Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 16 discussion

A,C and D

A, C, and D An interface VPC endpoint provides reliable, scalable connectivity to CloudWatch without requiring a NAT gateway. https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-and-interface-VPC.html https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html To use private DNS, you must enable DNS hostnames and DNS resolution for your VPC. The security group for the interface endpoint must allow communication between the endpoint network interface and the resources in your VPC that must communicate with the service. https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html

A, C and D

A,B and D. Option C is not needed because we're not concerned with inbound traffic for this scenario.

I would go for ABD and here is why. The VPC used to have access via NAT and this was removed so there must have been a security group rule for 0.0.0.0/0 via NAT and now we need a new one. Option B is the best we get in the scenario. As the traffic will be triggered outbound, no need for an new inbound rule as SGs are stateful. Option A makes sense always everytime and D is correct as there is no endpoint named "cloudwatch". Option F only makes sense for gateway endpoints but with interface endpoints what we get is an internally created private hosted zone that will resolve "public" endpoint names (like cloudwatch) to internal IP addresses (that of our interface endpoints) so no routes are needed and hence no updates to route tables.

ACD are the correct answers. Service PrivateLink endpoints https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html

https://repost.aws/knowledge-center/cloudwatch-unified-agent-metrics-issues Confirm connectivity to the CloudWatch endpoints When traffic to CloudWatch should not transit the public internet, you can use VPC endpoints instead. If you are using VPC endpoints, check the following: If you are using private nameservers, confirm that DNS resolution provided accurate responses. Confirm that the CloudWatch endpoints resolve to private IP addresses. Confirm the security group associated with the VPC endpoint allows inbound traffic from the host.

I think that it's correct answer is ACF according to SPOTO products.

I think that it's correcty answer is A ＆ B ＆ D.

Answers are A, C and D 100% sure.

The Unified CloudWatch Agent uses port 443, which is the default port for HTTPS traffic, for secure communication with CloudWatch. The endpoint name associated with CloudWatch is "monitoring.us-east-1.amazonaws.com" (for the US East region). The endpoint may vary depending on the AWS region where you are operating.

for sure A,B,D dont need inbound rules .... I tested 3 yrs ago. NEED ONLY OUTBOUND

How is A a valid option for private subnet? enableDnsHostname (= DNS Hostname setting) Indicates whether instances with public IP addresses get corresponding public DNS hostnames. If this attribute is true, instances in the VPC get public DNS hostnames, but only if the enableDnsSupport attribute is also set to true .

There seems to be some disagreement among different individuals about the answer to this question. However, based on the requirements provided and the skills being tested, I believe the correct answer is A, D, and F. F is correct because associating the VPC endpoint with the route tables that the private subnets use is necessary to ensure that traffic is routed through the VPC endpoint. Option C is incorrect because it suggests creating inbound rules for the TCP protocol on port 443 from the IP prefixes of the private subnets. However, this is not necessary to allow the unified CloudWatch agent to continue working after the removal of the NAT gateway. In fact, creating inbound rules for port 443 is not related to the problem statement, since the issue is about ensuring the CloudWatch agent can communicate with AWS services without using a NAT gateway. Creating inbound rules would only be necessary if you wanted to allow external traffic to access resources within your VPC over HTTPS on port 443.

https://repost.aws/knowledge-center/cloudwatch-unified-agent-metrics-issues ACD

B is incorrect as we don't need to create outbound rules for interface endpoint. "Note: You don't need to create a rule in the outbound direction of the security group associated with the interface endpoint." https://repost.aws/knowledge-center/security-network-acl-vpc-endpoint A is also partially correct as normally CloudWatch Agent uses public endpoints but it can be overridden. But since other options are incorrect so A is a right choice here.

ABD - https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html