Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 255 discussion

A company is creating a centralized logging service running on Amazon EC2 that will receive and analyze logs from hundreds of AWS accounts. AWS PrivateLink is being used to provide connectivity between the client services and the logging service.

In each AWS account with a client, an interface endpoint has been created for the logging service and is available. The logging service running on EC2 instances and the Network Load Balancer (NLB) are deployed in different subnets. The clients are unable to submit logs using the VPC endpoint.

Which combination of steps should a solutions architect take to resolve this issue? (Choose two.)

  • A. Check that the NACL is attached to the logging service subnet to allow communications to and from the NLB subnets. Check that the NACL is attached to the NLB subnet to allow communications to and from the logging service subnets running on EC2 instances.
  • B. Check that the NACL is attached to the logging service subnets to allow communications to and from the interface endpoint subnets. Check that the NACL is attached to the interface endpoint subnet to allow communications to and from the logging service subnets running on EC2 instances.
  • C. Check the security group for the logging service running on the EC2 instances to ensure it allows ingress from the NLB subnets.
  • D. Check the security group for the logging service running on EC2 instances to ensure it allows ingress from the clients.
  • E. Check the security group for the NLB to ensure it allows ingress from the interface endpoint subnets.
Suggested Answer: AC
Community vote distribution
AC (65%)
BD (21%)
6%

Comments

magmichal05
Highly Voted 11 months, 1 week ago
Selected Answer: AC
When you associate a Network Load Balancer with an endpoint service, the Network Load Balancer forwards requests to the registered target. The requests are forwarded as if the target was registered by IP address. In this case, the source IP addresses are the private IP addresses of the load balancer nodes. If you have access to the Amazon VPC endpoint service, then verify that:
  • The inbound security group rules of the Network Load Balancer's targets allow communication from the private IP address of the Network Load Balancer nodes
  • The rules within the network ACL associated with the Network Load Balancer's targets allow communication from the private IP address of the Network Load Balancer nodes
https://repost.aws/knowledge-center/security-network-acl-vpc-endpoint
upvoted 14 times
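The guidance quoted in the comment above is easy to check mechanically: on the provider side of PrivateLink, the packet the logging EC2 instance actually sees comes from the NLB node's private IP, not from the client or its interface endpoint, so the target's security group and the NACLs on both the NLB subnet and the target subnet are what decide whether the flow works. The following is an added example (not part of the original discussion or any AWS tool) that models that path in plain Python: a stateful security-group check on the target, plus stateless NACL checks on both subnets for the forward packet and the return packet. All addresses, ports and rule sets are constructed for the example, and NLB security groups (a newer feature mentioned further down the thread) are not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology for the provider (logging service) account. These values are
# assumptions for the example, not values taken from the question.
NLB_SUBNET = "10.0.1.0/24"          # subnet holding the NLB nodes
TARGET_SUBNET = "10.0.2.0/24"       # subnet holding the logging EC2 targets
NLB_NODE_IP = ipaddress.ip_address("10.0.1.37")
TARGET_IP = ipaddress.ip_address("10.0.2.10")
CLIENT_IP = ipaddress.ip_address("172.31.5.20")  # endpoint ENI in a client account
SERVICE_PORT = 514
EPHEMERAL_PORT = 40000              # example source port chosen by the NLB node


@dataclass(frozen=True)
class SGRule:
    """Security group rule: stateful, so only the inbound rule for the first packet matters."""
    cidr: str
    from_port: int
    to_port: int


@dataclass(frozen=True)
class NACLRule:
    """Network ACL rule: stateless, lowest rule number wins, implicit deny at the end."""
    number: int
    action: str  # "allow" or "deny"
    cidr: str
    from_port: int
    to_port: int


def sg_allows(rules, src_ip, dst_port):
    return any(
        src_ip in ipaddress.ip_network(r.cidr) and r.from_port <= dst_port <= r.to_port
        for r in rules
    )


def nacl_allows(rules, ip, port):
    # Inbound NACL rules are matched on the source address, outbound rules on the
    # destination address; the caller passes whichever side applies to that direction.
    for r in sorted(rules, key=lambda rule: rule.number):
        if ip in ipaddress.ip_network(r.cidr) and r.from_port <= port <= r.to_port:
            return r.action == "allow"
    return False


def path_checks(cfg):
    """Evaluate every filter on the NLB-node -> target hop and on its return packet.

    Because the endpoint service forwards as if targets were registered by IP, the
    target sees the NLB node's private IP as the source, never the client's address.
    """
    return {
        "nlb_nacl_out": nacl_allows(cfg["nlb_nacl_out"], TARGET_IP, SERVICE_PORT),
        "target_nacl_in": nacl_allows(cfg["target_nacl_in"], NLB_NODE_IP, SERVICE_PORT),
        "target_sg_in": sg_allows(cfg["target_sg_in"], NLB_NODE_IP, SERVICE_PORT),
        # Return traffic: NACLs are stateless, so the reply needs its own allow rules.
        "target_nacl_out": nacl_allows(cfg["target_nacl_out"], NLB_NODE_IP, EPHEMERAL_PORT),
        "nlb_nacl_in": nacl_allows(cfg["nlb_nacl_in"], TARGET_IP, EPHEMERAL_PORT),
    }


def reachable(cfg):
    return all(path_checks(cfg).values())


ANY = "0.0.0.0/0"

# Typical broken setup: the target SG trusts the clients' address range (which the
# target never sees as a source) and the NACLs allow only the service port, so the
# ephemeral-port return packets are dropped.
BROKEN = {
    "target_sg_in": [SGRule("172.31.0.0/16", SERVICE_PORT, SERVICE_PORT)],
    "target_nacl_in": [NACLRule(100, "allow", ANY, SERVICE_PORT, SERVICE_PORT)],
    "target_nacl_out": [NACLRule(100, "allow", ANY, SERVICE_PORT, SERVICE_PORT)],
    "nlb_nacl_in": [NACLRule(100, "allow", ANY, SERVICE_PORT, SERVICE_PORT)],
    "nlb_nacl_out": [NACLRule(100, "allow", ANY, SERVICE_PORT, SERVICE_PORT)],
}

# What options A and C ask for: the target SG and target-subnet NACL trust the NLB
# subnet, the NLB-subnet NACL trusts the target subnet, and both NACLs cover the
# ephemeral ports used by return traffic.
FIXED = {
    "target_sg_in": [SGRule(NLB_SUBNET, SERVICE_PORT, SERVICE_PORT)],
    "target_nacl_in": [NACLRule(100, "allow", NLB_SUBNET, SERVICE_PORT, SERVICE_PORT)],
    "target_nacl_out": [NACLRule(100, "allow", NLB_SUBNET, 1024, 65535)],
    "nlb_nacl_in": [NACLRule(100, "allow", TARGET_SUBNET, 1024, 65535)],
    "nlb_nacl_out": [NACLRule(100, "allow", TARGET_SUBNET, SERVICE_PORT, SERVICE_PORT)],
}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        failed = [k for k, ok in path_checks(cfg).items() if not ok]
        print(f"{name}: reachable={reachable(cfg)} failed_checks={failed}")
```

Running it reports three failed checks for the broken configuration (the target SG, and both NACLs on the return path) and none for the fixed one. Note that the fixed target SG does not allow the client range at all and the flow still works, which is why a rule "from the clients" (option D) does not help here; and because the same trust boundary is enforced twice (SG and NACL), a diagnosis that only looks at one layer can miss the drop.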
red_panda
Highly Voted 4 months, 1 week ago
Selected Answer: AC
A and C. The flow is: Application -> NLB -> Logging Monitor Tool. So we need to check the NACL of the NLB subnets (in and out from the application clients, and in and out to the EC2 subnet) and the security group (stateful, so only ingress) of the EC2 instances of the Logging Monitor Tool.
upvoted 5 times
eesa
Most Recent 23 hours, 55 minutes ago
Selected Answer: BE
B. Network ACLs operate at the subnet level and could be blocking traffic between: the interface endpoints (created in each AWS account) and the logging service's subnets; the logging service subnets and the interface endpoint subnets. AWS PrivateLink uses interface endpoints, and the NACL must allow inbound/outbound traffic between the interface endpoint subnets and the EC2 instances running the logging service.
E. The interface endpoint in each AWS account connects to the NLB. If the NLB security group does not allow ingress from the interface endpoint subnets, traffic from the clients will be dropped.
upvoted 1 times
titi_r
4 months, 1 week ago
Selected Answer: AC
A and C. https://repost.aws/knowledge-center/security-network-acl-vpc-endpoint
upvoted 2 times
BrijMohan08
4 months, 2 weeks ago
Selected Answer: BD
B. Network Access Control Lists (NACLs) act as a firewall at the subnet level. To ensure communication between the interface endpoint subnets and the logging service subnets running on EC2 instances, the NACLs attached to both subnets should be configured to allow the necessary traffic. D. Security groups act as virtual firewalls at the instance level. To allow clients to submit logs to the logging service running on EC2 instances, the security group associated with the EC2 instances should be configured to allow ingress traffic from the clients' IP addresses or security groups.
upvoted 2 times
altonh
2 weeks, 6 days ago
The EC2 will not receive the interface endpoint IP but the NLB's IP instead.
upvoted 1 times
chelbsik
7 months, 1 week ago
Selected Answer: CE
CE: we only need to allow access from client -> NLB -> application
upvoted 3 times
Mehrannn
8 months, 2 weeks ago
Selected Answer: BD
B&D are the correct answers. Rationale: EC2s and NLB are both in one subnet, so the NACL is associated with one subnet and there is no NACL which controls EC2 and NLB communication --> A is not valid, C is not valid. Security groups are attached to EC2s --> E is not valid.
upvoted 1 times
7f6aef3
4 months, 2 weeks ago
The logging service running on EC2 instances with a Network Load Balancer (NLB) are deployed in different subnets.
upvoted 1 times
duriselvan
9 months ago
Guys, please: the answer is B, E. E: The inbound security group rules of the Network Load Balancer's targets allow communication from the private IP address of the Network Load Balancer nodes.
upvoted 1 times
duriselvan
9 months, 1 week ago
CE is the answer. The clients are trying to connect to the logging service through the NLB. The NLB needs to forward the requests to the EC2 instances running the logging service. Therefore, both the NLB and the EC2 instances need to have security group rules allowing inbound traffic from each other's subnets.
upvoted 2 times
ayadmawla
9 months, 2 weeks ago
Selected Answer: AC
Link below seems to confirm it. The focus is on the Provider VPC so the question wasn't really that clear. https://repost.aws/knowledge-center/security-network-acl-vpc-endpoint
upvoted 3 times
career360guru
9 months, 4 weeks ago
Selected Answer: AC
A and C
upvoted 1 times
severlight
10 months ago
Selected Answer: AC
see magmichal05's answer
upvoted 1 times
dpatra
11 months ago
Selected Answer: BE
B is pretty clear plus E is valid as well since AWS has introduced support for associating security groups with Network Load Balancers (NLBs).
upvoted 1 times
Certified101
11 months ago
Selected Answer: AC
AC - The NLB needs to be allowed to the instances, otherwise the targets are unhealthy.
upvoted 1 times
cmoreira
1 year ago
Selected Answer: AC
AC 3rd point on https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html#considerations-endpoint-services
upvoted 3 times
vjp_training
1 year ago
Selected Answer: AC
https://www.examtopics.com/discussions/amazon/view/36058-exam-aws-certified-solutions-architect-professional-topic-1/
upvoted 4 times
Just_Ninja
1 year, 1 month ago
Selected Answer: BC
B and C. The NLB is placed in the destination account. That means the EC2 logging instance gets traffic from the NLB. So the source for the logging EC2 instance must be the NLB. https://aws.amazon.com/de/blogs/architecture/building-saas-services-for-aws-customers-with-privatelink/ Old but not outdated.
upvoted 4 times