a single line of cable directly from your datacenter into the AWS datacenter. Really, if the question is changed from an EKS cluster to an EC2 instance in a private subnet, it's still the same answer. The Site-to-Site VPN does that. With VPN you can only access the EKS cluster (API)'s VPC from your network. It's secure. Yes, the VPN tunnel goes through the Internet, on the Internet, whatever, but it DOES NOT expose your EKS cluster to the wide open web. And yes, you can somehow hack the tunnel (can you?), but in that scenario, is the transit gateway secure, is Direct Connect really secure? Are we dealing in absolutes?
upvoted 10 times
Jonfernz
3 years, 7 months ago
You can't simply just say "Yes the VPN tunnel goes through the Internet, on the Internet, whatever, but it DOES NOT expose your EKS cluster to the wide open web." You have to question why the company doesn't want internet connectivity to the cluster. It is obviously because they don't want sensitive data exposed to the internet. That's it. So let's rule out anything that traverses the internet. We are left with Direct Connect Gateway and Transit Gateway. Which is cheaper? The latter. Hence TG is the answer.
upvoted 4 times
osel
3 years, 4 months ago
Doesn't the Transit GW require the user's end to use either a S2S VPN or a DX connection to connect to the Transit GW before going onward to the VPC? If yes, using the Transit GW still requires the cheapest S2S VPN.
upvoted 2 times
naveenagurjara
2 years, 11 months ago
**Cost Effective** Transit GW also needs a VPN connection to on-prem. I am ruling out DX now.
upvoted 1 times
meeko86
3 years, 7 months ago
I would choose C because the connection is secure and private. https://aws.amazon.com/vpn/site-to-site-vpn/ "With AWS Site-to-Site VPN, you can connect to an Amazon VPC or AWS Transit Gateway the same way you connect to your on-premises servers. AWS Site-to-Site VPN establishes secure and private sessions using IP Security (IPSec)." When I searched about Transit Gateway, it mostly talks about consolidating multiple VPCs. In the question it says "EKS cluster is placed in a private subnet of a VPC", which is singular. https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-gateway.html "Transit Gateway enables customers to connect thousands of VPCs. You can attach all your hybrid connectivity (VPN and Direct Connect connections) to a single Transit Gateway"
upvoted 4 times
Gats
Highly Voted 3 years, 7 months ago
B https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html Accessing a private only API server If you have disabled public access for your cluster's Kubernetes API server endpoint, you can only access the API server from within your VPC or a connected network. Here are a few possible ways to access the Kubernetes API server endpoint: Connected network – Connect your network to the VPC with an AWS transit gateway or other connectivity option and then use a computer in the connected network. You must ensure that your Amazon EKS control plane security group contains rules to allow ingress traffic on port 443 from your connected network. Amazon EC2 bastion host – You can launch an Amazon EC2 instance into a public subnet in your cluster's VPC and then log in via SSH into that instance to run kubectl commands. For more information, see Linux bastion hosts on AWS. You must ensure that your Amazon EKS control plane security group contains rules to allow ingress traffic on port 443 from your bastion host. For more information, see Amazon EKS security group considerations.
upvoted 30 times
noahsark
3 years, 7 months ago
Q. How does AWS Direct Connect differ from an IPSec VPN Connection? A VPC VPN Connection utilizes IPSec to establish encrypted network connectivity between your intranet and Amazon VPC over the Internet. VPN Connections can be configured in minutes and are a good solution if you have an immediate need, have low to modest bandwidth requirements, and can tolerate the inherent variability in Internet-based connectivity. AWS Direct Connect does not involve the Internet; instead, it uses dedicated, private network connections between your intranet and Amazon VPC. https://aws.amazon.com/directconnect/faqs/
upvoted 2 times
Dimkaaa
2 years, 9 months ago
Read the original article carefully! It says: "Connected network – Connect your network to the VPC with an AWS transit gateway or other connectivity option and then use a computer in the connected network." Pay attention to "other connectivity option"; it can be VPN. So, the answer is C due to cost efficiency.
upvoted 1 times
jw1806
Most Recent 2 years, 8 months ago
Selected Answer: A
Without internet connection, that's the keyword.
upvoted 3 times
Dimkaaa
2 years, 9 months ago
Selected Answer: C
Read the original article carefully! https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html It says: "Connected network – Connect your network to the VPC with an AWS transit gateway or other connectivity option and then use a computer in the connected network." Pay attention to "other connectivity option"; it can be VPN. So, the answer is C due to cost efficiency.
upvoted 2 times
Moathov
2 years, 10 months ago
Selected Answer: B
B is the answer for me.
upvoted 2 times
bora4motion
2 years, 10 months ago
Selected Answer: C
Somehow you have to connect to the VPC. The options are Internet VPN or DX. Now for both you need the TGW, so in theory you have to choose between VPN and DX. I think you need VPN + TGW. So... it should be C. Are there any arguments against?
upvoted 2 times
bora4motion
2 years, 10 months ago
From my point of view you need a TGW with both VPN and DX.
upvoted 1 times
Aniketh
2 years, 11 months ago
Selected Answer: B
You will be charged for your AWS Transit Gateway on an hourly basis. For this region, the rate is $0.1 per hour. On the other hand, you pay $72.00 per month for AWS Site-to-Site VPN. https://aws.amazon.com/vpn/pricing/ https://aws.amazon.com/transit-gateway/pricing/
upvoted 2 times
GBAU
3 years ago
Selected Answer: C
My experience is that a resource only available when on a VPN is not considered 'exposed to the Internet', i.e. the resource does not have internet connectivity. It cannot connect to Internet resources of any form; it can only connect to resources past the VPN endpoint, which are private resources. Therefore C is my selection. We shouldn't need to 'over think' exam questions; they should be a test of knowledge only, not a test of interpretation!
upvoted 3 times
reve666
3 years ago
Selected Answer: C
The answer is C.
upvoted 1 times
nischi9lek
3 years ago
It should be B, prohibit internet connectivity. Please explain if I am correct.
upvoted 1 times
trojan123
3 years, 3 months ago
C. Networking Modes. Public endpoint only: In this case, nodes should have a public IP address to connect to the control plane. There should also be a route to an internet gateway or a NAT gateway where they can use the public IP address of the NAT gateway. This is the default behaviour of EKS. Public and private endpoint: In this mode, Kubernetes API requests from within the worker node VPC to the control plane go through the EKS-managed ENIs within the worker node VPC. Private endpoint only: Public access to the API server from the internet is closed. Any kubectl commands will work only if they originate from within the VPC or a connected network such as !!!AWS VPN or !!!AWS Direct Connect to your VPC.
upvoted 1 times
SimoneP
3 years, 4 months ago
ANS C because of "in terms of cost-effectiveness"
upvoted 1 times
adsdadasdad
3 years, 4 months ago
Would use SSM; since there is no SSM option, use VPN for sure.
upvoted 1 times
Edgarrt
3 years, 5 months ago
Selected Answer: B
A. w/o internet connectivity option
upvoted 3 times
Pankaj_Shet
3 years, 5 months ago
Answer has to be A. Even though the most cost-effective solution is VPN, we can't choose VPN as it involves internet connectivity. The question also has the condition that the solution should not allow internet connectivity, which is where Direct Connect comes into the picture.
upvoted 5 times
FF11
3 years, 5 months ago
Selected Answer: C
https://aws.amazon.com/vpn/pricing/
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other