Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 514 discussion

A company is running a microservices application on Amazon EC2 instances. The company wants to migrate the application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster for scalability. The company must configure the Amazon EKS control plane with endpoint private access set to true and endpoint public access set to false to maintain security compliance. The company must also put the data plane in private subnets. However, the company has received error notifications because the node cannot join the cluster.

Which solution will allow the node to join the cluster?

  • A. Grant the required permission in AWS Identity and Access Management (IAM) to the AmazonEKSNodeRole IAM role.
  • B. Create interface VPC endpoints to allow nodes to access the control plane.
  • C. Recreate nodes in the public subnet. Restrict security groups for EC2 nodes.
  • D. Allow outbound traffic in the security group of the nodes.
Suggested Answer: B

Comments

y0
Highly Voted 1 year, 6 months ago
Selected Answer: A
Check this: https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html Also, EKS does not require VPC endpoints. This is not the right use case for EKS.
upvoted 19 times
TwinSpark
6 months, 2 weeks ago
Correct, I was going for B, but A looks better. https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html "When you enable endpoint private access for your cluster, Amazon EKS creates a Route 53 private hosted zone on your behalf and associates it with your cluster's VPC. This private hosted zone is managed by Amazon EKS, and it doesn't appear in your account's Route 53 resources."
upvoted 1 times
h0ng97_spare_002
8 months ago
https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html#:~:text=Before,launched "Before you can launch nodes and register them into a cluster, you must create an IAM role for those nodes to use when they are launched."
upvoted 4 times
cloudenthusiast
Highly Voted 1 year, 6 months ago
Selected Answer: B
By creating interface VPC endpoints, you can enable the necessary communication between the Amazon EKS control plane and the nodes in private subnets. This solution ensures that the control plane maintains endpoint private access (set to true) and endpoint public access (set to false) for security compliance.
upvoted 18 times
a7md0
Most Recent 4 months, 2 weeks ago
Selected Answer: A
AmazonEKSNodeRole IAM role https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html
upvoted 1 times
emakid
4 months, 3 weeks ago
Selected Answer: B
When Amazon EKS nodes cannot join the cluster, especially when the control plane is set to private access only, the issue typically revolves around networking and connectivity. When the EKS control plane is configured with private access only, the nodes must communicate with the control plane over private IP addresses. Creating VPC endpoints (specifically, com.amazonaws.<region>.eks) allows traffic between the EKS nodes and the control plane to be routed privately within the VPC, which resolves the connectivity issue.
upvoted 2 times
Gape4
4 months, 4 weeks ago
Selected Answer: B
I think it is B.
upvoted 1 times
MandAsh
5 months, 1 week ago
Selected Answer: B
The error they have mentioned is at the network level. They are not saying authorisation has failed; rather, the node is unable to connect to the cluster, i.e. a connectivity issue. So the answer must be B.
upvoted 1 times
Rocconno
5 months, 1 week ago
Selected Answer: B
https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html "Any self-managed nodes must be deployed to subnets that have the VPC interface endpoints that you require. If you create a managed node group, the VPC interface endpoint security group must allow the CIDR for the subnets, or you must add the created node security group to the VPC interface endpoint security group."
upvoted 1 times
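An added example, not from this thread or from AWS's own tooling, that checks both causes argued in the comments side by side: the node IAM role's managed policies (the create-node-role guide cited for answer A) and the private `com.amazonaws.<region>.eks` interface endpoint with the security-group rule quoted from the private-clusters guide (answer B). It runs offline on constructed data shaped like `aws eks describe-cluster` and `aws ec2 describe-vpc-endpoints` output; the flattened `sg_rules` view of security-group ingress and every cluster, VPC, endpoint and CIDR value are assumptions made up for the example.

```python
from ipaddress import ip_network

# Managed policies the EKS node-role guide linked in the thread attaches to the node role.
REQUIRED_NODE_POLICIES = {"AmazonEKSWorkerNodePolicy", "AmazonEKS_CNI_Policy",
                          "AmazonEC2ContainerRegistryReadOnly"}

def missing_node_policies(attached_policy_names):
    """Check for answer A: required managed policies absent from the node IAM role."""
    return sorted(REQUIRED_NODE_POLICIES - set(attached_policy_names))

def private_endpoint_findings(cluster, endpoints, sg_rules, node_cidrs, node_sg):
    """Check for answer B. sg_rules is an assumed, flattened view of each endpoint
    security group's ingress: {sg_id: {"cidrs": [...], "groups": [...]}}."""
    findings = []
    cfg = cluster["resourcesVpcConfig"]
    region = cluster["arn"].split(":")[3]  # arn:aws:eks:<region>:<account>:cluster/<name>
    if cfg["endpointPublicAccess"] or not cfg["endpointPrivateAccess"]:
        findings.append("control plane is not private-only as the question requires")
    service = f"com.amazonaws.{region}.eks"
    eks_eps = [e for e in endpoints if e["ServiceName"] == service
               and e["VpcId"] == cfg["vpcId"] and e["VpcEndpointType"] == "Interface"]
    if not eks_eps:
        return findings + [f"no interface endpoint for {service} in {cfg['vpcId']}"]
    for ep in eks_eps:
        cidrs, groups = set(), set()
        for g in ep["Groups"]:  # security groups attached to the endpoint ENIs
            cidrs.update(sg_rules.get(g["GroupId"], {}).get("cidrs", []))
            groups.update(sg_rules.get(g["GroupId"], {}).get("groups", []))
        if node_sg in groups:  # node security group referenced directly: allowed
            continue
        # Otherwise every node subnet CIDR must fall inside an allowed CIDR.
        for cidr in node_cidrs:
            if not any(ip_network(cidr).subnet_of(ip_network(a)) for a in cidrs):
                findings.append(f"{ep['VpcEndpointId']} security group does not allow {cidr}")
    return findings

# Constructed sample: private-only control plane, nodes in two private subnets.
CLUSTER = {"arn": "arn:aws:eks:us-east-1:111122223333:cluster/demo",
           "resourcesVpcConfig": {"vpcId": "vpc-0demo", "endpointPrivateAccess": True,
                                  "endpointPublicAccess": False}}
NODE_CIDRS = ["10.0.1.0/24", "10.0.2.0/24"]
EKS_ENDPOINT = {"VpcEndpointId": "vpce-0demo", "VpcEndpointType": "Interface",
                "VpcId": "vpc-0demo", "ServiceName": "com.amazonaws.us-east-1.eks",
                "Groups": [{"GroupId": "sg-vpce"}]}
SG_RULES_TOO_NARROW = {"sg-vpce": {"cidrs": ["10.0.1.0/24"], "groups": []}}
SG_RULES_OK = {"sg-vpce": {"cidrs": ["10.0.0.0/16"], "groups": []}}

if __name__ == "__main__":
    print(private_endpoint_findings(CLUSTER, [EKS_ENDPOINT], SG_RULES_TOO_NARROW, NODE_CIDRS, "sg-node"))
```

With real data, feed the `cluster` dict from `aws eks describe-cluster`, the `VpcEndpoints` list from `aws ec2 describe-vpc-endpoints`, and the node role's attached policy names; an empty findings list plus no missing policies means neither of the two debated causes applies.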
stalk98
6 months, 2 weeks ago
I think it is A.
upvoted 1 times
trinh_le
6 months, 3 weeks ago
Selected Answer: B
B is good to go
upvoted 2 times
JackyCCK
7 months, 2 weeks ago
S3/DynamoDB use a gateway VPC endpoint; other services should use an interface endpoint, so B is incorrect.
upvoted 1 times
bujuman
7 months, 2 weeks ago
Selected Answer: B
Because of these two assertions: - Amazon EKS control plane with endpoint private access set to true and endpoint public access set to false to maintain security compliance. - The company must also put the data plane in private subnets. The best answer is related to networking and private subnets (the EKS control plane is strictly private and the data plane stays in private subnets), not to EKS node deployment, which surely needs an IAM policy. So according to me, answer B is the best answer.
upvoted 2 times
potomac
1 year ago
Selected Answer: A
Before you can launch nodes and register them into an EKS cluster, you must create an IAM role for those nodes to use when they are launched.
upvoted 2 times
thanhnv142
1 year, 1 month ago
A is correct. To deploy a new EKS cluster you need: 1. A VPC with at least 2 subnets. 2. An IAM role that has permission to create and describe the EKS cluster.
upvoted 3 times
thanhnv142
1 year, 1 month ago
A is good to go. B is not correct because they have already set up the connection to the control plane.
upvoted 2 times
pentium75
10 months, 3 weeks ago
"They already setup connection to control plane" where did you read that?
upvoted 2 times
Bennyboy789
1 year, 2 months ago
Selected Answer: B
In Amazon EKS, nodes need to communicate with the EKS control plane. When the Amazon EKS control plane endpoint access is set to private, you need to create interface VPC endpoints in the VPC where your nodes are running. This allows the nodes to access the control plane privately without needing public internet access.
upvoted 2 times
Smart
1 year, 2 months ago
Selected Answer: A
This should be an associate-level question. https://repost.aws/knowledge-center/eks-worker-nodes-cluster https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html
upvoted 3 times
Smart
1 year, 2 months ago
This should NOT be an associate-level question
upvoted 7 times
Guru4Cloud
1 year, 3 months ago
Selected Answer: B
Since the EKS control plane has public access disabled and is in private subnets, the EKS nodes in the private subnets need interface VPC endpoints to reach the control plane API. Creating these interface endpoints allows the EKS nodes to communicate with the control plane privately within the VPC to join the cluster.
upvoted 3 times
Guru4Cloud
1 year, 3 months ago
Why B:
Private Control Plane: You've configured the Amazon EKS control plane with private endpoint access, which means the control plane is not accessible over the public internet.
VPC Endpoints: When the control plane is set to private access, you need to set up VPC endpoints for the Amazon EKS service so that the nodes in your private subnets can communicate with the EKS control plane without going through the public internet. These are known as interface VPC endpoints.
upvoted 2 times
Guru4Cloud
1 year, 3 months ago
Reason why not A: While security groups and IAM permissions are important considerations for networking and authentication, they alone won't resolve the issue of nodes not being able to join the cluster when the control plane is configured for private access.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other